Chapter 8

Digital forensics education, training and awareness

Hamid Jahankhani; Amin Hosseinian-far

Abstract

Computer forensics is a field that developed from the introduction of new technologies which are readily accessible, affordable and heavily depended upon by both individuals and businesses. The speed at which these technologies have evolved brings both advantages and disadvantages to all. New criminal activity, often referred to as cybercrime or e-crime, accompanied the development of these technologies and presents challenges to law enforcers. This chapter attempts to provide an unbiased perspective from the law enforcement arena, critically assessing the importance of proper education and training to handle, manage and investigate computer evidence, and lastly the importance of having a form of accreditation to validate experience, skills and qualifications.

Keywords

Computer forensics

Awareness

ACPO

eCrime

Anti-forensics

Chain of custody

Introduction

In a fully connected, truly globalized world of networks, most notably the internet, mobile technologies, distributed databases, electronic commerce and e-governance, e-crime manifests itself as money laundering; intellectual property theft; identity fraud/theft; unauthorized access to confidential information; destruction of information; exposure to obscene material; spoofing and phishing; viruses and worms; cyber-stalking; and economic espionage, to name a few.

According to the House of Commons, Home Affairs Committee, Fifth Report of Session 2013–14, on E-Crime, “Norton has calculated its global cost to be $388bn dollars a year in terms of financial losses and time lost. This is significantly more than the combined annual value of $288bn of the global black market trade in heroin, cocaine and marijuana” (E-crime, House of Commons, 2013).

Since the launch of the UK’s first Cyber Security Strategy in June 2009 and the National Cyber Security Programme (NCSP) in November 2011, UK governments have had a centralized approach to cybercrime and wider cyber threats.

Until recently e-crimes had to be dealt with under legal provisions meant for older crimes such as conspiracy to commit fraud, theft, harassment and identity theft. Matters changed slightly in 1990 when the Computer Misuse Act was passed, but even then it was far from sufficient and mainly covered crimes involving hacking.

No new law specific to computer crime was passed between the Computer Misuse Act 1990 and the Fraud Act 2006; in the interim the laws relied upon to deal with e-crime were as follows:

• Theft Act 1968 & 1978, (Amendment) 1996

• Criminal Attempts Act 1981

• Telecommunications Act 1984

• Public Order Act 1986

• Protection of Children Act 1978

• Obscene Publications Act 1959 & 1964

• Data Protection Act 1998

• Human Rights Act 1998

• Defamation Act 1952 & 1996

• Freedom of Information Act 2000

• Protection from Harassment Act 1997

Despite all of these, the law is still not adequate to tackle e-crime, because of the fast pace of information technology and information systems proliferation. In 2006 two new laws were passed to tackle e-crime: the Fraud Act 2006, which came into force in 2007 and of which it was said that “the new law aims to close a number of loopholes in preceding anti-fraud legislation, because, the Government said, [it] was unsuited to modern fraud,” and the Police and Justice Act 2006 (Part 5, amending the Computer Misuse Act 1990), which prohibits “unauthorized access to computer material; unauthorized acts with intent to impair operation of computer and the supply of tools that can be used for hacking” (Police and Justice Act, 2006).

Documented guidance, practices and procedures were outdated and wholly inadequate for handling electronic evidence in a forensic manner until ACPO's first e-crime publication in July 2007, subsequently revised in November 2009 and in 2012. This is widely regarded as the best guidance yet produced to assist law enforcement in handling digital evidence (ACPO Guidelines, 2009).

Digital evidence is evidence collected from a suspect's workstation or other electronic medium that can be used to assist a computer forensics investigation.

There are basically two types of evidence that can support a digital forensic investigation: physical evidence and digital evidence. Physical evidence consists of tangible items that can be brought to court and shown physically. Examples of physical evidence that can assist an investigation are computers, external hard disk drives and data storage (memory sticks and memory cards), handheld devices including mobile phones/smartphones and PDAs, networking devices, optical media, dongles and music players. Digital evidence is the data extracted from the physical evidence or the computer system.

For a piece of information or data to be treated as evidence, it needs to satisfy five rules:

1. the evidence should be admissible and accepted in a court of law

2. the evidence needs to be authentic and not contaminated

3. the evidence needs to be complete, the whole piece rather than just indicative parts

4. the evidence has to be reliable and dependable

5. the evidence needs to be believable

Digital evidence, compared with hard evidence, is difficult to find, in terms of defining the nature of the data and classifying it as digital evidence worthy of being presented in court.

Establishing that evidence is reliable has proven to be a difficult task, not just because of the nature of the evidence but also because of the wide scope of environments from which the evidence is extracted.

In a corporate environment, the forensic investigator team will need to identify and contain the evidence, maintain its integrity, and determine whether a given piece of evidence is relevant to the crime being investigated and whether it is likely to help identify the culprit and support charges through legal proceedings.

Among the considerations an investigator needs to evaluate when collecting digital evidence are the expenses, costs and losses incurred, and the availability of the affected service during and after the incident.

The lack of expertise within law enforcement to understand the intricacies of e-crime, the wide demographics it covered and, most of all, jurisdiction issues presented an excellent opportunity for the private sector: a niche and a need in the market for private individuals to offer computer forensics services. A lot of private companies emerged, initially offering data recovery services and eventually computer forensic services.

At the same time a variety of computer tools came onto the market, such as EnCase, FTK, Helix, Paraben Cell Seizure, MOBILedit, BitPim, etc. These tools, both software and hardware, automated the processing of computer evidence and did not require an in-depth thought process or knowledge of computer science to operate. This made life easy for those who had to process computer evidence but also gave a false sense of security and the belief that being able to use these tools adequately validated a claim of being an expert.

These tools and services have become heavily relied upon by law enforcement and, with no proper evaluation processes in place for tools and services, individuals and companies without the appropriate qualifications, understanding or experience are unfortunately being relied upon as experts in the field of computer forensics.

Digital Forensics Laboratory Preparation and Training

To set up a forensic laboratory there are a number of processes and procedures that must be followed. If the laboratory requires accreditation, further requirements are set by accreditation bodies such as the International Organization for Standardization (ISO) or the American Society of Crime Laboratory Directors (ASCLD) (Jones and Valli, 2004; Watson and Jones, 2013).

Many standards are relevant when creating a digital forensics laboratory, including environmental management systems (ISO 14000), occupational health and safety (OHSAS 18000), risk management (ISO 31000) and information security management (ISO 27000).

Any forensics laboratory needs to be protected against external and environmental threats such as fire and flood, with backup systems in place, and needs on-site secure evidence storage used solely for storing evidence. The chain of custody requires that robust procedures for the management of evidence are followed.

All of this, and much more, requires that all employees are regularly trained in forensics laboratory information security awareness, specialist hardware and software, risk management and so on.

It is no secret that setting up a forensic laboratory is very resource intensive and requires a variety of expensive tools to address different threats and different platforms/systems.

Digital Anti Forensics Tools and Approaches

Anti-forensics as a concept is as old as traditional forensics. Someone who commits a punishable act will use any possible means to get rid of any evidence connected with it. Traditional forensics faces a range of anti-forensic measures, from the trivial (e.g., wiping fingerprints from a gun) to a level limited only by imagination (e.g., altering the DNA left behind at a crime scene). In digital anti-forensics the same rules apply, with the difference that the techniques are fairly new, with little research and development behind them (Jahankhani et al., 2007).

A number of techniques are used to apply anti-forensics. These techniques were not necessarily designed with an anti-forensic purpose in mind. For instance, folder shielders were designed primarily to provide a level of security and privacy, but they can be used as an anti-forensic tool since they hide data. Other techniques include:

• Digital Media Wiping: properly wiping the media that contain the digital evidence simply makes the evidence disappear.

• Steganography: someone can use steganography to hide a file inside another, so that the investigator cannot take advantage of the evidence because they may never find a way to extract it.

• Privacy Wipers: tools that aim to delete privacy traces from operating systems, applications or both. If used properly, the investigator may find no evidence at all on the digital media.

• Rootkits: rootkits can subvert the operating system kernel and even react to forensic acquisition by hijacking the operating system facilities (process management, memory management) that the acquisition relies on to extract the evidence.

• S.M.A.R.T. Anti-Forensics: the drive's self-monitoring attributes (for example the power-cycle and power-on-hours counters) can be read by an attacker to detect that a hard drive has been removed and connected elsewhere for forensic duplication.

• Homographic Attacks: such an attack can mislead an investigator, since letters that look alike to the human eye (for example Latin and Cyrillic characters) can be substituted to make a malicious file look legitimate.

• File Signature Modification Attacks: someone can purposefully change a file's signature (its leading "magic" bytes) or its extension so that it appears to be a file of a different type.

• Encryption: this can be used at almost every anti-forensic stage to obscure the evidence and make it unreadable and unusable.

• Metadata Anti-Forensics: information about data (metadata, such as file timestamps) can be altered to hide user actions.

• Slack Space Anti-Forensics: someone can hide malicious software in areas the operating system might not use, such as slack space, because they may be considered reserved or empty.

• Secure Digest Function (MD4, MD5, etc.) Collision Generation: someone can alter a file and then use anti-forensic software to make the altered file produce the same MD4 or MD5 value as before, thus bypassing a forensic integrity check that relies on that digest alone.

• Digital Memory Anti-Forensics: there are programs able to hide processes or other evidence in memory.

• Misleading Evidence: someone can leave evidence in such a way as to mislead the forensic investigation.

• Packers/Binders: someone can use such a program to transform a file by changing its structure, so that it bypasses security mechanisms that search for malicious behavior patterns inside files.

• Forensic Tool Vulnerabilities/Exploits: implementations already exist showing that some current computer forensic tools can be bypassed or exploited.

• Resource Waste: purposefully leaving traces across a big network to make the forensic investigator waste valuable resources and time.

• Forensic Detection: someone can install a mechanism that is triggered by any computer forensic-related presence.

• Anonymous Actions: every action that can be done under a fake or unknown identity. The result is that the investigator fails to trace back the malicious activity.

• Anti-Forensics in Flashable Devices: someone can take advantage of devices that can be flashed (such as PCI cards or the BIOS) and install malicious code inside them, where it can remain unnoticed.
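Two of the techniques listed above, file signature modification and homographic names, leave traces an examiner can test for mechanically. The following Python script is an added example, not code from the chapter or from any of the tools it mentions; its magic-byte table is a small illustrative subset, and the sample files (a PE executable renamed to .jpg and a PDF whose name contains a Cyrillic 'а') are constructed in a temporary directory.

```python
"""Triage checks for two anti-forensic techniques from the list above:
file signature modification and homographic file names.
Added example, not from the chapter; the magic-byte table is a small
illustrative subset and the sample files are constructed."""
import os
import tempfile
import unicodedata

# Leading bytes ("magic") of a few common formats. Several extensions legitimately
# share a signature (PE for exe/dll, ZIP container for zip/docx).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),
    "dll": (b"MZ",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
}


def detect_type(header):
    """Return the set of extensions whose magic bytes match the file header."""
    return {ext for ext, sigs in MAGIC.items()
            if any(header.startswith(sig) for sig in sigs)}


def signature_mismatch(name, header):
    """Return (claimed_ext, detected_exts) when the extension disagrees with the
    magic bytes, else None. Unknown extensions or headers are not flagged."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    detected = detect_type(header)
    if ext in MAGIC and detected and ext not in detected:
        return ext, sorted(detected)
    return None


def scripts_in(name):
    """Approximate the Unicode scripts used by the letters of a name from the
    first word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}


def homograph_suspect(name):
    """True if the name mixes scripts (e.g. a Cyrillic 'а' among Latin letters)
    or contains characters that NFKC normalization changes (full-width forms,
    ligatures), both classic homograph tricks."""
    return len(scripts_in(name)) > 1 or unicodedata.normalize("NFKC", name) != name


def check(name, header):
    """Run both checks on one file; return a list of human-readable findings."""
    findings = []
    mismatch = signature_mismatch(name, header)
    if mismatch:
        findings.append("extension .%s but magic bytes match %s" % mismatch)
    if homograph_suspect(name):
        odd = " ".join("U+%04X" % ord(c) for c in name if not c.isascii())
        findings.append("suspicious characters in name: " + odd)
    return findings


def scan_directory(directory):
    """Check every file in a directory; return {name: findings} for files that trip a check."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            header = f.read(16)
        findings = check(name, header)
        if findings:
            results[name] = findings
    return results


def demo():
    """Build constructed sample files in a temporary directory and scan them."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # honest PNG
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 12,       # PE executable renamed to .jpg
        "p\u0430yroll.pdf": b"%PDF-1.4\n",                 # Cyrillic a (U+0430) in "payroll"
        "notes.txt": b"just some text",                    # extension not in MAGIC, ignored
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan_directory(d)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Running it reports only the two planted files; photo.png and notes.txt pass. The script-mixing heuristic is deliberately coarse (it keys on the first word of each character's Unicode name), so on a real evidence set it should be paired with an allow-list of the scripts expected in that case, and an unknown extension is not flagged because the table, not the file, is incomplete.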

From a forensic point of view, anonymity can be considered a major anti-forensic approach. For example, the following were listed among the top free anonymous web proxy servers (Mitchell, 2013):

• Proxify: this web proxy supports encryption via Secure Sockets Layer (SSL)/HTTPS, hides the user's IP address and filters cookies.

• Anonymouse: has been around for many years and supports web, email and Usenet (news) proxies.

• Anonymizer: the best-known name in anonymous web proxy services.

• Ninja Cloak: from its homepage you can enter the URL of the site to be visited. This web-based proxy uses CGI.

Today Wi-Fi networks are used widely, which makes it very easy for malicious network users to hide their true identities by hopping randomly across these wireless networks to conduct their attacks.

While in theory the forensic investigator should monitor everything available around the suspect, in reality the post-incident response can fall far short of this. The reasons include missing or ignored network activity logs, legal barriers between the access point and the forensic acquisition, non-cooperative ISPs, etc.

The forensic process should be enhanced with security mechanisms that upgrade the post-incident reaction to real time. Real-time acquisition tools should be capable of capturing the activity of all wireless access points within a reasonable distance.

Anti-forensics is a reality that comes with every serious crime; it involves tactics for “safe hacking” and keeps the sophistication of the crime at a high level. Computer forensic investigators, along with forensic software developers, should start paying more attention to anti-forensic tools and approaches.

If we consider computer forensics as the collection, preservation, identification and presentation of evidence, anti-forensics can affect the first three stages. Because these stages are “finish-to-start” dependencies from a project management point of view, the failure of one of them can end up as the failure of the lot. Thus anti-forensics has a high impact on forensic investigations.

Officially there is no such thing as an anti-forensic investigation, because countering anti-forensics is still part of the investigator's skill set.

The Main Difficulties Faced by Law Enforcement Officers Fighting Cyber-Crime

It is evident that cybercrime is no longer in its infancy. It is “big business” for the criminal entrepreneur, with potentially a lot of money to be made at minimal risk. The main areas recognized as contributing to the failings of law enforcement officers are as follows:

• Lack of up-to-date guidelines

• Lack of proper training

• Lack of funding

UK law enforcement cannot investigate all alleged offences because of the scale and international nature of these crimes, which raises the question of how decisions are made as to which cases to investigate and which not. How much of the public interest is taken into consideration, and is this just another way of dealing with e-crime irrespective of how ineffective and discouraging it appears?

From a law enforcement point of view the task of fighting cyber-crime is a difficult one. Although a crime is a crime irrespective of how big or small it is, a decision has to be made on the merits of each case as to whether investigating and prosecuting is in the public interest. In April 2007 a decision was made that all credit card fraud should be reported to the banks and not directly to the police. The banks can then decide which cases to refer to the police for investigation. It is recognized that not all cases will have sufficient evidence and, with the limited resources available to law enforcement, this ensures that resources are allocated where they are required most (ACPO Guidelines, 2009). This is not seen as a very good decision, especially by politicians, and one of the reasons given is that it prevents the acquisition of accurate statistics on e-crime. Such statistics were in fact never possible, because not all e-crimes are reported.

It is no longer adequate to depend on individuals, as governments own and control vast databases of sensitive information, both private to individuals and relevant to national security in general. It is becoming necessary to understand and manage the computer forensics process.

Some research (EURIM-IPPR, 2004; Taal, 2007) has formulated a set of principles and suggested a high-level methodology for this purpose. All procedures and guidelines for the collection and handling of computer evidence are based on the Association of Chief Police Officers (ACPO) guidelines; many in the private sector also follow them. ACPO is an independent, professionally led strategic body that leads and coordinates the direction and development of the police service in England, Wales and Northern Ireland.

This guidance was created to assist law enforcement in dealing with computer evidence (ACPO Guidelines, 2009). This came in the form of four principles as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

In the private sector, the guidelines are usually incorporated into internal procedures, as most computer forensic companies deal with defense work and civil matters where the guidelines may not always apply. Only a few hold contracts with the Metropolitan Police, Scotland Yard and other prosecuting authorities, in which case those authorities' procedures have to be followed rather than the company's own.

From the above it is clear that the guidelines are necessary, but their successful use requires proper training in and understanding of them. Most law enforcement agents found themselves in this field somewhat reluctantly, because of the heavy demand to tackle e-crime.

Educational Provision for the Study of Computer Forensics

Computer forensics is no longer a new field, as some would like to believe, and a lot needs to be done to train and encourage new entrants to the field as well as to unify the skills and experience of those already in it. The need to train not just on the technical side but also on the legal aspects has been fully recognized by government, training companies and universities, and most universities now offer courses specifically tailored to law enforcement officers; yet training is embarked upon by most in law enforcement only as a backup plan for post-retirement.

Those joining the profession will have to understand the importance of an academic qualification, especially if they have no experience in the field at all.

Computer forensics is no longer a profession in which on-the-job training to gain experience is sufficient. Most other professions require a degree before one can progress to vocational training, e.g., teachers, lawyers, forensic scientists and doctors; the same should apply to computer forensics, as the work we do is as important as that in other fields and, positively or negatively, affects people's lives.

Numerous universities in the UK and abroad offer computer forensics and information security courses at graduate and postgraduate level, which give those taking them a good grounding in computer science, a better understanding of computer forensic theory and, most of all, help them develop more innovative, forensically sound ways of fighting e-crime and to “think outside the box.”

It is time for the government to work actively in partnership with universities to encourage people to take on these courses, especially those already working in the field in the public sector.

A degree is now a prerequisite in the private sector, as well as experience, as it is becoming a lot more difficult to claim to be an expert in the field of computer forensics and an expert witness in a court of law. Gone are the days when do-it-yourself forensics was accepted.

This leads us to another area about which many experts in the field of computer forensics have been reserved: accreditation. It is an area in which it is very difficult to make decisions. Most agree and recognize that a board should be set up, but what cannot be agreed upon is who should lead it. Some have suggested that it should be led by universities, by government, by peers, or jointly by universities, government and businesses.

If it is university led, the concern is that those who have worked in the field for many years without academic qualifications may find that, in order to be recognized as experts and fully accredited, they have to obtain a recognized academic qualification in addition to their experience, which most are against.

If it is government led, without set standards the situation will be no different from the present. It will also require those working in the profession to give it some direction, and it is doubtful whether those people are in a position to decide what form of accreditation should be adopted.

This brings us to the last option, a joint partnership of government, universities and businesses. This is the most feasible option, but a lot of joint effort will be required to come up with a credible accreditation that will be accepted by all.

In March 2007 an article by Peter Warren appeared in the Guardian newspaper describing an incident of great concern to those in the profession: “Last month saw the downfall of Gene Morrison,” a conman who masqueraded as a forensic scientist and gave evidence in more than 700 police cases, some of them involving rape and drink-driving. Morrison, 48, of Hyde, Tameside, was found guilty of 22 counts of perjury at Minshull Street Crown Court in Manchester and given a 5-year jail sentence. His claims to be a forensic scientist were bogus, and the BSc and PhD qualifications he claimed were in fact bought from a university that existed only on the internet.

One thing is for sure: having a form of accreditation will force government, academics, researchers and those working in the field of computer forensics to set more appropriate standards and controls for those who handle, analyze and investigate computer evidence.

The CFM Methodology

The CFM consists of four phases namely Identify, Acquire, Preserve and Report:

1. Identify: Source of digital evidence.

2. Acquire: Taking an image of the media as it was found.

3. Preserve: Chain of custody as well as the integrity of the data itself making sure no information has been added or altered.

4. Report: To report all findings and processes used.
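The Acquire and Preserve phases above, together with ACPO Principle 3 (an audit trail that an independent third party can follow to the same result), are shown below as an added Python example; it is not the chapter's or ACPO's own code. The seized device, case identifier and examiner names are constructed, and a plain file copy stands in for a write-blocked imager such as dd or ewfacquire.

```python
"""Acquire / Preserve / Report as a script: image a source "device" byte for byte,
record several digests, keep an append-only chain-of-custody log, and let an
independent examiner re-verify (ACPO Principle 3). Added example, not the
chapter's own method; the source device, case name and examiner names are
constructed, and the copy stands in for a write-blocked dd/ewfacquire run."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# MD5 is kept only for compatibility with older tool reports; SHA-256 is the one to rely on.
ALGORITHMS = ("md5", "sha1", "sha256")


def _multi_hash(chunks):
    """Feed each chunk to every algorithm in one pass and return hex digests."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory byte string (handy for checking a single artefact)."""
    return _multi_hash([data])


def digests(path, chunk_size=1 << 20):
    """Hash a file of any size without loading it all into memory."""
    with open(path, "rb") as f:
        return _multi_hash(iter(lambda: f.read(chunk_size), b""))


class CustodyLog:
    """Append-only JSON-lines record of every action applied to the evidence."""

    def __init__(self, path):
        self.path = path

    def record(self, examiner, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "examiner": examiner, "action": action, **details}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def acquire(source, image, log, examiner):
    """Image the source, hash source and image, make the image read-only,
    and log everything. Returns (verified, image digests)."""
    source_hashes = digests(source)
    shutil.copyfile(source, image)      # stands in for a write-blocked bit-for-bit copy
    os.chmod(image, 0o444)              # analysis happens on working copies, never on the image
    image_hashes = digests(image)
    verified = source_hashes == image_hashes
    log.record(examiner, "acquire", source=source, image=image,
               source_hashes=source_hashes, image_hashes=image_hashes, verified=verified)
    return verified, image_hashes


def verify(image, expected, log, examiner):
    """Recompute every digest; any single mismatch fails, so an MD5 collision
    alone cannot smuggle an altered image past the check."""
    actual = digests(image)
    mismatched = [alg for alg in ALGORITHMS if actual[alg] != expected[alg]]
    log.record(examiner, "verify", image=image, mismatched=mismatched)
    return not mismatched


def demo():
    """Acquire a constructed device, re-verify, tamper with one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "seized_usb.raw")
        with open(source, "wb") as f:
            f.write(b"constructed contents of the seized USB stick\n" * 2000)
        image = os.path.join(d, "case-001-item-3.dd")
        log = CustodyLog(os.path.join(d, "custody.jsonl"))

        acquired, hashes = acquire(source, image, log, "examiner A")
        reverified = verify(image, hashes, log, "examiner B")

        os.chmod(image, 0o644)                      # simulate someone altering the image
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        after_tamper = verify(image, hashes, log, "examiner B")

        return {"acquired": acquired, "reverified": reverified,
                "after_tamper": after_tamper, "log_entries": len(log.entries())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each run leaves three entries (acquire, verify, verify) in custody.jsonl; the last verify fails because one byte of the image was changed, and it fails on every algorithm. That is the point of recording more than one digest when MD5 collision generation is, as listed earlier, a known anti-forensic technique: an attacker who matches the recorded MD5 still has to match SHA-256 as well.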

The persons carrying out the above must adhere to standard evidence rules, i.e., the Police and Criminal Evidence Act (PACE) 1984 in criminal matters, so that the evidence is admissible in a court of law. The current Home Office PACE codes came into effect on 27 October 2013 (The Police and Criminal Act, 1984).

Stage 4 requires more detailed decomposition into the methods necessary for the analysis and classification of the data for use as evidence and as a historical record. In the field of computer forensics there is still a lot to be done, e.g., standardizing procedures. The field itself has various branches of digital forensics, for example internet forensics, network forensics and mobile phone forensics, to name but a few. Customized guidelines for these branches will enable scientists to ensure the quality of both the process and the data collected.

It is also important to extend the CFM to include a fifth phase, Review and Improve, in the light of empirical data that can be classified, organized and mined to maximize the effectiveness of the processes.

Conclusions

With all the above, the most important thing people forget, and this applies to all, is that in this field practical experience and the theoretical skills acquired from academic institutes go hand in hand. You cannot call yourself an expert if you have all the experience in the world but lack a basic understanding of computer science.

There is concern within law enforcement, government and the private sector about the lack of consensus on a standardized approach to training courses and the lack of funds for research.

Defense lawyers have not been confident enough to challenge computer forensic findings, owing to a lack of understanding and basic knowledge of computers and of the benefits of instructing computer forensic experts when defending individuals charged with crimes involving computers.

As defense lawyers become more confident in challenging computer forensic findings, the prosecution success rate will change, and those of us working in the field of computer forensics are beginning to see the changes both in civil matters such as tort, breach of contract, defamation and employee disputes, and in criminal matters such as theft, criminal damage, drug-related offences and criminal offences concerning copyright and theft of intellectual property.

The development of one or more major multi-disciplinary research centres, following the model of the Center for Information Technology Research in the Interest of Society (CITRIS), is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort. It is recommended that the Research Councils take the lead in initiating discussions with Government, universities and industry with a view to the prompt establishment of an initial centre in the UK.
