A classroom-tested introduction to cyber investigations with real-life examples included
Cyber Investigations provides an introduction to the topic, an overview of the investigation process applied to cyber investigations, a review of legal aspects of cyber investigations, a review of Internet forensics and open-source intelligence, a research-based chapter on anonymization, and a deep dive into multimedia forensics. The content is structured in a consistent manner, with an emphasis on accessibility for students of computer science, information security, law enforcement, and military disciplines.
To aid in reader comprehension and seamless assimilation of the material, real-life examples and student exercises are provided throughout, as well as an Educational Guide for both teachers and students. The material has been classroom-tested and is a perfect fit for most learning environments.
Written by a highly experienced author team with backgrounds in law enforcement, academic research, and industry, sample topics covered in Cyber Investigations include:
- The cyber investigation process, including developing an integrated framework for cyber investigations and principles for the integrated cyber investigation process (ICIP)
- Cyber investigation law, including reasonable grounds to open a criminal cyber investigation and general conditions for privacy-invasive cyber investigation methods
- Perspectives of internet and cryptocurrency investigations, including examples like the proxy seller, the scammer, and the disgruntled employee
- Internet of things (IoT) investigations, including types of events leading to IoT investigations and new forensic challenges in the field
- Multimedia forensics, which facilitates the understanding of the role of multimedia in investigations, including how to leverage similarity matching, content-based tracing, and media metadata
- Anonymization networks, which discusses how such networks work and how they impact investigations. It addresses aspects of tracing, monitoring, evidence acquisition, de-anonymization, and large investigations
Based on research, teaching material, experiences, and student feedback over several years, Cyber Investigations is ideal for all students and professionals in the cybersecurity industry, providing comprehensive subject coverage from faculty, associates, and former students of cyber security and digital forensics at the Norwegian University of Science and Technology (NTNU).
Table of Contents
1 INTRODUCTION 1
1.1 INTRODUCTION 1
1.2 CYBERCRIME AND CYBERSECURITY 2
1.2.1 Cybercrime 2
1.2.2 Cybercriminals and Threat Actors 2
1.2.3 Cybersecurity 3
1.2.4 Threat Modeling - Cyber Kill Chain and MITRE ATT&CK 4
1.3 CYBER INVESTIGATIONS 5
1.3.1 Digital Forensics 5
1.3.2 Digital Evidence 5
1.3.3 Attribution 6
1.3.4 Cyber Threat Intelligence 6
1.3.5 Open-Source Intelligence (OSINT) 7
1.3.6 Operational Avalanche - A Real-World Example 7
1.4 CHALLENGES IN CYBER INVESTIGATIONS 8
1.5 FURTHER READING 10
1.6 CHAPTER OVERVIEW 10
1.7 COMMENTS ON CITATION AND NOTATION 11
1.8 EXERCISES 11
2 CYBER INVESTIGATION PROCESS 13
2.1 INTRODUCTION 13
2.2 INVESTIGATION AS INFORMATION WORK 14
2.3 DEVELOPING AN INTEGRATED FRAMEWORK FOR CYBER INVESTIGATIONS 15
2.4 PRINCIPLES FOR THE INTEGRATED CYBER INVESTIGATION PROCESS (ICIP) 18
2.4.1 Procedure and policy 18
2.4.2 Planning and documentation 19
2.4.3 Forming and testing of hypotheses 19
2.4.4 The dynamics of ICIP 20
2.4.5 Principles for handling digital evidence 21
2.4.6 Limitations 21
2.5 ICIP’S PROCEDURAL STAGES 22
2.5.1 Investigation initiation 22
2.5.2 Modeling 26
2.5.3 Planning and prioritization 29
2.5.4 Impact and risk assessment 33
2.5.5 Action and collection 35
2.5.6 Analysis and Integration 38
2.5.7 Documentation and presentation 43
2.5.8 Evaluation 50
2.6 COGNITIVE AND HUMAN ERROR IN CYBER INVESTIGATIONS 51
2.6.1 Cognitive factors 52
2.6.2 Cognitive biases 52
2.6.3 Countermeasures 54
2.7 SUMMARY 56
2.8 EXERCISES 56
3 CYBER INVESTIGATION LAW 58
3.1 CYBER INVESTIGATION IN CONTEXT 58
