05 March 2016 by Tom Collins
A friend of mine who works in the legal system introduced me to the Locard principle and how it relates to crime investigation. The Locard principle contends that the perpetrator introduces something to the crime scene and leaves something behind at it. Both of these phenomena can be added to the forensic evidence. I wanted to know how you apply this idea to cybercrime.
Cybercrime has unique characteristics which distinguish it from "traditional" crime. For example, if someone is using a mobile phone as an endpoint to connect into a network and steal data from a database, is it possible to connect the crime with a particular individual?
The forensics expert faces the challenge of widening the scope of the crime scene. The target object may be a database server, but the crime scene could be international, and the forensic investigator may need to visit multiple locations.
Trace logs such as the default trace are available on database servers, and further logs exist on the OS, routers, switches, mobile phones and so on, but mapping them into a unified profile is not a trivial exercise. Firstly, there is the problem of aggregating the logs. Secondly, different layers of permission may be required across national borders: the individual may be in one country, the ISP in another, the database server in a third, and once the data is packaged it could move anywhere.
Another complication is bots. These can be installed on a server with instructions and then left to execute against the target server(s) at future points in time, using the credentials and authentication of the server they run on. This adds further layers to untangle.
It is something to think about when deciding which traces to capture and what information is retained for troubleshooting historical situations.
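To make the aggregation problem concrete, here is an added example (not from the original post) that merges constructed log lines from a router, a Windows host and a SQL Server default trace, each stamping local time in its own format and in a different country, into one UTC-ordered timeline filtered on the actor being traced. The time zone offsets, log formats and sample lines are all assumptions for illustration.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample layers (not real logs). Each sits in a different country,
# so each stamps local time in its own format with no offset recorded.
LAYERS = {
    # name: (assumed local UTC offset in hours, timestamp regex, strptime format)
    "router":    (9,  r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})", "%Y %b %d %H:%M:%S"),
    "windows":   (-5, r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", "%Y-%m-%d %H:%M:%S"),
    "sqlserver": (1,  r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", "%Y-%m-%d %H:%M:%S"),
}

SAMPLE = {
    "router":    ["Mar 05 22:14:03 vpn: session open user=jsmith src=203.0.113.7"],
    "windows":   ["2016-03-05 08:13:59 EventID=4625 logon failed user=admin src=198.51.100.9",
                  "2016-03-05 08:14:20 EventID=4624 logon user=jsmith src=203.0.113.7"],
    "sqlserver": ["2016-03-05 14:15:02 Audit Login login=jsmith host=203.0.113.7",
                  "2016-03-05 14:16:40 Object:Deleted db=Sales login=jsmith host=203.0.113.7"],
}

def to_utc(layer, line, year=2016):
    """Parse the local timestamp at the start of a line and return it as UTC.
    Syslog-style stamps carry no year, so the caller supplies one."""
    offset, pattern, fmt = LAYERS[layer]
    m = re.match(pattern, line)
    if not m:
        raise ValueError(f"{layer}: no timestamp found in {line!r}")
    raw = m.group(1)
    if not raw[:4].isdigit():          # no year in the stamp: prepend the known one
        raw = f"{year} {raw}"
    local = datetime.strptime(raw, fmt).replace(tzinfo=timezone(timedelta(hours=offset)))
    return local.astimezone(timezone.utc)

def build_timeline(records, actor):
    """Merge all layers into one UTC-ordered list of (time, layer, line),
    keeping only lines that mention the actor (an IP or account) being traced."""
    events = []
    for layer, lines in records.items():
        for line in lines:
            if actor in line:
                events.append((to_utc(layer, line), layer, line))
    return sorted(events)

if __name__ == "__main__":
    for when, layer, line in build_timeline(SAMPLE, "203.0.113.7"):
        print(when.isoformat(), layer.ljust(9), line)
```

Sorting on the raw local stamps would place the router event last; normalising to UTC first shows it as the opening step of the chain.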
Powershell Script – How to get windows logs events with Get-WinEvent for a date range
Powershell Get-EventLog and Event Log messages - SQL Server DBA
How to determine who deleted a SQL Server database