Ron LaPedis
A cybercrime scene is much more challenging for investigators to manage than a physical crime scene. To address these challenges, law enforcement needs to continuously adapt and innovate to effectively combat cyber threats and ensure justice is served in the digital age.
Cops receive training in the academy, as well as guidance from their FTO and senior partner, on how to handle a physical crime scene. For example, before entering a suspected bomb builder’s lair, you already know to watch out for possible booby-trapped doors, drawers, etc. However, except for staff trained by the dozen FBI Regional Computer Forensics Laboratories (RCFLs) across the United States, or an equivalent facility, very few, if any, cops know what to do when faced with a suspected cybercrime scene.
In addition, a hacker, a suspect storing or sharing child pornography, or any other cybercrime suspect may have placed digital booby traps on their computers as well.
Hackers excel in their activities due to their comprehensive understanding of computers. It is possible to booby trap a computer system so that any evidence of a crime is destroyed as soon as a single key is pressed. With that, it’s necessary to know the appropriate steps to take when you must gain entry to a computer which is under suspicion of being utilized in a crime.
The RCFLs were chartered to cultivate working relationships between law enforcement, the private sector, academia, and other government agencies by serving as a national clearinghouse for the exchange and dissemination of information.
Time is critical when investigating a crime, and law enforcement personnel do not have the luxury of waiting for someone from the RCFL to show up on site to render assistance. Additionally, if a computer is powered down, you may lose essential information and may not be able to power it up again or log in.
Save Time in a Bottle
The absolute first step is to photograph anything and everything around the suspect computer. That includes the screen, keyboard, case, cables, peripherals, and power connections. This is done in case there is a time-triggered software booby trap or the next steps trigger a booby trap. Ensure that every photo is well lit without shadows so that it is obvious where everything is connected – or not connected (figure 1).
Before touching the keyboard, you may want to dust it for fingerprints. Be very careful of putting downward pressure on the keyboard keys lest you trigger a booby trap.
Memory analysis is essential to recovering valuable evidence for almost any PC investigation. While the system is powered up, its memory contains running processes and programs, active network buffers, registry hives, passwords, encryption keys, and decrypted files. Many Web apps, like Gmail, or private/incognito browsing modes only store data in memory.
A loss of information in memory, or triggering a booby trap, can delete critical information needed for your case, including proof of links to dark servers or TOR networks, both of which are popular for criminal use. Whether you’re working a malware infection, intrusion incident or IP theft, there is bound to be evidence found in memory which could be vital to your investigation.
Coming upon a cybercrime scene is not the right time to be sourcing, evaluating and learning to use memory capture tools. Just like a sniper has honed his skills over many hours of range time, a cyber investigator must have practiced teasing out evidence on dozens to hundreds of configurations.
The raw memory capture is set aside to serve as input for any one of dozens of tools which help investigators scan for evidence encoded as memory artifacts. Storage hardware is available which physically prevents writes to the media in order to preserve the captured contents.
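As an added illustration of what "scanning for memory artifacts" means in practice (example code written for this page, not a tool from the article), the script below carves printable ASCII and UTF-16LE strings out of a small constructed byte buffer standing in for a memory capture, then filters those strings for URLs and Windows file paths. The buffer, host names, path and minimum string length are all constructed assumptions; real captures are gigabytes and real tools add much more context (process ownership, page tables), but the carving step is the same.

```python
import re

# Constructed stand-in for a memory capture: ASCII and UTF-16LE (Windows-style)
# strings mixed with binary noise. Host names and paths are invented for the example.
SAMPLE_DUMP = (
    b"\x00\x11\x22http://example-drop.test/inbox HTTP/1.1\r\n\x00\x00"
    + "https://example-evidence.test/upload".encode("utf-16-le")
    + b"\xff\xfe\x00\x7f"
    + b"Mozilla/5.0 (X11; Linux x86_64)\x00\x00"
    + "C:\\Users\\suspect\\Documents\\ledger.xlsx".encode("utf-16-le")
    + b"\x00\x00abc\x00short\x00"  # runs shorter than MIN_LEN are ignored as noise
)

MIN_LEN = 6  # assumed minimum run length, as in the classic `strings` tool
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text appears as printable byte, null byte, printable byte, null byte, ...
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+")
WINPATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\x00]+\\)*[^\\\x00]*")


def extract_strings(data: bytes):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run, ordered by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_artifacts(data: bytes):
    """Filter carved strings down to URL and Windows-path artifacts, keeping the offset
    and encoding so each hit can be cited back to a location in the capture."""
    urls, paths = [], []
    for offset, enc, text in extract_strings(data):
        for u in URL_RE.findall(text):
            urls.append((offset, enc, u))
        for p in WINPATH_RE.findall(text):
            paths.append((offset, enc, p))
    return {"urls": urls, "paths": paths}


if __name__ == "__main__":
    for kind, hits in find_artifacts(SAMPLE_DUMP).items():
        for offset, enc, value in hits:
            print(f"{kind:5s} @0x{offset:06x} [{enc}] {value}")
```

Recording the offset and encoding of each hit matters for the report: a URL found only as UTF-16LE text typically came from a Windows GUI application rather than a network buffer, which narrows down which process put it there.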
The final step before moving on to storage is to label both sides of every cable, and whatever each end is connected to, and then rephotograph. You need to know where every cable starts and ends so that the environment can be reconstructed if needed. Label all cables, take notes on where they connect, then take photos.
Since cables could be directional, use A and B for each side. Simple 1A, 1B, 2A, 2B labeling is fine, and you will need two of each number/letter combination – one for the cable and one for the device to which it is connected.
A P-touch or equivalent labeler with extra strong adhesive labels, masking tape or gaffer’s tape will work.
Capture Storage
Even though you have memory captured, you still need to tread lightly as the tools and techniques used to create forensic images of running storage such as hard drives (HDs) and solid-state drives (SSDs) could also trigger a booby trap.
There are two ways to create a storage image: do it live on the suspect computer (doing it while the machine is running is preferable), or disconnect the drive cable and use a hardware duplicator (figure 2) to take forensic images of the drives. Either way, the image preserves the files and status of the machine as a snapshot in time.
Two of the most popular formats used for creating forensic images of running storage are E01 (Encase Image File Format) and DD (Data Dump). Both preserve the files and status as a snapshot in time. The E01 forensic image file format is the default imaging option for many computer forensics tools and has become a de facto standard of sorts. It also creates a hash or checksum of the drive and embeds it into the file. You can retrospectively prove the evidence has not changed by recalculating the hash value (essentially, the unique digital fingerprint of the file).
While somewhat lesser known, the raw image file format produces a bit for bit copy of the contents of a drive. This format is often referred to as the DD format due to the tool which originally generated such images. Depending on the tool used to create a DD image, you may need to enter a command to verify the images after they are created which will calculate hashes of the acquired image. Two options are the MD5 hash and the SHA1 hash.
Whichever format you decide upon, you need to make multiple copies and put one aside as your master copy. This master copy becomes your baseline and, if a booby trap is triggered while working with it, you can copy the master to another disk and try again. The creation and use of a true forensic hard drive image is a highly detailed process. If you do not have it performed by a trained professional, you may severely compromise your chances of obtaining admissible evidence because of your discovery efforts.
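The hash-and-verify routine described for DD images, and the master-copy workflow above, as an added example written for this page (not a tool from the article): the script streams a raw image through MD5, SHA1 and SHA-256 in a single pass, records the digests in a sidecar file, and then shows that a working copy verifies until a single byte changes while the untouched master still verifies. The file names, the sidecar format and the 1 MiB constructed image are assumptions; SHA-256 is included alongside the two algorithms the text names because most current tools record it as well.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream the image; multi-terabyte images must never be read whole


def digest_chunks(chunks, algorithms=("md5", "sha1", "sha256")):
    """Feed every chunk to all requested hashers at once (one pass over the data)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    return digest_chunks([data], algorithms)


def hash_image(image_path, algorithms=("md5", "sha1", "sha256")):
    """Digests of a raw (DD-style) image file, read in CHUNK_SIZE pieces."""
    with open(image_path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(CHUNK_SIZE), b""), algorithms)


def write_sidecar(image_path, digests):
    """Record digests beside the image as 'algorithm  hex  filename' lines (assumed format)."""
    image_path = Path(image_path)
    sidecar = image_path.with_name(image_path.name + ".hashes")
    sidecar.write_text("".join(f"{name}  {value}  {image_path.name}\n" for name, value in digests.items()))
    return sidecar


def read_sidecar(sidecar_path):
    expected = {}
    for line in Path(sidecar_path).read_text().splitlines():
        parts = line.split()
        if len(parts) == 3:
            expected[parts[0]] = parts[1]
    return expected


def verify_image(image_path, sidecar_path):
    """Recompute every recorded digest; True only if all of them still match."""
    expected = read_sidecar(sidecar_path)
    actual = hash_image(image_path, tuple(expected))
    return all(actual[name] == value for name, value in expected.items())


def master_copy_demo():
    """Master verifies; a working copy verifies until one byte changes; master still verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        master = tmp / "suspect_drive.dd"
        master.write_bytes(bytes(range(256)) * 4096)  # constructed 1 MiB stand-in for an image
        sidecar = write_sidecar(master, hash_image(master))

        working = tmp / "working_copy.dd"
        shutil.copyfile(master, working)
        copy_ok = verify_image(working, sidecar)

        with open(working, "r+b") as f:  # simulate a tripped booby trap altering the copy
            f.seek(4096)
            f.write(b"\xff")
        tampered_ok = verify_image(working, sidecar)
        master_ok = verify_image(master, sidecar)
    return copy_ok, tampered_ok, master_ok


if __name__ == "__main__":
    print(master_copy_demo())  # expected: (True, False, True)
```

Verifying all recorded digests rather than just one means a mismatch on any algorithm flags the copy, and the sidecar written at acquisition time is what you present in court to show the image you analyzed is the one you acquired.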
Suggested protocols for digital forensic analysis can be found within guidelines standardized by institutions and organizations like the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST).
If you come across a potential suspect computer which is already powered down, label the cables, take photos, dust the keyboard, then bring all the pieces to a cyber forensic lab to be investigated by qualified, professional forensic practitioners. Except for memory capture, most of the steps are the same as when you find a running machine.
Storage Volumes and RAID
A data volume, colloquially called a disk, used to be the same as, or a subset of, a physical device. That is, if you held an HD or an SSD in your hand, you had what you needed, except perhaps the encryption key, to start forensic analysis of the contents.
With a Redundant Array of Independent Disks (RAID) volume, this no longer is true. While RAID was developed for speed and redundancy of data stored on physical devices, it also can be used to hide data from law enforcement.
On a RAID 1, or mirrored volume, the information is duplicated on two physical devices, so possession of either one gives you access to all of the data.
But, on every other type of RAID volume, the data is split across two or more physical devices (figure 3). If you are missing one of the physical devices in a RAID 0 volume, or two of the physical devices in a RAID 2 through 6 volume, the data may be unrecoverable. And, not only do you need the devices, but you also need the software which was originally used to create the array – along with the “map” which describes how the data was distributed when it was written.
Think of the data stored in a RAID array like a jigsaw puzzle where all the pieces are identical grey squares. Each physical device represents a column, but which one? And, what about the rows? That information is hidden in the volume map which only the RAID software can decode.
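The jigsaw analogy above, worked through in code as an added example (written for this page, not part of the article): a constructed "document" is striped RAID 0 style across three simulated devices, and reassembly is attempted with the correct map, the wrong device order, the wrong stripe size, and one device missing; a RAID 1 mirror is shown for contrast. The stripe size, device count and sample bytes are assumptions; real RAID metadata formats differ by vendor, but the dependence on order and stripe size is exactly what the example shows.

```python
# Constructed sample "document" to spread across the array; not real evidence.
DOCUMENT = b"".join(b"ENTRY %04d: payment to account 77%03d\n" % (i, i) for i in range(12))


def stripe(data: bytes, devices: int, stripe_size: int):
    """RAID 0: write data round-robin across devices in stripe_size chunks."""
    disks = [bytearray() for _ in range(devices)]
    for i in range(0, len(data), stripe_size):
        disks[(i // stripe_size) % devices] += data[i:i + stripe_size]
    return [bytes(d) for d in disks]


def mirror(data: bytes, devices: int = 2):
    """RAID 1: every device holds the complete data."""
    return [bytes(data) for _ in range(devices)]


def reassemble(disks, stripe_size, order, length=None):
    """Read stripes back in the given device order; this is the 'map' the text describes.
    A None entry stands for a missing device and is zero-filled. With the wrong order or
    stripe size the output has the right length but the wrong content."""
    present = [d for d in disks if d is not None]
    rounds = (max(len(d) for d in present) + stripe_size - 1) // stripe_size
    out = bytearray()
    for r in range(rounds):
        lo, hi = r * stripe_size, (r + 1) * stripe_size
        for idx in order:
            disk = disks[idx]
            out += disk[lo:hi] if disk is not None else b"\x00" * stripe_size
    return bytes(out if length is None else out[:length])


def fraction_intact(recovered: bytes, original: bytes) -> float:
    """Share of bytes that came back in the right place."""
    return sum(a == b for a, b in zip(recovered, original)) / len(original)


def raid_demo():
    disks = stripe(DOCUMENT, devices=3, stripe_size=16)
    one_missing = [disks[0], None, disks[2]]
    return {
        "correct_map": reassemble(disks, 16, [0, 1, 2]) == DOCUMENT,
        "wrong_order": reassemble(disks, 16, [1, 0, 2]) == DOCUMENT,
        "wrong_stripe_size": reassemble(disks, 8, [0, 1, 2]) == DOCUMENT,
        "missing_device_fraction": fraction_intact(
            reassemble(one_missing, 16, [0, 1, 2], len(DOCUMENT)), DOCUMENT),
        "mirror_single_device": mirror(DOCUMENT)[1] == DOCUMENT,
    }


if __name__ == "__main__":
    for name, value in raid_demo().items():
        print(f"{name:24s} {value}")
```

With one of three devices missing, roughly a third of the bytes are gone and every file larger than a stripe is cut into fragments, which is why the text insists on recovering all physical devices plus the software that knows the map.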
Additionally, there could be a chicken and egg predicament since the RAID software might be on a RAID volume. The computer’s boot process normally would resolve this, but is moot if a booby-trapped computer destroys the boot process. You will need to use other methods to determine the software in use, such as questioning the suspect or looking at purchase records.
The key to hiding data on RAID volumes is that there is nothing in the RAID specification which says that the physical devices need to be the same type of storage device nor contiguous.
That is, a RAID volume can be split across a few or up to dozens of storage devices – both inside and outside of the computer case. They can be in an enclosure or perhaps on a circuit board with a cable.
Whether internal or external, storage devices could be SATA (Serial Advanced Technology Attachment) HD, SATA SSD, or NVMe (Non-Volatile Memory Express) M.2 “blades.”
RAID volume recovery should only be done from your copies and never from your forensic masters. If there is any question as to how the volume components were connected, you can refer back to the photos you took of the computer, peripherals and cabling before it was disassembled.
Virtual Machines for Forensic Analysis
A virtual machine, or VM, is an application which runs on a computer and is the virtualization or emulation of a computer system. The VM software “tricks” the Operating System (OS) and apps into thinking that they are running directly on a computer when, in reality, they are running on a simulated computer.
Think about a firearms simulator for a moment. There are virtual targets on the screen and you are holding a firearm which communicates with the simulator. If you are on target and pull the trigger, a “hole” shows up in the target – just as surely as a piece of lead going downrange would make a hole in a paper target. You are inclined to believe that you made that hole.
If the OS or application can perform an action on a real computer, it can perform the same action on a VM. With a little finesse, you can recreate the suspect’s entire computer as a VM which in turn will allow you to recreate the entire digital crime scene in an accessible, virtual environment.
Using a virtual machine saves money by reducing the amount of hardware required – multiple VMs can share the same physical computer and access the same storage, putting processing power to use that otherwise might be idle while waiting for a human to respond.
Standard forensic principles often deny an investigator the opportunity to turn a computer back on once it has been powered down. The use of a VM lets the forensic examiner fire it back up and poke around it without affecting the original, unchanged evidence.
In the same way that a body from a physical crime scene can give up clues and evidence to a medical examiner as to who the perpetrator was and how the crime happened, use of a forensic VM from “dead box” storage (or an image of that storage) can offer up clues and powerful evidence to the digital examiner which are not available via standard forensic software. The VM enables a virtual autopsy of the suspect’s computer.
Finally, since the VM is divorced from the hardware, it is portable and can be moved from real computer to real computer or can be accessed from almost anywhere, even over the Internet.
There is a lot of documentation on the Internet about how to build and use a forensic virtual machine.
Being able to access an identical, but virtual, replica of the suspect’s machine means that you can interact with the files and the software on their system without fear of making a mistake which will modify or destroy it. If you experience a malfunction, you can just go back to the previous image (called a snapshot). And, because the VM is just a piece of software, it can be moved from place to place or can be sent to the RCFL or a vendor specializing in forensic work.
Creating a VM from a computer allows you to lock all of the original hardware and software to the time when you first came upon it. It will let you search for evidence without altering evidence and will let you go back to that time if required. If you need additional expertise, you can send the VM to the person who has that knowledge.
All in all, a VM can help you find elusive evidence and present it in court in a non-technical manner.
Summary
Investigating cybercrime scenes presents a set of unique challenges which surpass those of traditional physical crime scenes due to the virtual nature of the crimes, the global scope of the Internet, the technical expertise required, and the constantly evolving tactics employed by cybercriminals.
Ron LaPedis is an NRA certified Chief Range Safety Officer; NRA, USCCA and California DOJ certified instructor; is a uniformed first responder; and frequently writes and speaks on law enforcement, business continuity, cybersecurity, physical security, and public/private partnerships.
Available Resources
There are several no-cost resources available for law enforcement agencies and personnel to enhance their knowledge and capabilities in dealing with cybercrime. These resources offer training, information, tools, and collaboration opportunities. Here are some options.
- Federal Law Enforcement Training Centers (FLETC) Cybercrime Courses: FLETC offers various cybercrime training courses to law enforcement personnel. These courses cover topics such as digital evidence collection, cyber investigations and cyber threats. (https://tinyurl.com/342ryrxx)
- Department of Homeland Security (DHS) Cybersecurity Training and Resources: DHS provides a range of cybersecurity training and resources, including the Federal Virtual Training Environment (FedVTE) which offers free online courses on cybersecurity-related topics. (niccs.cisa.gov)
- Federal Bureau of Investigation (FBI) Cyber Crime Resources: The FBI provides numerous resources, including the Internet Crime Complaint Center (IC3) which collects and analyzes reports of cybercrimes. The FBI also offers online training courses through the Law Enforcement Enterprise Portal (LEEP). (https://tinyurl.com/bdzh99d2)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework: NIST offers a comprehensive Cybersecurity Framework which law enforcement agencies can use to improve their cybersecurity posture and response to cyber threats. (nist.gov/cyberframework)
- International Association of Chiefs of Police (IACP) Cyber Center: The IACP’s Cyber Center provides resources and guidance for law enforcement agencies to address cybercrime, including training, research and best practices. (https://tinyurl.com/ycxv4h3e)
- United Nations Office on Drugs and Crime (UNODC) Cybercrime Resources: UNODC offers resources and tools to support law enforcement agencies in dealing with cybercrime at the international level. (https://tinyurl.com/mv5ykdan)
- Cybercrime Support Network: This organization offers assistance to law enforcement and victims of cybercrime, including resources for reporting and responding to cyber incidents. (fightcybercrime.org)
- InfraGard: InfraGard is a partnership between the FBI and private sector organizations. It provides information sharing and collaboration opportunities for law enforcement and other stakeholders to address cyber threats. (infragardnational.org)
- Cybersecurity and Infrastructure Security Agency (CISA): CISA offers various cybersecurity resources, including alerts, guidance documents and training materials aimed at enhancing the cybersecurity posture of government agencies and organizations. (cisa.gov)
- Open Source Intelligence (OSINT) Tools: There are various open source tools available for law enforcement to gather intelligence from publicly available online sources. Examples include Maltego for data mining and analysis, and Shodan for searching Internet connected devices. (https://tinyurl.com/mst8z2ru)
- Local Cybersecurity Groups and Communities: Many local cybersecurity groups and organizations offer free resources, workshops and networking opportunities. These groups can provide valuable insights and connections within the cybersecurity community.
Nine Reasons Why Cybercrime Scenes Present Greater Challenges for Investigators
- Invisibility and Anonymity: Cybercriminals can operate from anywhere in the world, making their actions difficult to trace. They can hide behind proxies, VPNs and other anonymizing technologies, making it challenging to identify their real identities and locations. This contrasts with physical crimes, where suspects’ movements are more constrained.
- Virtual Nature: Cybercrime scenes exist in the digital realm which means that investigators must have specialized skills to gather and interpret digital evidence. Unlike physical evidence, digital evidence can be easily manipulated, deleted or concealed, requiring investigators to use advanced techniques to recover and preserve it accurately.
- Global Jurisdiction: The Internet transcends national borders and cybercriminals can target victims in different countries without ever physically crossing those borders. This raises complex jurisdictional issues and legal challenges for law enforcement agencies which need to collaborate across international boundaries.
- Rapid Evolution: The landscape of cybercrime is constantly evolving with new attack vectors, tools and techniques emerging regularly. Investigators need to stay up-to-date with the latest trends in cybercrime to effectively combat these threats which can be more challenging than investigating traditional crimes which may have more established patterns.
- Scale and Scope: Cybercrimes can affect a large number of victims simultaneously and on a global scale. Investigating such incidents requires dealing with a vast amount of digital data, potentially spanning across multiple jurisdictions, systems and networks, making it much more complex compared to a single physical crime scene.
- Technical Expertise: Investigating cybercrimes demands a deep understanding of various technologies, including networking protocols, encryption, malware analysis, and digital forensics. This technical expertise is often required on top of traditional investigative skills, setting a higher bar for cybercrime investigators.
- Non-physical Traces: In physical crime scenes, evidence is often tangible and visible. In cybercrime investigations, evidence consists of digital footprints, log files, network traffic, and other intangible elements which require specialized tools and techniques to identify, preserve and interpret.
- Evidence Tampering: Cybercriminals can tamper with digital evidence more easily than physical evidence. They can manipulate timestamps, modify logs and cover their tracks in ways which are not possible in the physical world, making it challenging for investigators to establish a clear chain of custody and authenticity.
- Resource Allocation: Investigating cybercrimes requires significant resources, including skilled personnel, advanced technology and ongoing training. Law enforcement agencies need to invest in these resources to effectively combat the ever growing threat of cybercrime.