
Investigating Cybercrime DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.


3 Objectives
- Highlight the role of a Security Breach Handling Policy
- Summarise the forensic and digital evidence process options
- Outline procedural law
- Summarise the Lawful Interception Model

4 Incident Handling Requirements
- An incident handling/response team must be established
- Policies and procedures must be put in place to cater for the 24/7 nature of operation
- A mechanism for storing security incident records must be established
- Liaison with law enforcement bodies must be defined

5 Incident Handling Policy Requirements
- Security incidents must be registered as soon as they occur
- Staff, contractors, third parties and clients must be made aware of and read this document
- Security incidents must be reported immediately to the security manager
- Staff responsible for affected systems must follow incident handling procedures

6 Incident Handling Policy Steps

7 Minimising a Security Incident
- Impact assessment
- Document events
- Incident containment
- Evidence gathering
- Eradication and discovery
- Follow-up analysis and lessons learned

8 Computer Forensics
- The systematic analysis of IT equipment for the purpose of searching for digital evidence
- Typically takes place after the offence has been committed
- More evidence is potentially available due to the vast use of computers
- Note: the main focus is the ability to use the evidence in legal proceedings within the existing legal framework

9 Computer Forensics - Phases
Four phases in criminal proceedings:
- Identification of relevant evidence
- Collection and preservation
- Analysis of digital evidence
- Presentation in court

10 Recording Computer Crime and Computer Forensics
- The rise in the use of computers and the subsequent increase in computer misuse has led to the need for methods of detecting the where, when and who
- Detecting misuse has to be accurate and based on a defined set of principles for the collection and evaluation of evidence

11 Computer Forensics Issues
- Individuals must be qualified and experienced
- Risk of destroying data during investigations
- Not finding appropriate evidence

12 Digital Evidence
- The shift from creating documents on physical paper to computer files has led to new types of investigations being undertaken on digital equipment
- Digital evidence can be defined as any data stored, transmitted or processed using computer-related technology that supports a theory about how an offence occurred

13 Digital Evidence
- Computer-related crime has led to digital evidence becoming a new type of evidence, used in conjunction with paper-trail evidence
- Data stored or transmitted using computer technology that can be used to support how an offence happened
- Has influenced how law enforcement agencies and courts handle computer-related evidence
- More countries are updating their evidence laws so that courts can deal with computer-generated evidence

14 Digital Evidence - Challenges
- Fragile and easily deleted
- Susceptible to alteration
- Stored in different places
- Technical development
- Not to be solely relied on; traditional methods are still applicable, e.g. Internet café CCTV

15 Legal Considerations for Forensics
- Admissible: It must conform to certain legal rules before it can be put before a court.
- Authentic: It must be possible to positively tie evidentiary material to the incident.
- Complete: It must tell the whole story and not just a particular perspective.
- Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt about its authenticity and veracity.
- Believable: It must be readily believable and understandable by a court.
See RFC 3227 for more information.

16 Computer Forensics - Examples
- Hardware analysis
- Software analysis
- Software on the suspect's computer
- Identification of relevant digital information
- Hidden file investigation
- Deleted file recovery
- Decrypting encrypted files
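The "deleted file recovery" item above is the one most easily shown in code. When a file is deleted, most filesystems only drop the directory entry; the data blocks stay on disk until reused, so an examiner can scan a raw image for known file headers and footers (file carving). The following is an added illustration, not code from the presentation or from any forensic product: a minimal signature-based carver run over a constructed byte string that stands in for a disk image. The header/footer byte sequences for JPEG, PNG and PDF are the real magic numbers; the sample image, the file contents and the function names are assumptions made for the example.

```python
"""Signature-based file carving over a raw image (added example, hypothetical code)."""
import hashlib

# Real header/footer magic numbers; the carver treats the image as unstructured bytes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return (offset, extension, data) for every header..footer span found.

    A header with no footer within max_size bytes is skipped rather than
    guessed at, so the examiner is not handed a truncated artefact as if
    it were complete.
    """
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            f = image.find(footer, h + len(header), h + max_size)
            if f < 0:
                start = h + 1  # no footer in range: move past this header
                continue
            end = f + len(footer)
            found.append((h, ext, image[h:end]))
            start = end
    found.sort()  # order by offset so the report reads like the disk
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image: a JPEG whose directory entry was
    deleted but whose blocks survive, some slack, and an intact PNG."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF fake body " * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR fake chunk data" + b"IEND\xaeB`\x82"
    return filler + jpeg + filler + b"garbage" + png + filler


def carve_report(image: bytes):
    """Offset, type, size and SHA-256 of each carved object; the hash is what
    goes into the examiner's notes so the artefact can be tied to the image."""
    return [
        (off, ext, len(data), hashlib.sha256(data).hexdigest())
        for off, ext, data in carve(image)
    ]


if __name__ == "__main__":
    for off, ext, size, digest in carve_report(build_sample_image()):
        print(f"offset={off:<6} type={ext} size={size:<5} sha256={digest}")
```

Real carvers (Scalpel, PhotoRec and the like) add per-format size fields and sanity checks, but the principle is the same: recovery works only because deletion leaves the data in place, which is also why the "fragile and easily deleted" challenge on slide 14 cuts both ways for the investigator.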

17 Computer Forensics - Examples
- File analysis
- Authorship analysis
- Data integrity
- IP tracing
- Email analysis
- Financial transaction tracing
- Real-time traffic data collection
- Monitoring

18 Procedural Law Sample
- Law enforcement require procedures to assist them in identifying offenders and collecting evidence
- Article 16 of the Cybercrime Convention allows LEAs to order preservation of traffic and content data
- Article 18 imposes an obligation to transfer data, which can constitute any data relevant for the investigation
- Article 18 also provides an obligation to submit subscriber information

19 Procedural Law Sample
- Search and seizure is covered by Article 19
- Includes data-related searches and copying data from servers
- Note that measures for maintaining the integrity of data are critical: if integrity cannot be shown, the data may not be accepted as evidence
- Real-time traffic data collection: Article 20
- Interception of content data: Article 21
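Both the "Reliable" criterion on slide 15 and the integrity note on this slide come down to the same practical question: can the examiner show that what is presented in court is what was seized, and who handled it in between? The usual answer is a cryptographic hash taken at acquisition plus a chain-of-custody log. The block below is an added example written for this page, not code from the presentation or from any forensic tool; the evidence bytes, the examiner names and the timestamps are constructed, and the record layout is an assumption. Each log entry is hashed together with the previous entry's hash, so editing or reordering an entry is detectable.

```python
"""Evidence integrity and chain of custody (added example, hypothetical code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    """One evidence item: the hash taken at acquisition and an append-only log."""
    item_id: str
    acquired_hash: str
    log: list = field(default_factory=list)

    def add_entry(self, actor: str, action: str, when: str) -> None:
        # Chain each entry to its predecessor (or to the acquisition hash for
        # the first entry) so that tampering with an earlier entry breaks every
        # later one.
        prev = self.log[-1]["entry_hash"] if self.log else self.acquired_hash
        entry = {"actor": actor, "action": action, "when": when, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)

    def log_is_intact(self) -> bool:
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = self.acquired_hash
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev"] != prev or expected != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(item_id: str, image: bytes, examiner: str, when: str) -> CustodyRecord:
    """Hash the forensic image at acquisition and open its custody log."""
    rec = CustodyRecord(item_id, sha256_hex(image))
    rec.add_entry(examiner, "acquired forensic image; sha256 recorded", when)
    return rec


def verify_image(rec: CustodyRecord, image: bytes) -> bool:
    """Re-hash the image (e.g. before analysis or presentation) and compare."""
    return hmac.compare_digest(rec.acquired_hash, sha256_hex(image))


if __name__ == "__main__":
    # Constructed evidence and handling history.
    image = b"constructed disk image bytes"
    rec = acquire("EX-001", image, "Examiner A", "2024-01-01T10:00:00Z")
    rec.add_entry("Examiner B", "opened image read-only for keyword search", "2024-01-02T09:30:00Z")
    print("image matches acquisition hash:", verify_image(rec, image))
    print("custody log intact:", rec.log_is_intact())
```

The hash alone shows the bytes are unchanged; the log shows who touched them and when. Note that a chain like this does not by itself detect deletion of the most recent entries, which is why examiners also record the latest hash in a separate, signed or physically controlled place.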

20 Lawful Interception
- Advancement of technology has also called for law enforcement agencies to be able to curb criminal and terrorist activities
- Lawful Interception legislation allows law enforcement agencies to access communications records to combat crime

21 Technology and Law Combating Crime
What is intercepted under lawful interception? Lawful interception involves intercepting communications data, which embraces the "who", "when" and "where" of a communications transmission but not its content. Communications data can be broken down into the following categories:
- Traffic data: information that identifies who the subscriber contacted, their location and that of the person they contacted, and the time the contact was made.
- Service data: identifies the services used by the subscriber and how long they were used.
- Subscriber data: identifies the user of the service: their name, address and telephone number.

22 Technology and Law Combating Crime
Interception of communications can take place in a number of ways:
- Pen trap: a pen trap device records only the numbers of incoming and outgoing telephone calls. It can also be used to collect and record "to" and "from" header information from the target's email.
- Wire tap: the installation of a transmitting device on a telephone line for the purpose of intercepting, and usually recording, telephone conversations and telephonic communications.
- Location tracker: using devices to identify, through the telecommunication system, the location of an individual.

23 Lawful Interception Model
Source of diagram: www.etsi.org, Telecommunications Security; Lawful Interception (LI); Concepts of Interception in a Generic Network Architecture.

24 Lawful Interception Model Explained
1) A LEA requests lawful authorisation from an authorisation authority, which may be a court of law.
2) The authorisation authority issues a lawful authorisation to the LEA.
3) The LEA passes the lawful authorisation to the communications provider. The communications provider determines the relevant target identities from the information given in the lawful authorisation.
4) The communications provider causes interception facilities to be applied to the relevant target identities.
5) The communications provider informs the LEA that the lawful authorisation has been received and acted upon. Information may be passed relating to the target identities and the target identification.
6) Intercept Related Information (IRI) and Content of Communication (CC) are passed from the target identity to the communications provider.
7) IRI and CC are passed from the communications provider to the Law Enforcement Monitoring Facility (LEMF) of the LEA.
8) Either on request from the LEA or when the period of authority of the lawful authorisation has concluded, the communications provider ceases the interception arrangements.
9) The communications provider announces this cessation to the LEA.

25 End Of Session
