International Journal of Advanced Research in Basic Engineering Sciences and Technology (IJARBEST)

Forensics Computing Technology to Combat Cybercrime

E.Saraswathy, T.Latha Maheswari PG Scholar, Dept of Master of Computer Application Sri Krishna College of Engineering and Technology, Coimbatore, India

Abstract: The advent of technological revolution requires. However, there is added complexity due in communications and information exchange to the technical nature of computer based has created sophisticated form of crime, cyber technology and has added another dimension with crime. Cybercrimes have more severe economic impacts than many conventional crimes and like digital evidence. As greater emphasis is placed on any other crime, these cyber crimes should be digital evidence, it becomes increasingly critical brought to justice. The process of gathering that the evidence be handled and examined electronic evidence of a cyber crime is known as forensic computing. This paper addresses the properly. technical aspects, while at the same time providing insights which would be helpful for the II. CYBERCRIME LANDSCAPE legal profession to better understand the unique issues related to computer forensic evidence when Cyber crime is typically described as any presented in the court of law. criminal act dealing with computers or computer

Keywords— Cyber Crime, Computer Forensics, networks. It is also called by other names (e-crime, Electronic/Digital Evidence, Piracy,. computer crime or Internet crime in different jurisdictions), which have roughly the equivalent

meanings. The characteristics of cyber criminals, I. INTRODUCTION cybercrime victims, and law enforcement agencies

have created a vicious circle of cybercrime. Figure1 Cyberspace has no specific jurisdiction; shows this circle’s key elements. therefore, criminals can commit crime from any Cybercrimes are structurally unique in three main location through computer in the world leaving no ways: evidence to control [1]. When someone ―steals‖  They’re technologically and skill- data from cyber space or uses information for intensive. unintended purposes, it is called cyber crime. With the increase usage of computer technology, cyber  They have a higher degree of globalization crime is on the rise. Like any crime, cyber Crime than conventional crimes. should be investigated and prosecuted where  Given the Internet’s global nature, necessary. Computer forensics describes the cybercrimes entail important procedural practice of retrieving evidence in the form of data and jurisdictional issues. from a computer that relates to a crime in a manner Cybercrimes includes but not limited to: that meets the requirements of the given a legal  Theft of telecommunications services;  Communications in furtherance of System. Computer forensics evidence needs to be criminal conspiracies; handled with the same care that physical evidence

ISSN(Online) : 2456-5717 91 Vol. 3, Special Issue 26, March 2017 International Journal of Advanced Research in Basic Engineering Sciences and Technology (IJARBEST)

 Information piracy, counterfeiting and storage in the future. Data stored on these devices, forgery; while potentially of tremendous value in the  Dissemination of offensive material; investigation, prosecution and prevention of crime,  Electronic money laundering and tax presents unique challenges to detectives and evasion; prosecutors because of its potentially volatile  Electronic vandalism and terrorism; nature. Electronic data is fragile. It can easily be changed or eliminated by cyber criminals. This  Sales and investment fraud; means that the data must not be compromised in  Illegal interception telecommunications; any way. It must be able to be proven that the data  Electronic funds transfer fraud. is a true representation of what happened, that it Regardless of the definitions, the use of cannot have been modified in any way, either by computers and the Internet in the commission of the intruder themselves, or the collection and crimes require investigators applying cyber examination tools. In other words, the chain of forensic techniques to extract data for those custody must be established (Sommer, 1998), Mc investigating these cases, prosecuting these cases Kemmish (2001) identifies three distinct types of and passing the ultimate judgment regarding the forensic computing: disposition of offenders and the redress of victims. A. Digital Evidence Recovery – Involves the examination of electronic devices for information III. FORENSIC COMPUTING relating to a crime, and the processes involved in Computer forensics refers to the legal collecting relevant data. processes, rules of evidence, court procedures, and B. Cyber/Intrusion Forensics – Involves detecting forensic practices used to investigate e-Crimes [2]. computer security breaches, identifying and Specifically, computer forensics is the application preserving digital evidence. of scientific, forensically sound procedures in the C. Forensic Data Analysis – Involves identifying collection, analysis, and presentation of electronic anomalies in large data sets that may indicate data. For computer evidence to be accepted in a illegal or improper acts. court of law, the forensic investigation process must identify, preserve, examine, and document IV. METHODOLOGY AND DIGITAL any computer evidence retrieved [3]. Computer EVIDENCE

