First Responder

Forensic investigation in a Virtual Environment and hidden crime information detection
November 17, 2017
Expert 1
November 20, 2017


The "First Responders" training programme is based on the curriculum developed by the Cybersecurity and Cybercrime Investigation Centre of University College Dublin (UCD CCI) and has been adapted in cooperation with L3CE, Ekonominės konsultacijos ir tyrimai (EKT) and Vilnius County Police Headquarters (VCP). The programme is intended for law enforcement officers who investigate, or are otherwise involved in solving, crimes in which ICT is used for criminal purposes. Its main objective is to equip participants with knowledge of IT and its abuse, of cybercrime evidence collection, and of how to react effectively to reports of cybercrime. Trainees are also introduced to the seizure and handling of electronic evidence. The programme additionally contains a train-the-trainer component covering how to deliver the First Responders course: which training methods and practical exercises to use, and how to test and examine the knowledge and skills gained. The course systematically covers the basics of how computers work, a jargon buster, the cybercrime business model, Tor and the Darknet, the psychology of child abuse, how malware infects systems, how Freetool can be used by first responders, search basics and LDF (live data forensics) for first responders, CCIU requirements, how networks, IPs and domains work, e-mail headers, ASP requests, eBay and PayPal, Facebook and Google search, and how all of these affect victims and how crimes are committed. The theoretical presentation is followed by a demonstration of Freetool, which is used to detect and search for footprints and cyber evidence. The training also includes an introduction to OSINT: OSINT tools and resources, EXIF data, and an explanation of the main OSINT principle "follow the money", followed by a demonstration and analysis of an OSINT case study.

The topic on introduction to computers, peripheral devices and networking covers the various components of modern computers: expansion cards, Ethernet expansion cards, input and output hardware, RAM (random access memory), SSDs (solid state drives), hard disk drives (HDDs), auxiliary storage (floppy disks, optical disks, flash drives, magnetic storage), RAID (redundant array of independent disks), the principles of connecting to other computers, the main numeral systems used by computers and networks, how computers process data, the main encoding systems ASCII (American Standard Code for Information Interchange) and Unicode, an overview of cryptography, and time zones and conversion to UTC. The Jargon Buster topic enables participants to understand and describe the most common attack vectors, such as computer worms, spyware, DDoS (distributed denial-of-service) attacks, phishing and vishing and the hallmark features of these scams, man-in-the-middle and watering-hole attacks, cross-site scripting (XSS) attacks, zero-day attacks and botnets. Crime prevention advice is also presented, and the topic includes a practical exercise on phishing. The cybercrime business model topic covers the list of prominent cybercrime marketplaces and the categories of cybercrime business models (commercial, organised, outsourcing and mentor-apprentice), followed by the "Topfox" case study, the theft chain, the exploitation of affiliate marketing, customer service, legitimate merchant accounts and WebMoney for committing cybercrime, the roles and types of money mules, and the chain of how the fraud works. The topic on the deep internet covers the deep web, the underground internet, the onion router (Tor), how Tor works, Tor hidden services, how Tor is accessed, and the Tor investigation tools available to law enforcement.

The introduction to psychology and child sexual exploitation (CAM) is relevant for understanding the patterns and behaviour of criminals on the internet. The types of child sexual exploitation presented include contact sexual abuse, trafficking for sex, recording sexual abuse, trading recorded material, grooming and inappropriate attention. Based on psychology (Finkelhor's theory), the four preconditions for child sex offending are explained (motivation, overcoming internal inhibitors, overcoming external impediments and overcoming victim resistance), together with how the internet enters the mix. The key topic is the search and seizure guidelines, which explain the principles for the seizure of electronic evidence, demonstrate how to identify, seize and transport electronic evidence, and show how to identify portable and removable storage media. Good-practice principles for electronic evidence are presented. A detailed description of the steps to be taken covers the pre-search preparation process, the crime scene investigation process and the related legislation. The pre-search preparation phase includes a presentation of the main principles and of the actions required, such as appointing an officer in charge, distributing roles, appointing a scene-securing team, preparing equipment, applying for CCTV (closed-circuit television) footage, the search briefing (background and targets) and appointing the search team. The crime scene investigation process covers on-site analysis, the on-site computer response team, appointment of an equipment officer and a transport team, case information and search-site intelligence, search methodology, photographing and sketching the scene, evaluation for "live" analysis, live forensics (on-site live computer systems and the response team), on-site observations, and transporting evidence.

