Protecting yourself Online

Protecting the Naked Child with Griffeye

Fri, 28 Feb 2025 12:42:25 GMT

Technology plays a tremendous role in children's lives. Knowing how to protect them is essential

Over the past forty years of doing some hard-core IT stuff and some not so hot stuff, the one part that was not so hot was investigating child pornography.

One needs to understand the psychology, or mindset, of those that commit sexually motivated crimes. I have learnt about the typologies and patterns of behaviour of sex offenders. Exploring the relationship between paraphilia such as exhibitionism, voyeurism, fetishism and criminal acts. I have reviewed and dissected real case examples to gain insight into offender modus operandi.

Technology plays a tremendous role in our children's lives. Understanding the ways children are interacting online allows for more open communication. Also, increasing awareness of the opportunities to mitigate threats posed by the individuals seeking to exploit them.

This post might sound like a product punt… It is, yes, but for an extremely good reason.

It involves the exploration of investigative strategies to address the relationship between child sexual abuse and child sexual abuse materials (child pornography), as well as gathering new tools and resources for the most comprehensive case outcomes.

There was a recent arrest of a man found with child pornography videos and photos on various electronics devices. Several electronic devices suspected to contain child sexual abuse material were confiscated. A forensic analysis of these devices was conducted on scene by cybercrime experts, and an estimated 10 million child pornography images and videos were detected.

When handling high volumes of images captured in this type of crime two important factors come to mind.

Firstly, speed matters. Digital evidence investigators know they are always working against the clock. They also know case-solving often hinges on timely data gathered from technology devices. Efficiency is especially crucial for child sexual assault material (CSAM) cases. Without timely investigation, children could remain in harmful situations and perpetrators could abuse new victims. With fast recovery, analysis and sharing, law enforcement officers are poised to rescue and repeat.

Secondly, abusive material takes its toll in an ever-evolving technology landscape, a constant challenge is the sheer volume of data: a large child exploitation investigation may pit capable examiners against hundreds of thousands, or even millions, of media files. Even more problematic, however, is the content of those images and videos. To protect the innocent as well as the protectors, law enforcement units should ensure its team has access to tools that emphasize both safeguarding the public and promoting officer wellness.

Over the last two-decade Risk Diversion has been involved in various cases involving child pornography and have assisted law enforcement in combating other related crimes dealing with vast amounts of images. One of the solutions used by Risk Diversion is the Magnet Griffeye platform, which is designed to interconnect investigators, streamline information sharing, and enable investigators to build on each other’s case work. It allows access to a powerful set of analytical features, capabilities, and flexible workflows for a seamless and efficient experience. Some of the powerful takeaways of Griffeye is its ability to quickly find and match all images and videos featuring different individuals, and search between the data to identify matching faces of suspects or victims. It can rapidly and accurately review hours of video footage in a fraction of the time using advanced filtering capabilities such as motion and facial, and object-based searches.

Some key takeaways about Magnet Griffeye:

Gain a clear indication of where to begin your investigation and identify the most relevant data for the case.
Save valuable time and effort through pre-categorization of known data, duplicate stacking, and correlating metadata and visual attributes in your media files.
Utilize AI tools like Brain and Thorn.AI to automatically detect CSAM in large media sets, as well as other classes and objects.
With T3K.AI CORE* you can effortlessly detect and categorize media related to various content types such as extremism, terrorism, narcotics and more.
Quickly find and match all images and videos featuring different individuals, and search between the data to identify matching faces of suspects or victims.
Rapidly and accurately review hours of video footage in a fraction of the time using advanced filtering capabilities such as motion, facial, and object-based searches.
It allows minimize exposure to harmful material with a build-in wellbeing feature.

With the help of companies like Risk Diversion and Magnet Griffeye we support all efforts to route out this criminal act.

Until next time, working together works.

The Increasing Growth in IoT Digital Forensic Investigations

Thu, 28 Nov 2024 12:50:09 GMT

Looking at the growth of IoT (Internet of Things) in Digital Forensics

The existing lack of skilled professionals and worldwide deficit of cybersecurity resources in a tech-driven society will surprise CISOs and cybersecurity experts when the subsequent generation of cybersecurity achieves its maximum capability. Not too long ago I remember the first malware infected smart TV, then two white hat hackers made waves when they pulled off a remote hack of a car on the highway, turning on the wipers, blasting the radio, and finally, killing the engine to bring the vehicle to a complete stop. With an estimated 20 billion IoT devices globally and with an average of 70% unsecured IoT devices it is not surprised to see the increase in digital forensic analysis done on compromised devices.

IoT, short for Internet of Things, is just a fancy term for smart devices that can connect to the Internet. These devices can be baby monitors, vehicles, network routers, agricultural devices, medical devices, environmental monitoring devices, home appliances, DVRs, CC cameras, headset, or smoke detectors and my Garmin watch.

Critical Infrastructure will be main targets and ransom demands will increase, as cyberattacks rise, they will turn “uninsurable.” This will no longer be a data privacy concern but rather reputational harm, critical service interruptions, and even fatalities.

In light of the increasing cyberattack threats in the past year, businesses must revamp their cybersecurity methods in the IoT sector as AI introduces unparalleled weaknesses. “Although IT hardware and software security has improved significantly in recent years, IoT security has lagged behind,” We have witnessed extensive attacks utilizing IoT, such as IoT botnets; I recall the 1Tb DDOS Mirai malware attack leveraging IoT devices.

Throughout the years, we have evolved from computer forensics, then transitioned to mobile devices, and now include smartwatches, drones, and vehicles parked in the parking lot.

In the realm of security, weaknesses frequently exist at the crossroads of the physical and digital realms. Threat actors excel at taking advantage of the most vulnerable point in the security chain, and grasping this is essential for developing a strong security defense strategy that covers all weaknesses – whether physical or digital. The link between the two is increasingly difficult to ignore. More than often, we are seeing a lack of security alignment between the digital and physical world.

In most of our forensic analysis on IoT exploits we are seeing less security harden on the manufacturing hardware layer than before, this mainly due to mass production and quick to market strategies. The older Chip sets used in the design has never taken security into consideration.
The use of SDR and IR technologies are part of exploiters toolbox, better know as the pocket hacker. Hope you prepared for the generation of cyber henchmen.

Cybercrime and the Significance of Electronic Media Taken from Damaged Devices as Evidence in Crime Investigations

Fri, 15 Nov 2024 06:00:31 GMT

Incorporation of digital evidence in crime investigations

In an effort to fight cybercrime and to collect relevant digital evidence for all crimes, law enforcement is incorporating the collection and analysis of digital evidence into their case dockets and investigating departments.

Digital forensics essentially involves a three-step, sequential process:

Seizing the media.
Acquiring the media; that is, creating a forensic image of the media for examination.
Analyzing the forensic meta data of the original media. This ensures that the original media are not modified during analysis and helps preserve the probative value of the evidence.

Large-capacity media seized as evidence, such as computer hard drives, cell phones and external drives, may be 1 terabyte (TB) or larger. This is equivalent to about 17,000 hours of compressed recorded audio. Today, media can be acquired forensically at approximately 1.5 gigabytes (GB) per minute.

The forensically acquired media is stored in a RAW image format, which results in a bit-for-bit copy of the data contained in the original media without any additions or deletions, even for the portions of the media that do not contain data.

This means that a 1 TB hard drive will take approximately 11 hours for forensic acquisition. Although this method captures all possible data stored in a piece of digital media, it is time-consuming and creates backlogs.

Some new ways of committing crimes are through electronic devices and the only evidence in these cases is electronic evidence. The very nature of data and information stored in electronic form, unlike traditional ones, makes it easier to manipulate.

Several forensic Models or Standing Operating Procedures (SOP) have been created to address various levels of investigative complexity. Risk Diversion has developed various training models which require uniformity during an investigation.

Even with law enforcement, there are instances where "evidence not being admissible in the court of law" happens occasionally. This highlights the necessity for developing a thorough process model for digital forensic inquiry. To ensure that the search and seizure is conducted in the proper forensic manner the correct SOP must be followed.