evidence is entirely different. It cannot be seen, Any criminal investigation follows procedures touched or smelled and it often lasts for only very which vary from one country to another, but the short periods of time. Computers typically store computer forensics investigator should follow these data in three ways, magnetic, semiconductor, and steps: optical. Other less common data storage methods  Secure and isolate. include magneto-optical disk storage, optical  Record the scene. jukebox storage and ultra-density optical disk  Conduct a systematic search for evidence. storage. Potentially significant new developments

in technology suggest that techniques like phase-

change storage, holographic storage, and use of Phase 1 should be to freeze the scene of crime in molecular memory may become methods for data

ISSN(Online) : 2456-5717 92 Vol. 3, Special Issue 26, March 2017 International Journal of Advanced Research in Basic Engineering Sciences and Technology (IJARBEST)

order to prevent the ICT context from being kind of information and where it can be found in modified before digital traces are collected, and to the system and network is mandatory knowledge avoid giving the malicious person a chance to for digital investigators? Any computer systems modify or destroy evidence [4]. The goal of phase 1 information and communication device (electronic is to avoid the destruction or the dislocation of components, memory devices, hard discs, USB crucial data. sticks, etc.) or information it contains, are potential The investigator must classify resources to targets or instruments of crime. Each software or determine which system must be removed from the data execution or transaction leaves digital traces. scene. Identifying traces and collecting them Digital traces are volatile and rapidly removed comprises the second phase (phase 2), and this from servers. Digital evidence is even more should be followed by the data safeguarding and difficult to obtain because ICT transcends preservation phase (phase 3). At this stage, data can international boundaries [7]. In such cases, success be analyzed (phase 4) and subsequently presented depends on the effectiveness of international in a comprehensive way for non-experts and legal cooperation between legal authorities and the speed experts (phase 5). The purpose of any investigation with which action is taken. One of the most is to discover and present facts that contribute to important features is the duration during which establishing the truth. It is not enough to be a good Internet Service Providers (ISP) keep information computer specialist, he should be aware of the legal concerning user subscriptions and activities (IP framework and constraints in order to perform a addresses, connection data, etc.). The retention useful computer investigation. If this were not the period, during which data is available in order to case, the results of the investigation could be retrieve someone’s identity from his IP address, compromised and thrown out by the court because varies from one country to another [8]. Legal of an insufficient or incorrect evidence-gathering systems must give law enforcement agencies the process. A common vocabulary between police appropriate authority to access traffic data. force, justice and forensics should exist. Procedures Countries should improve international cooperation should be set up in order to increase computer and be able to share critical information quickly, investigation performance and reliability [5]. The otherwise digital evidence may disappear. For resulting investigation report should be easily Instant Messaging services and Peer-to-Peer or comprehensible and must describe in detail all the Internet Relay Chat facilities, logs and historical operations performed and procedures followed in content of communications are kept for only a few order to gather electronic evidence. Investigators days. An IP address identifies a computer, not a with an understanding of information and person and criminals use false or stolen identities communication technologies should use in [9]. It is always very difficult to establish the conjunction with effective international identity of a person on the basis of an IP address, cooperation, so as to uncover the criminal’s email or web addresses or a digital trace. ―How identity. Digital information can help to validate or can particular digital information be linked to its dismiss a witness statement, to prove that a specific physical entity? Once the IP address of a system action was performed at a given time, to determine involved in a criminal activity has been identified, how a crime was committed, to reveal links the next step is to investigate ―The physical between an offender and a victim, [6] etc. Which entity? When searching for digital evidence, many

ISSN(Online) : 2456-5717 93 Vol. 3, Special Issue 26, March 2017 International Journal of Advanced Research in Basic Engineering Sciences and Technology (IJARBEST)

