Computer crime talk takeaways

The US Congress started contemplating computer crime laws in 1970 but only enacted them in 1986.

Phreaking was the first hack. It happened in the US, proving its superiority at the time. Nowadays hacking comes from Russia. Is this the emerging superpower?

A criminal offence requires both will and action. An involuntary act is not a criminal act.

Traditional trace evidence

Once it is evident that a criminal offence has taken place, stop the investigation and hand over to the police. They use data blockers (write blockers) when accessing a disk so that nothing can be written to it. Devices are first placed in an uncontaminated quarantine area, then labelled, registered and clearly marked. The system used to analyse or copy the disk must have its registry checked and an AV scan run, with everything logged accordingly.

Poisoned tree concept (the "fruit of the poisonous tree"): contamination moves down from the seed. The defence will always use contamination to cast doubt on the evidence. If there is the slightest doubt it favours the accused, and that evidence is thrown out.

There is no inherent link between a computer or mobile and the person using it; one must exclude beyond all doubt that anyone other than the accused was the person using the device.

Even digital signatures are not good enough, since one can claim that someone else had access to the device where the signature is stored.

The Twin Towers attackers went under the radar by sharing a Gmail account and leaving messages as drafts, never sending them, so there was no matching record of a sent email. To date this is the only such occurrence in electronic cases.

In Malta we have the (British-adopted) concept of the criminal electronic environment, which includes the perpetrators and the devices.

Using backups for examination is good practice since it causes the least disruption to the business. Of course this is not the best option.

Data blockers can cost as little as two hundred dollars.

Record as much detail as possible about the disk (manufacturer etc.) to prevent future failures from
Document all processes.
EnCase is very good software but expensive. If you cannot afford it, use a free alternative, but only licensed software, to avoid worms corrupting the data or compromising the reliability of the outcome.
Use only licensed and official software sources so that the defence cannot call the evidence into question.
Do not carry out analyses on a trial-and-error basis.

Conclude on the evidence but do not offer any opinion.
Work in pairs and sign the logs together.
Once you find evidence, stop. Do not attempt to overdo it.

Once you establish a fact, you take control of the evidence. The disk cannot be accessed and must be labelled, signed etc. until handed to the police.

In any investigation the burden of proving facts lies on the prosecution.
Once you prove one fact, stop there. In Maltese law, ten or a hundred cases make no difference to the significance of the infringement.
The magistrate is an IT layperson, so keep the analysis simple.
Be concise and objective.
Never suppose or assume. Be sure beyond any doubt.
Use paid software so that a virus infection from a free download site cannot become a point of attack.
If meeting the person concerned, keep minutes, and both of you need to sign them.

Keep proof that you had a plan for how to investigate. Ensure you can prove you worked in a structured manner; this again helps prevent contamination being a source of doubt.
Report objectively on findings.
If you identify a suspect, remember you are not law enforcement.
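As an added illustration (not part of the talk or of these notes) of what "document all processes", "work in pairs and sign the logs together" and the intake steps above look like in practice, here is a hash-chained evidence register in Python. Hash-chaining the entries so that a later edit is detectable goes beyond what the notes describe; the exhibit name, examiner names and timestamps are constructed placeholders.

```python
import hashlib
import json
GENESIS = "0" * 64  # constructed anchor value for the first entry's prev_hash

def _digest(record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))  # canonical JSON
    return hashlib.sha256(body.encode()).hexdigest()

def append_entry(log, action, examiners, details, when):
    """Add one step to the register; two examiners must co-sign each step."""
    if len(examiners) < 2:
        raise ValueError("each entry needs two co-signing examiners")
    entry = {
        "timestamp": when,  # ISO-8601 string supplied by the caller
        "action": action,
        "examiners": sorted(examiners),
        "details": details,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)  # hash covers prev_hash, linking the chain
    log.append(entry)
    return entry

def verify_log(log):
    """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, None

def build_sample_log():
    """Constructed sample: the intake steps from the notes, recorded in order."""
    log, pair = [], ["examiner A", "examiner B"]  # placeholder names
    t = ["2024-01-01T09:%02d:00+00:00" % m for m in (0, 5, 30, 45)]  # constructed times
    append_entry(log, "quarantine", pair, {"area": "uncontaminated store"}, t[0])
    append_entry(log, "label_register", pair, {"item": "EXHIBIT-001", "serial": "(serial)"}, t[1])
    append_entry(log, "workstation_check", pair, {"registry_checked": True, "av_scan": "clean"}, t[2])
    append_entry(log, "copy_via_write_blocker", pair, {"blocker_used": True}, t[3])
    return log

def tampered_copy(log):
    """Simulate an after-the-fact edit of an earlier entry, which the chain must expose."""
    copy = json.loads(json.dumps(log))  # deep copy
    copy[1]["details"]["serial"] = "(changed later)"
    return copy
```

Every entry names both examiners and the previous entry's hash, so the register can only be extended at the end, and verify_log points at the first entry whose contents no longer match.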
