
Digital evidence gathering

When a cyber-attack occurs, the attacked device should immediately be isolated: disconnect it from the internet and, if it is part of a wider network of devices, from that network as well (unplug the network cable, disable Wi-Fi). The device must not be unplugged, turned off or reset, and nothing on it should be changed, so that the data on the disk stays exactly as it was at the time of the attack. Only once an identical, bit-for-bit copy of the disk has been made (disk imaging) for use in the further investigation may the device be switched off. Bear in mind that the contents of memory (running processes, open network connections, encryption keys) are lost the moment the device loses power, so where a memory capture is possible it should be taken before shutdown; and a hash of the disk image should be recorded at the time it is made, so that it can later be shown to match the original.
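The disk-imaging step above, as an added example that is not part of the original text: a Python script that copies a disk byte for byte, hashes the source while reading it and the finished image afterwards with SHA-256, and writes a small chain-of-custody record with timestamps and sizes. The paths and the 3 MiB stand-in file are constructed for the demo; on a real case the source would be a block device such as /dev/sdb, read through a write blocker or mounted read-only, and the image is then treated as the evidence copy.

```python
"""Added example (not from the original page): make a bit-for-bit image of a
disk (or, here, a file standing in for it), verify it with SHA-256 and record
the result. Paths below are assumptions for the demo."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large device never sits in memory


def sha256_of(path: str) -> str:
    """Hash a file or block device in streaming fashion."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: str, image: str, note: str) -> dict:
    """Copy `source` byte for byte to `image`, hashing the source as it is read,
    then re-hash the finished image. Returns a chain-of-custody record and
    raises if the two hashes disagree (truncated or corrupted copy)."""
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    record = {
        "source": source,
        "image": image,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),
        "size_bytes": os.path.getsize(image),
    }
    if record["source_sha256"] != record["image_sha256"]:
        raise RuntimeError("image does not match source; do not use it as evidence")
    with open(note, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image: str, note: str) -> bool:
    """Later check (e.g. before handing the image over): does the stored image
    still hash to the value recorded when it was made?"""
    with open(note) as f:
        record = json.load(f)
    return sha256_of(image) == record["image_sha256"]


def demo() -> dict:
    """Constructed demo: a random 3 MiB file stands in for the attacked disk."""
    workdir = tempfile.mkdtemp()
    fake_disk = os.path.join(workdir, "fake_disk.bin")
    with open(fake_disk, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a multiple of CHUNK
    image = os.path.join(workdir, "fake_disk.img")
    note = os.path.join(workdir, "fake_disk.json")
    record = image_device(fake_disk, image, note)
    record["verified"] = verify_image(image, note)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The recorded JSON note is what accompanies the image when it is handed to the investigating body: anyone can re-run the hash and confirm the copy is unchanged.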

In such cases the priorities are to limit the damage, stop the attack, restore normal operation of the system and process the case. Besides CERTs and technical support, the competent public bodies also have a crucial role, as they are in charge of high-tech crime. In Serbia these are the Department for High-Tech Crime within the Ministry of Interior and the Special Prosecution Office for the Fight against High-Tech Crime. Both are located in Belgrade, while police stations and prosecution offices elsewhere in the country still do not have staff working on high-tech crime, so it is most efficient to send reports directly to the bodies in Belgrade.

When reporting an attack, it is important to submit as much evidence and detail as possible, so that the competent bodies have enough information to react quickly. The following kinds of information about an attack may be useful for a cyber investigation:

Links/URL addresses

If links have been identified and are relevant to the attack, they should be provided in their original, full form (copied, not retyped or shortened). For example, in the case of death threats or other illegal acts on social networks, forums and similar portals, the report should contain the full link to the account that sent the threat, to the text of the threat itself, and so on.

Screenshot

If the criminal offence lies in the content itself (text, image or video), it can be recorded with a screenshot. Most PC keyboards have a key for this (PrtSc); the image of the screen is copied to the clipboard and can be pasted into an image-editing program and saved. Mobile phones also take screenshots with a combination of keys, and the image is saved automatically to the gallery. If the offence consists of several parts (for example multiple SMS messages, or messages received through an application on a computer or phone), take a screenshot of each part individually or record a video of the whole sequence. Where possible, the screenshot should also show the date and time and the address bar or account name, so the content can be tied to its source.

Emails

The content of the message alone is often insufficient to identify the attacker, that is, the location from which the email was sent. It is therefore best to save a copy of the email in its complete form, including the metadata, i.e. the email header. Simply forwarding the message does not preserve the original header, so the message should be saved as a file (.eml) or exported with the "show original" or "view source" option of the email client. Instructions on how to obtain email headers from different email clients can be found here.

Log files

Log files are records of what happened on a device at a given time, and they are most often needed when a server is the target of an attack. They are text files in which a cyber investigation may discover the digital traces of an incident, including important information about the attacker: source addresses, timestamps and the exact requests or commands that were made. Logs are usually rotated or overwritten after a period of time, so they should be copied and preserved (with their hash recorded) as soon as the incident is noticed, before they are analysed or changed in any way.
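The kind of trace an investigation looks for in such a log, as an added example that is not part of the original page: a Python script that parses web-server access log lines in the common "combined" format (as written by Apache and nginx) and flags three things, a burst of failed logins from one address followed by a successful one, directory-traversal attempts and SQL-injection attempts, while keeping the verbatim line as the evidence for each finding. The log lines are constructed; the addresses are from documentation ranges, and the thresholds are assumptions that a real review would tune.

```python
"""Added example, not from the original page: parse combined-format access log
lines and flag common attack traces. The log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log, in the order the server wrote it. The last line is
# deliberately malformed to show that one bad line does not stop the review.
LOG_LINES = """\
203.0.113.9 - - [03/Jun/2024:10:20:01 +0200] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2024:10:20:02 +0200] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2024:10:20:03 +0200] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2024:10:20:04 +0200] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2024:10:20:05 +0200] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2024:10:20:06 +0200] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2024:10:20:07 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jun/2024:10:21:40 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1043 "-" "curl/8.0"
198.51.100.4 - - [03/Jun/2024:10:21:44 +0200] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.50 - - [03/Jun/2024:10:22:10 +0200] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SQLI_RE = re.compile(r"'.*\b(or|and|union|select)\b|'.*--", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote(rec["path"])  # attackers URL-encode payloads
    rec["raw"] = line  # the verbatim line is the evidence, keep it unchanged
    return rec


def analyze(log_text, fail_threshold=5, window_seconds=60):
    """Return a list of findings, each with the source IP, the kind of trace
    and the evidence (the raw line, or a one-line summary for a burst)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for r in records:
        if TRAVERSAL_RE.search(r["decoded_path"]):
            findings.append({"ip": r["ip"], "kind": "path_traversal", "evidence": r["raw"]})
        if SQLI_RE.search(r["decoded_path"]):
            findings.append({"ip": r["ip"], "kind": "sql_injection", "evidence": r["raw"]})

    # Brute force: group POST /login requests per source address, look for a
    # burst of failures inside the window, then check whether the same address
    # obtained a success afterwards (a sign the account was actually taken).
    logins = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].startswith("/login"):
            logins[r["ip"]].append(r)
    for ip, reqs in logins.items():
        fails = [r for r in reqs if r["status"] == 401]
        if len(fails) < fail_threshold:
            continue
        span = (fails[-1]["time"] - fails[0]["time"]).total_seconds()
        if span > window_seconds:
            continue
        success = next((r for r in reqs if r["status"] in (200, 302)
                        and r["time"] > fails[-1]["time"]), None)
        evidence = f"{len(fails)} failed logins within {span:.0f}s"
        if success:
            evidence += f", then HTTP {success['status']} at {success['time'].isoformat()}"
        findings.append({"ip": ip,
                         "kind": "brute_force_success" if success else "brute_force",
                         "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES):
        print(f"{f['kind']:22} {f['ip']:14} {f['evidence']}")
```

The decoded path is only used for matching; what goes into the report is the raw line, so the investigator sees exactly what the server recorded, including the encoding the attacker used.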

Call logs

If a criminal offence involves phone communication, the report should include the call logs issued by the phone operator. Call logs contain the time of each call and the number from which it was made, which may make the further investigation easier.