Using Traditional Forensic Techniques to Foil New Cyber-Crime Tricks

What has an ancient Chinese philosopher to do with modern information forensics? Plenty, according to Andrew Clark, director and co-founder, Inforenz, who spends much of his time as an expert forensics witness for the UK government, banks, and MNCs. In fact, it was Sun Tzus seminal work The Art of War that Clark modelled his information forensics strategies on.

Speaking on the second day of the CSI-Asia Computer Security Conference & Exhibition 2004 held in Singapore from Oct 20-22, Clark said that there are growing signs that computer-based crimes are becoming the province of international organised crime syndicates. He cautioned if that spiralled out of control, the effect of computer-based crime could seriously damage the critical infrastructure and trading situation of nation states.

However, the methods for nabbing a professional crime syndicate are nothing like that of catching a petty thief. It requires a set of well-thought out strategies, and as Clark testified, adversaries were at times "too smart for forensics practitioners". These involved planning for all situations, executing operations swiftly, nabbing the offenders with little effort, and being flexible to change tactics halfway.

An information forensic practitioner must plan for all situations, stressed Clark, and be prepared for the unexpected. "Just because we dont understand something doesnt mean it doesnt work," he said. The same thinking applies to strange techniques or strategies.

"Just because you havent heard about it doesnt mean it doesnt exist," said Clark, adding that sometimes investigators did not recognise what they were looking for anyway.

For example, in the 1940s, a group of Russian schoolchildren presented the US Ambassador with a wooden carving of the American state emblem. The gift was duly installed in the Ambassadors office in Russia. Little did they know that hidden in a tiny cavity within the gift was a non-electronic listening device that picked up sound waves, and transmitted all that was said to a listening post across the street from the US Embassy. When the US found out about the device after conducting a thorough sweep of the office in 1952, they were so incensed by the discovery that they complained to the UN sitting of 1960.

When waging war on organised crime, the team must be properly resourced and prepared. Delaying a seizure, or not providing early warning, would hand the offenders time to destroy important evidence, warned Clark. In extreme cases, subjects may have prepared "panic" measures to destroy evidence in the event of a raid. "If these are unknown at the planning stage, you could be caught out," he added.

Another approach is to be thorough. By preparing a case thoroughly and presenting the evidence properly and clearly, many guilty parties will plead at the first opportunity, observed Clark.

In terms of tactics, Clark advised that the team should not be so focused on executing the plan in its entirety when the situation does not warrant it. For instance, in the case of evidence sampling, different legal jurisdictions required different sample sizes, so being dogmatic in gathering evidence might not be wise.

Companies need to think beyond prescriptive approaches, and draw lessons from The Art of War, suggested Clark.