Cybercrime investigation: Where geek meets gumshoe
- By Matt Leonard
- May 25, 2017
Agencies that have fallen victim to cybercrimes should take care with their evidence collection. According to a new publication from the Cybercrime Investigation Body of Knowledge, investigations must follow certain standards and procedures if they are to be effective.
CIBOK is designed to give law enforcement organizations and enterprises the knowledge, skills and behaviors required to solve or prevent today’s complex and sophisticated cybercrimes.
Investigations should have several phases, starting with broad-based “triage-based evidence collection.” Artifacts uncovered from one phase should be used to inform the next.
“It can be helpful to think of this process in terms of a funnel where the top of the funnel represents the easiest data to collect,” the report said. “As the funnel narrows, more effort is required to both collect and analyze the data.”
Automated collection tools can be programmed to watch for indications of network intrusion and send alerts when they are found, and alert-based logging of metadata could prove useful when investigating an attack.
After a cybercrime, investigators must look through anti-virus logs, monitoring logs, the operating system, file system listings and other locations within the network and endpoints. Enterprise applications such as EnCase, AccessData and F-Response can be used for this process, CIBOK said.
Once a sweep has identified artifacts that warrant further analysis, investigators should consider using a metadata- or content-oriented acquisition method to collect them. Native operating system or third-party tools can facilitate this. Windows and Linux, for example, allow users to search network configurations and connections, and tools like PowerShell gather data in a central location to be analyzed. Third-party tools like nmap, TCPView and Wireshark can provide added insight into a user's network.
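As an added illustration of the PowerShell collection step described above (example code written for this article, not from the CIBOK report or any of the named vendors), the following script gathers a host's network configuration, live TCP connections and DNS cache into one timestamped case folder and writes a SHA-256 manifest so the artifacts can later be shown to be unaltered. It assumes Windows 8/Server 2012 or later (for the NetTCPIP and DnsClient modules); the output root `C:\Triage` is a placeholder.

```powershell
# Added example: triage-phase collection of network state into a central
# location, with an integrity manifest. Not code from the CIBOK report.
# Assumes Windows 8 / Server 2012 or later; $OutputRoot is a placeholder.
param(
    [string]$OutputRoot = 'C:\Triage'   # placeholder central location
)

$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir = Join-Path $OutputRoot ("{0}_{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Top of the funnel: the cheapest data to collect is the current configuration.
Get-NetIPConfiguration -Detailed |
    Out-File -FilePath (Join-Path $caseDir 'ipconfig.txt')

# Live TCP connections joined to the owning process name, so an analyst can
# see which program holds each remote connection without a second lookup.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        OwningProcess,
        @{ Name = 'ProcessName'; Expression = { $procs[[int]$_.OwningProcess] } } |
    Export-Csv -Path (Join-Path $caseDir 'tcp_connections.csv') -NoTypeInformation

# Recently resolved names are metadata that is lost quickly; capture them now.
Get-DnsClientCache |
    Export-Csv -Path (Join-Path $caseDir 'dns_cache.csv') -NoTypeInformation

# Integrity manifest: hash every collected file and record who collected it
# and when. The manifest itself is written last so it is not self-referential.
$manifest = Get-ChildItem -Path $caseDir -File |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Collected = (Get-Date).ToString('o')
            Collector = "$env:USERDOMAIN\$env:USERNAME"
        }
    }
$manifest | Export-Csv -Path (Join-Path $caseDir 'manifest.csv') -NoTypeInformation
Write-Host "Triage artifacts written to $caseDir"
```

Run it from an elevated PowerShell session so `Get-NetTCPConnection` can report the owning process for every connection; rehashing the files against `manifest.csv` later verifies that the evidence has not changed since collection.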
Besides describing cybercrime and investigative tools, CIBOK also covers the scope of investigations, sources of evidence, methods of evidence collection and analysis, information sharing and management frameworks.
The 300+ page report "provides legal, judicial, technical and practical organizational development guidance" for cybercrime investigations, a spokesperson told GCN in an email. CIBOK describes the needs, background and requirements for security researchers to assist law enforcement, and for corporate risk managers to investigate cybercrimes.
More information is available here.
Matt Leonard is a former reporter for GCN.