Question


Course: Information Security

Select a recent cybersecurity incident that occurred within the last two years. In your response discuss how you would approach the investigation. Be sure to describe the following:

Who would you interview?

What information would you need?

What tools would you use?

What process would you employ?

Please ensure response is at least 200 words.

Homework Answers

Answer #1

Cyber crime offending can be technically complex and legally intricate. Rapid
advancements in the functionality of information communication technologies (ICTs) and
innate disparities between systems of law globally are stark challenges for first responders,
investigating authorities, forensic interrogators, prosecuting agencies, and administrators of
criminal justice. It is critically important to explore factors impeding investigation and
prosecution of cyber crime offending to raise awareness and expose these barriers to
justice.
It is increasingly unclear whether cyber crime refers to legal, sociological,
technological, or legal aspects of crime and a universal definition remains elusive.

The relatively anonymous and faceless nature of cyber crime complicates issues
associated with victimology and cyber crime reporting. There
exists widespread misunderstanding among communities about the nature of cyber crime
and capacity of law enforcement to apprehend offenders. A number of factors impact the
low proportion of cyber crime acts that are brought to the attention of police.

Many cyber crimes are sophisticated and well-conceived, requiring police to apply
technological expertise and deductive reasoning to unravel complex.

The theft of $69 million worth of bitcoins from a Hong Kong-based exchange highlights
the continuing challenges around keeping large quantities of digital currency out of
the reach of hackers.
The Bitfinex theft represents the largest loss of bitcoins by an exchange since Japan's infamous Mt Gox lost 744,408 BTC in early 2014 (worth $350m),
a breach that would ultimately cause it to cease operations.

At press time, the value of the 119,756 BTC stolen from Bitfinex stands at roughly $66m,
or about 18% of what was lost by Mt Gox.

Given the size, the theft has sparked confusion and frustration among market traders
and observers since it was announced.

Sources close to the exchange have largely avoided offering comment on whether the
119,756 BTC stolen represents the full extent of the hack, and Bitfinex itself has
yet to publish any findings from its ongoing internal investigation. One of the most
direct impacts of the Bitfinex hack could be seen in the price of bitcoin, which
plunged after the news broke. Prices fell by nearly 20%, tumbling as low as $480 USD
before recovering.


Mt. Gox blamed the loss on a security issue called transaction malleability. But
Japanese prosecutors charged CEO Mark Karpeles in September 2015 with embezzlement
for allegedly transferring some funds from the exchange into accounts he controlled.
It remains unknown who stole the majority of the bitcoins, and Mt. Gox is still in
liquidation proceedings.

Transaction Malleability
While transactions are signed, the signature does not currently cover all the data in
a transaction that is hashed to create the transaction hash. Thus, while uncommon, it
is possible for a node on the network to change a transaction you send in such a way
that the hash is invalidated. Note that this just changes the hash; the output of the
transaction remains the same and the bitcoins will go to their intended recipient.
However this does mean that, for instance, it is not safe to accept a chain of unconfirmed
transactions under any circumstance because the later transactions will depend on the
hashes of the previous transactions, and those hashes can be changed until they are
confirmed in a block (and potentially even after a confirmation if the block chain is
reorganized). In addition, clients must always actively scan for transactions to them;
assuming a txout exists because the client created it previously is unsafe.

A bitcoin is actually just a secret number. To transfer a bitcoin, a person must verify
a planned transaction with a private encryption key. But if the private key is stolen,
the attacker can steal the bitcoin.

Because all bitcoin transactions are recorded in the public blockchain, it is possible
to follow the movement of stolen coins. Bitcoins are transferred between 34-character
alphanumeric addresses, which appear in the blockchain.

Bitcoin addresses don't reveal information about who controls the funds. But stolen
funds are often difficult to convert to fiat currency. Exchanges usually have strict
identification requirements for account holders to comply with anti-money laundering
regulations. Suddenly cashing out a large quantity of stolen bitcoins at a reputable
exchange from a closely watched bitcoin address is unfeasible.

Bitcoin marketplaces employ a variety of methods to protect their vaults and the
private keys for the bitcoins. But the companies are highly attractive targets because
stolen bitcoins can be nearly impossible to recover. Unlike bank wire transfers,
bitcoin transactions are irreversible.

Raising the level of security around bitcoins invariably makes the virtual currency
more cumbersome to access, which is why exchanges must make difficult trade-offs.

"There is a balance between security and convenience," says Antony Lewis, a
Singapore-based adviser on blockchain technology. "Customers say they want security,
but their behavior suggests they prefer convenience. Exchanges who cater to this and
put private keys on online machines put themselves at a higher risk of attack."

The typical cybercrime investigation begins like most other investigations with a citizen complaint. Perhaps a local individual has been defrauded of several thousand dollars on an Internet auction site, and he or she contacts your agency.

Your first step in such an investigation is to find the Internet protocol (IP) address of the individual who defrauded the citizen who filed the complaint. An IP address is a series of numbers and letters that is attached to every piece of data that moves on the Internet. When the auction crook set up his or her auction, that code was registered with the auction company.

Big dot-com companies like Web auction sites have their own security specialists. So once you have identified the host of the auction site, you will probably work with the company’s security people to gain access to the IP address of the Internet Service Provider (ISP) used by the person who set up the bad auction. They may cooperate fully, or you may need a subpoena, warrant, or court order just for the IP address.

Anyone who has an Internet account knows that the ISP is a subscription service that grants the user access to the Internet. What most people, including many crooks and cops, don’t know is that ISPs have records of everything a subscriber does on the Internet.

That’s the good news for investigators. The bad news is that the records are digital information with a very finite existence. In other words, if you’re investigating a cybercrime involving the Internet, you better move fast.

How fast depends on the policy of the ISP in question. Large ISPs often keep their data for as much as 30 days, but that’s not true in all cases. Data storage is a major cost center for ISPs, and some save money by dumping the data very quickly.

“There’s no law that requires people to maintain the data,” says Koenig. “Once we sent a subpoena to an ISP, requesting their records, and their answer was, ‘Sorry. We only keep our records for 30 minutes.’”

Because ISPs would rather dump data than store it, Koenig says one of the most important weapons in a cybercrime investigator’s arsenal is a letter requesting that the ISP preserve the data until the investigator can secure a subpoena, warrant, or court order requiring the ISP to turn over its records.

The preservation letter does not legally require the ISP to turn over its records. But many ISPs will cooperate with a request to preserve data.

Once you get the records from the ISP, you’re probably in business. In order to subscribe to the service, the auction thief had to give personal information like his or her physical address. Yes, they can use false information and fake credit cards, but even that information can be valuable.

Here or There

When you have an address and a name for the suspect, your investigation is likely to involve another agency. Cybercrimes are not like in-person physical crimes. The victim is often in another state from the suspect. And that means you may work for the Dallas Police Department and suddenly need to serve a warrant in Reno.

Experienced cyber police say that jurisdictional disputes are rare occurrences during cybercrime cases and that other agencies are likely to cooperate with your investigation.

Bit by Bit

After a suspect’s computer and various hard drives have been seized, it’s time for the computer forensic specialists to go to work. These folks are the real computer experts among cybercrime investigators, and their work is extremely specialized. It’s so specialized that many agencies that have cybercrime detectives farm out forensic examination to federal agencies or multiagency task forces.

Koenig says computer forensics is a matter of knowing what you’re looking for and knowing how to find it. “People think we look at the entire hard drive, but it doesn’t work that way. If you come to me and say, ‘find everything on a computer,’ I’ll tell you that I’ll retire before I complete that job. If you printed out every piece of data on a 120GB hard drive you’d have enough paper to fill up a football stadium with stacks 8 feet high and you’d still be printing.”

For this reason, among others, Koenig cautions against computer “fishing expeditions.” Such attempts at trolling for evidence are even more complicated by the fact that computer crime cases often involve multiple machines.

“We worked a school hack that involved 500 computers,” says Koenig. “But we knew specifically what we were looking for and we seized only two computers.”

Once the computers are in police custody, a forensic specialist makes what’s called a “true copy” of its hard drive. A “true copy” is made by using software to create a bit-by-bit image of the drive. If the investigator merely made a standard copy of the drive through a backup program or by dragging and dropping the drive, the copy would not include deleted files, temporary files, and other normally superfluous data that could prove critical to the investigation.

The true copy of the data can be examined using a number of computer forensics software programs. And while Koenig says these are essential tools for cybercrime investigators, he’s not a big fan of what he calls “plug-and-play forensics,” arguing that computer forensic examiners need to know much more about what they are doing than just how to use a software application.

This is one reason why many agencies and even cybercrime task forces send their forensics work to outside experts. Another reason is that computer forensics requires money for hardware.

For example, if you take down a child pornography ring selling high-res video and images, you’re going to need a fast computer with lots of memory and imaging software to catalog all of the evidence. Also, you can’t just have one type of computer. Your agency may have only Windows platform systems, but if you are investigating a credit card fraud suspect who uses a Macintosh, you’re going to need a comparable Mac and Mac software to examine his or her hard drive.

Foreign Connections

Despite the challenges presented by cybercrime and a public perception that most computer criminals never get caught, cybercrime investigators say they have more success than people might think.

Koenig argues that Internet crime can sometimes be easier to track than actual physical crime. “If you take a false check into a bank and the security camera is not pointing at you when you pass it, then there’s no trail to you. But you can’t do anything online without leaving a trail. You can try to spoof that trail and make it harder for me to track you, but on the Internet there’s always a trail,” he explains.

Unfortunately, the Internet is a global communications system and often the trail of a cybercriminal leads to Russia, a former Soviet Republic, or to Africa. And that complicates an investigation.

But it doesn’t make it impossible. Levine says many cases have been successfully prosecuted overseas, especially in Russia. “Russia has actually been very good at cooperating on cybercrime cases,” he says.

Other overseas havens for cybercriminals have been less cooperative. “We are less likely to see cases come to successful resolution when they do end up in an African country or one of the former Soviet republics,” Levine admits. “But we are seeing increased awareness and cooperation.”

And that cooperation with Nigeria and Belarus may not be as critical as some people think. Koenig argues that the majority of cybercrime is really made in the U.S.A., regardless of the perpetrator’s country code.

“The majority of the bandwidth is still in the United States,” explains Koenig. “Let’s say you want to set up a site that sells child porn. You can go to Kosovo or Belarus and hide from the law, but they have very few Internet connections, and what they do have is very expensive and not very fast. It’s hard to hide like that and be in business.”

Stone Walls

Because of help from foreign governments and because foreign investigations often curve back to the United States, an investigation that leads overseas is not a dead-end. But there are some cases that run smack into a stone wall.

Cybercrime investigators are understandably hesitant to tell people how to get away with criminal acts on the Internet. But they will divulge that the best way to get away with a computer crime is to be lucky enough to have the evidence of your act disappear.

“The only time I come up against a stone wall and have no place to go is when the ISP logs have expired,” says Koenig. “But if the logs are there, then 99 percent of the time I will get you.”

It is, of course, the other one percent of cases that fascinates the public and is the stuff of movies and TV. But do supersmart cybercriminals really exist?

Absolutely, says Kelly. “If a suspect is really smart and knows the Internet and knows the various ways around being identified, it makes it extremely difficult and, in some cases, impossible to catch him.”

Kelly quickly adds, however, that such cases are extremely rare. “There are not that many people out there who are technically savvy enough to know the ins and outs of covering up the trail,” he says.

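The answer's "true copy" point (a bit-by-bit image keeps deleted and unallocated data that a backup-style copy silently drops) can be illustrated with a toy disk model. This is an added example, not code from the answer or from any forensic tool. The disk layout, the directory format, the two live files and the deleted remnant are all constructed for the demonstration; the hash comparison at the end is the routine check examiners use to show an image matches its source.

```python
"""Toy illustration of a bit-by-bit image versus a file-level copy (added example)."""
import hashlib

SECTOR = 32   # constructed toy geometry: 8 sectors of 32 bytes each
SECTORS = 8


def make_toy_disk():
    """Constructed disk: sector 0 is the directory, live files sit at sectors 1 and 3,
    and a deleted file has lost its directory entry but its data still occupies sector 5."""
    disk = bytearray(SECTOR * SECTORS)
    live = [("notes.txt", 1, b"meeting at 9am"), ("ledger.csv", 3, b"acct,amt\n42,500")]
    for _, start, data in live:
        disk[start * SECTOR:start * SECTOR + len(data)] = data
    remnant = b"wallet-backup seed words here"  # constructed remnant in unallocated space
    disk[5 * SECTOR:5 * SECTOR + len(remnant)] = remnant
    directory = ";".join(f"{name}:{start}:{len(data)}" for name, start, data in live).encode()
    disk[0:len(directory)] = directory
    return bytes(disk)


def logical_copy(disk):
    """Backup-style copy: walk the directory and copy only the files it still lists."""
    entries = disk[0:SECTOR].rstrip(b"\x00").decode().split(";")
    files = {}
    for entry in entries:
        name, start, length = entry.split(":")
        offset = int(start) * SECTOR
        files[name] = disk[offset:offset + int(length)]
    return files


def bitstream_image(disk):
    """'True copy': every byte of the device, allocated or not, with hashes of source and image."""
    image = bytes(disk)
    return image, hashlib.sha256(disk).hexdigest(), hashlib.sha256(image).hexdigest()


def carve(image, keyword):
    """Keyword search over the whole image, which is how unallocated remnants are located."""
    return image.find(keyword) != -1


def demo():
    disk = make_toy_disk()
    files = logical_copy(disk)
    image, source_hash, image_hash = bitstream_image(disk)
    needle = b"wallet-backup"
    return {
        "live_files": sorted(files),
        "logical_copy_has_remnant": any(needle in data for data in files.values()),
        "image_has_remnant": carve(image, needle),
        "image_hash_matches_source": source_hash == image_hash,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The logical copy recovers exactly the two listed files and nothing else, while the image still contains the deleted data, which is why imaging is done first and all analysis runs against the image and its recorded hash rather than against the original drive.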