The SOP is crucial so that the process is applicable in various investigations. However, it may be insufficient to support novice digital forensic practitioners. It might sound like flying an airplane which may only involve three steps: take-off, fly, and land. An experienced pilot may not have any problem completing the task even if unforeseeable circumstances occurred; novice pilots, however, are more likely to ask additional questions to gather more detailed information regarding the flight.

Applying the scenario in a digital forensic investigation - if a person is given an order to collect information from a system according to the order of volatility, it is assumed that the person knows the order of volatility and can execute the task without error so that enough evidence is gathered.

Similarly, a process model should be comprehensive to provide insight into the entire investigation process and to support and improve the usability for digital forensic practitioners.

Digital forensic evidence deals with the collection of digital evidence from the cybercrime scenes and other scene scenarios.

The cybercrime scene is one computer (or more computers) that attacks another computer (or more computers) through some means. It is important that the evidence material provided from the crime scene can be used as evidence and to be completed in the context of the investigation case. There are three types of forensics that refer to computer systems and electronic evidence. Evidence does not have to be created from a computer, but from something else we always associate with a computer, for example from a printer, a router, tablets, smart watch and drones.

The first type is the traditional digital forensics is the collection of digital evidence from a computer, disk or from a device that includes a computer or is considered to be able to create or process electronic (digital) data.

The second type of digital forensics is cyber-forensics or network forensics . It involves gathering evidence showing that certain digital data has crossed through a medium between two points in the network. The evidence collected in this way is always collected by making conclusions from a device in the path.

For example: physically we cannot see the data passing on the Internet. However, a sniffer can be used to record packets of data as they are sent and to get an interpretation of that data packet. Or we need to make a comparison between the sender's and the receiver's receipts from the two devices that are considered to have been transmitted between them and to conclude the transfer from the records. Most often you need to make a direct collection of data from the hard disk.

Forensic analysis of software that deals with identifying the author, on the part of the software code of the code itself.

Digital forensics provides the provision of relevant electronic evidence necessary for the process of proving the criminal offense before the court and the guilt of the perpetrators.

Hardware Chip-off involves extracting evidence from devices that have damaged hardware components that cannot be recovered by using normal software methods.

Using the Chip-off method when collecting evidence from damaged electronic media uses four simple steps.

It is important for computer forensics investigators to understand the vast array of digital devices that they may encounter at a crime scene. This knowledge is essential because each device needs to be handled differently, and investigators must maintain and update different power and data cables over time. Moreover, with each device there are different types of evidence associated with each device and a different methodology needed to acquire evidence from these devices.

Finally, the handling of computer hardware in an investigation has legal ramifications. Evidence must be seized and handled in accordance with standard operating procedures that follow the law. Ultimately, the process by which you acquired the evidence is just as important as the evidence itself.

Magnet AXIOM Cyber 8.2 with Magnet Copilot Artificial Intelligence

Thu, 14 Nov 2024 13:06:54 GMT

An Introduction by Risk Diversion

Risk Diversion is always looking for innovative ways of improving quicker processing of digital forensic cases. Magnet Forensics surprised with their latest release of AXIOM Cyber 8.2 which includes Artificial Intelligence called Magnet Copilot. Free early access has been introduced to the AI tools as part of AXIOM Cyber 8.2.

Since the release of ChatGPT (Chat Generative Pre-Trained Transformer) by OpenAI on 22 November 2022, it took only two months to reach 100 million users. To give a comparison, it took TikTok nine months, Youtube 1.5 years, Instagram 2.5 years, and Facebook 4.5 years to reach the same number of users.

Magnet Forensics realised that there are huge benefits to incorporate AI into AXIOM Cyber, especially with digital forensics, as Business is adopting AI in general, therefor introduced Magnet Copilot.

Magnet Copilot is a cloud-based integration tool which assists examiners with complex tasks. Data uploaded to Copilot goes to a secure US-based server which is operated by Magnet Forensics. Uploaded data will expire and be deleted after seven days of inactivity. None of the uploaded data will be used to train AI models or be used to improve AI models.

Copilot can be launched from the AXIOM Cyber dashboard. Once logged into the Copilot account, a popup box will appear, starting at the Q&A section. The examiner can select either a single conversation, a selection of images, or a selection of one or more of the following artifacts:

360 Safe Browser Archived Keyword Search terms

Bing Toolbar – Search History

Chrome Archived Keyword Search Terms

Chrome Keyword Search Terms

Edge Archived Keyword Search Terms

Edge Keyword Search Terms

Google Searches

Opera Archived Keyword Search Terms

Opera Keyword Search Terms

Opera Search Field History

Parsed Search Queries

Edge Chromium Keyword Search Terms

Once the data is uploaded, the examiner can ask questions about it and Copilot will answer those questions or will reveal relevant artifacts. Responses through this interface include citations for the case, data to validate the results, and investigate further. Q&A conversations are limited to a single session but can be saved for future reference. Results are based on the context provided.

The next feature is the detection of deepfake and synthetic media which are being used for, amongst others, identity theft and fraud. Deepfake technology has advanced significantly, making it easier for individuals with malicious intent to create highly convincing fake videos or audio. This can be used for various fraudulent activities including impersonating someone, spreading misinformation, or manipulating public opinion.

The image analysis capabilities allow an examiner to determine the likelihood that an image was generated using one of the more common generative AI models: Stable Diffusion, Midjourney, or DALLE-3. In some cases, Magnet Copilot can also produce EXIF data which reveals the prompts that were used to create the image.

For the analysis of videos, Magnet Forensics has partnered with Medex Forensics to determine where video files originated, if they are camera original content, and if they were edited or generated with tools such as Face Swap or Reface. Once the Medex analysis has been completed, the examiner has the option to save the report in PDF format to add to the case.

Filter Builder allows an examiner to easily build complex filters simply by typing a query. Entering a question in plain language into the chat bar, will automatically build the filter using advanced filtering capabilities to quickly narrow down on the key results.

Since the emergence of AI, which is considered a threat, Risk Diversion considers it as an opportunity for establishing trust in critical video evidence from investigation to prosecution.

Risk Diversion Tackles Cyberbullying in a Digital enabled World

Thu, 01 Aug 2024 09:06:01 GMT

Cyberbullying - causing harm through the use of digital technology

While some people are bullies both in real life and online, there are others who only become bullies in the digital space. Why is this the case? Why would someone bully others online when they would never do that in their everyday life? There are multiple possible explanations for this behaviour. Arlin Cuncic, the author of The Anxiety Workbook and founder of the website About Social Anxiety thoroughly explains how and why cyberbullying is a serious social issue.

In general, cyberbullying is a recent issue with increasing numbers of people using the Internet. Much of the focus of research is on how cyberbullying affects the victim, without a lot of focus on how to cope with cyberbullying, how to reduce cyberbullying, or what to do if you are a cyberbully yourself.

Cyberbullying refers to the use of digital technology to cause harm to other people. This typically involves the use of the Internet but may also take place through mobile phones (e.g., text-based bullying). Social media is one of the primary channels through which cyberbullying takes place, including Facebook, Instagram, TikTok, Snapchat, and more.

Taking all the above reasons into consideration Risk Diversion has created a digital platform to assist victims of cyberbullying. Our digital forensic analysts are certified professionals capable of dealing with a multitude of different forms of cyberbullying.

There are various forms of cyberbullying. These can include: Flaming (or roasting) which refers to the use of inflammatory language and hurling insults at someone or broadcasting offensive messages about them in the hopes of eliciting a reaction.

Outing involves sharing personal or embarrassing information about someone on the Internet. This type of cyberbullying usually takes place on a larger scale rather than one-to-one or in a smaller group.

Trolling refers to posting content or comments with the goal of causing chaos and division. In other words, a troll will say something derogatory or offensive about a person or group, with the sole intention of getting people riled up. This type of cyberbully enjoys creating chaos and then sitting back and watching what happens.

Name Calling involves using offensive language to refer to other people.

Cyberbullies may spread false rumours by making up stories about individuals and then spreading these false truths online.

Cyberbullies may send explicit images or messages without the consent of the victim.

Some cyberbullies will repeatedly target the same people through cyberstalking, cyber harassment, or physical threats.

