Cyber Crime Investigation Tools and Techniques Explained
Investigating a crime scene is not an easy job. It requires years of study to learn how to deal with hard cases, and most importantly, get those cases resolved. This applies not only to real-world crime scenes, but also to those in the digital world.
As new reports come to light and digital news agencies show cybercrime on the rise, it's clear that cybercrime investigation plays a critical role in keeping the Internet safe.
Traditional law enforcement government agencies are now called upon to investigate not only real-world crimes, but also crimes on the Internet. Many well-known federal agencies even publish and update the "most wanted" list of cyber criminals, in the same way we've seen traditional criminals listed and publicized for years.
That's why today we'll answer the question, "What is a cybercrime investigation?" and explore the tools and techniques used by public and private cybercrime investigation agencies to deal with different types of cybercrime.
- What is a cyber crime investigation?
- Who conducts cybercrime investigations?
- Cybercrime investigation techniques
- Top 12 cybercrime investigation and forensic tools
What is a cyber crime investigation?
Before jumping into the "investigation" part, let's go back to the basics: a digital crime or cybercrime is a crime that involves the usage of a computer, phone or any other digital device connected to a network.
These electronic devices can be used for two things: perform the cybercrime (that is, launch a cyber attack), or act as the victim, by receiving the attack from other malicious sources.
Therefore, a cybercrime investigation is the process of investigating, analyzing and recovering critical forensic digital data from the networks involved in the attack—this could be the Internet and/or a local network—in order to identify the authors of the digital crime and their true intentions.
Cybercrime investigators must be experts in computer science, understanding not only software, file systems and operating systems, but also how networks and hardware work. They must be knowledgeable enough to determine how the interactions between these components occur, to get a full picture of what happened, why it happened, when it happened, who performed the cybercrime itself, and how victims can protect themselves in the future against these types of cyber threats.
Who conducts cybercrime investigations?
Criminal justice agencies
Criminal justice agencies are the operations behind cybercrime prevention campaigns and the investigation, monitoring and prosecution of digital criminals. Depending on your country of residence, a criminal justice agency will handle all cases related to cybercrime.
For example, in the U.S. and depending on the case, a cybercrime can be investigated by the FBI, U.S. Secret Service, Internet Crime Complaint Center, U.S. Postal Inspection Service or the Federal Trade Commission.
In other countries such as Spain, the national police and the civil guard take care of the entire process, no matter what type of cybercrime is being investigated.
National security agencies
This also changes from one country to another, but in general, this type of agency usually investigates cybercrime directly related to the agency.
For example, an intelligence agency should be in charge of investigating cybercrimes that have some connection to their organization, such as against its networks, employees or data; or have been performed by intelligence actors.
In the U.S., another good example is the military, which runs its own cybercrime investigations by using trained internal staff instead of relying on federal agencies.
Private security agencies
Private security agencies are also important in the fight against cybercrime, especially during the investigation process. While governments and national agencies run their own networks, servers and applications, they make up only a small fraction of the immense infrastructure and code kept running by private companies, projects, organizations and individuals around the world.
With this in mind, it's no surprise that private cybersecurity experts, research companies and blue teams play a critical role when it comes to preventing, monitoring, mitigating and investigating any type of cybersecurity crime against networks, systems or data running on third-party private data centers, networks, servers or simple home-based computers.
The wide range of cybercrime investigated by private agencies knows no limits, and includes, but is not limited to, hacking, cracking, virus and malware distribution, DDoS attacks, online frauds, identity theft and social engineering.
Cybercrime investigation techniques
While techniques may vary depending on the type of cybercrime being investigated, as well as who is running the investigation, most digital crimes are subject to some common techniques used during the investigation process.
Background check: Creating and defining the background of the crime with known facts will help investigators set a starting point to establish what they are facing, and how much information they have when handling the initial cybercrime report.
Information gathering: One of the most important things any cybersecurity researcher must do is grab as much information as possible about the incident.
Was it an automated attack, or a human-based targeted crime? Was there any open opportunity for this attack to happen? What is the scope and impact? Can this attack be performed by anyone, or by certain people with specific skills? Who are the potential suspects? What digital crimes were committed? Where can the evidence be found? Do we have access to such evidence sources?
These and other questions are valuable considerations during the information gathering process.
A lot of national and federal agencies use interviews and surveillance reports to obtain proof of cybercrime. Surveillance involves not only security cameras, videos and photos, but also electronic device surveillance that details what's being used and when, how it's being used, and all the digital behavior involved.
One of the most common ways to collect data from cybercriminals is to configure a honeypot that acts as a victim while collecting evidence that can later be used against the attackers, as we previously covered in our Top 20 Honeypots article.
Tracking and identifying the authors: This next step is sometimes performed during the information-gathering process, depending on how much information is already in hand. In order to identify the criminals behind the cyber attack, both private and public security agencies often work with ISPs and networking companies to get valuable log information about their connections, as well as historical service, websites and protocols used during the time they were connected.
This is often the slowest phase, as it requires legal permission from prosecutors and a court order to access the needed data.
Digital forensics: Once researchers have collected enough data about the cybercrime, it's time to examine the digital systems that were affected, or those suspected of being involved in the origin of the attack. This process involves analyzing raw network connection data, hard drives, file systems, caching devices, RAM and more. Once the forensic work starts, the researcher follows every relevant trail looking for fingerprints in system files, network and service logs, emails, web-browsing history, etc.
Top 12 cybercrime investigation and forensic tools
Cybercrime investigation tools include a lot of utilities, depending on the techniques you're using and the phase you're in. However, bear in mind that most of these tools are dedicated to the forensic analysis of data once you have the evidence in hand.
There are thousands of tools for each type of cybercrime, therefore, this isn't intended to be a comprehensive list, but a quick look at some of the best resources available for performing forensic activity.
SIFT
SIFT is a forensic tool collection created to help incident response teams and forensic researchers examine digital forensic data on several systems.
It supports different types of file systems such as FAT 12/16/32 as well as NTFS, HFS+, EXT2/3/4, UFS1/2v, vmdk, swap, RAM data and RAW data.
When it comes to evidence image support, it works perfectly with single raw image files, AFF (Advanced Forensic Format), EWF (Expert Witness Format, EnCase), AFM (AFF with external metadata), and many others.
Other important features include: an Ubuntu 16.04 LTS 64-bit base system, the latest forensic tools, cross-compatibility between Linux and Microsoft Windows, the option to install it as a stand-alone system, and extensive documentation to answer all your forensic needs.
Best of all, it's open source and completely free.
The Sleuth Kit
Written by Brian Carrier and known as TSK, The Sleuth Kit is an open source collection of Unix- and Windows-based forensic tools that helps researchers analyze disk images and recover files from those devices.
Its features include full parsing support for different file systems such as FAT/ExFAT, NTFS, Ext2/3/4, UFS 1/2, HFS, ISO 9660 and YAFFS2, which allows it to analyze almost any kind of image or disk from Windows-, Linux- and Unix-based operating systems.
Available from the command line or used as a library, The Sleuth Kit is the perfect ally for any person interested in data recovery from file systems and raw-based disk images.
This software is one of the most complete forensic suites for Windows-based operating systems. It supports almost any version of Windows, making it one of the best in this particular market; it runs on Windows XP/2003/Vista/2008/7/8/8.1/2012/10*, in both 32-bit and 64-bit editions. One of its best features is that it's fully portable, so it can run from a memory stick and be carried from one computer to another.
Its main features include: the ability to perform disk cloning and imaging, and to read partitions from raw image files, HDDs, RAID arrays, LVM2 and much more.
It also offers advanced detection of deleted partitions on FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, etc., as well as advanced file carving, and file and directory catalog creation.
CAINE
CAINE is not a simple cybercrime investigation application or suite; it's a full Linux distribution used for digital forensic analysis.
It works from the live CD, and can help you extract data created on multiple operating systems such as Linux, Unix and Windows.
Whether it's file system, memory or network data extraction, CAINE can do it all by combining the best forensic software that runs on both command-line and GUI-based interfaces.
It includes popular digital crime investigation apps such as The Sleuth Kit, Autopsy, Wireshark, PhotoRec, Tinfoleak and many others.
PALADIN
PALADIN is a bootable Linux distribution based on Ubuntu and developed by SUMURI.
The PALADIN Toolbox helps streamline numerous forensic tasks, truly offering “forensic tools galore”—more than 30 categories with over 100 tools, including The Sleuth Kit and Autopsy. This veritable forensic lab on a disk is available in both 64- and 32-bit versions, making it one of the most popular suites of its kind. Used by law enforcement, military, federal, state and corporate agencies, PALADIN is the perfect ally for any computer crime investigator.
ProDiscover Forensic
Widely used in computer forensics and incident response, ProDiscover Forensic has the capabilities needed to handle every aspect of a forensic investigation. This digital forensic product helps investigators quickly and efficiently uncover files and collect, process, protect and analyze data, as well as create evidence reports.
ProDiscover’s product suite offers investigators a wide array of diagnostic and evidence tools to explore evidence and extract relevant investigation artifacts. Its features include extensive automation, cloud forensics, memory forensics, previews of files without altering data on disk (including metadata), and examination of data at the sector level.
Digital Forensics Framework
Known as DFF, the Digital Forensics Framework is open-source computer forensics software that allows digital forensics professionals to discover and save system activity on both Windows and Linux operating systems.
It allows researchers to access local and remote devices such as removable drives, local drives, remote server file systems, and also to reconstruct VMware virtual disks. When it comes to file systems, it can extract data from FAT12/16/32, EXT 2/3/4, and NTFS on both active and deleted files and directories. And it even helps to inspect and recover data from memory sticks including network connections, local files and processes.
Oxygen Forensic Detective
This tool is one of the best multi-platform forensic applications used by security researchers and forensic professionals to browse all the critical data in a single place.
With Oxygen Forensic Detective you can easily extract data from multiple mobile devices, drones and computer operating systems, including grabbing passwords from encrypted OS backups, bypassing the screen lock on Android, getting critical call data, extracting flight data from drones, and collecting user information from Linux, MacOS and Windows computers. It also supports IoT device data extraction.
Open Computer Forensics Architecture
Known as OCFA, Open Computer Forensics Architecture is a forensic analysis framework written by the Dutch National Police Agency. They developed this software with the main goal of speeding up their digital crime investigations, allowing researchers to access data from a unified and UX-friendly interface.
It has been integrated into or is part of the core of many other popular cybercrime investigation tools such as The Sleuth Kit, Scalpel, PhotoRec and others.
While the official project was discontinued some time ago, this tool is still used as one of the top forensic solutions by agencies all over the world. There are many other related projects still working with the OCFA code base, which can be found at the official website on SourceForge.
Bulk Extractor
Bulk Extractor is one of the most popular apps used for extracting critical information from digital evidence data.
It works by extracting features like URLs, email addresses, credit card numbers and much more from ISO disk images and directories or simply files—including images, videos, office-based and compressed files.
It's a tool that serves not only for data extraction, but for analysis and collection as well. One of its best attributes is its wide support for almost any OS platform, including Linux, Unix, Mac and Windows.
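To make concrete what a feature extractor like Bulk Extractor does when it carves e-mail addresses, URLs and card numbers out of raw bytes, here is an added example (my own code, not Bulk Extractor's): it scans a constructed byte blob standing in for a slice of a disk image, records each hit with its byte offset the way bulk_extractor's feature files do, and keeps only card-number candidates that pass the Luhn check. The regular expressions and the sample data are simplified assumptions, not the tool's own scanner rules.

```python
import re
from collections import Counter

# Constructed stand-in for a slice of a raw disk image (not real evidence):
# text fragments interleaved with binary junk, as carved data usually looks.
SAMPLE_IMAGE = (
    b"\x00\x00\x8a\xffFrom: alice@example.org\r\nSubject: invoice\r\n"
    b"\x00visit https://shop.example.com/checkout?id=42 now\x00\x00"
    b"card=4111 1111 1111 1111;exp=12/29\x00"
    b"bogus=1234 5678 9012 3456\x00"              # looks like a card, fails Luhn
    b"bob.smith@example.net\x00http://phish.example/x\x00"
)

# Simplified patterns (assumed here, not Bulk Extractor's own scanner rules).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# 13-19 digits, optionally separated by single spaces or dashes.
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_features(data: bytes) -> dict:
    """Return {feature_type: [(offset, value), ...]}, one list per feature type."""
    found = {"email": [], "url": [], "ccn": []}
    for m in EMAIL_RE.finditer(data):
        found["email"].append((m.start(), m.group().decode("ascii")))
    for m in URL_RE.finditer(data):
        found["url"].append((m.start(), m.group().decode("ascii")))
    for m in CCN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):                 # drop false positives before reporting
            found["ccn"].append((m.start(), digits))
    return found


def domain_histogram(emails) -> Counter:
    """Count e-mail domains, the kind of summary an investigator pivots on first."""
    return Counter(value.rsplit("@", 1)[1].lower() for _, value in emails)


if __name__ == "__main__":
    features = extract_features(SAMPLE_IMAGE)
    for kind, hits in features.items():
        for offset, value in hits:
            print(f"{kind:5} @ offset {offset:6}: {value}")
    print(domain_histogram(features["email"]))
```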
ExifTool
Written in Perl, this forensic tool developed by Phil Harvey is a command-line-based utility that can read, write and manipulate metadata from several media files such as images and videos.
ExifTool supports extracting EXIF metadata (common and format-specific) from images and videos, such as GPS coordinates, thumbnail images, file type, permissions, file size, camera type, etc.
It also allows you to save the results in a text-based format or plain HTML.
SurfaceBrowser™
SurfaceBrowser™ is your perfect ally for detecting the full online infrastructure of any company, and getting valuable intelligence data from DNS records, domain names and their historical WHOIS records, exposed subdomains, SSL certificate data and more.
Analyzing the surface of any company or domain name on the Internet is as important as analyzing local drives or RAM sticks—it can lead to finding critical data that could be linked to cybercrimes.
What can you do with SurfaceBrowser?
Get current DNS data
DNS records are an infinite source of intelligence when it comes to cybersecurity. They hold the key to all publicly exposed internet assets for web, email and other services.
SurfaceBrowser™ allows you to view the current A, AAAA, MX, NS, SOA and TXT records instantly.
Analyze historical DNS records
A lot of criminals tend to change DNS records when they commit their malicious activities online, leaving trails of where and how they did things at the DNS level.
No matter what type of DNS record they used, you can explore any A, AAAA, MX, NS, SOA or TXT record; we've got you covered.
Explore the WHOIS history timeline
When the attack is not directed at servers or apps but to domain names, it often involves the WHOIS data. For this kind of situation, the SurfaceBrowser™ WHOIS history timeline becomes your best friend, letting you visualize any changes at registrar level for all your WHOIS information.
This WHOIS history lets you jump backwards and forwards instantly, to get exact information about the domain registrar, WHOIS registrant, admin and technical contact in mere seconds.
Grab full IP block data
While investigating a digital crime that involves companies, networks and especially IP addresses, getting the full IP map of the involved infrastructure is critical.
SurfaceBrowser™ allows you to explore single IPs as well as full IP blocks, and you can filter IP ranges by regional registrar or subnet size.
Once you get the full list of IP blocks, you'll be able to get the full IP count for each one, unique user agents, RIR, hostnames involved, hosted domains, as well as open ports.
Explore associated domains
When investigating malware, viruses, phishing domains or online fraud, sometimes you'll be amazed to find that the incident you're investigating is not an isolated case but is actually related to others, acting as a malicious network that involves many domains.
How can you detect this? By using our Associated Domains feature.
Associated Domains enables you to explore domain names associated with the company or the main domain you're investigating, and easily filter the results by registrar, organization, creation and expiration year.
Where is it hosted? What's the email provider? When was it registered? What's the company behind all these sites? We have the answers you need.
When the results load, you'll see all the details, including hostname, Alexa rank, computed company name, registrar, expiration and creation date, mail provider as well as hosting provider.
Visualize the full subdomain map
Creating a curated and complete subdomain map of any and all apex domains is really easy. Our SurfaceBrowser™ Subdomain discovery feature enables you to get all this critical data in seconds; no manual scanning, no waiting, it's all in there.
Visualize the full picture of all the involved subdomains for any cyber attack, learn where they are hosted, which IP they are using and more.
Access reverse IP intelligence
Reverse DNS is one of the most valuable hidden treasures of cybersecurity, as seen in our How to use reverse DNS records to identify mass scanners blog post.
When you access this interface, you'll be able to get our massive store of rDNS intelligence data in your hands, to investigate and relate PTR records with IP addresses easily.
You'll also be able to filter by open ports and similar records.
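As an added example of what relating PTR records to IP addresses involves under the hood (my own code, not SurfaceBrowser's), this parses a few constructed reverse-zone records, turns each in-addr.arpa or ip6.arpa owner name back into the address it describes, and groups addresses by the domain their PTR target points at, which is how a cluster of hosts sharing one naming scheme stands out. The record lines and hostnames are made up, and the parser assumes the "owner TTL class PTR target" layout shown.

```python
import ipaddress
from collections import defaultdict

# Owner name for 2001:db8::1 as a reverse zone spells it: 32 nibbles, reversed.
V6_OWNER = ".".join(reversed(ipaddress.IPv6Address("2001:db8::1").exploded.replace(":", ""))) + ".ip6.arpa."

# Constructed reverse-zone records (documentation address ranges, made-up hostnames).
RDNS_SAMPLE = "\n".join([
    "; constructed sample, not real rDNS data",
    "4.113.0.203.in-addr.arpa.  3600 IN PTR scan-04.probe.example.",
    "9.113.0.203.in-addr.arpa.  3600 IN PTR scan-09.probe.example.",
    "7.100.51.198.in-addr.arpa. 3600 IN PTR mail.corp.example.",
    f"{V6_OWNER} 3600 IN PTR scan-v6.probe.example.",
])


def reverse_name_to_ip(owner: str):
    """Map an in-addr.arpa / ip6.arpa owner name back to the address it describes."""
    name = owner.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"not a full /32 reverse name: {owner}")
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError(f"not a full /128 reverse name: {owner}")
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    raise ValueError(f"not a reverse DNS name: {owner}")


def parse_ptr_records(zone_text: str) -> list:
    """Return [(ip, ptr_target)] from zone-style lines; comments and non-PTR lines are skipped."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop zone-file comments
        if not line:
            continue
        fields = line.split()                       # owner TTL class type target
        if len(fields) < 5 or fields[3].upper() != "PTR":
            continue
        records.append((reverse_name_to_ip(fields[0]), fields[4].rstrip(".").lower()))
    return records


def group_by_ptr_domain(records, labels: int = 2) -> dict:
    """Group addresses by the last `labels` labels of their PTR target (e.g. probe.example)."""
    groups = defaultdict(list)
    for ip, target in records:
        groups[".".join(target.split(".")[-labels:])].append(str(ip))
    return dict(groups)


if __name__ == "__main__":
    for domain, ips in group_by_ptr_domain(parse_ptr_records(RDNS_SAMPLE)).items():
        print(f"{domain}: {len(ips)} address(es) -> {', '.join(ips)}")
```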
Cybercrime investigation is not an easy science. It requires the right knowledge combined with different techniques and tools to jump into the digital crime scene effectively and productively.
Once you have all this in hand, you can properly analyze data and investigate the root cause, as well as track down the authors behind different types of cybercrime.
If you're working as a cybercrime investigator for a public or private agency, then it's your lucky day. SurfaceBrowser™ is the ultimate remote infrastructure auditing tool, one that combines cyber security intelligence analysis from all fronts: IP, domain, email, DNS records, SSL certificates and server side. Book a demo with our sales team today!