

Digital Forensics Magazine (cover, issue 23)

Cover features: Honeynets, Bioinformatics, Focus on the SOC, Embracing eDiscovery. Criminal Journey Mapping: how to use cyber criminal journeys to support forensics investigation and response deployment.

Digital forensic investigators are dealing with large and growing volumes of evidence across an increasing number and variety of sources.

This has stretched traditional forensic tools and processes to capacity. All the while, budgets are tightening and backlogs increasing.

According to the 2014 State of Policing report from Sir Thomas Winsor, Her Majesty’s Chief Inspector of Constabulary [1], “although performing well in many respects, the police are falling behind the curve of rapidly changing criminality, policing the crimes of today with the methods of yesterday and insufficiently prepared for the crimes of the future.”

Looking at technology specifically, it says:

“forces need urgently to match their digital forensic capability to the reality of modern crime.” Technology is an integral part of policing today. However, many police forces’ ability to “gather and analyse digital evidence are underdeveloped”.

Forensic analysis simply takes too long.

“Officers told of significant delays in receiving evidence from digital devices,” the report says. “The absence of this evidence can cause unacceptable delays in investigations and prosecutions. This problem has an adverse effect on police officers’ ability to investigate the crimes that affect the public every day. It is not acceptable that evidential material that happens to be stored digitally cannot be made available to investigating officers for weeks, and sometimes months, after the crime.”

If I were a police chief or forensic investigator reading this, I’d be tempted to answer back, “That’s all very well, but you try policing the crimes of today with a smaller budget than I had a decade ago.” That reply carries even more weight in light of recent comments by the Chief Inspector of Constabulary that “police cuts are here to stay” [2].

While there’s little police forces can do about their budgets, there is a lot they can do about working more efficiently with the resources they have. For digital forensic capabilities to match the realities of modern crime, investigators must work smarter not harder.

/ Adapting To Meet Changing Demands

I have worked with quite a few investigative organisations that have streamlined their processes for handling digital evidence. Often this has required letting go of the ‘my way or the highway’ attitude and taking lessons from other disciplines. Specifically, investigators can learn a lot from the way legal teams handle electronic discovery, which typically involves even larger volumes of digital evidence than investigations.

/ ADVANCED FEATURE: Embracing eDiscovery

Paul Slater on meeting the demands of today’s digital investigations with the budget of 10 years ago.

Findings from the recently released report ‘eDiscovery in Digital Forensic Investigations’ [3], published by the United Kingdom Home Office, shed additional light on the benefits of this approach. The report details the results of a review into the use of eDiscovery software and workflows in the context of digital forensic investigation, conducted […] commercial eDiscovery applications, they determined that: “there are clear benefits to investigators if they can access the data relevant to their case faster and see all the relevant data in one common format rather than separate reports or platforms for data from different sources”.

“If the investigators can be enabled to conduct their own searching of digital information then the technical staff can also benefit through having more time available to focus on the technical issues which will continue to emerge as technology progresses”.

This is an approach my colleagues and I have been advocating for several years. We have seen the benefits of digital investigators embracing legal discovery workflows and technologies to complement their existing tools in criminal investigations first hand.

/ Lessons From eDiscovery

Case investigators, such as police detectives, often view digital evidence as a way of ‘joining the dots’ in a broader investigation. As a result, digital forensic investigators tend to examine evidence sources individually, often without knowing the broader details of the case.

They must make critical decisions about particular evidence sources and extract the information they believe is relevant from each device.

This lack of collaboration means non-technical investigators and subject matter experts must rely on an incomplete and subjective slice of the evidence.

Because cases often hinge on the connections between multiple evidence sources, the context of evidence as well as its content, investigators can lose sight of the bigger picture.

Similarly, legal teams often use a tiered review system, assigning junior staff to perform a ‘first cut’ review of the material to eliminate documents and evidence sources that are clearly not relevant. However, rather than allowing these reviewers to make arbitrary decisions, someone who has in-depth knowledge of the case would create a pre-defined set of guidelines for them to follow. This person may also review, validate or amend these decisions.

In this way, smaller and smaller volumes of more and more relevant material are passed up the chain. The highly knowledgeable, and usually highly paid, experts need only see the ‘hot’ documents, safe in the knowledge that someone has reviewed and classified all other material. This process is a very efficient way of classifying huge volumes of material into relevant or not relevant bundles. For it to work, legal teams must be able to:

• Divide up the available evidence into parcels for multiple people to review.

• Ensure each reviewer understands the ground rules for deciding what is relevant.

• Make the most relevant documents available for experts to analyse and examine.

This approach is not new, even in investigative circles. For example, in many complex criminal matters, rank-and-file detectives do the groundwork, such as identifying witnesses and evidence, before passing on their findings to senior officers and subject matter experts for review.

It is however rare for digital forensic investigators to follow this process when dealing with electronic evidence, often because traditional tools make it difficult to combine information from multiple sources and make it available to non-technical investigators or subject matter experts for review.

/ The ‘Investigative Lab’ Model for Collaboration

An investigative lab workflow can dramatically increase the volume and quality of digital evidence a team of investigators can analyse. This collaborative approach offers investigators a more efficient way of utilising available resources.

The investigative lab model couples the rigour of traditional digital investigation methodologies with a tiered review system similar to the way legal teams handle electronic discovery. The first stage of this process involves the investigative team assembling all available evidence, including forensic images, email and mobile phone communications, into a single location.

Conducting a light metadata scan of these sources then helps quickly establish which items are likely to be relevant.

Digital forensic investigators can then process these likely evidence sources in greater depth, following a set of previously agreed standards and settings. Over time, investigative organisations can build a series of best practices or case-specific workflows. By reducing operator-level decisions and inconsistencies around many time-consuming and error-prone tasks, investigative teams can deliver more consistent and repeatable outcomes.

They can quickly condense large evidence sets into smaller highly relevant items for expert review.

/ Collaboration & Review

To complete the task faster, investigative teams now divide up the digital evidence between many people. They may choose to divide the evidence by date ranges, custodians, location, language or content.

This eliminates the reliance on a single digital forensic specialist to examine each evidence source one by one, and means different types of evidence can be distributed to the people most qualified to understand it and its context. For example, in an inappropriate images investigation, detectives could package potentially relevant pictures and videos for specialist child protection teams, while leaving other file types for their digital forensic investigators. Or in a fraud case, investigators could pass on financial records to forensic accountants and Internet activity to technical specialists.

In multi-jurisdictional investigations, investigative teams can produce evidence or intelligence packages for other agencies to review, comment on and return.


/ Link Analysis

In network theory, link analysis is a data-analysis technique used to evaluate relationships (connections) between nodes. Relationships may be identified among various types of nodes (objects), including organizations, people and transactions. Link analysis has been used for investigation of criminal activity (fraud detection, counterterrorism, and intelligence), computer security analysis, search engine optimization, market research and medical research.

Source: Wikipedia

/ Digital evidence

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.

Source: Wikipedia


For some larger or national agencies it is not uncommon for investigators to spend days or weeks out of the office reviewing evidence.

Not only is this incredibly inefficient, it can also be incredibly costly.

So why isn’t the data brought to the reviewer, rather than the reviewer to the data? When it comes to eDiscovery, lawyers can access data 24 hours a day, anywhere in the world.

This is another area where law enforcement can take a lesson from eDiscovery to save valuable resources. This approach should become the rule and not the exception.

/ Intelligence & Analytics

Often, solving crimes requires finding the connections across multiple individuals, places, events and evidence sources. Human intuition has its place in the process, but much of the effort involves the time-consuming task of picking out and matching specific pieces of information from massive volumes of data. Computers, when applied judiciously, have a natural advantage in intelligence sharing, collaboration and data visualisation.

As digital evidence becomes larger and more complex, investigators’ greatest struggle is not a lack of information, but having too much to make sense of. One example of how technology can make this easier is by extracting, highlighting and cross-referencing intelligence items such as:

• Names

• Email addresses

• IP addresses

• Company names

• Credit card numbers

• Bank account numbers

• Identity numbers

• Amounts of money

Comparing and connecting this intelligence across all available evidence can rapidly reveal relationships between people, objects, locations and events.

Over time, investigators can build a library of intelligence that they can query across multiple cases.

/ Author Biography

Paul Slater has over 20 years’ experience in investigations, digital forensics and eDiscovery as a police officer and consultant. He has an MSc in Computer Forensics and started his career in forensic technology as a computer forensic investigator in the UK’s Greater Manchester Police. Slater has been a senior manager within PwC’s and Deloitte’s regional UK Forensic Technology teams and has served as interim head of the Digital Forensics Unit in the UK’s Serious Fraud Office. He was also a member of the review board for the 2012 update of the UK Association of Chief Police Officers’ Good Practice Guide for Digital Evidence.

Visually representing these large volumes of data can be a fast way to locate the key facts and connections within a case. It enables people, even with limited technical knowledge, to follow a hunch or idea down to very specific details in a matter of seconds.

Common analytical techniques include:

• Top types. Quickly understanding the makeup of data sets by showing the most common file types as bar or pie charts.

• Pivot. Analysing the relationship between any two elements in a data set including custodians, file extensions, file types, languages, named entities, tags and word lists.

• Date trending. Visualising the frequency of data over the entire case or any filtered subset, then drilling down to year, month or day views.

• Timeline. Reviewing the content of emails, documents, phone calls or other communications from multiple sources or custodians in the order they happened.

• Communication network. Showing the interactions between persons of interest with an interactive network diagram that shows the number of connections for each link.

• Link analysis. Understanding the connections between people and intelligence items such as credit card numbers, IP addresses, organisations and sums of money.

• Intersection. Rapidly understanding how key elements in the data overlap and pinpointing the critical intersections between multiple result sets and data types.

• Shingle and word lists. Rapidly understanding the key words and phrases, and their context, in the case.

Combining analytical techniques can help investigators progress from a bewildering array of information to highly relevant details very quickly. For example, you could filter an entire evidence set to just email messages within a relevant date range that contain credit card numbers.

If that still returns too many results, you could use other techniques such as suspect names or keyword searches to further filter the evidence. Now you can use a network diagram to see who is emailing credit card numbers to whom.

Link analysis uses technology to replace the manual process of finding connections between suspects and evidence sources. It automatically tallies and displays connections between people and named entities such as credit card or phone numbers. When applied across a compound case containing multiple case files, link analysis has proven particularly effective in finding connections between seemingly unrelated people and events.
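As an added illustration of the workflow the preceding paragraphs describe (extracting intelligence items, filtering an evidence set to emails in a date range that carry card numbers, then tallying who sent them to whom and which people each number links), here is a small Python example written for this page; it is not code from the article or from any product it alludes to. The email records, addresses and card numbers are constructed test values, and the Luhn check used to discard look-alike 16-digit numbers is my addition, not something the article prescribes.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample evidence set (not from the article), one normalised record per message.
EMAILS = [
    {"id": 1, "date": "2014-03-02", "from": "alice@example.test", "to": "bob@example.test",
     "body": "Use card 4111 1111 1111 1111 for the order, amount $2,450.00"},
    {"id": 2, "date": "2014-03-05", "from": "bob@example.test", "to": "carol@example.test",
     "body": "Forwarding: 4111 1111 1111 1111, login seen from 203.0.113.7"},
    {"id": 3, "date": "2014-03-09", "from": "alice@example.test", "to": "bob@example.test",
     "body": "Ref 1234 5678 9012 3456 is an order number, not a card"},
    {"id": 4, "date": "2013-11-20", "from": "dave@example.test", "to": "alice@example.test",
     "body": "Old message quoting card 5500 0000 0000 0004"},
]

# Patterns for two of the intelligence items the article lists; deliberately simple.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from other 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def extract_entities(text: str) -> dict:
    """Pull intelligence items out of one text; card hits must pass Luhn."""
    found = {kind: rx.findall(text) for kind, rx in PATTERNS.items()}
    cards = (re.sub(r"\D", "", c) for c in found["card"])
    found["card"] = [c for c in cards if luhn_ok(c)]
    return found

def filter_emails(emails, start: str, end: str, entity: str = "card"):
    """Keep only messages dated within [start, end] (ISO) that carry the entity type."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return [m for m in emails if lo <= date.fromisoformat(m["date"]) <= hi
            and extract_entities(m["body"])[entity]]

def link_tally(emails) -> Counter:
    """Communication network: how often each sender wrote to each recipient."""
    return Counter((m["from"], m["to"]) for m in emails)

def entity_links(emails, entity: str = "card") -> dict:
    """Link analysis: the set of people connected to each entity value."""
    links = {}
    for m in emails:
        for value in extract_entities(m["body"])[entity]:
            links.setdefault(value, set()).update((m["from"], m["to"]))
    return links
```

Running `filter_emails(EMAILS, "2014-03-01", "2014-03-31")` keeps only messages 1 and 2: message 3 falls in the date range but its 16-digit string fails the Luhn check, and message 4 is outside the range.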

A timeline view, traditionally used for email messages, is also useful for SMS messages, mobile device call logs, instant messages, Skype chats and social media messages.

In my experience, many people say things in instant messages that they would avoid in email. This may stem from the belief that these formats are not as rigorously logged as email. But from the investigator’s perspective, advanced technologies make these communication formats just as permanent and searchable as email.

/ What About Forensics?

Investigators and forensic technicians may be asking themselves, ‘But what about forensics, will any of this stand up in court?’

The techniques I have discussed do not eliminate the need for forensic analysis, particularly in the areas of provenance and authenticity. However, the volume of evidence in most cases makes it too time-consuming to conduct deep forensic analysis on every data source. As a result, in-depth forensic analysis must become the exception rather than the rule.

Budget issues are an inevitable part of law enforcement, and they make it especially hard to solve the issues the Chief Inspector of Constabulary identified in relation to the speed of digital forensic analysis. However, the recent Home Office findings about the benefits of using eDiscovery workflows in digital forensic investigation are part of the answer.

By re-examining how they handle, process and review digital evidence, how they utilise their human and technological resources within the investigative workflow, and maximising the value of information and intelligence within a case, law enforcement agencies can start to fight back and start to address the challenges of policing the digital crimes of today, even with the budget of 10 years ago. /

REFERENCES

1. Sir Thomas Winsor, Her Majesty’s Chief Inspector of Constabulary. State of policing: the annual assessment of policing in England and Wales 2013/14 (the 2014 State of Policing report). http://www.justiceinspectorates.gov.uk/hmic/publication/state-of-policing-13-14/

2. Police cuts are here to stay, says head of watchdog. BBC News. http://www.bbc.com/news/uk-30671127

3. eDiscovery in Digital Forensic Investigations. United Kingdom Home Office. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/394779/ediscovery-digital-forensic-investigations-3214.pdf