Victims of cyberbullies often have some common characteristics that tend to repeat themselves:

Teens and young adults are the most at risk.
Girls are more likely to be victims of false rumours being spread and being the recipient of explicit images.
People who are gay, lesbian, bisexual, or transgender.
Those who are shy, socially awkward, or don't fit in easily.
People from lower-income households.
People who use the Internet constantly are more likely to be victims of online bullies.

Our forensic analysts have conducted numerous investigations into cyberbullying assisting victims of most forms of harassment.

If you are a victim of cyberbullying, know that you are not alone and there are options to help. If you need assist, you can visit us at www.riskdiversion.co.za or contact us on hello@riskdiverion.co.za.

Supplementary - Hiding in Cloud, you can run but not hide

Fri, 28 Jun 2024 08:49:42 GMT

Magnet AUTOMATE with brilliant features

Have you heard of Magnet AUTOMATE yet? This blog may repeat some of the featured services. However, Magnet AUTOMATE is loaded with new features to cut waiting times on acquiring media, but also with automatic processing of images to make the forensic examiner’s workload much easier.

Gone are the days of linear acquisitions. Multiple nodes can be deployed to acquire and process media in parallel. And all are automated thanks to workflows which must be configured beforehand. Once configured, the workflows will automatically acquire and process the media.

Magnet AUTOMATE is a platform that an organisation can use to create a distributed workflow for digital forensic applications. Magnet AUTOMATE can help make evidence discovery more efficient by automating the steps between tasks, such as acquiring forensic images, searching the evidence source with AXIOM Process, and post-processing steps such as creating reports. You can integrate just about any application into your workflow provided that it has a command-line interface (CLI) or application programing interface (API).

AUTOMATE Essentials is a streamlined offering of Magnet AUTOMATE, which installs one controller and one node on a computer. It also includes several default workflows and configures default Magnet Forensics applications so that you can start creating cases right away.

AUTOMATE Advanced provides the workflow building and automation functionality from Magnet AUTOMATE, while being tailored towards enterprise usage with its ability to acquire evidence from remote computers and the Microsoft cloud platform.

AUTOMATE also fully integrates with many third-party forensic tools which have command-line interfaces (CLI’s). Another feature is the “Watch Folder” which is being used to start processing automatically once it senses that an image was uploaded.

Another feature is the importing of XML for those third-party tools who might not have a CLI but with an export function to XML.

With AUTOMATE Advanced, acquisitions can be made remotely on the same network from a server, computer or laptop. Even volatile acquisitions like RAM can be made.

The Dashboard displays the status of all a processed, active or completed.

As in the previous blog, Cloud acquisitions can be made from a host of social media applications, bearing in mind that Warrant Returns will be required for some of the applications to request evidence. What is a Warrant Return? A warrant return is essentially a report submitted by law enforcement officers to the court that issues the warrant. It serves as an official record of the execution of the warrant, documenting the actions taken, evidence needed to be collected, and any arrests which will be made.

Magnet AXIOM can acquire data from the following platforms and services:

* Amazon Web Services

* Azure

* Apple

* Box. com

* Dropbox

* Facebook

* Google

* IMAP/POP

* Instagram

* Lyft

* Mega

* Microsoft

* Microsoft 365

* Slack

* Twitter

* Uber

* WhatsApp

Magnet AUTOMATE allows investigations to be completed in shorter timeframes by automatically acquiring and processing media, allowing investigators to use the information more timeously.

Hiding in Cloud, you can run but not hide

Mon, 10 Jun 2024 05:47:37 GMT

Conducting digital forensics investigations using cloud-based services

Moving to the cloud is giving organisations of all shapes and sizes the ability to move faster, be more agile, and innovate their businesses. The shift to cloud computing has completely transformed how we work, communicate, and collaborate—and is fast becoming a necessity to stay competitive in today’s digital world.

If you are considering moving to cloud-based services and solutions, it’s not only important to understand the basics of cloud computing and how it can help you accelerate your digital transformation, but also its advantages and limitations. The digital transformation has raised the need for integrated forensic analytics in the cloud.

Growing digital data volumes are driving the need for more sophisticated software solutions and infrastructure to support digital investigations. Leveraging the cloud can help law enforcement agencies and other investigative bodies to adapt quickly, enabling secure, scalable solution deployments while at the same time helping to maintain data security and regulatory compliance.

Cloud services have advanced a lot in recent years. Cloud service models are better understood and supported, and governments are beginning to develop cloud usage policies and guidelines.

Risk Diversion uses AXIOM Cloud to triage fast and simple by retrieving selected data from the Cloud using Office 365 administrative credentials, finding important evidence faster, and recovering more evidence from deleted or unallocated space — including evidence of malicious acts of deletion. Key pieces of evidence in these cases include email, Google Suite, Microsoft® Office® 365 documents, and messaging services such as Skype for Business and Slack. However, obtaining forensic artifacts from these data sources isn’t without its challenges. Obtaining data from cloud services or encrypted machines/devices, along with demonstrating malicious intent vs. inadvertent access, can be especially difficult.

AXIOM’s ability to retrieve selected data from the Cloud using Office 365 administrative credentials has been crucial to finding important evidence faster. So, too, is AXIOM’s ability to recover more evidence from deleted or unallocated space — including evidence of malicious acts of deletion.

Malicious intent is easier to establish using Connections in AXIOM. The graphically linked connections between artifacts found in the cloud and those found on computers (e.g. jump lists, LNK files, MRU lists, etc.) helps examiners to visualise file activity, including creation, access, transfer, and deletion. Finally, showing this kind of activity through AXIOM’s flexible exporting and reporting options help examiners to present case findings to stakeholders such as HR or legal teams.

Increased data from mobile devices is being stored in the cloud, from 3rd party apps storing data in the cloud-to-cloud backups. And mobile devices are offering more access to the cloud via login tokens for cloud account acquisitions. But how can you tell if there may be data available in the cloud? How do you utilise data from the phone to obtain additional data from the cloud? How do you leverage mobile data from cloud sources when you don’t have access to the phone?

As cloud services become the new normal for nearly all businesses, it’s critical that your forensic tools support the ever-evolving landscape. Learn about how Magnet AXIOM Cyber can help accelerate your internal investigations across Office 365, Slack and more. Risk Diversion will demonstrate how AXIOM can work directly with Office 365 for the collection of email, OneDrive data, SharePoint, and Audit Logs. We will also demonstrate how to incorporate Microsoft Teams conversations into the AXIOM investigations through the Office 365 Security and Compliance Centre. In addition, we will discuss methods for investigations involving Slack using both direct acquisition as well as Slack Corporate export packages.

Computing in the cloud is remarkably similar to utilizing locally hosted computers, and you can expect similar levels of performance. A cloud-hosted machine can be configured to perform similarly to a high-end forensic workstation deployed on-premises. One major advantage of cloud-hosted machines is more flexible resource allocation. With cloud-hosted solutions, you can dynamically scale up your resources and performance as your needs change. For example, you easily can allocate multiple VMs to handle different tasks with different processing requirements to optimise performance and reduce costs. Additional resources can also be quickly and easily added so you can maintain consistent performance as data volumes grow—achieving this on-premises will require you to purchase, install, and maintain additional hardware resources yourself. Cloud-hosted solutions also allow you to maintain high availability and uptime and enable simple disaster recovery procedures more easily.

Cloud billing is flexible, but that flexibility comes with a lot of information and gives an organisation a lot of room to reduce overall complexity and costs. Your proposed budgets would no longer need to consider items like emergency hardware maintenance or replacement—only usage. Much like your monthly electric bill, costs for cloud services can go up or down depending on usage. As you understand your usage—for example, how much data you need to upload per month—it becomes easy to forecast your organisation’s short and long-term costs. The difficulty is often how to estimate costs before average usage is known. For this reason, cloud service providers usually offer a variety of billing tools to not only estimate monthly billing, but also cap and even reduce costs. If usage increased dramatically for a particular month these billing tools make it easy to see why and estimate costs going forward. You could then use such data to justify additional budget or limit service usage for that billing cycle.