LDF (live data forensics) for first responders focuses on how to examine historical data from web browsers, how to perform basic live forensic operations, what to do and what not to do, the ACPO guidelines, how to record activities and ensure compliance with the law, and what "post mortem" (cold) forensics is. The topic is followed by exercises on live analysis: what private browsing is in Firefox, Google Chrome, Internet Explorer and Safari, how to analyse e-mails and IM chats, and what evidence e-mails and IM chats yield. The basics of encryption are presented as knowledge and observation. The course material is supported by a Freetool demonstration and exercise. The topic on the internet enables participants to discuss the history of the internet and covers items such as the principles of the internet, internet protocols, the TCP/IP architecture and protocol suite, IP addresses, network addressing and its capabilities, reserved IP addresses, circuit switching vs. packet switching, packet header information, TCP/IP and packet switching, the internet as it really is, additional notes on IP addresses, IPv6 addresses, connecting to the internet, what an HTML file is, creating and opening an HTML file (mypage.html), image issues in web pages, correcting the code, web pages and colours, adding colour to a web page, extending HTML, web browsers, browser statistics, Firefox 5.0, web servers, what HTTP is, how an HTTP request is sent, cookies, top-level domain names and country codes, domain names, IP and e-mail addresses, managing the domain name server system, Regional Internet Registries, how a domain is obtained, hosting options, web pages and web servers, and web site statistics.

The introduction to identity theft includes the definition of identity theft, how data is used to commit identity fraud or obtain personal information, what information on social networking sites could be used for fraud, ID theft and cyber-bullying, phishing for data, a phishing scam, publicly available personal information, impersonating the dead, information collected at e-commerce sites, database hacking, insider threats, identity theft online, social engineering, using personal information to defraud financial institutions, selling personal information, and how to protect against identity theft. The topic is followed by a practical exercise on an incident response task. The topic on auction fraud and online payment systems covers online auctions, making money from auctions, and the analysis of case studies of different types of fraud, such as an auction for sale (PlayStation 2 original box and receipt), non-delivery of purchased items (the Rotten Apple), misrepresentation and shill bidding, as well as other types of auction fraud (overpayment fraud, black-market/counterfeit goods, bid siphoning and second-chance schemes). Related to this topic is the investigation of payment systems, which covers eBay's privacy policy, the information eBay can provide, using payment systems to protect your money, what PayPal is, sending and receiving money via PayPal, PayPal e-mail scams, escrow services and fictitious "escrow" services. The topic is followed by examples and introduces the LEP (Law Enforcement Portal), a tool through which registered law enforcement officers can obtain eBay user information without faxing a data request, and the Law Enforcement eRequest System (LERS). Network investigation covers e-mail headers, online groups and social networking, newsgroups, Usenet News, Google Groups, news programs, Usenet newsgroups and Usenet headers.

The Facebook investigations topic allows participants to understand the Facebook data request process, presents a list of the information to include in a data request, and explains how the Facebook activity log works and is accessed, how to download an injured party's or suspect's Facebook account, what it means to "preserve" records, account preservation requests, the data request process, identifying Facebook profiles, the Facebook graph, the information to include in records, the data received for basic subscriber information, data request statistics, MLAT, accessing the Facebook activity log, the activity log itself, picture information, downloading a Facebook account, the download process, index.html, messages, the security tag and photographs. The introduction to OSINT covers the definition of OSINT, explains the relevance of OSINT for law enforcement and presents the sources of OSINT, tips for success, safe surfing and evidencing OSINT. This topic is followed by exercise 1: using ECHOSEC.net. The basics of Google Search are presented: quotation marks and search terms, Google operators, sites, "Linkto:", Google search tools, Google alerts, images.google.com and the Google Operators Guide. The training programme is tailored both for classroom training and for remote learning.
