Cybercrime

Criminals use tools like smartphones, laptops, and social media at some point when committing crimes. Digital evidence from these tools must be extracted so that it is admissible in court.

Learning Objectives

You should be able to:

  • List common cybercrimes
  • Discuss major forensics activities

Crimes

The following are examples of crimes involving technology. Some of the crimes target technology itself, while others merely use technology to facilitate crime.

  • Ransomware. Criminals install malware on a victim's device. The malware encrypts the data and holds the decryption key hostage. If the ransom is paid, the decryption key is (hopefully) sent to the victim.
  • Phishing. Email is used to obtain information from a victim.
  • Internet of Things (IoT) hacking. Devices like security cameras
  • Child sexual abuse material (CSAM). Illicit photos and videos are traded online.
  • Sextortion. Criminals obtain compromising photos or videos of people and threaten to release them unless the victim pays a ransom.
  • Digital theft. People download unauthorized material from the internet. Or, employees take trade secrets with them when they leave an employer.

In each of the above crimes, digital evidence is created. Law enforcement must be able to preserve that evidence if the crimes are to be prosecuted. Sometimes, the criminal resides in a foreign country. Prosecution is difficult when a criminal must be extradited. It seems that governments seek only the most notorious hackers for extradition and prosecution.

Ransomware

Ransomware is a type of crime that deserves special attention. In a ransomware attack, the malicious actor holds data or computer access hostage until a ransom is paid. The ransom is usually paid in cryptocurrency, which is difficult to trace. Ransomware attacks are increasing in frequency and sophistication. Crypto ransomware leaves the data on the victim's device, but the data is encrypted with a key that only the attacker retains. If the victim pays the ransom, the attacker will (hopefully) decrypt the data, thereby restoring the victim's computer. In other ransomware attacks, the attackers exfiltrate the data and threaten to release it unless the ransom is paid. In this case, the data is not encrypted, but the attacker has a copy of it. The data may contain sensitive information that could cause embarrassment or financial loss. Sometimes, hackers steal customer data and delete it from the victim's systems. The hackers then demand a ransom to restore the data.

Organizations must decide whether to pay the ransom. There are no easy decisions. Victims who pay the ransom demonstrate that they are willing to pay, which might encourage the attackers to strike again. Some victims have paid the same ransom multiple times after failing to secure their systems. Victims who do not pay the ransom may lose their data. Some organizations have been able to restore their data from backups. Others have lost data permanently. For some organizations, especially small businesses, the loss of data can be catastrophic. A successful ransomware attack can put a company out of business.

Ransomed Data

Hypothetical Hospital Case

Consider the case of a hospital. Imagine that a patient is scheduled for brain surgery. The hospital stored the patient's medical records, including digital scans that the brain surgeon will use to save the patient's life. The morning of the surgery, the hospital's systems are hit by ransomware. There is insufficient time to restore all data from backups. The hospital must decide whether to pay the ransom. If the hospital pays the ransom, the patient's surgery can move forward with all relevant data the surgeon needs. If the hospital does not pay the ransom, the surgeon takes a risk and the surgery is less likely to be successful. Should the hospital pay the ransom if the ransom was set to $100? What if the ransom were $100,000? What if the ransom were $5,000,000? What should the hospital do (assuming that the hospital lacks a time machine to go back and improve its security)? The clock is ticking.

Sextortion

People have been blackmailed for centuries. The internet has made it easier for criminals to blackmail individuals. In a sextortion case, the criminal obtains compromising photos or videos that they threaten to release. Often, these crimes begin on social media, where the victim thinks they are talking to a friend or potential friend. Criminals typically use fake account profiles with alluring photos and videos. Criminals establish rapport and convince the victim to send compromising photos or videos. Once the criminal has the material, they threaten to release it unless the victim pays a ransom. Many people pay the ransoms because of the potential embarrassment of the release of the material. Sadly, some victims have taken their own lives rather than suffer the embarrassment of having their friends and loved ones discover this part of what they thought was a private online life.

There are several tips for staying safe.

  • Verify the identity of people you meet online. Confirm that you're connecting with a friend's real account.
  • Do not send compromising photos or videos to people you meet online. Ever.
  • If you are a victim, stay calm. Report the crime to the police. Ask for help. You are not alone.

Chat Online

IoT Hacking

We have many devices in our homes connected to the internet. These devices are often poorly secured. Criminals can hack into these devices and use them to spy on us. For example, a criminal might hack into a security camera and view the video feed just for the fun of it. A criminal might hack into a baby monitor just to watch the baby sleep. Hackers might be curious what food is in your refrigerator. Hackers might also leverage these devices to launch attacks on other systems.

The following tips will help you secure IoT devices.

  • Change the default password on your devices. Many devices come with a default username and password (e.g., "admin/password"). Change the passwords to something secure.
  • Update the firmware on your devices. Like any computer systems, IoT devices might have bugs. Manufacturers release updates to fix these bugs, but you must install the updates.
  • Choose reputable vendors. A shady vendor might discover that its devices are insecure but not have the desire or resources to fix them. Vendors with their reputation on the line are more likely to fix security vulnerabilities.

Spy Camera

Digital Evidence

Digital evidence is often requested by courts, even when the crime does not involve the abuse of technology. Cell phone records might track a suspect's location. A suspect's computer might contain a diary of their activities. A suspect's social media account might contain evidence of their intent. In custody battles, text messages might be used to show a parent's behavior. Increasingly, our cell phones, cars, websites, and other services are creating digital trails of our activities. This information can be subpoenaed in court.

Forensic Process

In court, judges enforce strict rules of evidence. Law enforcement must gather evidence in a forensically sound way so that the evidence is admissible in court. There are five steps to this digital forensics process.

  • Identification. Officers must decide which devices and/or online services contain relevant case data. Warrants to search and seize equipment must be obtained. If officers catch somebody committing a crime, they sometimes have the authority to seize electronic devices. Officers often must obtain data from online services, such as Facebook or YouTube.
  • Preservation. Evidence must be securely stored. Hard drives are copied. The original is stored in a secure area, and all forensic activities occur on the copy. Before any analysis begins, a cryptographic hash is taken of all files on the device. At the end of the investigation, the hashes are recomputed and compared against the originals to prove that the analysts did not change any files.
  • Analysis. The forensics data is analyzed to look for text messages, emails, documents, computer logs, and other data relevant to the case.
  • Documentation. Relevant information is laid out to explain the timeline of the crime.
  • Presentation. The information is summarized and presented. Forensics investigators might be asked to give testimony at trial.
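The preservation step above relies on hashing every file at acquisition time and re-hashing at the end to show nothing was altered. The following is an added example (not code from the original text or from any forensic tool) showing the mechanics in Python: a manifest of SHA-256 digests is built over a tree of files, and a later verification pass reports which files were modified, removed, or added. The evidence files here are constructed sample data written to a temporary directory; the function names and the layout are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed sample "evidence" files standing in for the working copy of a seized drive.
SAMPLE_FILES = {
    "documents/notes.txt": b"meeting at 9am, bring the drive\n",
    "messages/chat.log": b"[2024-01-01 10:00] alice: are we still on?\n",
    "photos/img001.jpg": bytes(range(256)) * 4,
}


def hash_file(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Return the hex digest of one file, read in chunks so large images fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree as it is now against the acquisition-time manifest.

    Reports files whose digest changed, files that disappeared, and files
    that were not present when the manifest was taken.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def write_sample_evidence(root: Path) -> None:
    """Lay out the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Acquire a manifest, verify it unchanged, then simulate an accidental change and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_evidence(root)
        manifest = build_manifest(root)          # taken before any analysis
        clean = verify_manifest(root, manifest)  # expected: nothing reported
        # Simulate an analyst or tool altering the working copy during analysis.
        (root / "documents/notes.txt").write_bytes(b"meeting at 10am\n")
        (root / "documents/extra.txt").write_bytes(b"scratch output\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean verification:", before)
    print("after changes:", after)
```

In practice the manifest would be written out alongside the image and signed or stored separately from the working copy, and a whole-image hash is usually recorded in addition to per-file digests; this block only shows the per-file comparison that lets an investigator state exactly which files, if any, differ from the acquisition-time copy.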

I have spoken with several officers who have been involved in data forensics. Their jobs are rewarding but tough. They like the job for its mission of protecting people, but they often have to see or hear the worst things that humans do to each other.

Reflection

  • Is cybercrime an increasing problem?
  • Should the government have the ability to decrypt all data stored on your personal devices?

Key Terms

  • Ransomware: A type of malicious software (malware) that encrypts the victim's data or locks them out of their system, demanding a ransom payment to restore access. Ransomware attacks can cause significant disruption and financial loss to individuals and organizations. The attackers typically demand payment in cryptocurrency to maintain anonymity.
  • Digital Forensics: The field of forensic science that focuses on the recovery, analysis, and preservation of digital evidence from electronic devices. Digital forensics is used in investigations involving cybercrime, data breaches, and other incidents where digital data can provide crucial evidence. It involves techniques for extracting data from computers, mobile devices, networks, and other digital storage media.