Cybercrime Investigation Guide
Before jumping into the "investigation" part, let's go back to the basics: a digital
crime or cybercrime is a crime that involves the usage of a computer, phone or
any other digital device connected to a network.
These electronic devices can be used for two things: perform the cybercrime
(that is, launch a cyber attack), or act as the victim, by receiving the attack from
other malicious sources.
For example, in the U.S. and depending on the case, a cybercrime can be
investigated by the FBI, U.S. Secret Service, Internet Crime Complaint Center,
U.S. Postal Inspection Service or the Federal Trade Commission.
In other countries such as Spain, the national police and the civil guard take care
of the entire process, no matter what type of cybercrime is being investigated.
This also changes from one country to another, but in general, this type of
agency usually investigates cybercrime directly related to the agency.
For example, an intelligence agency should be in charge of investigating
cybercrimes that have some connection to their organization, such as against its
networks, employees or data; or have been performed by intelligence actors.
In the U.S., another good example is the military, which runs its own cybercrime
investigations by using trained internal staff instead of relying on federal
agencies.
Private security agencies are also important in the fight against cybercrime,
especially during the investigation process. While governments and national
agencies run their own networks, servers and applications, they make up only a
small fraction of the immense infrastructure and code kept running by private
companies, projects, organizations and individuals around the world.
With this in mind, it's no surprise that private cybersecurity experts, research
companies and blue teams play a critical role when it comes to preventing,
monitoring, mitigating and investigating any type of cybersecurity crime against
networks, systems or data running on 3rd party private data centers, networks,
servers or simple home-based computers.
There are thousands of tools for each type of cybercrime, therefore, this isn't
intended to be a comprehensive list, but a quick look at some of the best
resources available for performing forensic activity.
SIFT Workstation
SIFT is a forensic tool collection created to help incident response teams and
forensic researchers examine digital forensic data on several systems.
It supports different types of file systems such as FAT 12/16/32 as well as NTFS,
HFS+, EXT2/3/4, UFS1/2v, vmdk, swap, RAM data and RAW data.
When it comes to evidence image support, it works perfectly with single raw
image files, AFF (Advanced Forensic Format), EWF (Expert Witness Format,
EnCase), AFM (AFF with external metadata), and many others.
Other important features include: Ubuntu LTS 16.04 64 bit base system, latest
forensic tools, cross compatibility between Linux and Microsoft Windows, option
to install as a stand-alone system, and vast documentation to answer all your
forensic needs.
The Sleuth Kit
Written by Brian Carrier and known as TSK, The Sleuth Kit is an open source
collection of Unix- and Windows-based forensic tools that helps researchers
analyze disk images and recover files from those devices.
Its features include full parsing support for different file systems such as
FAT/ExFAT, NTFS, Ext2/3/4, UFS 1/2, HFS, ISO 9660 and YAFFS2, which allows it
to analyze almost any kind of image or disk from Windows-, Linux- and
Unix-based operating systems.
Available from the command line or used as a library, The Sleuth Kit is the
perfect ally for any person interested in data recovery from file systems and raw-
based disk images.
X-Ways Forensics
This software is one of the most complete forensic suites for Windows-based
operating systems. It's widely supported for almost any version of Windows,
making it one of the best in this particular market and letting you easily work with
versions such as Windows XP/2003/Vista/2008/7/8/8.1/2012/10*, supporting both
32 Bit/64 Bit. One of its coolest features is the fact that it's fully portable, making
it possible to run it from a memory stick and easily take it from one computer to
another.
Its main features include: ability to perform disk cloning and imaging, read
partitions from raw image files, HDDS, RAID arrays, LVM2 and much more.
CAINE
It works from the live CD, and can help you extract data created on multiple
operating systems such as Linux, Unix and Windows.
It includes popular digital crime investigation apps such as The Sleuth Kit,
Autopsy, Wireshark, PhotoRec, Tinfoleak and many others.
PALADIN
The PALADIN Toolbox helps streamline numerous forensic tasks, truly offering
“forensic tools galore”—over 30+ categories with over 100 tools, including The
Sleuth Kit and Autopsy. This veritable forensic lab on a disk is available in both
64- and 32-bit versions, making it one of the most popular suites of its kind. Used
by law enforcement, military, federal, state and corporate agencies, PALADIN is
the perfect ally for any computer crime investigator.
ProDiscover Forensic
This tool is one of the best multi-platform forensic applications used by security
researchers and forensic professionals to browse all the critical data in a single
place.
Oxygen Forensic Detective
With Oxygen Forensic Detective you can easily extract data from multiple mobile
devices, drones and computer OS, including: grabbing passwords from
encrypted OS backups, bypassing screen lock on Android, getting critical call
data, extracting flight data from drones, and user information from Linux, MacOS
and Windows computers. It also supports IoT device data extraction.
Open Computer Forensics Architecture
It has been integrated into or is part of the core of many other popular cybercrime
investigation tools such as The Sleuth Kit, Scalpel, PhotoRec and others.
While the official project was discontinued some time ago, this tool is still
being used as one of the top forensic solutions by agencies from all over the
world. Many other related projects still work with the OCFA code base; those
can be found at the official project website on SourceForge.
Bulk Extractor
Bulk Extractor is one of the most popular apps used for extracting critical
information from digital evidence data.
It works by extracting features like URLs, email addresses, credit card numbers
and much more from ISO disk images and directories or simply files—including
images, videos, office-based and compressed files.
It's a tool that serves not only for data extraction, but for analysis and collection
as well. And one of its best attributes is its wide support for almost any OS
platform, including Linux, Unix, Mac and Windows, all without problem.
ExifTool
ExifTool supports extracting EXIF metadata from images and videos (both common
and format-specific metadata) such as GPS coordinates, thumbnail images, file
type, permissions, file size, camera type, etc.
It also allows you to save the results in a text-based format or plain HTML.
SurfaceBrowser™
SurfaceBrowser™ is your perfect ally for detecting the full online infrastructure of
any company, and getting valuable intelligence data from DNS records, domain
names and their historical WHOIS records, exposed subdomains, SSL
certificates data and more.
3. Collection. Data is transferred from a company to legal counsel. The legal counsel
   determines the data's relevance.
4. Processing. Files are loaded into a review platform. Data is usually converted into
   a PDF (Portable Document Format) or TIFF (Tag Image File Format) for court.
5. Review. The review process assesses documents for privilege and responsiveness
   to discovery requests.
(Chart: the 6 steps in the e-discovery process.)
Legal issues with e-discovery
E-discovery is an evolving field that goes far beyond just technology. It gives rise to
many legal, constitutional, political, security and personal data privacy issues, many
of which have yet to be resolved. For example, the timeline for e-discovery is
relatively short, and parties can face penalties if they fail to meet deadlines to provide
ESI.
In the past, data has also been leaked unintentionally due to the e-discovery process.
In 2017, an attorney for Wells Fargo accidently sent opposing counsel confidential
information about the bank's clientele. The information included customer names,
Social Security numbers and financial details.
Two other issues with e-discovery include collection of new data types and reduction
of cost. The cost of e-discovery is directly related to how much data needs to be
collected and retained. As more and new types of data are collected, more money
needs to be spent on storage, information technology and management. The review
phase is also typically expensive, as individual documents need to be reviewed for
relevance and privilege. The lawyers and managers who make up in-house counsel
and are typically in charge of costs are pressured to reduce costs where possible,
including in data management. This may lead to further complications and fines if an
organization cannot properly manage all its collected data.
Technology-assisted review and predictive coding are other trends that use supervised
machine learning and rules-based approaches in order to find relevance,
responsiveness and privileges of ESI.
E-discovery firms also do not analyze the data they collect, nor do they determine the
intent of a user or provide legal advice, as forensic experts do. Rather, e-discovery
gathers and organizes information for others to view.
In the early 80s PCs became more popular and easily accessible to the general
population; this also led to the increased use of computers in all fields, and criminal
activities were no exception. As more and more computer-related crimes began to
surface, such as computer fraud and software cracking, the computer forensics discipline
emerged along with them. Today digital evidence collection is used in the investigation
of a wide variety of crimes such as fraud, espionage and cyberstalking. The knowledge of
forensic experts and their techniques is used to explain the contemporaneous state of the
digital artifacts from the seized evidence, such as computer systems, storage devices
(SSDs, hard disks, CD-ROMs, USB flash drives, etc.) or electronic documents such as
emails, images, documents, chat logs and phone logs.
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:
- Data collection: In this process data is identified and collected for investigation.
- Examination: In the second step the collected data is examined carefully.
- Analysis: In this process, different tools and techniques are used and the collected
  evidence is analyzed to reach some conclusion.
- Reporting: In this final step all the documentation and reports are compiled so that
  they can be submitted in court.
Types of Collectible Data:
The computer investigators and experts who examine the seized devices have to
understand what kinds of potential evidence could be present and what type of
evidence they are looking for, so that they can structure their search pattern.
Crimes and criminal activities that involve computers range across a wide spectrum:
from trading illegal goods such as rare and endangered animals, to damaging
intellectual property, to personal data theft, etc.
The investigator must pick the suitable tools to use during the analysis. Investigators
can encounter several problems while investigating a case: files may have been deleted
from the computer, they could be damaged, or they may even be encrypted. So the
investigator should be familiar with a variety of tools and methods, and also with
software that prevents the data from being damaged during the recovery process.
There are two types of data that can be collected in a computer forensics investigation:
- Persistent data: data that is stored on non-volatile storage such as a local hard
  drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on
  these devices is preserved even when the computer is turned off.
- Volatile data: data that is stored in volatile memory such as registers, cache and
  RAM, or that exists in transit, and that will be lost once the computer is turned off
  or loses power. Since volatile data is evanescent, it is crucial that an investigator
  knows how to reliably capture it.
Types of Evidence:
Collecting evidence is really important in any investigation to support the claims in
court. Below are some major types of evidence.
- Real Evidence: physical or tangible evidence such as flash drives, hard drives,
  documents, etc. An eyewitness can also be considered a piece of tangible evidence.
- Hearsay Evidence: out-of-court statements that are presented in court to prove the
  truth of the matter asserted.
- Original Evidence: evidence of a statement made by a person who is not a testifying
  witness; it is offered to prove that the statement was made rather than to prove its
  truth.
- Testimony: a witness takes an oath in a court of law and gives their statement in
  court. The evidence presented should be authentic, accurate, reliable and admissible,
  as it can be challenged in court.
Challenges Faced During Digital Evidence Collection:
- Evidence should be handled with utmost care, as data is stored in electronic media
  and it can get damaged easily.
- Collecting data from volatile storage.
- Recovering lost data.
- Ensuring the integrity of collected data.
Recovering information from devices as digital evidence in an investigation is becoming
the fundamental ground for law enforcement and courts all around the world. The methods
used to extract information and evidence should be robust, to ensure that all the
related information and data is recovered and is reliable. The methods must also be
legally defensible, to ensure that the original evidence and data have not been altered
in any way and that no data was deleted from or added to the original evidence.
EVIDENCE PRESERVATION
E-MAIL INVESTIGATION
Fake Emails
The biggest challenge in email forensics is the use of fake e-mails that are created by
manipulating and scripting headers, etc. In this category criminals also use temporary
email, a service that allows a registered user to receive email at a temporary address
that expires after a certain time period.
Spoofing
Another challenge in email forensics is spoofing, in which criminals present an email
as someone else's. In this case the receiving machine will see both the fake and the
original IP address.
Anonymous Re-emailing
Here, the email server strips identifying information from the email message before
forwarding it further. This leads to another big challenge for email investigations.
- Header Analysis
- Server investigation
- Network Device Investigation
- Sender Mailer Fingerprints
- Software Embedded Identifiers
In the following sections, we are going to learn how to fetch information using Python for
the purpose of email investigation.
Extraction of Information from EML files
EML files are basically emails in file format which are widely used for storing email
messages. They are structured text files that are compatible across multiple email
clients such as Microsoft Outlook, Outlook Express, and Windows Live Mail.
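The following Python script is an added example, not code from the original page: it parses an EML file, reconstructs the Received chain, pulls the sender mailer fingerprint (X-Mailer) and runs the basic header-consistency checks used to spot the spoofing described above. The sample message is constructed for the example, and the checks are leads to verify, not a definitive spoofing test.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample EML (not from any real mailbox): the display From claims
# bank.example.com, but Return-Path, Message-ID and the oldest hop do not.
SAMPLE_EML = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbound.example.com with ESMTP id abc123;
\tTue, 5 Mar 2024 10:15:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id def456;
\tTue, 5 Mar 2024 10:14:58 +0000
From: "Accounts Payable" <ap@bank.example.com>
To: victim@example.com
Subject: Invoice overdue
Date: Tue, 5 Mar 2024 10:14:50 +0000
Message-ID: <20240305101450.1234@relay.example.net>
X-Mailer: BulkSender 2.1

Please see the attached invoice.
"""

# "from <host> (<info>) by <host>" is the usual shape of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)",
                         re.IGNORECASE | re.DOTALL)


def parse_eml(raw: bytes):
    """Parse raw EML bytes with the RFC 5322 aware default policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""  # '' if none


def received_chain(msg):
    """Received hops oldest-first: each MTA prepends its own header, so file
    order is newest-first and reversing it reconstructs the transit path."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2),
                         "by": m.group(3)})
    return list(reversed(hops))


def summarize(msg) -> dict:
    """Header fields an email investigation looks at first."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    date = msg.get("Date")
    return {
        "from": from_addr,
        "return_path": return_path,
        "subject": str(msg.get("Subject", "")),
        "date": parsedate_to_datetime(str(date)) if date else None,
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "x_mailer": str(msg.get("X-Mailer", "")),  # sender mailer fingerprint
        "hops": received_chain(msg),
    }


def same_org(d: str, base: str) -> bool:
    """True when d is base itself or a subdomain of it."""
    return d == base or d.endswith("." + base)


def spoofing_indicators(summary: dict) -> list:
    """Header consistency checks; a hit is a lead to verify, not proof."""
    findings = []
    fd = domain_of(summary["from"])
    rp = domain_of(summary["return_path"])
    if rp and fd and not same_org(rp, fd):
        findings.append(f"Return-Path domain {rp} differs from From domain {fd}")
    md = domain_of(summary["message_id"].strip("<>"))
    if md and fd and not same_org(md, fd):
        findings.append(f"Message-ID domain {md} differs from From domain {fd}")
    if summary["hops"] and fd:
        origin = summary["hops"][0]["from"].lower()
        if not same_org(origin, fd):
            findings.append(f"oldest Received hop {origin} is outside {fd}")
    return findings


if __name__ == "__main__":
    report = summarize(parse_eml(SAMPLE_EML))
    print(report["from"], "<- bounces to", report["return_path"])
    for hop in report["hops"]:
        print(f"hop: {hop['from']} ({hop['from_info']}) -> {hop['by']}")
    for finding in spoofing_indicators(report):
        print("indicator:", finding)
```

To run it against a real file, replace SAMPLE_EML with the bytes read from the .eml evidence file; legitimate bulk senders also use separate bounce domains, so treat each indicator as a question for the investigation rather than an answer.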
Imagine that you have been invited to give a lecture at a professional conference. But the
audience was behind the curtain. In such a situation, it is impossible to assess the
audience’s reaction.
The situation is similar with email. If you keep sending out emails and not seeing a
response from your subscribers, you’re not going to get anywhere.
Conversions may still happen, but using email tracking tools can be a much more
effective marketing process. You can see how customers respond to your emails using the
tools and services of your email service provider.
This will allow you to adjust your marketing strategy, increase the number of potential
customers, and create a stable and growing trend of exchanging orders through this
channel.
It’s important to understand that your email list is more than just a string of letters and
numbers. Some potential customers can make money for your business.
If they care about your product or service, you just have to inspire them more. If you
open the email tracking feature in your email, you can see what percentage of your email
subscribers are responding positively to your content.
For example, if only 5% of people open your email, you need to change your email
marketing strategy and maybe the content you put in your messages (the content should
be authentic and engaging).
It is important to pay attention to the key useful tools that can improve your email and the
speed of mail delivery.
You can see how many users opened an email, when exactly they opened it, and how
their interaction changes with subsequent emails they receive from you.
The email tracking process allows you to create effective marketing templates that can be
used consistently to achieve specific business goals.
Marketers and entrepreneurs can send 3-5 welcome emails to new subscribers and see
which emails they respond to and which emails are opened the most.
This information can be used to improve your marketing strategy. Key benefits of
email tracking include:
- Track key metrics. This will allow you to see how loyal your subscribers are to
  your emails. If you use this information correctly, you will be able to work with
  your marketing channel much more effectively;
- A complete history of customer relations. For certain emails, you can monitor
  changes in user behavior in relation to the marketing technique employed;
- Modern email tracking software saves time. Thanks to observation, you can
  determine the best marketing business model and use it constantly to improve
  the results of business activity;
- Space for experiments. You can try different ways to spread the word about
  promotions, new product offers, or price reductions.
The essence of the email tracking process is the use of visitor identification tools.
They are embedded in the text of the message and record important information.
Most popular messaging platforms use this method. You can enable open tracking in
the settings of the Gmail and Outlook mail services.
In addition to regular e-mails, analysis of mail services, and tracking tools, there is the
possibility of using Google Analytics and similar solutions.
This allows you to track clicks on links that are present in e-mails, in the text of the e-
mail.
All modern tracking technologies have their own complex advantages and disadvantages,
so you need to choose the right solution for you.
You don’t need to contact the analytics service to check whether the recipient opened the
email or not. For almost any email, the basics are enough to give you email tracking
options.
If marketers and business owners don’t know what percentage of their subscribers are
using email, time is wasted. It should be noted that reading the email is important given
the current level of spam and other marketing emails.
Open tracking can be done via email, but it’s not an ideal solution for mass email
marketing. Professional email open-tracking software is recommended for such tasks.
There are other metrics to track. Focusing on just one metric doesn’t give you the full
picture of how effective your marketing channel is. Clicks are tracked with a special tag
attached to the URL.
If you have 5–10 links in your email, you can see which links your customers click on the
most and adjust your email accordingly to make your marketing strategy work
effectively.
Even if the email contains no products or offers, it still contains more than one URL. It
can be a review of transactions, an unsubscribe from a newsletter, or something else.
Activity monitoring
Activity tracking refers to additional activities that allow you to receive additional signals
about the behavior of potential customers. This information can help you improve your
email marketing strategy.
For example, analytics systems can determine which devices are most often used to send
emails to customers. Since 95% of people use smartphones, it makes sense to focus on
mobile devices.
Today’s email-tracking services are constantly improving their key technical capabilities
and providing users with more email-tracking tools. Your mail delivery will be more
efficient.
Some trackers can monitor downloads and send notifications when subscribers perform
certain actions.
Most analytics services do their work reliably, but it should be taken into account
that the reports may contain errors. The size of the possible error depends on how
correctly the tracking technology is implemented.
The error is also affected by the percentage of users who have third-party tracking
blocked. Click tracking is reliable, but other metrics get tricky.
IP TRACKING
What is an IP address?
First things first, we need to understand what an IP address actually is, or how will we
know how to track it?
IP stands for internet protocol, which is basically a set of rules that dictates how data is
sent across the internet. This might sound complicated, but honestly, it’s just a posh
way of explaining how different devices (like your computer or mine) communicate.
To be able to communicate, the internet will identify the IP address of your device. Your
IP address is the number assigned to your piece of hardware that allows other devices
to identify it. This works the same whether you’re using a laptop, mobile or tablet.
Websites also have IP addresses. This means that when you’re visiting a website, your
device will exchange its own IP address with that of the site to ensure data can be sent
and received between the two. It’s just the same as when you’re making a phone call or
sending an email, you need to have the necessary data in place for it to work.
But don’t worry, there’s nothing you need to do or set up. All devices that use the
internet are already programmed to follow internet protocol so they know how to engage
with each other. This keeps the internet functioning the way we need it to. Clever.
This is also what makes IP tracking possible. Since IP addresses are fully accessible in
order to facilitate communication between devices, tracking tools can gather the
information they need to analyse and record future movements. In other words, identify
who you are as a visitor and recognise you as you move through your journey on a
website.
For the best results we recommend using a strong tracking tool (like CANDDi, of
course) that can record, extract and analyse IP address data.
Identifying IP Addresses
Recording is usually done through a JavaScript code that attaches onto the website’s IP
address. In doing so, the tracking tool can learn relevant information for website
analytics, as well as gathering the IP address data.
Extracting data
The next step is putting this recorded data to good use. Once the tracking tool has
identified and recorded the IP address of the website, it’s ready to start extracting and
analysing valuable, actionable data. Obviously, the validity of the data gained from a
tracking tool depends on their capabilities. If you’re using an advanced tool like
CANDDi, you’ll be able to monitor location, company name, individual visitor
information, key contact details and other firmographic information.
How? Well IP tracking tools tend to draw on information from various public databases.
This is something us techies like to call IP lookup.
IP lookup is a process that runs a reverse DNS lookup to find information related to the
IP address in question. DNS stands for Domain Name System, a system that essentially
translates domain names into IP addresses so internet browsers can load the relevant
resources. A reverse DNS does the opposite. It extracts the domain name or hostname
from an IP address.
So, how does this provide the tracking information? When a company registers a new
domain name, they have to provide the registrar with their contact details. This includes
business name, location, phone number, etc. This allows IP tracking tools to pull more
information on each IP address as it scours the internet’s databases. Since all domain
registrars have to maintain the information of their registrants, you’ll always be able to
figure out their domain name, their company, and their contact info! (as long as you
have their IP address).
Cookies
So, you’ve now managed to figure out what an IP address is, how they can be tracked,
and what information you can get out of it. But what if you’re not ready for your tracking
to end there? If that’s the case, you need a tracking tool like CANDDi, that also uses
cookies.
If your IP tracking tool uses cookies, which are little nuggets of data that can store
information on your website behavior for a better user experience, then they’ll also be
able to link a website visitor’s browsing history to other data about you. This doesn’t
mean they’ll find out your dog’s name or what you had for dinner, but cookie tracking
does mean they recognise if you’re visiting a website for the first time or if you’re
returning for the fourth, fifth or hundredth time, as well as which specific pages you
visited.
E MAIL RECOVERY
But, the hard-deleted emails or Shift + Delete emails will not remain in the trash folder,
instead, this will delete the data permanently. In such instances, it’s difficult to recover
emails from the trash folder.
Thus, the location of deleted emails solely depends on the way you deleted them.
However, the question here is, can you recover them? If yes, then how?
But in case you deleted your emails from the trash permanently, or 30 days have
passed since you deleted them, it's a matter of concern. Don't worry, though:
there is a professional email forensics tool available that can recover
deleted and permanently deleted emails effortlessly. Let's find out what this tool
is and how you can use it.
Sometimes, users who have accidentally deleted their important emails from the Gmail
application or any other email platform should know that their emails are not deleted
permanently. Instead, those emails are relocated to the trash folder or bin folder which
can be recovered easily.
But if the emails are permanently gone then the above-mentioned software comes to
the rescue.
This tool is specially designed to properly track emails and investigate email crimes.
And, recovering permanently deleted files is an integral part of the tool. That’s why, we
recommend you use MailXaminer software for the email recovery process in cyber
forensics.
The tool offers countless features to analyze emails. This email forensic tool supports
20+ email clients and 80+ email file types. In the next section, we will discuss how to
recover deleted or lost emails with the help of the most trusted tool for email
analysis/investigation.
To learn how to recover emails that have been lost or deleted, follow these steps using
the forensic tool. First, download and launch the software on your Desktop/Laptop. After
that, for forensic recovery of evidence, follow these simple steps:
Step-1. Create a new case to begin the investigation. For that, in the Cases screen
choose the option Create Case and fill in the required details related to the case.
Step-2. Now, add the evidential file into the software for scanning by clicking on
the Add New Evidence button.
Step-3. An Add Evidence window will then appear. Here, choose the email client.
Step-4. Then browse the evidence file using the Add File button and click Finish.
Step-5. After the file is scanned, go to the “Search” tab. Here, the software will preview
all the emails along with the deleted ones. The deleted emails will be highlighted in red
color through which users can easily find the deleted items.
Step-6. After adding the suspected file to the software, and identifying the deleted
emails, you can view the emails in different preview modes. Moreover, it allows
investigators to find precise information from the emails that helps in extracting the
evidence.
Step-7. Moreover, to view the deleted files separately, select the Deleted option from
the Standard Filters. It will show you all the recovered files separately.
Step-8. Further, if you want to save the data in your local system, select the emails and
click on the Export Selected Items option and choose the desired file format in which
you want to export the recovered lost emails.
Some Additional Features of the Tried and Tested Tool for Email Recovery
The software is proven to be one of the best tools in the market for email recovery in
cyber forensics. Here are some of the prime features of the tool.
As you can see, there are manual as well as automated methods available to recover
lost or deleted emails. However, the manual method can recover only soft-deleted
emails which are present in the trash folder. But for the recovery of hard deleted emails
(SHIFT+DELETE), trustworthy forensic email recovery software is the relevant option
for you.
So, if you are one of those who lost their emails permanently or belong to the digital
forensics domain, try the software now and experience a smooth process.
2. Encryption is the process which takes place at the sender's end. | Decryption is the process which takes place at the receiver's end.
3. Its major task is to convert the plain text into cipher text.    | Its main task is to convert the cipher text into plain text.
    The takeaway point is that individuals believe they can get away with copying files onto
    a device, such as a USB stick, having no idea that it could lead to a number of forensic
    professionals, backed with a court order, surprising you at your personal address to
    seize and capture data from all your household devices. Upon further court
    proceedings, the preserved data is then typically investigated to see if and how it has
    been used for any potential competitive advantage within the marketplace.
If you are a company employing a new member of staff from a competitor who has
potentially stolen data, you as the business could find yourself as the respondent of a
court order for unknowingly using stolen data. It's worth noting, however, that there
must be clear signs of data theft for a judge to approve the search order due to its
invasive process. Ultimately, it is the shock and awe of the search order experts which
stops the respondents from destroying incriminating data.
- CYFOR recently executed the search and seizure of over 200 exhibits, in a coordinated
  operation involving 7 investigators across 5 locations for the duration of one week.
  The forensically collected data was then processed and hosted for online review by
  the relevant parties.
- CYFOR were instructed for the search and seizure of digital evidence relating to 75
  custodians, as part of a £50M dispute between a local government body and a
  construction firm.
- CYFOR were instructed to attend a commercial and private property relating to a new
  business set up to compete with the individual's ex-employer. Later court proceedings
  demonstrated mass data theft.