Part of the Risk Diversion and Magnet Digital Investigation Suite, Magnet REVIEW enables digital forensic labs to securely share and collaborate on the review of all digital forensic evidence with investigators and other agency stakeholders from anywhere via a single platform. Easily find the evidence that matters with an intuitive interface and powerful analytics views and collaborate agency-wide to complete your investigations more efficiently and effectively. Deploy REVIEW on Microsoft Azure to easily scale up resources while maintaining security and compliance.

Gone are the days when the forensics investigator could pop out the hard drive of an on-premises server for a forensic image and simply analyse it for clues on what happened. Hands-on evaluations of physical evidence, formerly the norm in forensic investigations, are now the exception. Today’s cloud-based network can be located anywhere — for cloud infrastructures, servers must be in the same country as where the data was created, but that’s as specific as the law gets.

Risk Diversion has recognized the need that new digital forensics tools and techniques are necessary to uncover electronic evidence for processing into actionable intelligence for cloud-based data breaches, ransomware attacks, and other cases of malfeasance.

When the Answers You Need are Tied to the Mobile World, Who Can Help?

Fri, 24 May 2024 07:52:50 GMT

Delving further into Mobile Forensics

Most digital forensic investigators are experts at data recovery from smartphones, mobile phones, tablets and other personal digital devices. Deleted emails, text messages, pictures, GPS and location data can all be forensically obtained for use as evidence. iPhones and iPads, Android phones and tablets, and Windows devices like the Surface, are all fair game for our forensic examiners.

The mobile phones of the future are expected to be even more closely embedded in our day-to-day lives than ever before. Predictions about the direction of smartphones from futurists and industry experts range from having moderate involvement to literally running our lives.

One thing’s for certain: the technology involved in mobile phones and mobile networks has developed rapidly over the last few years. In the current trajectory the future is going to be an exciting ride.

What will the smartphone look like in 10 years? The most likely answer, I’m afraid, is one of two options: it’s either completely unknowable or disappointingly predictable.

The story of the smartphone thus far began with technological breakthroughs paired with ingenuity (Camera + Data = social media) but eventually evolved into a yearly cadence of iterative improvements (better camera). The digital forensic investigator will be faced with new challenges of extraction of evidence if not equipped with proper forensic tools.

Even with iterative updates, smartphones will be radically better than they are today, and they’ll be different in some ways, too. The screens will be brighter and fold in different ways, the cameras will be so advanced that they’ll threaten to obviate even higher-end SLRs, and the digital assistants inside them will be smarter.

Whatever happens, the iterative path for smartphones will inevitably mean each phone launch will be less exciting than the last — a trend we’re already familiar with today. But that doesn’t mean that phones will become less important or impactful. Instead, they’ll become more familiar and (forgive another pun) part of the fabric of our culture. They will follow yearly trends that will be a lot more about style than function.

Following the trends will include advanced digital forensic tools, allowing you to access some of the most challenging and secure devices, as well as perform unlimited unlocks and extractions using state-of-the-art unique exploits from cell phone forensic providers like MSAB.

Because of the increasing levels of security and encryption in many of the latest mobile devices, law enforcement and other organisations require new techniques to access mobile data. They often encounter some devices that cannot be extracted using standard cables and methods. Here’s where product like XRY Pro come in. With this software suite of high-level exploits, you get premium level phone access capabilities to ensure you can access some of the most difficult-to-breach devices.

XRY Pro is the perfect solution for experienced users who want to perform unlimited unlocks and extractions using their own equipment. Specialised on-demand training to understand the exploits and unlock their full potential is highly recommended. XRY Pro would also be the likely product used in the future with an AI enhanced engine.

The typical digital forensic tools would more than likely have advanced software with the latest exploits and FDE, FBE and Secure Startup support. Ram Brute Forcing Exploit of phones.

Because of increasing levels of security and encryption in many of the latest mobile devices and future phone enhancement, law enforcement and other organisations will require new techniques to access mobile data. They often encounter some devices that cannot be extracted using standard procedures and methods. Here’s where a product like XRY Pro comes in.

With this software suite of high-level exploits, you get premium level phone access capabilities to ensure you can access even some of the most difficult-to-breach devices. Digital forensic software developers need to keep up with new advancements. Investigators need digital forensic tools to keep up with current and future technology. Forensic investigators face the challenge of evolving threats and increasing data volumes. The skills of the investigator would need to radically adapt to the advancement of new cell phone technology.

Artificial Intelligence and Machine Learning (ML) are revolutionising the field of digital forensics. These technologies enable software to process vast amounts of data, detect patterns, and predict potential threats with greater accuracy and speed. AI-powered tools can perform automated data categorization, anomaly detection, and even recognize previously unknown digital artefacts.

AI can find keywords, patterns, and sentiment in large amounts of text data, like chat logs or emails. AI and ML techniques do various tasks in digital forensics, like analysing images, audio, text, and user behaviour. By reducing manual labour and expediting investigations, AI and ML are becoming essential components of the digital forensic toolkit.

The future of digital forensic software looks bright with advancements in AI, ML, automation, and cybersecurity measures. These innovations will empower investigators to handle the challenges of modern-day cybercrime effectively. Forensic investigators can stay prepared by staying updated with new technologies and utilising advanced tools. This will enable them to protect digital assets, find evidence, and apprehend cybercriminals. As technology continues to evolve, digital forensics will remain at the forefront of the fight against cybercrimes and adoption to new cell phone technology advancement.

To make sure you don't struggle in the future with this when on-scene or in a lab, make sure you choose the proper forensic tools that are certified to pull evidence from devices that you come across most often. That’s why it is important to build a digital forensic toolkit. Also, make sure you choose a software provider that regularly releases new versions of their software, so you are always using the latest tools that are evolving with the market.

Discovering The World of Forensic Speech Analysis

Mon, 13 May 2024 07:00:20 GMT

Exploring the complex and fascinating world of Speech Analysis

The world of Forensic Speech Analysis is complex and fascinating. Risk Diversion and Phonexia offers a comprehensive portfolio of cutting-edge speech recognition and voice biometrics technologies ready to meet any commercial and governmental scenarios. Powered by the latest advancements in artificial intelligence, acoustics, phonetics, and voice biometrics science.

What is Forensic Speech Analysis?

Forensic speech analysis involves the detailed analysis of audio, from sources such as a phone call, voicemail message or covertly recorded conversation. This aims to produce a reliable phonetic profile of a speaker to determine their identity.

How does it work?

Phonexia Voice Inspector (VIN) is highly intuitive.

VIN offers several features that strongly support the work of voice forensic experts:

* A standalone application with a complete easy-to-use Graphical User Interface (GUI).

* Automatic comparison of questioned recording (unknown speaker recording) against a suspected reference speaker (group of recordings) with a known speaker i.e. 1:1 identification and 1:N identification.

* Implemented speech technologies: Speaker Identification, Speaker Diarization, Phoneme Recognizer, Voice Activity Detection and Speech Quality Estimation.

* A search for repetitive sound patterns across all recordings in audio due to the automatic phonemic transcription.

For VIN to analyse speech, population sets needed to be created. A population set must have at least ten (10) voice recordings of a specific language, with recordings being separated for men and women as well for young and old. Each voice recording gets its own voiceprint, like a fingerprint. For testing purposes, population sets for Afrikaans Male / Female, SA English Male / Female, and Sepedi Male were created. The population sets essentially calibrate VIN for that specific language, sex, and age groups.

Once the population sets are created, the next step is to look for a “suspect” voice recording. As an example, one found and used was of Gayton McKenzie, leader of the Patriotic Alliance, where he spoke in a restaurant in Afrikaans, with lots of background noise. A YouTube video where Mr. McKenzie had an interview in English with someone was also found and used with the video and audio were separated so that the audio could serve as the control voice recording (speaker’s voice recording).

In VIN, a case is created with accompanying descriptions; add the “suspect” voice recording to the case, create a speaker (who can be a suspect), select the population set, add the control voice recording(s) (YouTube audio), and then execute VIN.

What was the result in this case?

The result was astonishing, since one voice recording was in Afrikaans, and the other in English. VIN matched the two voice recordings as coming from the same person, despite the background noise from the restaurant and the two different languages.

Above is an example of precious results, indicating a very good match.

The Evidence, i.e., the similarity score of the Questioned and Suspected speaker recordings, is the information of most interest. However, the Evidence itself is a score from the SID technology which is not necessarily calibrated for the specific case. To provide results in accordance with forensic science and practice, the Evidence is evaluated with respect to two complementary hypotheses:

Hypothesis 0: The Suspected speaker is not the source of the Questioned recording – this hypothesis is represented by the non-Target scores.

Hypothesis 1: The Suspected speaker is the source of the Questioned recording – this hypothesis is represented by the Target scores.

The Evidence value for a particular combination of a Questioned recording and Suspected Speaker is drawn as a black vertical line in the PDF plot, where it intersects with the Target and non-Target distribution curves, in blue and red, respectively.

What’s the conclusion?

There is a huge market for forensic speech analysis, and we are excited to unveil the latest version of Phonexia Voice Inspector—state-of-the-art voice comparison software specifically designed for forensic experts. Its fifth generation offers a significant leap in voice analysis accuracy, marking a significant milestone in the field of forensic voice comparison and speaker identification.

Digital Forensics at 32000 Feet Above Sea Level

Mon, 06 May 2024 07:40:00 GMT

Digital Forensics in Aircrafts

If you’re an aircraft buff, chances are good that you’ve wondered what all those antennas were. How do the pilots communicate with people on the ground? Where does aircraft Wi-Fi come from? Which antennas do they use for what? Some of these questions have some interesting answers, but none of them are complicated or difficult to understand.

On a recent return flight from Cape Town, I was thinking of the possibilities of collecting evidence from a typical Boeing 747, not only the available “Black Box” data, but more about the devices providing information and data to the Black Box.

I have successfully collected evidence from various devices for forensic purposes, among but not limited to mobile phones, computers, wrist watches, motor vehicles, motorcycles, drones and many different IoT devices. Airborne and Sea going vessels are two categories which requires some exploring.

Not knowing much about aircraft, I started to think about the areas which I had some knowledge about. On any aircraft, often on its belly, you will find dozens of antennas that are used, each for a different purpose. Called aerials by a lot of pilots who have been in the business for a while, these antennas are there mostly to help the pilots communicate with other people, and most of them look like lightning rods or other interesting protrusions.

Aircraft antennas can have many different shapes and sizes, which are determined by the manufacturer itself. Antennas, however, are formed more for their function than anything else, and their shape and placement are usually determined by their directional qualities and the frequencies they use to operate. Essentially, these antennas need to be certain shapes and placed in certain spots on the aircraft to operate correctly.

Thinking of so many antennas on an aircraft, they must be connected to some intelligent devices that provide crucial information and are exploitable. The first antennas that come to mind were the common radio communications antennas. They are there for effective communication, mounted on either the top or bottom of the aircraft.

The way they work is simple, and their placement is crucial to them being efficient in their purpose. For example, the radio feeding the top antenna usually works best for communicating while the aircraft is still on the ground, while the one feeding the antenna on the bottom of the aircraft will usually work best when the aircraft is in the air. All aircraft would have a HF, VHF radio with the capabilities of AM and SSB transmissions. Primary use is for voice communications. Low exploitable risk unless another transmitter is transmitting on some frequency close to the receiver. (Jamming communications). The using of SDR is becoming more popular in aircrafts due to the small size, multiply features and intelligence in the radio. This also brings new risks and the introduction of added software vulnerabilities.

The next common antenna that come to mind was the GPS transmitting less than five watts of power, GPS antennas result in signals that are usually very weak. Because of this, most GPS antennas consist of built-in amplifiers that are designed to boost the signal for the receiver. In addition, the GPS frequency is very high, usually in the gigahertz band, which requires that the GPS antenna be attached to the very top portion of the fuselage. For decades, the Global Positioning System (GPS) constellation has reigned supreme as the world’s go-to navigation tool, guiding everything from aircraft carriers to Uber drivers.

Other communication antennas can cause interference with GPS antennas, which means that the two antennas should be placed as far away from each other as possible. More than likely one of the most important communication devices used on an aircraft, can be exploited by spoofing the IP. Malicious actors can deliberately disrupt or manipulate the signals, leading to inaccurate or misleading positioning information.

When it comes to landing the Marker Beacon, antennas come to mind. The antenna is on the bottom of the aircraft because, to receive any signal, the antennas must be almost directly over the transmitting ground station. The outer marker, which normally identifies the final approach, is located on the same course/track as the localizer and runway centreline. The antenna is highly directional and is pointed straight forward towards four to seven nautical miles. The beacon frequency is a low powered transmitter and could be jammed by a nearby transmitter by using the same frequency to exploit the marker beacon.

Next up is the Nav Antennas, almost always found on the vertical tail. Nav antennas come in three main types. The cat whisker has several rods jutting out from each side of the stabiliser at 45- degree angles. It is a good antenna to have when you’re flying low because it cannot receive signals from the side. A second type, the dual blade, has antennas on either side of the tail. A third type of Nav antenna, the towel bar, is a balanced loop antenna that can easily receive signals from all directions. Towel bar antennas are found on both sides of the tail of the aircraft and are often required for area navigation (RNAV) systems. While those early VOR/DME RNAV systems are very rare these days, the location coding of phantom waypoints is still used throughout aviation. Today, the RNAV umbrella encompasses many different technologies, from GPS/GNSS satellite- based systems to VOR or DME ground-based systems. Since different technologies have different accuracy levels, some standardisation has been introduced to clarify what RNAV technologies can be used, and when. This is especially important for IFR operations. GNSS is being introduced throughout the world: Potentially to meet performance requirements for all phases of flight, improvement of safety and efficiency of air navigation. Identified vulnerabilities of this system are mostly GNSS interference events which have been traced to onboard systems, unintentional interference (e.g. spurious emissions) or harmonics of VHF communications equipment and the out-of-band and spurious emissions from satellite communications equipment. Portable electronic devices can also cause interference to GNSS and other navigation systems and spoofing to the intentional corruption of the navigation signals to cause aircraft to deviate and follow a false flight path. Because of the low power of GNSS signals, it is possible for low power transmitters to jam the GNSS signal. While there have been no recorded instances of intentional jamming directed at civil aircraft, the possibility of intentional interference must be considered and evaluated as a threat.

The Radio Altimeters antennas, which looks like 150mm-square plates, are placed on the bottom of the aircraft. They are usually either a single- or dual-antenna system, and the radar signal is transmitted straight down and literally bounces off the ground. Radio Altimeters include high frequencies and, therefore, require a secure electrical bond with the skin of the aircraft.

A Radio Altimeter can determine the distance above the ground by measuring the time between the transmission of the signal and when the signal is received. Again, the secure bond of the antenna is a must; otherwise, the system talks to itself and causes false readings. Large aircraft are often fitted with radar or Radio Altimeters which measure height AGL when near the ground. These are often connected to callout systems and coupled to Autoland and other automation systems. Standard callouts in the cockpit of radio altimeter equipped aircraft include 2,500 feet, 1,000 feet, 500, 100, 50, 40, 30, 20, and 10 feet. Radio Altimeters are a great help when over the runway at an airport and help cue the pilot for their landing flare.

Most civil and military aircraft use Radio Altimeters to measure the aircraft’s altitude and feed this information to other aircraft systems such as landing and collision avoidance systems. The Radio Altimeter is instantaneous and accurate but gives no indication of high ground ahead. It is not possible, within the frequency allocation (4200-4400 MHz), to change the frequency (FM) indefinitely. Radar altimeter interference from 5G signals can take the form of loss of radar altitude information or, worse, incorrect radar altitude information unknowingly being generated. Altitude information derived from radar altimeters has been deeply integrated into aircraft systems and automation, with the latest aircraft using it to change aircraft handling qualities and prepare systems such as ground spoilers and thrust reversers for deployment prior to touchdown. This is in addition to radio altimeter use for Autoland.

The UHF antennas are utilized mostly for distance-measuring equipment (DME) and transponders. UHF aircraft antennas are only around four inches long and are always found on the bottom of the aircraft. They can be used for both DMEs and transponders, and their two main types are blade and spike antennas. Spike antennas should only be used for transponders, while blade antennas work best with DMEs. As an example, DME frequencies are paired to VOR frequencies and a DME interrogator is designed to automatically tune to the corresponding DME frequency when the associated VOR frequency is selected.