3.2 THE MISSIONS AND SOME IMPLICATIONS TO PRIVACY RIGHTS 59
3.2.1 The police, law enforcement agencies, and national security service 59
3.2.2 Reasonable ground to open a criminal (cyber) investigation 59
3.2.3 The legal framework(s) 60
3.2.4 General conditions for privacy-invasive cyber investigation methods 60
3.2.5 The private sector cyber investigator 62
3.3 THE DIFFERENT MANDATES OF THE LEA, NIS, AND THE POLICE 63
3.3.1 Law enforcing agencies and the police 63
3.3.2 The national intelligence service (NIS) 65
3.4 JURISDICTION AND INTERNATIONAL COOPERATION 66
3.4.1 The eNIS and the principle of sovereignty 66
3.4.2 The iNIS and the LEA - international cooperation 67
3.5 HUMAN RIGHTS IN THE CONTEXT OF CYBER INVESTIGATIONS 68
3.5.1 The right to fair trial 69
3.5.2 Covert cyber investigation 69
3.5.3 Technical investigation methods (technical hacking) 70
3.5.4 Methods based on social skills (social hacking) 73
3.5.5 Open-source intelligence / investigation 76
3.6 THE PRIVATE CYBER INVESTIGATOR 77
3.6.1 Cyber reconnaissance targeting a third party 77
3.6.2 Data protection and privacy rights 78
3.7 THE WAY AHEAD 78
3.8 SUMMARY 79
3.9 EXERCISES 79
4 PERSPECTIVES OF INTERNET AND CRYPTOCURRENCY INVESTIGATIONS 81
4.1 INTRODUCTION 81
4.2 CASE EXAMPLES 81
4.2.1 The proxy seller 81
4.2.2 The scammer 85
4.2.3 The disgruntled employee 87
4.3 NETWORKING ESSENTIALS 88
4.4 NETWORKS AND APPLICATIONS 89
4.4.1 Operational security 90
4.4.2 Open sources 90
4.4.3 Closed sources 90
4.4.4 Networks 91
4.4.5 Peer-to-peer 91
4.4.6 Applications 92
4.5 OPEN-SOURCE INTELLIGENCE (OSINT) 92
4.5.1 Methodology 92
4.5.2 Types of open-source data 93
4.5.3 Techniques for gathering open-source data 93
4.6 INTERNET BROWSERS 95
4.6.1 HTTP, HTML, JavaScript and cache 95
4.6.2 Uniform Resource Locators (URLs) 96
4.6.3 Cookies and local storage 96
4.6.4 Developer tools 97
4.6.5 Forensic tools 97
4.7 CRYPTOCURRENCIES 98
4.7.1 Addresses and transactions 98
4.7.2 Privacy 99
4.7.3 Heuristics 100
4.7.4 Exploring transactions 100
4.8 PREPARATION FOR ANALYSIS 100
4.8.2 Visualization and analysis 103
4.9 SUMMARY 106
4.10 EXERCISES 106
5 ANONYMITY AND FORENSICS 107
5.1 INTRODUCTION 107
5.1.1 Anonymity 108
5.1.2 Anonymous communication technologies 112
5.2 ANONYMITY INVESTIGATIONS 129
5.2.1 Digital forensics and anonymous communication 130
5.3 SUMMARY 132
5.4 EXERCISES 132
6 INTERNET OF THINGS INVESTIGATIONS 135
6.1 INTRODUCTION 135
6.2 WHAT IS IOT? 136
6.2.1 A (very) short and incomplete history 136
6.2.2 Application areas 138
6.2.3 Models and concepts 142
6.2.4 Protocols 146
6.3 IOT INVESTIGATIONS 154
6.3.1 Types of events leading to investigations 156
6.3.2 Identifying an IoT investigation 158
6.4 IOT FORENSICS 160
6.4.1 IoT and existing forensic areas 160
6.4.2 Models 163
6.4.3 New forensic challenges 168
6.5 SUMMARY 175
6.6 EXERCISES 175
7 MULTIMEDIA FORENSICS 177
7.1 METADATA 177
7.2 IMAGE FORENSICS 179
7.2.1 Image trustworthiness 180
7.2.2 Types of examinations 180
7.2.3 Photography process flow 182
7.2.4 Acquisition fingerprints 184
7.2.5 Image coding fingerprints 189
7.2.6 Editing fingerprints 191
7.2.7 Deepfake creation and detection 195
7.3 VIDEO FORENSICS 202
7.3.1 Video process flow 202
7.3.2 Reproduction detection 203
7.3.3 Source device identification 203
7.4 AUDIO FORENSICS 208
7.4.1 Audio fundamentals 208
7.4.2 Digital audio recording process 211
7.4.3 Authenticity analysis 212
7.4.4 Container analysis 212
7.4.5 Content-based analysis 212
7.4.6 Electric network frequency 213
7.4.7 Audio enhancements 214
7.4.8 Other audio forensic methods 215
7.5 SUMMARY 216
7.6 EXERCISES 216
8 EDUCATIONAL GUIDE 219
8.1 ACADEMIC RESOURCES 219
8.2 PROFESSIONAL AND TRAINING ORGANIZATIONS 220
8.3 NON-ACADEMIC ONLINE RESOURCES 221
8.4 TOOLS 222
8.4.1 Disk Analysis Tools 222
8.4.2 Memory Analysis Tools 223
8.4.3 Network Analysis Tools 223
8.4.4 Open-Source Intelligence Tools 223
8.4.5 Machine Learning 224
8.5 CORPORA AND DATA SETS 225
8.6 SUMMARY 226
9 AUTHORS 227
10 WORKS CITED 231
11 INDEX 247