Friday, May 07, 2010


Computer security invariably demands investigative skills from its practitioners. The basic premise, in both the digital and physical worlds, is that intrusions demand a reaction and this is in form of an investigation. There are obviously differences between investigating a house burglary and an online theft of credit card numbers. However there are five similar basic concepts that a cyber-crime investigator and a police detective have to abide by.

Before examining these fundamentals it is prudent to remind ourselves what is meant by the word investigation. It is a systematic, minute, and thorough attempt to ascertain the facts about something complex or hidden. Another definition states that an investigation is a detailed systematic search to uncover facts and determine the truth of the factors (who, what, when, where, why and how) of accidents. This definition outlines the fundamentals any computer investigator should adhere to if they are to investigate cyber crime.

The first fundamental is asking Who was involved. Knowing who might have been involved or contributed to an online breach creates the opportunity to gather more information and stitch a suspect profile. Knowing the types of people involved is also valuable when determining whether the breach originated internally or externally.

The second fundamental is asking What happened. All details that are relevant should be gathered, such as details that provide links to other information and/or that indicate necessary corrective action and/or that provide tracking evidence.

The third fundamental is asking When did it happen. The time at which a hacking attempt happened can reveal important elements in the evolution of the event. A hacker who consistently probes for network access points at certain times provides clues about his location.

The fourth fundamental is asking Where did it happen. The place of the actual event often reveals important facts. Which server was targeted, which data was copied and such facts often point to the motive of the attack.

The fifth fundamental is asking Why did it happened. Asking why should reveal new information on a level closer to the root causes. Asking why repeatedly often reveals new information that would otherwise not be uncovered.

The sixth and final fundamental is asking How did it happen. This is the core of the cyber investigation because how a cyber-crime is committed provides vital clues about the offender. For example an intruder that hacks your network behind multiple proxies (computers) and retrieves password protected logs reveals the technical expertise of the intruder.

For any aspiring cyber crime investigator these fundamentals should be guiding principles. They apply across sectors and professions that are the subject of any investigation.

No comments: