# 7CCSMCFC Computer Forensics and Cybercrime

## 2016 Exam

MSc Computing and Security

## Question 1

### a). What is meant by the terms Forensic Science and Digital Forensics? [10 marks]

Forensic science is the process of getting evidence that will be acceptable in a court of law. Digtal forensics is Forensic science related to digital devices e.g. GPS, game controllers, etc.

### c). List the five attributes of evidence in UK courts of law, giving a brief (one sentence) explanation of each. [15 marks]

• Admissibility: The evidence is first-hand, original, not hearsay.
• Authenticity: Is genuine, what it claims, or is claimed, to be.
• Accuracy: Precise and clear, not vague.
• Completeness: Self-contained, not vague.
• Probative value: Relevance to the case in hand must be greater than the prejudicial value (resulting degree of harm).

### d). What is meant by probative value and the prejudicial value of evidence? What criterion involving these two values must be met in order for the evidence to be deemed admissible in court? [10 marks]

The probative value is the relevance to the case in hand and it must be grater than the probative value which is the resulting degree of harm. i.e. the evidence must be more relevant to the case than it is damaging.

### e). Why are the laws and statutes involving digital evidence in continual need of updating? [5 marks]

As society becomes more technologically advanced, people have more knowledge on how to avoid prosecution with existing laws. e.g. With the advent of the internet, cybercrime (crime across networks) became more prominent and easy to conduct.

## Question 2

Digitally assisted crime is where digital devices are used in accessory to a crime. e.g. Embezzlement, Fraud.

Digitally related crime is where a digital device (or digital devices) are the subject of the crime. e.g. DoS, hacking.

### b). Briefly explain how the 2011 Detica/Cabinet Office report estimated the annual cost of cybercrime in the UK as £27 billion whereas in 2012 a paper at WEIS concluded that it was around £2.2 billion. [10 marks]

The Detica paper was based on estimates and assumptions, instead of real data. They used public information to give worst-case, most-likely case, and best-case scenarios for the magnitude of cyber-crime.

The WEIS paper scaled global estimates using the UK’s share of GDP for different types of cybercrime.

### c). Explain what is meant by a power law relationship giving its equation. [10 marks]

A power law characterises a multitude of processes that have a large amount of small events but a small amount of large events. Its equation is $p(x) = Cx^{-a}$.

### d). With the aid of a diagram explain how a double power law can be used to characterise cybercrime into opportunistic cybercrime and organised cybercrime, indicating which cybercrimes fall into the latter category. [20 marks]

Using data from the CSI Computer Crime and Surveys for average financial loss, we arrive a diagram looking similar to this:

The 2nd line of best fit(right hand side) is the organised cybercrime (the small amount of large events), and the 1st line of best fit is the opportunistic cybercrime (the large amount of small events).

Cyber-crime can be viewed as an asymmetric conflict, where the resources required for defence are far greater than the resources required for attack. It is opportunistic in nature and so it resembles terrorism rather than conventional (symmetric) warfare.

## Question 3

### a). What is meant by a digital evidence geolocation timeline? Explain briefly how it is constructed. [9 marks]

A geolocational timeline is representation of where a piece of evidence has been moved/traveled. i.e. a locational lifespan of a piece of evidence. It is constructed using timestamp and locational information from devices that have held the evidence.

### b). List three devices that are capable of providing digital evidence of location. [6 marks]

• GPS
• CCTV
• Entry key cards

### c). When analysing recovered digital evidence of time, briefly describe four types of errors or anomalies that may be encountered. [20 marks]

N/A: don’t think possible error will come up as cannot find in teaching material.

### d). Suggest two types of digital device that might potentially be capable of placing an individual person in a particular location at a particular time and explain briefly how this might be achieved. [10 marks]

• CCTV: an image of a person on a CCTV with a timestamp can give us the location of the individual at a specific time.
• Retina scan entry: If someone uses a retina based authentication, we can find when that individual entered the area from logs.

## Question 4

### a). What is meant by a dual use tool? Give one example of such a tool and explain briefly why the Council of Europe Convention on Cybercrime had to be revised to take account of dual use tools. [10 marks]

A tool that can be used for both good and bad. nmap is one tool as it can be used to scan for open ports on a remote machine as part of a cyber attack.

The Council of Europe Convention on Cybercrime had to be revised as many tools such as nmap can be used for the testing and protection of systems, and were initially created for that purpose. It had to be revised to take into account whether the use of the tool was malicious.

### b). In what ways do (i) cloud forensics; (ii) mobile forensics, differ from hard disk drive (HDD) digital forensics? [10 marks]

Cloud forensics are much harder to conduct as usually data centres reside in different jurisdictions. It is possible, but usually takes a long time for a request to be processed.

Mobile forensics are also difficult as it is possible for a suspect to control the mobile remotely and wipe it. Mobiles should be placed inside a faraday bag to stop all radio communication from it and it should also remain charged.

### c). Explain briefly what is meant by counter-forensics (or anti-forensics), stating why it might be used, and by whom. [10 marks]

Counter-forensics are a set of strategies that make a forensic inspection much more difficult or impossible. It may be used by criminals to hide incriminating evidence or give misleading incriminating evidence. It may also be used by highly secretive organisations.

### d). Give four examples of counter-forensic or (anti-forensic) techniques, explaining briefly in each case how the technique achieves its aim. [20 marks]

• Deceive - Steganography (hiding information)
• Divert - Planting misleading information.
• Destroy - Delete evidence
• Deny - Cryptogaphy