CYCS200 INVESTIGATIONS -- week 11

Description and Tags

cycs 200. information security investigations


34 Terms

1

what is online investigation?

the process of collecting, analyzing, and validating digital information to support cybersecurity or law enforcement work.

2

what is the purpose of online investigation?

understand cybercriminal behaviour, collect evidence, and protect systems.

3

an example of online investigation?

tracking a phishing attack back to the originating IP and server

4

what is a cyber incident?

any event that threatens confidentiality, integrity, or availability of information. 

5

categories of cyber incidents?

  • unauthorized access

  • malware infection

  • data breach

  • network intrusion

ex. ransomware attack encrypting a company’s payroll system

6

what is a threat actor?

any individual or group responsible for malicious cyber behaviour

7

types of threat actors?

  • hacktivists

  • cybercriminals

  • nation-state actors

  • insider threats

ex. insider leaking customer records for money

8

motives and techniques of a hacker group?

motives:

  • politics

  • challenge

  • revenge

  • activism

techniques:

  • DDoS

  • defacement

  • intrusion

ex. anonymous attacking a government portal during protests

9

goal, common scams, and techniques of a fraud group

goal: financial gain

common scams: 

  • romance scams

  • CRA scams

  • investment scams

techniques:

  • social engineering

  • phishing

  • fake payment links

ex. scam email claiming tax refund requiring credit card details

10

name some law enforcement agencies in canada

  • RCMP national cybercrime coordination

  • CSIS (Canadian Security Intelligence Service)

    • responsible for gathering, processing, and analyzing national security information from around the world and conducting covert action within Canada and abroad

  • CSE (Communications Security Establishment)

    • provides the government of Canada with information technology security and foreign signals intelligence

their roles: investigate, respond, coordinate, gather intelligence

11

charter rights and privacy

police searches require:

  • reasonable grounds

  • judicial authorization

exception ex: police acting without warrant to prevent imminent harm

12

search warrant exceptions

  1. consent

  • the consent must be voluntary and given by someone with the proper authority

  2. exigent circumstances

  • emergency situations that allow law enforcement to conduct a warrantless search or seizure when it is impractical to obtain a warrant.

    • imminent threat to public safety

    • imminent destruction of evidence

    • imminent escape of a suspect

    • mobile vehicles

  3. plain view

  • allows police officers to seize evidence without a warrant if they are lawfully in a position to see the item and its incriminating nature is immediately apparent (officer sees hacking tools visibly on desk)

13

what is digital evidence?

information stored or transmitted in digital form that may be relevant to investigations

14

types of digital evidence

  • logs

  • emails

  • social media posts

  • network packets

ex. web server log showing external brute force attempts

15

investigative workflow step by step

  1. identify evidence sources

  • find out where the digital evidence lives

    • laptops, phones, tablets

    • cloud storage

    • email accounts

    • server logs

    • network traffic logs

    • usb drives

    • social media accounts

  2. preserve data

  • before touching anything, the original evidence must be protected so it can’t be altered, overwritten, or corrupted. 

    • disconnect the device from the network

    • capture snapshots of volatile data (RAM)

    • lock user accounts to prevent logins

    • use write-blockers to prevent modifying storage devices

  3. forensic imaging

  • creating a bit-for-bit exact copy of the data from the device or system

    • do not analyze the original device, but the copy

    • imaging includes deleted files, hidden partitions, slack space, metadata

  4. analyze evidence

  • looking for

    • malware

    • unauthorized logins

    • file transfers

    • suspicious emails

    • artifacts of user activity

    • deleted data

    • timestamps and log correlations

  • rebuilding what happened, when it happened, and who did it

  5. interview witnesses

  • employees who noticed weird activity

  • IT staff who managed affected systems

  • victims targeted in phishing attacks

  • witnesses who saw suspicious behaviour

  6. execute warrants

  • if the investigation expands, law enforcement may need:

    • search warrants for devices

    • warrants for cloud service providers

  7. produce reports for court

  • investigators document everything in a way that judges, lawyers, and non-tech people can understand

    • what was collected and how

    • chain of custody

    • tools used

    • findings (screenshots & logs)

    • timeline of events

    • conclusion about what happened

16

email investigations techniques

what to extract:

  • header metadata

  • sender IP

  • SPF/DKIM validation

tools: MXToolbox, Email tracker pro

ex. header reveals sender actually from Nigeria, not CRA

17

open source intelligence (OSINT)

intelligence gathered from publicly available sources

users: police, journalists, analysts, ethical hackers

challenge: verification and authenticity

ex. tracking a suspect's social media photos for location clues

18

OSINT methodologies

  1. triage (simple search)

  • googling a name, email, or company

  • checking social media profiles

  • looking at public news articles

  • searching usernames on common platforms

  2. deep search (advanced operators)

  • google dorks (site:, filetype:, intitle:, inurl:)

  • specific government/public databases

  • checking breach data (HaveIBeenPwned, LeakCheck)

  • archived sites (Wayback Machine)

  3. automation (tools/scripts)

  • scrape, correlate, and visualize data automatically

    • python scripts that check multiple websites

    • tools that map relationships, IPs, leaked data, etc

tools: maltego (maps relationships between people, emails, IPs, companies), shodan (search engine for internet-connected devices), spiderfoot (automated OSINT scanner)

19

social media investigations

platforms: facebook, instagram, tiktok, reddit

challenges: privacy settings, manipulation, false identities

definition: sock puppet - fake account used for investigation

ex. officer using sock puppet to join criminal groupchat

20

geolocation data

identifying the physical location of a device

  • IP address

  • GPS

  • wifi networks

ex. tracking criminal using IP logs from VPN exit nodes

21

EXIF data in photos

metadata embedded in photos (GPS, time, camera type)

  • identify location

  • confirm timeline

ex. kidnapper’s photo reveals exact coords of hideout

22

video evidence and verification

video clues:

  • background noises

  • landmarks

  • language and accents

verification tools: InVid, Forensically

23

deep web vs dark web

DEEP WEB

  • not indexed, private databases

DARK WEB

  • requires tor; hosts illegal markets

ex. dark web marketplace selling stolen gift cards/credit cards

24

what is tor?

anonymity network using onion routing

benefits: privacy, protection from tracking

risks: criminal activity, malware

real case: FBI deanonymizing child exploitation sites on Tor

25

dark web investigations

steps:

  • use VM (virtual machine)

    • a software-based, emulated computer that runs on top of a physical machine, or "host"

  • use VPN (virtual private network) 

    • creates a secure, encrypted connection between your device and a remote server, masking your IP address and protecting your online data

  • use isolated environment

risks: malware, illegal content exposure

ex. investigators tracing bitcoin transactions

26

protecting investigators

backstopping methods:

  • fake identity

  • secure browsers

  • strong OPSEC

ex. cyber investigator masking identity when entering forum

27

investigative documentation

notes must include:

  • date/time

  • actions taken

  • tools used

  • screenshots

reason: court admissibility

28

case study — phishing attack

scenario: employee receives fake bank alert.

investigation:

  • header analysis

  • link sandboxing

  • IP tracing

outcome: email linked to foreign crime ring

29

case study — social media harassment

evidence:

  • screenshots

  • metadata

  • account creation timeline

outcome: suspect identified through OSINT and IP logs
