Digital Crime and Forensics
Project
Prashant Mahajan & Penelope Forbes
Table of Contents
1.0 Introduction
1.1 Definition of Digital Crime
2.0 Digital Crime
3.0 Conventional Crime versus Digital Crime
4.0 Evaluation of Forensics
5.0 Different Countries, Law Enforcement and Courts
6.0 New Trends in Cyber Crime and Law Enforcement
7.0 Conclusion
8.0 Appendix
1.0 Introduction
The prevalence of digital crime and the threat it poses to society have created a field of
investigation known as digital forensics. Specialists face complexities that parallel those of digital
crime, such as anonymity, opportunity, connectivity, borderless limitations and restricted legal
governance and penalties (Grabosky, 2007b). The purpose of this discussion paper is to analyse
the definition of digital crime, how it relates to conventional crimes and the issues facing
investigations. No longer are crimes purely physical, with geographical laws to determine whether the
act is illegal and punishable by law. With the advancement of technology, and the ambiguity that
follows it surrounding international definitions, holistic governance and procedures, criminals and their
techniques become a larger, more sophisticated threat for individuals, organisations and
government.
1.1 Definition of Digital Crime
The definition and aspects that constitute a digital crime are problematical. Society has
attempted to create a definition that encompasses all perspectives, however, due to multiple
jurisdictions and the technicalities of computerised crimes, a global definition has not been
accepted. The authors define cyber crime as any crime where a computer is a tool, target or
both (Grabosky, 2007b; Cowdery, 2008). This paper concentrates on digital crime as built from
numerous attacks such as malicious code, denial-of-service, and hacking (Australian Institute of
Criminology, 2011; Whitman & Mattord, 2012). These contribute to the peril of crime and threats
such as terrorism, identity theft, and compromises to intellectual property (Grabosky, 2007b).
Linked to these attacks and threats is the aftermath involving forensics. Digital forensics is the
science of acquiring, retrieving, preserving and presenting data that has been processed
electronically and stored on digital media (Australian Institute of Criminology, 2009). It is evident
that forensics has faced a continual battle of improving and adapting its specialty, to provide for
emerging digital crimes.
The ever-concerning issue of poor security practices and the inability of policy and practice
to align effectively contribute to this growing problem (Information Warfare Monitor, 2010).
From cloud computing with servers offshore to USB sticks for data storage, targets are becoming
more vulnerable and criminals are advancing on any opportunity that is presented. As such, from
the early days of computer crime to the inter-connected and multi-layered digital crimes of
today’s age, forensics and digital crime have had a close, yet controversial relationship.
2.0 Digital Crime
Despite the absence of a holistic or cemented definition of digital crime, consensus lies in the
idea of offences against computer data or systems. Consistent views include unauthorised access,
modification or impairment of a computer or digital system (Australian Institute of Criminology,
2011; Commonwealth Government, 2001). These crimes are offences against the confidentiality,
integrity and availability of computer data and systems (The Council of Europe, 2012; Whitman
et al, 2012). An example of a digitised attack is phishing: attempting to gain personal or
financial information by posing as a legitimate entity (Grabosky, 2007a; Whitman et al, 2012).
Similar attacks utilise the vulnerabilities that digitalisation creates, such as weak information
security policies, or reliance on information systems for the access and delivery of services.
Advances in society’s digital aspects, such as cloud computing and dependence on email
communication, inevitably lead to advances in the types and methods of crimes (Choo,
McCusker, & Smith, 2007). Although digitisation may appear to assist everyday tasks, anonymity
and connectivity are threatening structures. It is in these structures that vulnerabilities are targeted
(Information Warfare Monitor, 2010). Fast communication, ease of use, and no geographical
limitations in the world’s infrastructure are useful and positive things for society. Nevertheless,
with this come restricted legislation, obscurity and a connected and networked world, which are
taken advantage of by criminal minds (Choo et al, 2007).
There are cases that have altered the path and focus for forensics and law enforcement. When
major e-commerce sites such as eBay become victims of cyber attacks, it is in
the public domain and renders their services inaccessible and unavailable (Sandoval &
Wolverton, 2000; Williams, 2000). This case, along with similar cases such as the Estonia
denial-of-service attack, highlights that digital crimes are hard to defend against and investigate,
and affect a diverse range of individuals world-wide (Schreier, 2011; Australian Competition and Consumer
Commission, 2012). It is important to note that in these cases technology was the essential
ingredient to constitute these attacks.
3.0 Conventional Crime versus Digital Crime
A subject to consider is whether data was safer without digital influences. The paradoxical
argument of conventional methods of crime, such as theft via physical contact, versus digitally
based crimes, such as unauthorised access, is present in society. Some suggest that digital
techniques assist traditional methods, or, alternatively, some would agree that digital methods
surpass those crimes (Brenner, 2009; Smith, Grabosky & Urbas, 2004). The authors suppose that it
is an adaptation and addition to conventional crime. This is due to advancement through
instantaneous execution via unauthorised access, manipulation or harm to a computer system
(Libicki, 2009).
The progression with digitalisation means more discriminate, undetectable, and highly
detrimental techniques of crime (McQuade, 2006; Broadhurst, 2006). They are multifaceted and
adaptive to the needs of users. Every new application of digital technology that is created produces
a new digital method criminals can exploit (Grabosky, 2007b). In contrast to conventional brute
force attacks, where an intruder gains physical access to sensitive data, or rebel groups invade a
country, digital crime is sophisticated, and anonymous to an extent. There are no physical barriers
in the cyber-world and therefore there is an absence of violence and a presence of intellectual, skilled
technique (Taylor, 1999; Smith et al, 2004).
The authors consider that a concern is how to investigate and prosecute without evidence of
the exploitation (Libicki, 2009; Kanellis, 2006). Similarly, digital attacks aim at coercing or
intimidating, through destroying confidentiality of communications, reliability of systems and
services, and integrity of data (Stevens, 2009). The digital attacks give criminals ways to launch
their acts, and with lax laws, this means challenging investigations (Kanellis, 2006). The authors
state that digital crime contributes to more intricate and refined conventional crimes, and
consequently creates a need for more concrete forensic investigations.
4.0 Evaluation of Forensics
“Forensic Science is science exercised on behalf of the law in the just resolution of conflict”
(Thornton, 1997). The use of computer forensics occurs after an event with the purpose of
attempting to gain admissible evidence to prosecute; that is, it is a post-event response and the
damage has occurred (Rowlingston, 2004). Are criminals always one step ahead in the cat and
mouse game?
An identified issue is that organisations question whether investing in forensic investigation
is beneficial. Would it not be more effective to employ resources and money on prevention to stop
criminals rather than investigating and prosecuting, when the damage is already done? The authors
believe this is not the case. Forensic investigations are valuable to determine who committed a
crime, how it was committed, and potentially reduce the likelihood of a similar event occurring.
Investigation using forensics has the potential to reveal the culprit, limit damage and prevent
associated attacks occurring (Vacca, 2005).
Despite the aid of forensic evidence, the negatives must be considered to gain a holistic
approach to digital crime and forensics. Faults with staffing are a damaging problem. Failures relate
to untrained and unqualified staff, along with being unprepared for preservation of evidence (New
York Computer Forensic Services, 2012). Due to delicate procedures it must be ensured that the
team is aware of not only technological skill, but also overarching trends in digital crime. For
example, theoretically, imaging tools do a bit-for-bit image of the entire hard drive. Realistically,
however, they only access the 'user accessible area' and not the service area. This area is the
location where the hard drive's ROM and data like SMART, which is used for the
functionality, are stored (Shipley & Door, 2012). Criminals may store data here knowing it is typically not
transferred. It is imperative, in the writers’ judgment, that digital forensic investigators are
experienced and aware of concerning affairs such as these. Having proficient investigators
fosters an understanding of other problems with forensics, such as Cloud Computing.
Digital forensics is difficult when the authority over physical storage media is absent.
Credentials are required to acquire Cloud Computing data and this issue will be discussed in detail
shortly. In the Cloud, deletion means indefinitely deleted. Having information stored on an external
server without any protection via a legal system means that not only are the end-users experiencing
privacy and ownership issues, but investigators must be networked to ensure they can access the
data. However, aside from this undesirable interpretation, the portable devices used to access Cloud
data tend to store abundant information to construct a case (Ball, 2011). Though handhelds are
trickier to acquire, they reveal most of the required information needed to obtain evidence.
Following these matters, the authors analysed further problems with digital forensics such as
strengths in encryption, the intricacy of anti-forensics and networked environments. It is apparent
that digital forensics has areas of vulnerability. However, the authors believe that with firm procedures
such as those previously discussed, and the establishment of international agreement and
implementation of legislation, digital forensics will become an active tool in reducing the effect of
cyber criminals.
5.0 Different Countries, Law Enforcement and Courts
The difficulty politicians and law enforcement face in agreeing on not only definitions of
crimes committed but also the policy and governance around the digital world is significantly
evident (Broadhurst, 2006; Information Warfare Monitor, 2010). The absence of a holistic, mutual
and world-wide accepted ruling on digital methods of crime produces an inability for countries to
effectively govern and restrict the access, use and manipulation of data (Cowdery, 2008). Efforts to
secure the borderless, multilayered cyber-space are reactive rather than proactive. Accordingly, the
authors suggest a solution is a global governing body that produces standards and policies, along
with enforcing the implementation of stringent legislation.
The Council of Europe (COE) Convention on CyberCrime was the initial international treaty
seeking to address computer crimes by harmonising law, improving investigative techniques and
increasing cooperation among nations. The COE believes that digitalisation and continuing globalisation
produce the need for unity and mutual agreement on the matter (The Council of Europe, 2012;
Broadhurst, 2006). Similarly, the United Nations Convention against Transnational Organised
Crime has indirectly targeted digital crime (United Nations, 2012). The United Nations could not
agree upon the COE convention and did not sign this. These internationally recognised bodies have
attempted to create a scope for agreement and cross-border cooperation; however, neither has
been successful. The authors believe that these bodies have documented a basic impetus for
recognition of cyber crime, however, it is not simply a task for world leaders to take a stance on
digital crime, but a task for society to support the efforts that are required by politicians and
technical specialists to reduce the impact these crimes have (Broadhurst, 2006).
In addition to recognition, the dependence courts and law enforcement have on the admissibility and
weight of digital evidence depends on the country in which the digital evidence is
collected. This is the important relationship between digital crime and forensics. Diverse
jurisdictions have various admissibility rules, some of which are flexible and adapt to the situation,
some of which are formal and rigid (Kanellis et al, 2006; Grabosky, 2007a). Moreover, continuity
of evidence when dealing with networked crimes is another controversial factor.
Digital data or evidence can be unreliable. It is volatile, susceptible to manipulation and
ephemeral in nature (Chaikin, 2007). Data can be altered and this alteration can be impossible to
detect (Kanellis et al 2006). Unlike conventional evidence such as witness recollection, digital
evidence can be perceived as wholesome and highly ingenuous, which is a misconception.
Similarly, conventional evidence was scrutinised and determined true or false by experts. However,
only an expert with the right expertise and tools can identify altered digital data. Therefore,
reliance in courts on digital evidence is significantly lessened. The authors suggest that all parties to
a court case should have knowledge of the risks and limitations of digital evidence and forensics.
That is, prosecutors, lawyers, judges and juries should be aware that digital evidence may not be
evidence at all and should be viewed as risk-associated (Kanellis et al 2006). Another
issue with digital evidence consistency is geographical complications.
A major issue for jurisdictions is that in order to use digital evidence in court, a legitimate
warrant in the corresponding jurisdiction is essential for admissibility (Broadhurst, 2006). This
flows on from the issue discussed earlier of such a networked and interconnected cyber-world.
Inevitably, criminals will network, recruit and associate with individuals from other areas and
when, for example, law enforcement is required to gather evidence of an international organised
crime group, digital evidence may be limited.
The authors conclude that when evaluating digital evidence in diverse jurisdictions there
must be clear operational procedures, consistent education, training and awareness, and understood
policies on how this is collected and used. There is a necessity for international resolution that
contributes several approaches to the problem. Data sharing across geographical boundaries via
digital methods requires limitations and common mechanisms, with procedures to guide it
(Grabosky, 2007a). Similarly, each country needs enforced and publicised policy creating a domain
for acceptance and understanding of the risks and security approaches.
The view to be accepted for successful cross-national acceptance is legislative harmony,
policies and frameworks for law enforcement, and the capacity, technology and skills to investigate
and prosecute (Grabosky, 2007b). The authors strongly trust that approaches taken by bodies such
as COE are a paramount step towards international legal and technical weapons against cyber
criminals. However, it is just that, a first step. As criminal networks become stronger and
interconnected, networks between policing and governmental bodies are required to enforce a
global response against digital crime. This global agreement is needed due to new threats emerging
and the convolutions that come with law enforcement having to respond.
6.0 New Trends in Cyber Crime and Law Enforcement
As a final examination of cyber crimes and digital forensics, the authors briefly evaluated the
emerging trends criminals are inventing. Common emerging trends include botnets, targeted
attacks, organised crime and hacktivism (PricewaterhouseCoopers, 2012). For example, the
distributed nature of botnets, in which compromised computers are utilised to dispense
large-scale transmissions, is concerning because of the threat to individuals and the effortlessness this
provides criminals (Search Security, 2012a). For perspective, the impact this new trend has placed on
law enforcement and society is illustrated by the MAC Botnet that compromised 600,000 plus systems
(Wisniewski, 2012). Trends such as this and the rise of mobile malware relate to advancement in
technology assisting digital crimes and adapting conventional crimes.
In addition, technology has assisted crimes in becoming a collaborated tool with other
methods. Targeted attacks and organised crime fall in this category, as multiple methods of
committing crimes become powerful attacks. An example occurred for Google in 2010 when the
corporate infrastructure and intellectual property were threatened by a targeted attack (Drummond,
2010). This demonstrated how a single security incident can lead to further, more
detrimental attacks, in which digital forensics plays a part to determine who is attacking, how they
are attacking, and how to potentially stop this. Lastly, an emerging threat from cyber criminals is
hacktivism, whereby for the purpose of a political or social disruption an individual hacks into a
system, bringing attention to an issue (Search Security, 2012b). As the authors discovered the new
criminal trends, we proposed some resolutions to these.
As discussed, collaboration between agencies will reduce the impact and pace of criminals
(Australian Crime Commission, 2012; Cowdery, 2008). For example, Microsoft seized the Zeus
Servers in their Anti-Botnet Rampage (Zetter, 2012). The authors suggest that, in addition to
collaboration globally, development in tools and techniques is required through agencies enforcing
information sharing (Australian Crime Commission, 2012; Cowdery, 2008). It is important that the
common themes of this paper, such as the need for a global definition, multi-national collaboration
in regard to investigative techniques and procedures, and lastly, holistic legislation, are reflected in
the combat against new trends, and the adaptation of conventional crimes.
7.0 Conclusion
In conclusion, as we have discussed, digital crimes are a relevant, threatening aspect of
information security. Digital forensics is similarly an emerging field of investigative tools that is
imperative for the effective prosecution in the cyber-world. The authors suggest this paper has
evaluated how digital crimes contribute to conventional crimes and the negative consequences of
the digitised world infrastructure. Forensics has some faults that associate with the complexities of
digital crime, however, with more effective procedures alongside international recognition and
legislation, the cat and mouse game will soon come to a closer match than ever before.
8.0 Appendix
Computer forensics activities commonly include five stages, which ensure that digital crimes are
investigated correctly. Initially, identification is the point of contact for forensic investigators and a
crime scene. The purpose is to identify the evidence, determine types of information available, and
how to recover or retrieve the suspect data, via various computer forensic tools and software suites.
From here, the acquisition phase is entered, whereby the computer data is secured physically or
remotely. Obtaining possession of the computer, network mappings from the system, and external
physical storage devices are involved in this stage. Once the data is collected, the next stage aims at
preserving the evidence with the least amount of change possible (Vacca, 2005). This is in order to
account for change and maintain the chain of custody. It is during these first stages that the data is
most fragile, as it may be in a susceptible and vulnerable area, insecure with the chance of manipulation or
destruction.
The stages that follow, however, are as important because the evidence must be presented in a
clear and concise manner (National Computer Forensic Institute, 2009). The analysis phase involves
extracting, processing, and interpreting the data to determine details such as origin and content. This
evaluation is crucial to determine if and how it could be used for prosecution in court. Lastly,
presentation is a final significant stage for forensic investigators (Vacca, 2005). Because evidence
is accepted in court on presentation aspects, such as manner of presentation, presenter
qualifications and credibility of the processes used to preserve and analyse evidence, stringent and
thorough procedures must be recognised in this process.
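The preservation stage and chain of custody described above can be made checkable in software. The following is an added example, not part of the original paper: it hashes an acquired image at acquisition and records each later stage in a hash-chained custody log, so that a change to either the image or a log record is detected. The function names, actors, timestamps and sample image are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # "previous digest" used by the first log entry
FIELDS = ("seq", "stage", "actor", "timestamp", "evidence_sha256", "prev")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_digest(entry):
    """Digest over the entry's fields, including the previous entry's digest."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, stage, actor, timestamp, image_path):
    """Record one custody event; the image is re-hashed at every hand-over."""
    entry = {
        "seq": len(log),
        "stage": stage,
        "actor": actor,
        "timestamp": timestamp,
        "evidence_sha256": sha256_file(image_path),
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log, image_path=None):
    """Return a list of findings; an empty list means log and image are intact."""
    findings = []
    prev = GENESIS
    baseline = log[0]["evidence_sha256"] if log else None
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            findings.append(f"entry {i}: chain link broken")
        if entry_digest(e) != e["digest"]:
            findings.append(f"entry {i}: record altered after logging")
        if e["evidence_sha256"] != baseline:
            findings.append(f"entry {i}: evidence hash differs from acquisition hash")
        prev = e["digest"]
    if image_path is not None and log and sha256_file(image_path) != baseline:
        findings.append("image on disk no longer matches acquisition hash")
    return findings


def demo():
    """Run the stages on a constructed sample image, then tamper twice."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.img")
        with open(img, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE IMAGE\x00" * 4096)
        log = []
        append_entry(log, "acquisition", "examiner-a", "2012-05-20T09:00:00Z", img)
        append_entry(log, "preservation", "custodian-b", "2012-05-20T11:30:00Z", img)
        append_entry(log, "analysis", "examiner-a", "2012-05-21T10:00:00Z", img)
        clean = verify(log, img)
        # Case 1: a custody record is edited after the fact.
        forged = [dict(e) for e in log]
        forged[1]["actor"] = "someone-else"
        log_findings = verify(forged, img)
        # Case 2: a single byte of the preserved image changes.
        with open(img, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        image_findings = verify(log, img)
        return clean, log_findings, image_findings


if __name__ == "__main__":
    for label, result in zip(("clean", "forged log", "altered image"), demo()):
        print(label, "->", result or "no findings")
```

A hash chain held in one place can be rewritten end to end, so the last digest needs to be recorded or signed somewhere the custodian of the log cannot alter.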
References
Australian Competition and Consumer Commission. (2012) Nigerian 419 Scams. Retrieved 10th May,
2012, from http://www.scamwatch.gov.au/content/index.phtml/tag/nigerian419scams
Australian Crime Commission. (2012) The Response to Organised Crime In Australia. Retrieved 20th
May, 2012, from
http://www.crimecommission.gov.au/publications/crime-profile-series-fact-sheet/response-to-organised-crime-australia
Australian Institute of Criminology. (2009) What is Forensic Computing? Trends and Issues in Criminal
Justice, 118. Retrieved 22nd May, 2012, from
http://aic.gov.au/documents/9/C/A/%7B9CA41AE8-EADB-4BBF-9894-64E0DF87BDF7%7Dti118.pdf
Australian Institute of Criminology. (2011) CyberCrime: Definitions and General Information. Retrieved
5th May 2012, from http://www.aic.gov.au/crime_types/cybercrime/definitions.aspx
Ball, C. (2011) The End of Digital Forensics? Retrieved 20th May, 2012, from
http://forensicfocus.blogspot.com.au/2011/03/end-of-digital-forensics.html
Brenner, S. (2009) Crime Vs Cybercrime: Is the Law Adequate? Retrieved 13th May, 2012, from
http://www.circleid.com/posts/20050506_crime_vs_cybercrime_is_law_adequate
Broadhurst, R. (2006) Developments in the Global Law Enforcement of Cyber-Crime. Policing: An
International Journal of Police Strategies and Management, 29, 408-433.
Chaikin, D. (2007) Network Investigations of Cyber Attack: The Limits of Digital Evidence. Crime Law
Society Change, 46, 239-256.
Choo, K., McCusker, R., & Smith, R. (2007) The Future of Technology-Enabled Crime in Australia.
Trends and Issues in Criminal Justice, 341, 1-6.
Chow, K. P., & Shenoi, S. (Eds) (2010) Advances in Digital Forensics VI. Laxenburg, Austria:
International Federation for Information Processing.
Commonwealth Government. (2001) Cyber Crime Act 2001. Retrieved 12th May 2012, from
http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001112/sch1.html
Cowdery, N. (2008) Emerging Trends in Cyber Crime. New Technologies in Crime and Prosecution:
Challenges and Opportunities. 13th Annual Conference. Retrieved 10th May, 2012, from
http://www.odpp.nsw.gov.au/speeches/IAP%20-%2013th%20Annual%20Conference%20-%20New%20Technologies.pdf
Drummond, D. (2010) A New Approach To China. Google: Official Blog. Retrieved 19th May, 2012,
from http://googleblog.blogspot.com.au/2010/01/new-approach-to-china.html
Grabosky, P. (2007a) Requirements of Prosecution Services to Deal with Cyber Crime. Crime Law
Society Change, 47, 201-223.
Grabosky, P. (2007b) The Internet, Technology, and Organised Crime. Asian Criminology, 2, 145-161.
Information Warfare Monitor & Shadowserver Foundation. (2010) Shadows in the Cloud (White Paper).
Retrieved 5th May, 2012, from http://www.nartv.org/mirror/shadows-in-the-cloud.pdf
Kanellis, P., Kiountouzis, E., Kolokotronis, N., & Martakos, D. (2006) Digital Crime and Forensic
Science in Cyberspace. Vancouver: Idea Group Inc.
Libicki, M. (2009). Cyberdeterrence and Cyberwar. California: Rand Corporation.
McQuade, S. (2006). Understanding and Managing Cybercrime. Massachusetts: Pearson Education.
National Computer Forensic Institute. (2009) Network Intrusion Responder Program. Retrieved 22nd
May, 2012, from http://publicintelligence.info/NITROstudentV2.pdf
New York Computer Forensic Services. (2012) Common Mistakes Made During a Computer Forensic
Analysis. Retrieved 20th May, 2012, from
http://www.newyorkcomputerforensics.com/learn/common_mistakes.php
PricewaterhouseCoopers. (2012) CyberCrime: Protecting Against The Growing Threat. Events and
Trends, 256.
Rowlingston, R. (2004) A Ten Step Process for Forensic Readiness. International Journal of Digital
Evidence, 2, 3.
Sandoval, G., & Wolverton, T. (2000) Leading Web Sites Under Attack. Retrieved 11th May, 2012, from
http://news.cnet.com/2100-1017-236683.html
Schreier, J. (2011) PlayStation Network Hack Leaves Credit Card Info At Risk. Retrieved 13th May,
2012, from http://www.wired.com/gamelife/2011/04/playstation-network-hacked/
Search Security. (2012a) Botnet: Zombie Army. Retrieved 20th May, 2012, from
http://searchsecurity.techtarget.com/definition/botnet
Search Security. (2012b) Hacktivism. Retrieved 20th May, 2012, from
http://searchsecurity.techtarget.com/definition/hacktivism
Shipley, T., & Door, B. (2012) Forensic Imaging of Hard Disk Drives- What We Thought We Knew
Viewed. Retrieved 5th May, 2012, from
http://articles.forensicfocus.com/2012/01/27/forensic-imaging-of-hard-disk-drives-what-we-thought-we-knew-2/
Smith, R., Grabosky, P., & Urbas, G. (2004) Cyber Criminals on Trial. New York: Cambridge University
Press
Stevens, S. (2009). Internet war crimes tribunals and security in an interconnected world. Transnational
Law and Contemporary Problems, 18(3), 657-709.
Taylor, P. (1999) Hackers: Crime in the Digital Sublime. Sussex, UK: Psychology Press
The Council of Europe (2012) Convention on Cybercrime. Retrieved 12th May 2012, from
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
Thornton, J. (1997) The General Assumptions And Rationale Of Forensic Identification In Modern
Scientific Evidence: The Law And Science Of Expert Testimony. St. Paul: West Publishing Co
United Nations. (2012) United Nations Convention against Transnational Organized Crime and the
Protocols Thereto. Retrieved 21st May, 2012, from http://www.unodc.org/unodc/en/treaties/CTOC/
Vacca, J. (2005) Computer Forensics - Computer Crime Scene Investigation. Massachusetts: Charles
River Media, Inc
Whitman, M. E., & Mattord, H. J. (2012) Principles of Information Security. Melbourne, Victoria:
Cengage Learning.
Williams, M. (2000) EBay, Amazon, Buy.com Hit By Attacks: Network World Fusion. Retrieved 13th
May, 2012, from http://www.networkworld.com/news/2000/0209attack.html
Wisniewski, C. (2012) 600,000+ Macs Are In This Botnet, Including 247 in Cupertino. Naked Security.
Retrieved 19th May, 2012, from
http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/
Zetter, K. (2012) Microsoft Seizes ZeuS Servers in Anti-Botnet Rampage. Retrieved 18th May, 2012, from
http://www.wired.com/threatlevel/2012/03/microsoft-botnet-takedown/