An aircraft's DME interrogator uses frequencies from 1025 to 1150 MHz. DME transponders transmit on a channel in the 962 to 1213 MHz range and receive on a corresponding channel between 1025 and 1150 MHz. The likely vulnerability is time base attacks, DOSS attacks, GPS jamming, Spoofing and RAIM attacks. Aviation communication technologies being wireless, make access control mechanisms challenging. In addition, the broadcast nature of radiofrequency makes the system prone to various attacks. These attacks have become practical and easily accessible due to the escalation of software-developed radios (SDRs).

Aircraft communication is a critical aspect of aviation that ensures the safe and efficient operation of aircraft. The International Telecommunication Union (ITU) has assigned aircraft analogue voice dialogue in the High Frequency (HF) band between 3–30MHz and in the Very High Frequency (VHF) band at 118–137 Mhz. VHF signals are only line-of-sight but offer much better audio quality. This makes them ideal for aircraft communication where clear and immediate transmission is vital. In this context, VHF is often preferred despite its shorter range.

Advances in networking and semiconductor technologies, along with the ever-widening grid of interconnected and computationally capable products, have promoted the development of the Internet of Things (IoT) used in modern day aircraft. This development naturally poses more and more complex security challenges. One of the key attributes of IoT is that it makes heavy use of wireless communications to allow for mobility and ease of installation. It is important to note this is not just Wi-Fi, but all manner of other Radio Frequency (RF) protocols: Bluetooth, BTLE, ZigBee, Z-Wave, etc. The increasing ubiquity of such devices and networks promises to make life easier (smart locks, smart bulb, smart home appliances...). However, manufacturers often overlook the security in the implementation of these RF communication systems. This brought to mind the uses of the Software Defined Radio (SDR) vulnerabilities in IoT devices using an unknown RF protocol as the analysing frequency, demodulation and decoding RF signals used in the wireless IoT devices, jamming the target and replaying radio packets.

As wireless systems are becoming more complex, there is a shift towards implementing these systems completely in software and firmware rather than hardware. Software defined radios allow for quickly prototyping, testing, and deployment of flexible systems that can be upgraded in the field. However, since these systems are implemented in software, common coding mistakes in the signal processing modules can leave these systems vulnerable to traditional cyber-security attacks.

Utilizing Internet of Things (IoT) sensors, it collects essential data related to navigation, flight control, and communication systems. The data is constantly updated and made readily available to both pilots and ground control, allowing them to make well-informed decisions.

As software radios become more prevalent in the industry, the risk of these vulnerabilities existing and being exploited in production systems increases significantly. In many cases, wireless security research is focused on the security of specific protocols rather than vulnerabilities in the radios themselves.

Radio communications are used by many different devices to convey and receive data. Since wireless technology has been employed in recent terrorist acts and there are an expanding variety of attack vectors in the radio sector, spectrum forensics are crucial to obtaining intelligence, particularly while the crime is still being investigated and the attackers are still at large.

Most of the wireless acquisition tools on the market work either on Wi-Fi or Bluetooth protocols. Using software defined radio technology or SDR can allow to capture signals regardless of the protocol or modulation. The tools and methods presented by a digital forensic analyst provide the specification and experimental validation of the SDR technology for forensic investigation of potentially vulnerable wireless devices. The case studies reported used radio controls to simulate intruder attacks and walkie-talkies to simulate intelligence gathering during a monk terrorist attack.

Managing the demand for digital forensic examinations

Mon, 29 Apr 2024 05:32:14 GMT

The superhighways and byways of cyber space has enabled millions of IoT devices to be connected to the internet.

The superhighways and byways of cyber space has enabled millions of IoT devices to be connected to the internet, such as watches, cars, medical devices, lights, speakers, TVs, Drones are just a few to mention. These devices can function as smart objects, collecting data to make decisions by following live or pre-saved commands. This connection and exchange of data between devices and the internet is referred to as the Internet of Things (IoT). Risk Diversion offers state-of-the-art facilities for computer forensics, mobile forensics, video and audio forensics, cyber security, intelligence, and analytics of IoT smart devices.

With the growing sophistication and prevalence of digital devices such as mobile phones, computers, tablets, Nav-Sats, and domestic appliances, the extraction, analysis, and interpretation of digital data has become increasingly central to intelligence gathering and criminal proceedings.

The Internet of Things (IoT) has become a popular target for cybercriminals. IoT devices such as routers, IP cameras, smart locks, and connected doors are being exploited by hackers as a gateway for hacking and other cyberattacks. In addition, the IoT devices can be used as proxies for anonymity, making it difficult to trace the source of the attack.

The scientific community has developed a common digital framework and methodology adapted to IoT-based infrastructure to identify and classify connected objects in search of the best evidence to be collected. However, the difficulty in exploiting the IoT lies in the heterogeneous nature of the devices, the lack of standards, and the complex architecture.

However, the very extent of data available today challenges the ability of law enforcement agencies to turn seized devices into useful evidence. To date, most social science scholarships about forensics have concentrated on DNA profiling and its societal and ethical issues. In contrast, other forensic fields, including digital forensics, have had little analytical scrutiny.

Amped FIVE

Fri, 05 Apr 2024 07:44:13 GMT

Video and photo enhancement software

Amped Software is the creator of Amped FIVE, a video and photo enhancement program utilized by law enforcement officers to make photographic evidence clearer. The Amped team offers a virtual training program with an instructor who has workplace experience with the program. Samuel Abott was a thoughtful instructor who personally worked with law enforcement in his career before he became an Amped Software Instructor.

Amped Software has their own YouTube channel with useful videos on how to use their various products. Amped Software also has a blog with information on their various products. They also have videos and support portals readily available on their website - https://ampedsoftware.com/five .

Amped FIVE has over 140 filters and tools that can be used to analyze, restore, and enhance digital videos and images. It can make objects in images easier to see i.e., blurry number plates, faces from a distance. It can be used to lighten dark images so that subjects are easier to identify, and words are easier to read. Amped FIVE can also be used to capture scenes within lengthy videos that contain the evidence necessary to determine what occurred and who was involved. Tools and filters can be layered over each other and used together in different intensity levels to get the clearest version of the evidence possible.

Amped FIVE has a reporting feature that is accepted by government agencies, ISO- accredited laboratories, and legal systems worldwide. This feature uses scientifically validated algorithms to produce reports with all the processing steps, settings, and algorithms used in the analysis of the images and/or videos. It ensures the integrity of the video/image evidence so that it is admissible in court.

Amped FIVE can support most image and video formats whether it be from CCTV and DVR systems, bodycam footage, and mobile devices. If any files cannot be played, users can contact the Amped Software team who will analyze it and possibly be able to support the format in the software. Support for different file formats is constantly being updated.

Mobile and Cloud Data are Becoming More Important

Wed, 27 Mar 2024 07:10:50 GMT

Big changes are coming with new phones in 2024

Expect big changes to come with new phones in 2024 that stretch beyond the processor and camera upgrades we typically see each year. New AI-fuelled features could make phones much smarter, potentially turning them into capable personal assistants rather than pocket-sized portals to the internet.

It’s clear that smartphones will soon be getting even smarter. In the mid-2000s, mobile phones could only do a tiny fraction of the things that their modern counterparts are capable of. Now, thanks to several recent technological advancements, it looks as though there will be no shortage of new smartphone features in the future to keep us evermore attached to our little digital devices.

When you combine this emerging technology with other existing applications that can track things like blood-pressure and heart rate, it’s easy to see how smartphones could soon bring about a revolution in medical care.

There's no doubt that with the popularity of smartphones that can manage virtually every aspect of our lives, the trend in technology is to get more and more "connectivity" into smaller and smaller packages. Simultaneously, wrist watches have become a lesson in technological redundancy for many people. Ask a friend for the time of day and they're just as likely to glance at their smartphone as they are to look at an actual wrist-bound timepiece. The newest wave of smart watches aims to change all that.