problems arise, including these: Which elements integrity of evidence. Like any material trace, a may contain pertinent information for the case digital trace must satisfy certain criteria which being investigated? include documentation of the trace and the history  How can the relevant data to be seized be of the trace handling and must answer the identified? following questions:  What are the procedure rules to be  Who gathered the evidence? followed?  How was the evidence collected?  How can data be collected, stored and  Where was the evidence found and preserved? amassed?   How can data be safeguarded? How was the evidence stored, authenticated, protected and analyzed?  How can digital data be preserved as  Who handled the evidence? From whom evidence for a potential hearing? did he receive it?  How can data be copied from its support  How the evidence is kept safe? How is it to another one in order to analyze it authenticated? How is it locked up? Who without modifying it? has access to it? Who took it out of storage  How can a copy be authenticated? and why?  How can the original data be preserved? By applying best practices and existing  How can it be guaranteed that the process guidelines, what is really needed in the of copying the data did not modify it? investigation by cyber scene crime investigation,  How can files that have been deleted be could improve and develop the investigator's recovered? efficiency, helping to be accepted by legal and To answer these questions, some computer technical professionals. forensic tools and procedures should be used by trained and competent experts but their V. CONCLUSION standardization is also an issue On the other hand, Without appropriate measures to combat criminals could be tracked by active cybercrimes, the vicious circle’s elements reinforce communication monitoring and live surveillance each other resulting in more and serious [10]. Telephone, e-mail or instant messaging cybercrimes. No pure technological solution exists eavesdropping is possible to collect information for such security-related problems, but combining related to communication content or non-content technological and non-technological measures are such as e-mail headers or IP addresses. In fact, needed to combat cybercrimes. At the criminals can also be identified through undercover technological level design of database and network investigation when investigators join instant and their implementation is crucial. Nontechnical messaging (IM) services, peer-to-peer networks measures are behavioural measures like, a simple (P2P), Internet relay chat (IRC), newsgroups, etc. training strategy aimed at creating awareness to lure criminals [11]. The chain of custody is a among consumers, employees, and the public about very important concept when dealing with cybercrimes. Developing national technological investigation, forensic science, evidence and the and manpower capabilities, enacting new laws, execution of law and it helps to preserve the promoting a higher level of industry-government

ISSN(Online) : 2456-5717 94 Vol. 3, Special Issue 26, March 2017 International Journal of Advanced Research in Basic Engineering Sciences and Technology (IJARBEST)

collaborations, and pushing for international cooperation are critical to combating cybercrime. [7] Choi, K. (2008). Computer crime victimization Given cybercrimes’ global nature, international and integrated theory: An empirical assessment. institutions especially carry enormous power that International Journal of Cyber Criminology, 2(1), we must harness to fight such crimes example, the 308-33. International Telecommunications Union (ITU). Investing in training people, law enforcement [8] Bachmann, M. (2007). Lesson spurned? authorities and investigators could also enhance Reactions of online music pirates to legal nations’ abilities to fight cybercrimes prosecutions by the RIAA. International Journal of Cyber Criminology, 1, 213-227.

REFERENCES [1] Cyber Crimes: A New Challenge, Deputy [9] Jason Michael Solomon, Computer Forensics: Controller (Technology), CCA, Ministry of The Persistence of Data in Physical Memory Information Technology, India, 2002. University of Western Sydney, 2006.

[2] Danquah, P., & Longe, O. B. (2011). An [10] Marc Rogers, 'Security Perspectives Computer Empirical Test of the Space Transition Theory of Forensics: Science or Fad?' (2003) Vol. 5, No. 65 Cyber Criminality: The Case of Ghana and Security Wire Digest. Beyond. African Journal of Computing & ICTs. 4(2), 37-48. [11] Kevin Mandia, Chris Prosie and Matt Pepe, Incident Response & Computer Forensics, Second [3] Bossler, A. M., & Holt, T. J. (2010). The Effect Edition (2nd ed, 2003). of self-control on victimization in the cyber world. Journal of Criminal Justice, 38, 227-236.

[4] Berg, S. E. (2009). Identity theft causes,

correlates, and factors: A content analysis. In F.

Schmalleger & M. Pittaro (Eds.), Crimes of the

Internet (pp., 225-250). Upper Saddle River, NJ: Pearson Education, Inc.

[5] Finley, L. (2009). Online pharmaceutical sales and the challenge for law enforcement. In F. Schmalleger & M. Pittaro (Eds.), Crimes of the Internet (pp. 101-128). Upper Saddle River, NJ: Pearson Education, Inc.

[6] Britz, M. T. (2008). Computer Forensics and Cyber Crime: An Introduction. Upper Saddle River, NJ: Prentice Hall.

ISSN(Online) : 2456-5717 95 Vol. 3, Special Issue 26, March 2017