# 7CCSMCFC Computer Forensics and Cybercrime

## Notes

MSc Computing and Security

### Definitions

• Crime: An action which constitutes an offence and is punishable by law.
• Digital crime: Crime committed using any digital device. e.g. GPS, game controllers, the national infrastructure systems.
• Computer crime: A crime committed with isolated computers.
• Cyber-crime: A crime committed across a network. e.g. DoS, hacking.
• Forensics: The process of getting evidence that will be acceptable in a court of law. (mention court of law).
• Digital forensics: Forensics related to digital devices. e.g. GPS, game controllers, the national infrastructure systems.
• Computer forensics: Forensics related to isolated computers.
• Cyber-forensics: Forensics related to networked computers.
• eDiscovery: Looking into systems to find out how well they are running or how secure they are. Normally part of civil law, which does not require evidence of the same strictness or standard as criminal evidence.

Conventional crimes which may involve the use of a digital system in their commission (e.g., forgery, fraud, blackmail, extortion, embezzlement, theft, etc.) are known as Digitally Assisted crimes.
Crimes in which altering the contents or operation of a digital system or network is the criminals’ target (e.g. hacking, malware, denial of service, etc.) are known as Digitally Related crimes.

### Article

Computer crime is divided into (covered by the Computer Misuse Act 1990):

• Computer Related Crime (CRC): A computer or its contents is the subject of the criminal attack (e.g. Hacking or Denial of Service attacks).
• Computer Assisted Crime (CAC): A computer is an accessory to the crime (e.g. Financial Fraud or Embezzlement).

Software Bombs consist of a trigger and a payload (often a destructive payload for blackmail/sabotage). The trigger can be:

• Time Bomb: date/time trigger.
• Logic Bomb: logical condition trigger.

Trojan Horses need to be explicitly run by a user for their hidden side-effects to execute.

Worms are replicators that do not necessarily damage information, but instead use up computer resources until the computer ceases to function; they can thus be used for extortion, blackmail and sabotage.

Viruses are parasitic replicators that need to attach themselves to other executables.

## Lecture 3 - Cost of Cybercrime

Most (~85%?) goes unreported, due to fears over loss of brand reputation, business confidence, market share, etc. Estimates vary from £2.2bn to £27bn pa in the UK, and from £33bn to £643bn pa worldwide, depending on definitions and methodologies.

Study the UK Cabinet Office report (2011), particularly pp.2-3; the WEIS paper (2012), particularly Table 1; and the UK Home Office review (2013), particularly the Summary on p.14, and the Ponemon Institute report (2015), particularly Figure 1 & p.4, which suggests £5bn pa for the UK.

Malware attacks on businesses occur every 1–3 minutes – see the FireEye report (2012).

### UK Cabinet Office Report 2011 (Detica)

pp.2-3:

Method:

• Based on estimates & assumptions instead of real data.
• Used public information to give worst-case, most-likely case, and best-case scenarios for the magnitude of cyber-crime.

Lack of transparency for their data.

This report estimates the cost of cyber-crime to the UK economy to be £27bn, with Intellectual Property theft at the top at £9bn.

This shows that the impact of cyber-crime does not fall equally across all sectors, therefore businesses need to look again at their defences. They believe that the cost of cyber-crime will rise even further as UK businesses increase their reliance on ICT.

### WEIS 2012

Table 1

They scaled the global estimates to the UK using the UK’s share of GDP for a lot of the types of cyber-crime.

### UK Home Office Review 2013

p.14

Estimating the costs of cyber crime is challenging and there are limitations with previous research that has attempted to produce estimates. As outlined by the Home Affairs Select Committee report on e-crime (Home Affairs Select Committee, 2013), the precision of Detica’s (2011) £27 billion estimate has been questioned due to the lack of robust and transparent data upon which their estimates were based. Progress in this complex area has been made with work conducted by Anderson et al. (2012) who estimated separate costs for different cyber crimes, opting not to produce one total estimate given the paucity and reliability of the data available. However, there are also limitations with Anderson et al.’s approach, which relies partly on scaled down global estimates and case-studies, based on the UK being five per cent of the world gross domestic product (GDP). The UK cyber security strategy (Cabinet Office, 2011) recognised the challenges in this area and noted “a truly robust estimate will probably never be established, but it is clear the costs are high and rising”. Based on the limited research available at present, for example, drawing upon Anderson et al. (2012), the costs of cyber crime could reasonably be assessed to equate to at least several billion pounds per year.

To improve the cyber-crime evidence base:

• recording mechanisms that accurately distinguish between online and offline crime.
• more reporting of cyber-crime from public and businesses and better awareness that some cyber incidences are actually crimes.
• consistency between the measurement and definitions of cyber crime within the relevant research.
• transparency and comparability of information from industry sources.
• methodologically sound surveys of victims.
• cyber crime can be large scale, which could result in a relationship between victims and offenders that is different to offline crime.
• cyber crime is not constrained by national boundaries.

### Ponemon Institute Report 2015

Figure 1 & p.4

Method:

• Interviews with companies over 10 months.
• Direct and indirect expenses.

## Lecture 15 - Analysis in more Detail

Attempts to make sense of the evidence. E.g. constructing geolocational timelines for devices and people (CCTV, mobiles, satnavs, swipe-cards, ATM cards, USB keys, games consoles, digital cameras, CSP/ISP logs, etc.)

Attempts to answer the ‘5WH’ questions: who did what when, where, why and how?

Intruder behavioural profiling aims to identify ‘who’ by studying online M.O. (modus operandi) from e.g. what files/directories/databases are searched? what keywords/key phrases are searched for? how frequently is email monitored? how frequently is snooping monitored? how long is a typical online session? how many computers/networks are scanned? what system/network scanning tools are used? what backdoors/Trojans/scripts are exploited?
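The geolocational timeline idea above (CCTV, swipe-cards, ISP logs) and the session-length question from behavioural profiling both come down to the same analysis step: normalising records from different sources, in different time formats and time zones, into one ordered UTC timeline. The following is an added example (not from the lecture notes); every record, subject name, IP address and the assumed BST offset are constructed for illustration.

```python
"""Constructed example: merge timestamped records from several evidence
sources into a single UTC timeline, then answer simple 'who/when/where'
questions from it. All sample records and names below are invented."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Assumption: the CCTV recorder wrote local London time in British Summer Time
# (+01:00) for these June records and stored no offset in the record itself.
BST = timezone(timedelta(hours=1))
UTC = timezone.utc


@dataclass(order=True)
class Event:
    when: datetime      # always timezone-aware and normalised to UTC
    source: str
    subject: str
    location: str
    detail: str


# Constructed sample records, each in the shape its source emits.
CCTV_LINES = [          # local time, no offset
    "2015-06-10 09:02:15|cam-lobby|alice|Lobby|enters building",
    "2015-06-10 17:31:40|cam-lobby|alice|Lobby|leaves building",
]
SWIPE_RECORDS = [       # (unix epoch seconds, card holder, door)
    (1433927000, "alice", "Server room"),   # 2015-06-10 09:03:20 UTC
]
ISP_LINES = [           # ISO-8601 with an explicit offset
    "2015-06-10T12:15:00+01:00 login alice 203.0.113.7",
    "2015-06-10T12:52:30+01:00 logout alice 203.0.113.7",
]


def parse_cctv(line):
    ts, cam, who, where, what = line.split("|")
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=BST)
    return Event(local.astimezone(UTC), f"cctv:{cam}", who, where, what)


def parse_swipe(rec):
    epoch, who, door = rec
    return Event(datetime.fromtimestamp(epoch, tz=UTC), "swipe", who, door, "badge used")


def parse_isp(line):
    ts, action, who, ip = line.split()
    return Event(datetime.fromisoformat(ts).astimezone(UTC), "isp", who, ip, action)


def build_timeline(cctv, swipe, isp):
    """Parse every source into Events and sort chronologically (UTC)."""
    events = ([parse_cctv(l) for l in cctv]
              + [parse_swipe(r) for r in swipe]
              + [parse_isp(l) for l in isp])
    return sorted(events)


def session_lengths(timeline, subject):
    """Pair each ISP 'login' with the following 'logout' for a subject;
    return the session durations in minutes (the 'typical session length'
    question from behavioural profiling)."""
    durations, start = [], None
    for ev in timeline:
        if ev.source != "isp" or ev.subject != subject:
            continue
        if ev.detail == "login":
            start = ev.when
        elif ev.detail == "logout" and start is not None:
            durations.append((ev.when - start).total_seconds() / 60)
            start = None
    return durations


def whereabouts(timeline, subject, at_iso):
    """Location from the most recent physical (non-network) record for the
    subject at or before the given ISO-8601 instant, or None if there is none."""
    at = datetime.fromisoformat(at_iso).astimezone(UTC)
    physical = [e for e in timeline
                if e.subject == subject and e.source != "isp" and e.when <= at]
    return physical[-1].location if physical else None


if __name__ == "__main__":
    for e in build_timeline(CCTV_LINES, SWIPE_RECORDS, ISP_LINES):
        print(e.when.isoformat(), e.source, e.subject, e.location, e.detail)
```

The sort is only meaningful because every parser converts to UTC first; leaving the CCTV line in local time would place it an hour late relative to the swipe-card record.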

See the Case Study: FSA Insider Dealing prosecution (Owen Brady – guest lecture).

## Lecture 16 - Evaluation in more Detail

In an adversarial legal system (e.g. UK, USA, HK) the defence side will either try to discredit the prosecution side’s evidence by using the 5 legal criteria, or they may agree the evidence but argue instead that there is another perfectly innocent alternative explanation for that evidence. Since a criminal prosecution requires the prosecution side to prove their case “beyond a reasonable doubt”, the defence side only has to find a plausible alternative explanation for the evidence in order to win the case. The Trojan Horse Defence (THD) and the Inadvertent Download Defence (IDD) are two of the most common alternative defences used. In such situations it is important to be able to evaluate how plausible the defence side’s alternative explanation is, relative to the prosecution side’s contention. This is usually expressed in terms of an Odds Ratio.

There are a number of ways of approaching these problems including:

• Bayesian networks (introduced by Judea Pearl in 1988, pioneered for digital forensics by K-P Chow et al. in 2008; in particular, see Figure 5 and Table 5)
• Complexity theory (based on Ockham’s razor, Einstein’s principle of simplicity, and Hoyle’s principle of contingency)

Case Study: HK Possession of Child Pornography (CP) prosecutions. Both the THD and the IDD have been used successfully to avoid convictions for possession of CP in HK and UK. To combat either defence it is necessary for the prosecution side to demonstrate that they are implausible beyond a reasonable doubt.
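To make the odds-ratio idea concrete, here is an added example (not from the lecture, nor the network from Chow et al.’s paper) of the simplest Bayesian network for this situation: a hypothesis node with one child per evidence item, so the items are treated as conditionally independent given the hypothesis. Every probability in the table is an assumed, illustrative value, not a figure from any case.

```python
"""Constructed example: comparing the prosecution hypothesis Hp (the user
knowingly obtained and kept the material) with the Trojan Horse Defence Hd
(a Trojan did it without the user's knowledge) as an odds ratio.

Network shape: H -> E1, H -> E2, ... (naive Bayes), so
    O(Hp:Hd | E) = O(Hp:Hd) * prod_i P(E_i | Hp) / P(E_i | Hd)
All conditional probabilities below are assumptions for illustration only."""

# name: (P(item present | Hp), P(item present | Hd))
EVIDENCE = {
    "files in user-created folder":   (0.80, 0.10),
    "files renamed by hand":          (0.60, 0.05),
    "no trojan found by AV scan":     (0.95, 0.30),
    "browser history shows searches": (0.70, 0.02),
}


def likelihood_ratio(observations):
    """observations maps item name -> True (present) / False (absent).
    An absent item contributes P(absent | H) = 1 - P(present | H)."""
    lr = 1.0
    for name, present in observations.items():
        p_hp, p_hd = EVIDENCE[name]
        if not present:
            p_hp, p_hd = 1.0 - p_hp, 1.0 - p_hd
        lr *= p_hp / p_hd
    return lr


def posterior_odds(observations, prior_odds=1.0):
    """Bayes' rule in odds form: posterior odds = prior odds x likelihood ratio."""
    return prior_odds * likelihood_ratio(observations)


def posterior_probability(observations, prior_odds=1.0):
    """P(Hp | E) recovered from the posterior odds."""
    o = posterior_odds(observations, prior_odds)
    return o / (1.0 + o)


def favoured(observations, prior_odds=1.0):
    """Which hypothesis the evidence favours (odds above 1 favour Hp)."""
    return "prosecution" if posterior_odds(observations, prior_odds) > 1.0 else "defence"


if __name__ == "__main__":
    strong = {name: True for name in EVIDENCE}           # every item present
    weak = {"files in user-created folder": True,        # AV found a Trojan,
            "files renamed by hand": False,              # no renaming, no searches
            "no trojan found by AV scan": False,
            "browser history shows searches": False}
    for label, obs in (("all items present", strong), ("mixed picture", weak)):
        print(f"{label}: odds {posterior_odds(obs):.3f}, "
              f"P(Hp|E) {posterior_probability(obs):.3f}, favours {favoured(obs)}")
```

The conditional-independence assumption is the weak point of this shape: if two items are really produced by the same mechanism (a Trojan that both creates the folder and renames files), multiplying their ratios overstates the evidence, which is why richer network structures such as those in Chow et al. are used in practice.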

### Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography

Study the paper “Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography” (in particular, the Methodology sections and the Table) on combating the THD using complexity theory.

The Operational Complexity Model (OCM) evaluates how easy (probable) it is to accidentally/unknowingly/spontaneously perform a set of actions on a computer. The Trojan horse hypothesis is modelled by the OCM as the simplest user-oblivious process that produces all of the requisite evidential traces and no others. The reason for this is not only to achieve clarity but, even more importantly, to produce a lower bound on the complexity of the Trojan horse process, which will be reflected in an upper bound on the plausibility of the Trojan horse hypothesis. Since a simpler Trojan horse model results in a higher plausibility for this alternative hypothesis, it enables the prosecution to assess the maximum plausibility of the defence’s alternative explanation for the existence of the recovered evidence as a ‘worst case scenario’.

The Enhanced Complexity Model (ECM) builds upon the OCM by taking into account the additional effort required to integrate the Trojan Horse into software components.

Study also “An approach to quantifying the plausibility of the inadvertent download defence” on combating the IDD using probability theory (in particular, sections 2 & 4).

## Lecture 17 - Forensic Readiness

The digital forensic process is greatly aided if organisations proactively prepare themselves for the possibility of an on-site forensic investigation, so that all the required evidence has been securely saved.

Forensic readiness is defined as the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation.

This is described in Rob Rowlingson’s paper “A Ten-Step Process for Forensic Readiness” (see particularly pp.9–24; p.9 gives the overview).

1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability for securely gathering legally admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify circumstances when escalation to a full formal investigation (which may use the digital evidence) should be launched.
8. Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident.
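Step 5 (secure storage and handling of potential evidence) is the one most directly supported by tooling. The following is an added example, not from Rowlingson’s paper or the lecture, of the minimum an evidence store should record: a SHA-256 for every collected item plus a hash-chained custody log, so that later alteration of either the item or the log entry is detectable. The file name, collector name and contents are constructed placeholders.

```python
"""Constructed example of forensic-readiness step 5: record each collected
item's SHA-256 in a hash-chained custody log and verify both later.
All item names, collector names and file contents are invented."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_digest for the first log entry


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_digest(body):
    # canonical JSON (sorted keys) so the digest does not depend on key order
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_collection(log, path, collector, note=""):
    """Append a custody entry for 'path', linked to the previous entry."""
    entry = {
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "prev_digest": log[-1]["entry_digest"] if log else GENESIS,
    }
    entry["entry_digest"] = _entry_digest(entry)   # computed before the key exists
    log.append(entry)
    return entry


def verify_log(log):
    """True iff every entry's digest matches its body and the chain is intact."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_digest"}
        if entry["prev_digest"] != prev or _entry_digest(body) != entry["entry_digest"]:
            return False
        prev = entry["entry_digest"]
    return True


def verify_item(entry, path):
    """True iff the stored file still hashes to the value recorded at collection."""
    return sha256_file(path) == entry["sha256"]


def demo():
    """Collect one constructed file, then show that altering the file or the
    log record is detected. Returns the four check results."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "mail_export.pst")        # constructed evidence item
    with open(p, "wb") as f:
        f.write(b"constructed evidence bytes")
    log = []
    e = record_collection(log, p, "analyst-1", "exported from mail server")
    results = {"log_ok": verify_log(log), "file_ok": verify_item(e, p)}
    with open(p, "ab") as f:
        f.write(b"!")                               # alteration after collection
    results["file_ok_after_edit"] = verify_item(e, p)
    log[0]["collected_by"] = "someone-else"         # tampering with the record
    results["log_ok_after_edit"] = verify_log(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The chain only proves the log was not altered after the fact if the latest digest is also kept somewhere the log writer cannot change (printed in a signed report, or sent to a separate system), which is exactly the kind of requirement steps 4 and 5 ask the organisation to decide in advance.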

Further details of many aspects covered in this course are in Peter Sommer’s “A Guide to Forensic Readiness” (4/e).