Mobile devices are growing in importance and are vital to a range of investigations. So, what’s behind this growth? We can find some clues by examining the frequency with which mobile devices are used in different investigations. Phishing tops the list, well ahead of employee misconduct, which itself outpaces malware-infected endpoints, misuse of assets or policy violations, and data exfiltration or IP theft. As noted earlier, business e-mail communication is a pervasive threat, and most BEC frauds begin from the victim’s perspective with a phishing email. Similarly, many malware attacks also start with an email, which may contain a malicious attachment or link. A sizeable number of these emails will be opened on a mobile device and, with many organisations actively enabling BYOD, many devices used for such official activities are unmanaged. Compounding the risk, many unmanaged devices are jailbroken or rooted—making them more susceptible to malicious apps.

Digital investigations have really evolved over the years. Often, we’re looking at multiple pieces of evidence from not only the endpoint but also various logs, cloud, and mobile data as well. This inherently creates more complex investigations for examiners as they build incredibly detailed reports containing multiple pieces of evidence into a report for their stakeholders.

This has led to the need for mobile data collection and analysis to be improved. Mobile attacks are a growing threat, and a successful compromise can allow a threat actor to harvest credentials and sensitive information from the device itself, while also leveraging the device to access the organization’s wider IT environment.

To protect the organisation and employees, corporate digital forensic investigative professionals often need to gain access to communications and data on mobile devices, but the complexity and ever-growing diversity of mobile devices can present several challenges. A comprehensive and detailed data extraction can provide investigators with critical evidence and information, but a large group of DFI indicated that they are only able to extract limited data. For example, the inability to gain access to devices in question, and collect from devices remotely. Plus, in most corporate environments, team members will be unable or unwilling to surrender their mobile devices for an extended period. Mobile devices are becoming more important to corporate forensics.

Outsourcing investigations is considered cost effective and is often required. There are many reasons why an organisation would bring in a third-party service provider to perform or assist with DFIR activities.

The digital forensic investigation process is a complex and constantly evolving domain, but it’s never been more important for today’s organisations. The Cybercrime Act and the POPI Act have also contributed to the complexity. Digital forensics within corporate environments may originate with legal obligations and human resources issues, but the field’s future will be closely linked with cyber incident response—which itself should be a top-of-mind issue for leadership.

Viewed through this lens, a robust DFIR function—whether in-house, from a third party, or through a combination—becomes not an expense, but an investment in risk management and business continuity. Invest in a balanced DFIR portfolio that enables investigators to keep pace with ever - changing needs - Investigations for HR/internal issues and to support eDiscovery/litigation aren’t going away. At the same time, IR processes are increasingly reliant upon digital forensics to uncover data that is essential for helping the organization recover from cyberattacks, strengthen resilience, and demonstrate that reasonable safeguards were in place (i.e., to support cyber insurance claims).

Risk Diversion and our Magnet Forensic Partner claims meeting these concurrent and evolving needs requires a balanced approach that allows corporate DFIR practitioners to perform a variety of investigations and to keep pace with data extraction and analysis demands. Already, investigators collect from cloud and mobile data sources at about the same frequency as they collect from traditional computers—and there’s every indication that cloud and mobile data sources are only going to grow in importance. As data volumes soar, it’s imperative that DFIR professionals are equipped with modern tooling that can extract data—including full file system collections—from a range of sources, that makes it easy for investigators to combine sources into one coherent view. Using automated DFIR processes to manage risk increase quality and efficiency as today’s corporate DFIR professionals are under enormous pressure to conduct fast and thorough investigations. Unfortunately, the landscape in which they operate can be characterized by one word: more.

As in more investigation types, more investigations overall, and more data involved with each investigation. Automation is commonplace in the IT and security world, but it is relatively new to digital forensics. Nevertheless, automating forensics’ data extraction and transformation pipelines is already increasing the quality and efficiency of DFIR activities—and practitioners are adamant that they see tremendous value in automation investments. Strategically leveraging third-party service providers, many organisations already lean on third-party forensic service providers to assist with investigations, for a range of reasons. Security, IT, and HR leaders should work with their internal teams to determine the ideal role for FSPs and how best to leverage them.

Risk Diversion and AXIOM in the Fight Against Cybercrime

Wed, 20 Mar 2024 12:02:09 GMT

Discovering the Trust in Cybercrime Investigations

Cybersecurity has gone worldwide in the modern era, and large-scale, complicated cyberattacks are becoming increasingly common. Computer forensics assists in maintaining the integrity of digital evidence used in civil and criminal court proceedings. To combat cybercrime, Risk Diversion has created scientifically solid suggestions and proposals for the use of instruments for forensic investigation of computer tools and systems. Various forms of computer forensics have been recognized by Risk Diversion, including database forensics, electronic forensics, malware forensics, criminology of memory, mobile forensics, and network forensics. Already, cybercrime has developed into a very profitable industry that carries no risk. After all, cybercrime can bring in millions of dollars in revenue. For this reason, cybercrime ranks highest nowadays.

Responding to need to fight cybercrime Risk Diversion has formulated a robust digital forensics solution tailored to meet the needs of businesses and service providers that need to collect, analyze, and report on evidence from computers, cloud services, IoT, and mobile devices. Our tailored solutions are aligned with requirements of Section 26 of the Cyber Crimes Act.

Cloud storage and communication services have changed the way that teams communicate, share, and store information. Leverage admin or user credentials to access audit logs and examine employee cloud accounts without tipping them off about an ongoing investigation. AXIOM Cyber acquires and analyses data from corporate cloud storage services like AWS S3, EC2, and Azure in addition to other cloud sources including Microsoft 365, Google Workspace, Box, Dropbox, Slack, and iCloud.

The AXIOM solution provides the most comprehensive and powerful recovery, search, analysis, and reporting tools for Macs, PCs and Linux. Get actionable insights into activity and executables on the physical memory of an endpoint as well as the processes running only in memory - like advanced persistent threats (APTs) that leverage fileless techniques.

Whether a mobile device is BYOD or corporate-issued, AXIOM is an essential part of your toolkit for iOS and Android investigations. Comprehensive parsing and carving techniques find more artifacts like browser history, chats, emails, and documents. Easily visualize and present evidence by showing emails and chats in their original format that are often needed for HR internal investigations like employee misconduct or harassment cases.

Organizations of all sizes fall victim to cybersecurity threats every day. With an artifacts-first approach and built-in remote forensic acquisition, Risk Diversion helps you quickly understand security incidents so you can safeguard your agency in the future.

AXIOM Cyber enables you to perform remote collections of Mac, Windows, and Linux devices quickly and covertly to an AFF4-L forensically sound container. Automatically reconnect to the target if it goes offline and resume collections from where it left off. Using shared agents, multiple instances of AXIOM Cyber can collect from an endpoint without the need to deploy a different agent each time.

The artifacts-first approach immediately presents the data you need to work through your case with ease and efficiency. Get data from a variety of sources, including computers, mobile devices, and corporate cloud accounts. Then, utilize powerful Analytics features like Timeline, Connections, YARA rules and Magnet.AI to save valuable time and hassle.

Put together all the pieces of the puzzle by examining artifacts from the file system, cloud accounts, mobile devices, and memory when it comes to claims of workplace harassment, fraud, or misuse of corporate assets.

Accelerate and simplify early case assessment by giving eDiscovery partners the data that they need. Produce a load file containing data that has been culled, analyzed, and tagged for further review.

When it comes to data exfiltration cases, it’s critical to see the whole history of a file. Understand a file’s history across all evidentiary sources including Microsoft 365, Google Workspace, and AWS cloud storage.

Network intrusions, business email compromise, malware, and ransomware attacks can have catastrophic effects. AXIOM powerful toolset lets you understand how an incident occurred so you can prevent it in the future.

Increase the speed and efficiency of investigations by integrating your toolkit into streamlined automated workflows. Keep your lab running 24/7/365, even when you aren’t there. Fully utilize your existing resources to automatically image, process, and create exports for multiple data sources in parallel. Do more with the resources you have. Let examiners focus on high-value tasks like deep dive analysis and let technology handle the rest.

Because time-to-evidence is now guaranteed inside 48 hours, investigators can identify and act on relevant material quickly.

