Failure to Follow Procedures Scuppers Cybercrime Prosecutions
Digital forensics requires diligence if perpetrators of cyber crime are to be brought to book. That was the message from Yusuph Kileo, a cyber security and digital forensics expert from Tanzania, and board member, Africa ICT Alliance (AfICTA). He was speaking on 16th May 2017 at the ITWeb Security Summit 2017 at Vodacom World in Midrand.
The majority of cyber crimes go unpunished because investigators fail to follow the proper procedures, said Kileo.
Digital forensics is a process of recovering, interpreting and investigating electronic data. "All this is done by preserving the original evidence in its most original form."
Before starting the investigation, he said organisations must make sure they have skilled professionals; have a work station and data recovery lab; enter into alliance with a local district attorney; and define the methodology that they will use.
Digital forensics investigators also need to obtain a search warrant – a written authorisation to carry out an investigation. "Who should issue a search warrant? This depends on the country where the investigation is conducted," said Kileo.
When collecting the evidence, investigators must strictly adhere to the guidelines and privacy policies of the organisation they are working with, as well as the legal jurisdiction, he added.
Kileo urged delegates to take into account the nature of the case, the instructions from the requester, what additional tools and expertise might be needed, and how the evidence is to be acquired.
"When you begin a case, there might be unanticipated challenges that weren't obvious when applying a systematic approach to your investigation plan. For all investigations, you need to plan for contingencies for any unexpected problems you might encounter," said Kileo.
He emphasised the use of a standard evidence custody form to track the chain of custody of the evidence in a case, and the need to document everything throughout the investigation by maintaining a journal with notes on exactly what was done each time the evidence was handled.
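The two controls Kileo describes here, preserving the evidence in its original form and keeping a custody record of every handling step, can be backed by a simple integrity mechanism. The script below is an added illustration, not code from the talk or the article: it hashes the acquired evidence with SHA-256 as the reference value, appends one journal entry per handling step carrying the hash observed at that moment, and links each entry to the previous one so that a later edit to the journal itself is detectable. The case and item identifiers, custodian names and evidence bytes are constructed placeholders.

```python
"""Chain-of-custody journal with evidence and journal integrity checks.

Added example (not from the talk or article). Assumptions: SHA-256 is the
agreed hash, and the journal is serialised as JSON. All identifiers below are
constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence bytes; taken at acquisition and re-checked later."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    custodian: str
    action: str            # e.g. "acquired", "transferred", "examined"
    evidence_hash: str     # hash of the evidence as observed at this step
    note: str
    prev_entry_hash: str   # hash of the previous journal entry (chain link)
    entry_hash: str = ""   # hash over all other fields of this entry

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class CustodyLog:
    case_id: str
    item_id: str
    acquisition_hash: str
    entries: List[CustodyEntry] = field(default_factory=list)

    @classmethod
    def start_case(cls, case_id: str, item_id: str, evidence: bytes,
                   custodian: str, note: str = "") -> "CustodyLog":
        """Open a case: fix the acquisition hash and record the first entry."""
        log = cls(case_id, item_id, sha256_hex(evidence))
        log.record(custodian, "acquired", evidence, note)
        return log

    def record(self, custodian: str, action: str, evidence: bytes,
               note: str = "", when: Optional[datetime] = None) -> CustodyEntry:
        """Append one handling step, hashing the evidence as it looks right now."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else "GENESIS"
        entry = CustodyEntry(ts, custodian, action, sha256_hex(evidence), note, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_evidence(self, evidence: bytes) -> bool:
        """True if the evidence still matches what was acquired."""
        return sha256_hex(evidence) == self.acquisition_hash

    def verify_journal(self) -> Optional[int]:
        """Index of the first entry that breaks the chain, was edited after
        the fact, or observed evidence that no longer matched acquisition;
        None if the journal is intact."""
        prev = "GENESIS"
        for i, entry in enumerate(self.entries):
            if entry.prev_entry_hash != prev or entry.entry_hash != entry.compute_hash():
                return i
            if entry.evidence_hash != self.acquisition_hash:
                return i
            prev = entry.entry_hash
        return None

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2, sort_keys=True)


if __name__ == "__main__":
    image = b"constructed disk image bytes"          # placeholder evidence
    log = CustodyLog.start_case("CASE-0001", "ITEM-01", image, "examiner-a")
    log.record("examiner-b", "transferred", image, "handed to lab")
    print("journal intact:", log.verify_journal() is None)
    log.record("examiner-c", "examined", image + b"!", "working copy altered")
    print("first bad entry:", log.verify_journal())
    print(log.to_json())
```

The journal deliberately records the evidence hash at every step rather than only at acquisition: a mismatch then tells you not just that the evidence changed but at which handover it was first seen changed, which is exactly the question a court will ask.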
"We should always critique our own work to determine what improvements have been made during each case, what could have been done differently, and how to apply those lessons to future cases," he added.
"The final report must also have Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity. Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions and file name anomalies are also required."
As judges usually do not understand computing language and procedures, it's vital that the report explains the computer and network processes, he added. "The investigators should provide explanations of the various processes and the inner workings of the system and its various interrelated components."
Finally, professional conduct determines credibility, ethics, morals and standards of behaviour, Kileo concluded.