Digital forensic investigation

Writer:
Regina El Ahmadieh

Modern electronic means are the main driver of developments in our time and are represented by the use of computers and networks. Thanks to the modern technologies on which #information_technology is based, its impact has become positive and has constituted a qualitative shift in the lives of individuals and societies. Various industries now rely primarily on their workforce using computer systems, because of their speed, time savings, and accuracy in collecting, storing, and processing information.

Scientific and technological progress is closely linked to the legal progress that accompanies it, as the law preserves it, ensures its protection, and provides solutions to problems that may arise in connection with its use. While technological progress has become a building tool and the basis of all development processes due to rapid access to information and knowledge, this positive aspect of the information age does not diminish its negative effects, which are represented by the misuse of information systems and their illegal exploitation that harms the interests of individuals and groups, which has led to the emergence of new patterns of crime. The term "cybercriminals", for those who carry out illegal acts called electronic crimes on computer networks, has emerged and attracted attention.

These smart crimes arise and occur in exceptional circumstances and are committed by smart and malicious people who have the tools and technical knowledge to wreak havoc at all economic, social, cultural and security levels, as they aim at revealing personal secrets, or defaming companies or individuals with the intention of harming their personal or financial reputation, or seeking revenge, or stealing money, or laundering and transferring it from one account to another, or destroying information, or difficulty contacting the attacker, or using e-mail.

What is #Digital_Forensic_Investigation?

Legal jurisprudence has defined #cybercrime in different ways and has not been given a unified definition, but what is certain is that the computer and the Internet are a major tool in its implementation.

As for #digital_criminal_investigation, it is a legal activity related to the procedures for controlling crimes, searching for their perpetrators, and collecting the data required by the investigation and criminal case that leads to the arrest of the offender and his appearance before the courts.

 The investigation goes through three stages:

  • The stage of collecting evidence by the judicial police responsible for investigating crimes and their perpetrators.
  • The preliminary investigation stage carried out by the investigating judge or the Public Prosecution to initiate a criminal case or to close the investigation due to insufficient evidence.
  • The final investigation stage is the trial stage.

    In an interview, the expert in the field of digital forensic investigation, Professor Malak Al-Faseel, said, “Digital forensic investigation is a science that aims to collect, analyze, and evaluate the evidence present in devices and includes the possibility of retrieving data in the event of its loss.” Its purpose is to “use it as a means to convict a person or entity in several operations, such as unauthorized access to devices, electronic impersonation, theft operations, as well as murder crimes, and so on.”

    – When does the #digital_criminal_investigation intervene?
    There are several cases that may require the intervention of #digital_criminal_investigation:

  • When the target party feels a difference in the efficiency of its devices or systems, it resorts to digital forensic investigation to evaluate the hack and find any suspicious records or operations on the device.

  •   In the event that there is an Information Security Operations Center department, it is possible that a specific attack will be detected by them on a specific device, and an initial analysis will be carried out at the level of its devices, and then the case will be submitted to the #Digital_Forensic_Investigation Department to complete the analysis process at the level of all devices in the entity.

  •  They are notified by regulatory authorities of the presence of a suspicious contact and then the necessary analysis is carried out by the department itself.

    – What are the procedures for #digital_criminal_investigation?

  • When communicating with the #Digital_Forensic_Investigation Department, the work begins with the following:
    – Identifying and understanding the type of attack, and from here it begins collecting records and taking a backup copy of the devices to work on it.
    – Containment: It is necessary to scan all devices to know the extent of the spread of this attack and try to understand the techniques and all files related to it.
    – Eradication: Here, files related to the attack are removed; for example, when there is a suspicious file, it is deleted. Also, in the event of communication with a suspicious address, a request is filed to prevent access to this address.
    – Recovery: Here, the devices are returned to their previous state through the use of backups. It must be ensured that the backup copies do not contain the causes of the attack. For example, if they use a vulnerability present in the backup copies, we cannot use them.
    – Lessons learned: Here we review what happened and how to prevent it from happening in the future.

    A report must be written for each stage, detailing all the evidence that was found through the analysis.
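
As an added example (not part of the original article or the interview), the recovery check described above can be sketched in Python: before restoring, every file in a backup is compared against the SHA-256 hashes of the suspicious files removed during eradication. The function names and the sample backups are assumptions constructed for illustration, and a hash match covers only known files, not a vulnerability that is also present in the backup.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup members do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_backup(backup_root, bad_hashes):
    """Return relative paths of files in the backup whose SHA-256 matches a
    file removed during eradication, sorted for a reproducible report."""
    root = Path(backup_root)
    bad = {h.lower() for h in bad_hashes}
    hits = []
    for path in root.rglob("*"):
        # Skip symlinks: hash only what is really stored in the backup.
        if path.is_file() and not path.is_symlink():
            if sha256_file(path) in bad:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def backup_is_restorable(backup_root, bad_hashes):
    """A backup is usable for recovery only if no flagged file is in it."""
    return not scan_backup(backup_root, bad_hashes)


def demo():
    """Constructed sample: one clean backup, one taken after the attack."""
    payload = b"constructed stand-in for the suspicious file"
    bad_hashes = {hashlib.sha256(payload).hexdigest().upper()}
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = Path(tmp, "backup_old"), Path(tmp, "backup_new")
        for root in (clean, infected):
            (root / "docs").mkdir(parents=True)
            (root / "docs" / "report.txt").write_text("quarterly report")
        (infected / "tmp").mkdir()
        (infected / "tmp" / "update.bin").write_bytes(payload)
        return (backup_is_restorable(clean, bad_hashes),
                scan_backup(infected, bad_hashes))


if __name__ == "__main__":
    print(demo())
```

The list returned by `scan_backup` can go directly into the recovery-stage report as evidence of why a given backup was rejected.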

    – What are the ways to file a complaint?
    There is no specific program for the entity in case one wants to file a complaint, but there are several matters related to this issue:

     ⁃ There is a Haseen platform provided by the #Cyber_Security Authority, which is considered a platform that collects the latest technologies and suspicious files, and if there is a unit, they can be uploaded there.
     
    – After your investigation, will the case or lawsuit be transferred to the court and a ruling will be decided?
     Some countries have legislative bodies that force them to file any crime that occurs during a certain period, an example of which is the GDPR in Britain.

  • The analysis report is delivered by the #Digital_Criminal_Investigation Department to the target party, which is authorized to approve the ruling if they want to refer the case to court or not.

    – What qualities must an investigator have in this field?

  •  He must have analytical skill

  •   He is familiar with the nature of device operations so that he can differentiate between a real attack and a normal device operation

  •  He holds specialized certificates in this field such as GCFE / GCFA

  •  Up to date on the latest technologies used by the criminal

    – Is there any connection between a military investigator and a cyber or digital security investigator?

  • There is a strong relationship, as there is a department in the military corps, which is the Criminal Investigation and Digital Investigation Department, and is specialized in these operations.

    – Can the aggressor or criminal re-enact his act as is the case in other investigations?

  • If the targeted party does not take into consideration the fifth step, which is (lessons learned), then it is possible that the criminal will repeat the same crime.  

Written by a group of students at Princess Noura University:

Al-Jawhara Abdullah Al-Majali

Manal Suwaid Al-Mutairi

Gram Rajeh Al Khudair

Hadeel Abdullah Al-Bishri
