
Computer forensics turns strategic

By Jacob Nthoiwa, ITWeb journalist.
Johannesburg, 13 May 2011

The duties of a computer crime scene investigator (CCSI) have evolved to keep up with the nature of crimes.

This is according to Jacques Malan, director of Facts Consulting, who spoke at the sixth annual ITWeb Summit in Sandton this week.

He gave the attendees a glimpse of what types of investigations a CCSI carries out and described how information security principles are the cornerstone of successful investigation and prosecution.

Malan said the role of a CCSI has evolved to a point of developing pro-active measures and strategies for a crime investigation.

“One has to know that cyber crime is not just about hackers using the computer as a tool of the crime,” he pointed out. The perpetrators include white-collar criminals, computer con artists, hackers, terrorists and network attackers.

Malan said security breaches have different motives such as industrial espionage, sabotage as well as terrorist-related activity. An investigator “should have the ability to think like the criminal, it is an important element of good crime detection”.

The investigations, he said, are usually complex, for example doing forensics on malware attacks that were not detected by the anti-virus vendors. “This often includes investigations of identity theft and Internet-based tracing of communications.”

This may also include investigating application developers. “Bright people usually become disgruntled employees and in some cases decide to put something into the code that compromises the company.”

According to Malan, in a cyber crime investigation, CCSIs should extract electronic evidence in support of a criminal or civil case.

“We usually carry out fraud or corruption investigations, company resource misuse or abuse investigations and theft of intellectual property investigations.”

In the lab

When carrying out an investigation, a company should start with an assessment, he said. “We make sure it's a security incident, and not something like a misconfiguration or testing. Sometimes we stumble upon a separate breach while investigating.

“We then do a containment if we find it is a security breach,” he explained. “We get together with the legal and operations teams and strategise.”

Here there is a fine balance between taking systems offline to preserve evidence and keeping the company online, he said. “To do this, we have had to evolve technology to get forensic images from live systems because it's no longer viable to shut down systems.”

Malan said a CCSI also does eradication once the bug has been contained. “There's often no easy information about what the findings are. We sometimes have to reverse engineer to figure that out.”

Then there is a need to understand what a bug does, how it operates, and where it came from. “Based on that, we can look further to find variants on other machines. To get more information, we have to dissect code and strip it apart,” he said.

A CCSI also does recovery and sometimes has to rebuild the system from scratch, he pointed out.
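The live-acquisition point above is the one that most often decides whether evidence survives a court challenge: an image taken from a running system is only useful if its integrity can be demonstrated later. The script below is an added example, not code from the article or from Facts Consulting; it shows the minimum a practitioner records at acquisition time. It images a source with dd, hashes source and image with SHA-256, writes an acquisition log with timestamps, and can re-verify a stored image against the logged hash afterwards. The paths, the 1 MiB constructed "disk" file used in place of a real device, and the log format are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ITWeb article or Facts Consulting): acquire a
# forensic image from a source device or file, hash source and image, and
# keep an acquisition log that a later verification can be checked against.
# All paths and the log layout are assumptions for this example.

set -eu

# sha256 FILE: print the SHA-256 hex digest using whichever tool the host has.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE DEST LOG
# Copies SOURCE to DEST with dd, hashes both, appends the result to LOG.
# Returns 0 when the two hashes match and 1 when they do not.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # conv=noerror,sync keeps reading past unreadable sectors and pads them
    # with zeros, so a bad block does not abort acquisition of a live system.
    dd if="$src" of="$dest" bs=4k conv=noerror,sync 2>/dev/null
    src_hash=$(sha256 "$src")
    img_hash=$(sha256 "$dest")
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    {
        echo "source=$src"
        echo "image=$dest"
        echo "started=$start finished=$end"
        echo "sha256_source=$src_hash"
        echo "sha256_image=$img_hash"
    } >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified=true" >> "$log"
        return 0
    fi
    echo "verified=false" >> "$log"
    return 1
}

# verify_image IMAGE LOG: re-hash a stored image and compare it with the hash
# recorded at acquisition time; this is the check an opposing expert will ask for.
verify_image() {
    image="$1"; log="$2"
    recorded=$(grep '^sha256_image=' "$log" | tail -n 1 | cut -d= -f2)
    [ "$(sha256 "$image")" = "$recorded" ]
}

# Demonstration on a constructed 1 MiB "disk" file rather than a real device
# such as /dev/sda (assumption: the caller can read the source).
demo_dir=$(mktemp -d)
head -c 1048576 /dev/urandom > "$demo_dir/disk.raw"
acquire_image "$demo_dir/disk.raw" "$demo_dir/disk.img" "$demo_dir/acquisition.log"
verify_image "$demo_dir/disk.img" "$demo_dir/acquisition.log" && echo "image verified"
```

One caveat follows directly from the article's point about live systems: if the source is a mounted, changing volume, the source hash taken after the copy may legitimately differ from the image hash, because the device moved on while dd was reading it. That is why the log keeps both hashes and the timestamps, and why the image hash, not the source hash, is what is verified later. Where a quiescent source is available (an unmounted device behind a write-blocker, or a storage snapshot), the two hashes should agree and `verified=true` is the expected entry.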

Complex profession

Malan said in most cases investigations are carried out in an environment where there are lawyers, accountants and technical people.

“This is not easy because these experts speak a different language. As investigators, we have to find a way to communicate this information across all these different professions.”

A major challenge for a technical team, from both a technical and a legal point of view, is the delicate balance between preservation and extraction of evidence when carrying out an investigation, he said.

“As a CCSI, one has to learn the legal as well as business concepts and understand the protocols.”

It is still difficult for a CCSI to carry out investigations because the legalities are still not clear, he said.

“Investigators have to come to their full right; in this domain we are in uncharted waters and the legal ponds are still very murky,” he said.

Malan warned that hi-tech criminals are a reality and they are everywhere. He recommended that if an organisation works with money, technology and people it would need an incident handling plan and investigation readiness.

When things go wrong, information security best practices will help you identify, contain and eradicate the threat as efficiently as possible. They will also support successful identification and prosecution of the identified perpetrators, he advised.
