Investigating Computer Crime
Professor Carsten Maple, University of Bedfordshire
8th February 2013
RCPsych Faculty of Forensic Psychiatry Annual Conference 2013

Why am I here?
Background
• Computer Scientist – applicable computing
• Co-author of the UK Security Breaches Report, supported by SOCA and PCeU
• A director of the National Centre for Cyberstalking Research

Definition of Computer Crime
We restrict our definition to where the computer:
• is a target of a criminal activity
• is a tool to commit a criminal activity
Some add that it:
• is a repository of either direct or circumstantial evidence of the crime
The term ‘cybercrime’ has gradually become a general synonym for computer crime, as has ‘e-crime’, defined as [+] ‘the use of networked computers or internet technology to commit or facilitate the commission of crime’. We will use computer crime in place of these definitions.
+ ACPO, The Association of Chief Police Officers of England, Wales and Northern Ireland, e-Crime strategy, http://www.acpo.police.uk/asp/policies/Data/Ecrime%20Strategy%20Website%20Version.pdf, 2009.

Types of Computer Crime
+ Ali Alkaabi et al, “Dealing with the Problem of Cybercrime”, Digital Forensics and Cyber Crime, 2nd International ICST Conference, ICDF2C 2010, Abu Dhabi, UAE, 2010.

Computer Crimes Against the Person
As a result victims suffer (not necessarily a complete list):
• Financial (theft of credentials through phishing, Trojans, hacking of customer databases)
• Scams (eBay bogus auctions, fake online shops, letters (Nigerian, Russian brides))
• Extortion (ransomware, personal data theft)
• Loss of Reputation
  – Impersonation (hacking of the victim’s email, Facebook, Twitter, etc.)
• Loss of Data (failed extortion scheme leading to destruction of data held as ‘hostage’)

Computer Crimes Against the Person… cont’d
Also suffer:
• Loss of Employment
• Loss of Freedom (victim’s IP address hijacked and used for criminal action, and the victim incarcerated)
• Loss of Physical Integrity (online predators)

Computer Crimes Against the Computer
As a result organisations suffer (again, some examples):
• Theft of Critical Data (intellectual property, customer base)
• Theft of Credentials (phishing/social engineering, Trojans, IT system hack)
• Paralysis of Production Tools (botnet DDoS, software vulnerability, compromise of SCADA)
• Loss of Reputation
  – Trust among users (loss of confidence, defacement of the company’s website)
• Financial Loss
  – Online Extortion (DDoS blackmail, loss of share value)

Financial Cost of Computer Crime
Financial costs include:
• Costs in anticipation of cybercrime
  – Physical and virtual security measures
  – Compliance (PCI DSS, etc.), insurance costs
• Costs as a consequence of cybercrime
  – Business continuity, disaster recovery
  – Commercial exploitation of IP
• Costs in response to cybercrime
  – Compensation payments to victims
  – Regulatory fines, legal costs
• Indirect costs associated with cybercrime
  – Reputational damage
  – Expansion of the underground economy
+ Cabinet Office, The cost of cyber-crime, A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, http://www.cabinetoffice.gov.uk/resourcelibrary/, 2011.

Financial Cost of Computer Crime… cont’d
+ Cabinet Office, The cost of cyber-crime, A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, http://www.cabinetoffice.gov.uk/resourcelibrary/, 2011.
Opportunities for Computer Crime
[4] Cabinet Office, The cost of cyber-crime, A Detica report in partnership with the Office of Cyber Security and Information Assurance in the Cabinet Office, http://www.cabinetoffice.gov.uk/resourcelibrary/, 2011.

UK Legislation
In the UK, most computer crime falls under offences covered by one of four pieces of law:
• Computer Misuse Act 1990
• Communications Act 2003
• Fraud Act 2006
• Regulation of Investigatory Powers Act 2000
Victims of computer crime are more often than not affected by at least one of the acts listed above.

Motives
The motives for computer crime:
• Financial Gain
• Extortion
• Reputation (Kudos)
• Revenge / Malicious Damage (disgruntled employee)
• Hacktivism / Sense of Justice (Anonymous, LulzSec)
• Cyber Warfare / Espionage (Stuxnet)
• Terrorism

Methods used in Computer Crime
The methods used in computer crime include:
• Use of available vulnerabilities (known weaknesses in software applications)
• Denial of Service (DoS) (flooding a system with more packets or requests than it can handle, so that it can no longer answer legitimate users)
• Back doors (also called ‘trap-doors’: hidden access routes left by programmers to reach a system quickly and easily by bypassing its security mechanisms)
• Logic bombs (code that stays inactive in a system until a specific date or event occurs)
• Malware (‘malicious software’: computer viruses, worms, Trojan horses, rootkits, key loggers, spyware, adware, etc.)
• Social Engineering (phishing, spoofing, tailgating, shoulder surfing, etc.)

Opportunities for Computer Crime
Cyberstalking example:
• Stalking existed before the development of the computer, the internet or the mobile phone.
• The motivation and techniques of stalkers have remained consistent over time.
• The tools stalkers use have changed over time.
• They exploit technology in ways never envisioned or intended by its creators [5]
  – Surveillance, tracking and eavesdropping with commonly used technology
  – Location tracking devices attached to the victim’s car
  – Social networking
  – Email communications

Cyberstalking in the UK – An Analysis of the ECHO Pilot Survey (2011) found that, of those who reported being stalked electronically:
• 83% were stalked through e-mail
• 35% through instant messaging
• 46% reported being stalked using a hidden camera to monitor their actions
• 10% reported that Global Positioning System (GPS) location tracking technology was used to monitor their location

How NCCR advises on Cyberstalking
• Prevention
• Motivation
• Means
• Impact
• Investigation

Types of attack
• Identity theft – controlling the victim’s credentials
• Posting false profiles
• Posing as the victim and attacking others
• Discrediting the victim in online communities
• Discrediting the victim in the workplace
• Direct threats through email/instant messaging
• Constructing websites targeting the victim
• Transferring the attack to the victim’s relatives
• Use of the victim’s image
• Provoking others to attack the victim
• Following the victim in cyberspace

Attribution
Attacker – Victim – Communication Medium

Challenges in Investigating Computer Crime
‘we will never have enough law enforcement to deal with the extent of cybercrime out there’ Charlie McMurdie, 2008 [+]
Technical challenges:
• Offenders can use software tools that do not require in-depth technical knowledge, e.g. BackTrack (port scanning), Cain and Abel (password cracking), etc.
• Attribution – difficulty in tracing offenders, who can hinder investigation by disguising their identity and employing anti-forensic techniques, e.g. TimeStomp (rewriting file timestamps), MAC address spoofing, etc.
• Few control instruments that can be utilised by law enforcement are available on the internet
• The technical proficiency of perpetrators often exceeds the capability of the victims and of law enforcement
Legal challenges:
• Legislation and procedures can differ across international jurisdictions
• A single crime scene can be compounded by the lack of any definitive jurisdiction or consistent global legislation
• No clear distinction between issues that are best dealt with through better regulation and those that require law enforcement action
+ McMurdie C, The e-crime gap, Police Professional, December 11, 2008

Computer Forensics Approach
Machine Learning Forensics
• Borrows techniques and technology from the computer security domain for computer forensics
• Log Analysis (use of data mining algorithms to search and correlate large log datasets)
• Mining Intrusion Detection Systems (IDS), which collect multiple event log data sources
Live Digital Forensics
• Gathering data from a system during operation: reveals open ports, active network connections, memory-resident malware, etc.
• Encrypted data could be unlocked, as the encryption key of a mounted volume is usually held in RAM while the system is running (and is lost once it is powered off, so the order of acquisition matters)
Distributed Digital Forensics
• Addresses the problem of imaging very large datasets and helps alleviate I/O bottlenecks
Email Forensics
Remote Forensics

Support for Successful Prosecution
The UK has been instrumental in the fight against computer crime nationally and internationally
ACPO (Association of Chief Police Officers)
• Leads the strategic and operational development of policing practice in England, Wales and Northern Ireland
PCeU (Police Central e-Crime Unit) *
• Investigates significant intrusions (‘hacking’), e.g.
  – Government, commercial and academic
• DoS, botnets, large-scale phishing
CEOP (Child Exploitation and Online Protection)
• Tackles the sexual abuse and exploitation of children and young people
• Virtual Global Taskforce (VGT)
  – Partnership approach between police, industry and academia

Case Studies – Good and Bad Computer Crime Investigations
Good – PCeU *
• Operation Pagode (investigation into an underground forum for cybercriminals; saved £84m ‘worth of harm’)
• Operation Dynamaphone (investigation into co-ordinated online banking fraud and phishing attacks; saved £5.5m ‘worth of harm’)
Bad – Norfolk Constabulary
• Operation Cabin + (‘botched’ investigation into the hacking of data from the Climatic Research Unit (CRU) at the University of East Anglia (UEA), nicknamed ‘Climategate’)
• Complex and costly investigation, involving the Met’s Counter Terrorism Command (CTC), the National Domestic Extremism Team (NDET), PCeU and consultants in online security
• Investigation team ‘lacked expertise and resources to identify perpetrators’
• Investigation started in 2009; the 3-year time limit for prosecution expired in 2012
* http://www.met.police.uk/pceu/
+ http://thinkprogress.org/climate/2012/07/19/546131/uk-police-cease-botched-investigation-into-stolen-uea-climate-scientists-emails/

Questions?
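The Challenges slide names TimeStomp as an anti-forensic technique: the attacker rewrites file timestamps so the timeline no longer points at the intrusion. An investigator still has leverage, because on NTFS each file carries two timestamp sets and user-mode tools can only rewrite one of them. The following is an added example (not code from the presentation) of the checks an examiner runs over parsed MFT records; the record layout, the field names and the four sample records are constructed for illustration.

```python
"""Heuristics for spotting timestamp tampering (anti-forensics such as
TimeStomp) on NTFS-style file records.  Added example, not code from the
presentation; the record layout and the sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class FileRecord:
    path: str
    mft_no: int            # MFT record number, allocated roughly in creation order
    si_created: datetime   # $STANDARD_INFORMATION: what SetFileTime() rewrites
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME: kernel-maintained, not reachable via the public API
    fn_modified: datetime


def timestomp_indicators(rec: FileRecord, acquired_at: datetime) -> list[str]:
    """Per-record heuristics; returns the names of the checks that fire."""
    hits = []
    # 1. $SI claims the file existed before the kernel wrote its $FN entry.
    #    User-mode tools only rewrite $SI, so backdating leaves $SI < $FN.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # 2. Whole-second $SI times beside sub-second $FN times: a time set from a
    #    "DD/MM/YYYY HH:MM:SS" string has a zero fraction; real NTFS writes do not.
    if (rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
            and (rec.fn_created.microsecond or rec.fn_modified.microsecond)):
        hits.append("si_subsecond_zeroed")
    # 3. Nothing on disk can post-date the acquisition.
    for field in ("si_created", "si_modified", "fn_created", "fn_modified"):
        if getattr(rec, field) > acquired_at:
            hits.append(f"{field}_in_future")
    return hits


def mft_sequence_outliers(records, max_gap: timedelta = timedelta(days=30)) -> list[str]:
    """Cross-record check for tampering that also rewrote $FN (raw disk writes):
    a record whose $FN creation time is far older than BOTH of its MFT
    neighbours was probably not allocated when it claims.  MFT slots are
    reused, so treat a hit as a lead, not proof."""
    ordered = sorted(records, key=lambda r: r.mft_no)
    return [cur.path for prev, cur, nxt in zip(ordered, ordered[1:], ordered[2:])
            if prev.fn_created - cur.fn_created > max_gap
            and nxt.fn_created - cur.fn_created > max_gap]


def scan(records, acquired_at: datetime) -> dict[str, list[str]]:
    """Combine both checks into one report keyed by path (records with findings only)."""
    report = {r.path: timestomp_indicators(r, acquired_at) for r in records}
    for path in mft_sequence_outliers(records):
        report[path].append("fn_created_outlier_in_mft_sequence")
    return {p: h for p, h in report.items() if h}


def _t(*parts):
    return datetime(*parts, tzinfo=UTC)


# Constructed sample: image acquired on 1 Feb 2013, four records from one volume.
ACQUIRED_AT = _t(2013, 2, 1, 9, 0)
SAMPLE = [
    # ordinary document: $SI and $FN agree, sub-second precision present
    FileRecord(r"C:\Users\alice\report.docx", 41200,
               _t(2012, 11, 5, 14, 23, 11, 123456), _t(2012, 11, 6, 9, 2, 44, 654321),
               _t(2012, 11, 5, 14, 23, 11, 123456), _t(2012, 11, 5, 14, 23, 11, 123456)),
    # copied file: modified < created is normal after a copy, so no finding
    FileRecord(r"C:\Users\alice\Downloads\setup.exe", 41201,
               _t(2012, 12, 1, 10, 0, 0, 500000), _t(2011, 3, 3, 8, 0, 0, 250000),
               _t(2012, 12, 1, 10, 0, 0, 500000), _t(2012, 12, 1, 10, 0, 0, 500000)),
    # raw-write tampering: $SI and $FN both backdated; only the MFT order gives it away
    FileRecord(r"C:\ProgramData\svc\cache.dat", 41202,
               _t(2009, 7, 14, 1, 15, 0), _t(2009, 7, 14, 1, 15, 0),
               _t(2009, 7, 14, 1, 15, 0), _t(2009, 7, 14, 1, 15, 0)),
    # SetFileTime-style stomp: $SI backdated to the OS install date, $FN untouched
    FileRecord(r"C:\Windows\System32\drivers\netfltr.sys", 41203,
               _t(2009, 7, 14, 1, 15, 0), _t(2009, 7, 14, 1, 15, 0),
               _t(2012, 12, 28, 23, 41, 7, 331201), _t(2012, 12, 28, 23, 41, 7, 331201)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE, ACQUIRED_AT).items():
        print(path, "->", ", ".join(findings))
```

The per-record checks catch the common case (a tool calling the public API), while the MFT-order check is the fallback for an attacker who wrote to the raw volume. Neither is proof on its own: a copied file legitimately has modified earlier than created, and MFT numbers are recycled, so every hit is a lead to be corroborated against other artefacts (USN journal, prefetch, event logs) rather than a conclusion.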
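The Computer Forensics Approach slide lists log analysis and mining IDS output as a way of correlating large, separate event sources. The following added example (not code from the presentation) shows the smallest useful version of that: two log sources parsed into a common shape, joined on source address within a time window, and reduced to the one pattern an investigator is looking for (a scanner alert followed by a burst of failed logins and then a success). The sshd-style lines, the pipe-delimited IDS export format and the signature names are all constructed for illustration.

```python
"""Correlating two log sources for one incident: SSH authentication events and
IDS alerts keyed by source address and joined within a time window.  Added
example, not code from the presentation; the log lines and formats below
are constructed (syslog-style sshd lines, pipe-delimited IDS export)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
IDS_RE = re.compile(r"^(\S+)\|(\S+)\|(\S+)\|(.*)$")   # time|src|dst|signature


def parse_auth(lines):
    """sshd lines -> dicts; anything that is not a password outcome is skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, _host, outcome, user, src = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "src": src,
                           "user": user, "outcome": outcome})
    return events


def parse_ids(lines):
    """IDS export lines -> dicts with the same 'time' and 'src' keys as auth events."""
    alerts = []
    for line in lines:
        m = IDS_RE.match(line)
        if m:
            ts, src, dst, sig = m.groups()
            alerts.append({"time": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "sig": sig})
    return alerts


def correlate(auth_events, ids_alerts, window=timedelta(minutes=10), min_failures=3):
    """Group both sources by source IP.  For each IDS alert, look at the auth
    events from the same IP within `window`; report it when there were at
    least `min_failures` failures and a later Accepted login (brute force
    that worked).  Returns one finding per qualifying alert."""
    by_src = defaultdict(lambda: {"auth": [], "ids": []})
    for e in auth_events:
        by_src[e["src"]]["auth"].append(e)
    for a in ids_alerts:
        by_src[a["src"]]["ids"].append(a)

    findings = []
    for src, d in by_src.items():
        for alert in d["ids"]:
            nearby = [e for e in d["auth"] if abs(e["time"] - alert["time"]) <= window]
            fails = [e for e in nearby if e["outcome"] == "Failed"]
            if len(fails) < min_failures:
                continue
            last_fail = max(f["time"] for f in fails)
            success = [e for e in nearby if e["outcome"] == "Accepted" and e["time"] > last_fail]
            if success:
                findings.append({"src": src, "signature": alert["sig"],
                                 "failures": len(fails),
                                 "compromised_user": success[0]["user"],
                                 "first": min(e["time"] for e in nearby),
                                 "last": success[0]["time"]})
    return findings


# Constructed sample logs (timestamps ISO 8601, one incident plus background noise).
AUTH_LOG = """\
2012-12-28T23:38:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
2012-12-28T23:38:05 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51030 ssh2
2012-12-28T23:38:09 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
2012-12-28T23:39:40 web01 sshd[2240]: Accepted password for backup from 203.0.113.45 port 51110 ssh2
2012-12-28T23:40:12 web01 sshd[2260]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
2012-12-28T23:41:07 web01 sshd[2262]: Failed password for bob from 192.0.2.10 port 40004 ssh2
""".splitlines()

IDS_LOG = """\
2012-12-28T23:37:55|203.0.113.45|198.51.100.7|SSH brute-force attempt
2012-12-28T23:45:00|198.51.100.22|198.51.100.7|Suspicious HTTP user-agent
""".splitlines()

if __name__ == "__main__":
    for f in correlate(parse_auth(AUTH_LOG), parse_ids(IDS_LOG)):
        print(f"{f['src']}: {f['signature']}; {f['failures']} failures then "
              f"login as {f['compromised_user']} ({f['first']} .. {f['last']})")
```

The point of the join is that neither source alone is conclusive: the IDS alert on its own is one of thousands of scans, and three failed logins followed by a success from one address could be a user mistyping. Together, within a window, they name the host, the account and the time interval that the disk and memory examination should concentrate on. On real volumes the same shape runs over a database or a columnar store rather than lists, but the keys (source, time window, outcome sequence) are the same.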
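The Live Digital Forensics bullet notes that encrypted data may be recoverable because the key sits in RAM while the volume is mounted. The mechanism that makes this practical is that software implementations keep not just the 16-byte AES key but its full expanded key schedule in memory, and the schedule is self-checking: every later word is a fixed function of earlier ones. A scanner can therefore try each offset as a candidate key and see whether the bytes that follow are what its expansion predicts, which is the approach of tools such as aeskeyfind. The following is an added example (not code from the presentation, not the deck's method) implementing that scan for AES-128; the "memory image" is constructed from deterministic filler with the FIPS-197 test key's schedule planted in it.

```python
"""Recovering an AES-128 key from a memory capture by scanning for its expanded
key schedule.  Added example, not code from the presentation; the 'memory
image' below is constructed, with the FIPS-197 A.1 test key's schedule
planted at a known offset in filler bytes."""


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list[int]:
    """Derive the S-box (multiplicative inverse, then the affine map) rather
    than typing 256 constants by hand."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for _ in range(4):                      # s = b ^ rotl1(b) ^ ... ^ rotl4(b)
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176                              # 11 round keys x 16 bytes


def _next_word(prev: bytes, four_back: bytes, i: int) -> bytes:
    """w[i] = w[i-4] ^ f(w[i-1]); f is RotWord/SubWord/Rcon on every 4th word."""
    t = list(prev)
    if i % 4 == 0:
        t = [SBOX[x] for x in t[1:] + t[:1]]
        t[0] ^= RCON[i // 4 - 1]
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def find_aes128_keys(image: bytes) -> list[tuple[int, bytes]]:
    """Slide a 16-byte window over the image; a real in-use key is followed in
    memory by the 160 bytes its expansion predicts.  Check only the first
    derived word before paying for a full expansion at each offset."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        if _next_word(cand[12:16], cand[0:4], 4) != image[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


# Constructed image: deterministic filler with one schedule planted at offset 1000.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
_filler = bytes((i * 131 + 7) & 0xFF for i in range(4096))
SAMPLE_IMAGE = _filler[:1000] + expand_key_128(FIPS_KEY) + _filler[1000:]

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

Two practical caveats for using this on a real capture. The schedule survives only as long as the volume is mounted and the machine is powered, which is why the deck's point about live acquisition matters: pull the plug and the key is gone (cold-boot recovery from residual DRAM charge narrows that window but does not remove it). And a scan over gigabytes needs the cheap pre-check shown here, or better a test on a few round-key words at once, because a full expansion at every byte offset is far too slow; real tools also tolerate a handful of bit errors from decaying memory, which this exact-match version does not.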