Key Elements in Cybercrime Investigations: Part 1

By 0
Key Elements in Cybercrime Investigations: Part 1


Digital forensics has been defined as the “process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings Computer related incidents are increasing in number and severity in recent times. The purpose of this paper is to provide an overview of digital forensics techniques for conducting computer crime investigations. The paper presents various forms of cybercrime and electronic evidence. It briefly discusses the techniques to obtain evidence from internet and web resources.

Electronic Evidence

Electronic evidence is data relevant to an investigation that is transferred by or stored on an electronic device. This type of evidence is found when data on any physical device is collected for examination Electronic evidence has the following properties: It may be hidden, like fingerprint evidence or DNA evidence: It can be broken, changed, damaged, or cracked by improper handling; therefore, precautions must be taken to document, gather, safeguard, and examine these types of evidences. 

Electronic information is usually stored on magnetic or optical storage devices. Hard drives, including removable drives and laptop drives, often contain significant information in hidden files. Computer systems—PCs and network servers in which electronic data are organized, stored, deleted, and accessed—should not be ignored. All e-mail servers and their backup schedules are also critical, and any Internet-related files should be obtained from Internet service providers or specific network servers.  

Computer Components Where Evidence is retrieved

Based on the type of crime committed, an investigator can retrieve evidence from various components of a computer system as well as other electronic devices connected to a computer. A computer system generally consists of the central processing unit (CPU), motherboard, memory, case, data storage devices, monitor, keyboard, and mouse. Digital evidence can be found in files that are stored on memory cards, hard drives, USB drives, other removable storage devices, and media such as floppy disks, CDs, DVDs, cartridges, and tapes.  A hard drive is an electronic storage device that stores data magnetically. A computer hard drive can record every activity done on a computer.

A thumb and memory card are removable electronic storage devices that are used in many devices where evidence can serve as evidence. Another device where evidence can be retrieved is answering machine. The machine stores voice messages, time and date information, and when messages were left. To find the evidence, an investigator should check the voice recordings for deleted messages, most recent numbers called, messages, recorded phone numbers, and tapes or digital recording data.

Digital cameras have been a major source of evidence in most e-crime cases in recent time. To find the evidence, investigators check the stored images, removable media, and time and date stamps of the images. To find the evidence, an investigator should check the card expiration date, user’s address, card numbers, and user’s name.

Other electronic devices from which evidence can be collected are:  Fax machines; MP3 players; Pagers messages, and phone numbers; Printers; Removable storage devices (tapes, CDs, DVDs, and floppies); Telephones; Modems; Scanners; Copiers; Smart cards, dongles, and biometric scanners.

Social Media Sites Investigations: Most people spend a lot of time using them every day. As a result, some evidence of most crimes can be found online. That’s why more and more evidence can now be found in Social Networking sites, web browsers, emails, peer to peer software, etc.

Social networks are quickly becoming what “traditional” instant messengers were just a few years ago. More and more communication is migrating from public chat rooms and private messengers into online social networks. Communications extracted from social networks can be extremely valuable to forensic investigators.

Despite the rise of instant chats and social networks, e-mail is still a major carrier of important information, which is especially true for corporate environments. With many online and offline e-mail clients, it is too easy to overlook essential evidence without approaching it properly.

Web Browsing History: Web browsing is a popular activity. Analyzing Web browsing history, bookmarks, cached Web pages and images, stored form values, and passwords gives keys to important evidence not available otherwise. Web browser cache may contain images with illicit content, as well as JavaScript-based malware that may be responsible for some suspicious-looking activities. Internet activities such as Google searches can be discovered and analyzed, often helping solve less than obvious crimes.

Peer-to-Peer and File Exchange: Software clients such as the popular Torrent exchange software may contain essential evidence, including illegal images or videos and stolen, copyrighted, and intellectual property. Information about files being downloaded, shared, and uploaded can be a substantial addition to the collected evidence base.

Images: Still images and video files should be analyzed for their content. Forensic tools can help investigators automate the analysis by detecting things such as pornography, human faces, or scanned images of text documents saved as picture files.


When a computer incident occurs, the attacked organization responds with a set of predetermined actions. Applying digital forensics techniques and protocols and looking at the above sources of evidence aid to uncover the actions of the criminal.

Author: Sam O. Aduafo, Member of Institute of ICT Professionals, Ghana, CyberGhana and||; Stephen Hasford: Member of Institute of ICT Professionals, Ghana, Technical Director, Ghana National Youth in Cybersecurity Technology (NYCT) Program|| 0268672979