The investigator can now use the drag-and-drop workflow builder which makes it easy to develop efficient, automated workflows across your entire forensic toolkit, customized for each case type. Automatically collect from remote endpoints and select cloud sources (Microsoft Office 365, OneDrive, SharePoint, and Teams.)

Seamlessly integrate almost any tool from your toolkit, including forensic solutions, cybersecurity (XDR/EDR, SIEM, SOAR), mobile acquisition tools such as Magnet GRAYKEY or MAGNET VERAKEY, and business systems tools. Connect your tools via several methods, such as REST API, custom scripts, Watch Folders, and Workflow Plugins. For increased flexibility, you can also integrate your custom scripts.

Clear, visual dashboards help you quickly assess lab infrastructure health and provide key insights for smarter resourcing decisions. Easily report to management on the value of your lab investments by tracking overall throughput and efficiency metrics.

Easily adhere to standard processes by empowering your experts to design approved workflows for each case type. Forensic technicians or junior members of the team can then kick off the right workflow from a dropdown menu while experts focus their time on analysis.

XRY Advanced Features

Wed, 13 Mar 2024 07:27:30 GMT

Delving into the Newest Features of XRY

Vernon Fryer, one of our inhouse experts at Risk Diversion, is excited about deploying the latest XRY 10.7 which brings significant extraction and decoding capabilities to more mobile devices, with the total number of supported devices exceeding 45.600 and over 4400 app versions. The recent release is the latest major release of Apple’s iOS operating system for the iPhone. Concurrently the Android 14 is the latest major release of the Android mobile operating system.

The arrival of iOS 17 and Android 14 has ramifications for the mobile forensics industry, as they usher in some novel changes and features. As phone users continually seek updates and the phone giants comply, so must we and our products.

The precise and accurate OCR recognition in Apple Photos applies OCR and content recognition on all pictures in the media partition. This means that machine and handwritten text in pictures, as well as the content in images, is recognized and decoded to be searchable in XAMN.

This new feature will significantly enhance the speed and comprehensiveness of digital investigations. It will be easier and more precise than ever to perform keyword searches, content searching, to analyse pictures that contain text, find place names and so much more.

Fryer says in addition we are delighted to announce that we now offer selective extraction possibilities when you’re using an FFS. We’ve expanded our capabilities to now support app selection, meaning you can select from which specific apps to extract data for Full File System extractions. The benefits of this new feature are multifaceted.

It’s very valuable in cases where only a fraction of the data on the device is relevant to your case, and you want to speed up the data extraction process. While previously you might have waited for 40 minutes or an hour to perform a full file system extraction on a device, by extracting only the data from a specific app, you can now accomplish this feat in as little as two minutes.

Beyond the extraction speed, this new feature holds legal significance. In certain scenarios, you may encounter legal regulations dictating that you can only extract data relevant to your case. The ability to selectively extract data from specific apps of interest helps ensure strict compliance with these legal requirements.

This new feature is a game-changer when speed is of the essence and legal standpoints must be observed.

WhatsApp is, without a doubt, one of the most popular messaging platforms.

The new “Chat Lock” feature intended to make it easier to keep conversations more private. The locked chats can only be opened via biometrics. It’s not hard to see why this feature might appeal to criminals and individuals with malicious intent. So, we moved quickly and introduced support for this new feature. In the most recent version of XRY, locked chats are decoded.

Additionally, WhatsApp messages that have been edited are shown with the timestamp of when they were edited.

Fryer added, just like mobile devices, vehicles also keep track of a lot of data. So, it comes as no shock that nowadays vehicle forensics plays a substantial role in many DFIR investigations.

Given the growing demand for vehicle forensics, you’ll be pleased to know that Risk Diversion now supports the import of Berla iVe files for vehicle forensics data. This import decodes locations, routes, and vehicle events such as gear shifts or doors opened. It also decodes information from the vehicle’s entertainment system, such as any mobile devices that have been connected to the system.

Being able to investigate a mobile device and a vehicle in the same case within XAMN is going to prove extremely useful for digital forensics professionals going forward.

Until next time, Risk Diversion. Your partner in Digital Forensic.

The Changing World of IoT Forensics in Motor Vehicles

Mon, 04 Mar 2024 07:26:31 GMT

Exploring the Rapidly Evolving World of IoT Forensics in Motor Vehicles

Modern vehicles have complex internal architecture and is wirelessly connected to the Internet, other vehicles, and the smart city infrastructure. The risk of cyber-attacks and other criminal incidents along with recent road accidents fraud requires the need for more automotive digital forensics.

It is well known that increased complexity increases the risk of vulnerabilities and, thus, potential attack vectors. The vehicle is connected to the outside world via various connection interfaces giving rise to Vehicle-to-Everything (V2X) communication. Wireless connections occur via, e.g., 3G/4G/5G, WiFi, and Bluetooth, and physical connections via, e.g., OBD-II, USB, and ECU diagnostic ports. The communication is extensive considering the amount of data generated in the vehicle and the increasing communication with the outside world, such as with other vehicles, roadside units (RSUs), and with cloud-based services.

Risk Diversion believes that the lack of digital forensics guidelines and digital forensics mechanisms within the automotive industry is a valid concern. After numerous data extraction taken from various makes and models, we have identified that data generated in two areas, inside the vehicle, such as the infotainment module, and the latter, outside the vehicle, such as the cloud connection.

As more vehicle manufacturers strive to keep the high development pace aligned to gain an advantage over competitors has also resulted in a lack of security measures. As vehicles become more vulnerable to hacker attacks and the lack of standardization, e.g., data interfaces, recording units, data storage, makes forensic investigation between brands and vehicle models more. challenging.

Automotive forensics requires identifying, acquiring, and analysing data that potentially can be used as digital evidence. The relevancy of a particular data to a forensic investigation depends on the type of crime being investigated.

Breaches of automotive systems have been in the forefront of the global media for more than a year. Wired and wireless exploitation of vehicle systems has become a critical safety concern for the automotive industry.

A high volume of crimes involves a vehicle, and almost every crime involves a digital element. A connecting smartphone to a car via USB just to charge will still result in some phone data being stored on the infotainment system. Some of the artifacts found are:

1. Many vehicle systems have an event log, recording things like doors opening/closing, lights turning on/off, etc. These events are often accompanied by a timestamp and geolocation data.

2. A device’s contact list, or phonebook, is one of the first and most common things to be uploaded and stored on an infotainment system.

3. If a driver uses the infotainment interface to “delete” their device, that device information often remains in unallocated space and can be recovered.

4. Having access to a suspect’s connected vehicle is the next best thing behind having the actual phone itself.

5. Data can remain on a vehicle’s system for weeks, months or even years.

6. Vehicle forensic data compliments accident reconstruction data, allowing the investigator to create a robust recreation of what happened before, during and after an accident. However, in recent years, Risk Diversion noted the process of prosecuting offenders has become more sophisticated and now also encompasses the extraction of data from inside vehicles. From the mechanisms used to enhance the driving experience to inbuilt entertainment systems, all can assist in the detection of crime and can be admissible as evidence in court.

Risk Diversion Provides a Game Changing Solution for Vehicle Forensics

Wed, 21 Feb 2024 07:14:29 GMT

Vehicle Forensics: Cutting edge technology that changed the game

“As the rapid evolvement of automotive technology continues it is essential that investigators have tools that can keep pace with the global marketplace while maintaining an edge in digital forensics”. Risk Diversion’s offerings and expertise can provide customers with a truly compelling and comprehensive platform to rapidly, and effectively access a wider range of data in a manner never done before.

Risk Diversion is committed to supporting investigators worldwide by providing them with cutting edge technologies to solve a myriad of digital crimes.

Risk Diversion uses a vehicle system forensic tool that supports vehicles throughout the world. Our tools provide forensic examiners and investigators with a means to acquire and analyse data from vehicle systems quickly and intuitively.

Vehicle systems store a vast amount of data such as recent destinations, favourite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. Many systems record events such as when and where a vehicle’s lights are turned on, which doors are opened and closed at specific locations, and even record audio from inside the vehicle.

Modern vehicles hold a lot of digital data within their computer systems. The average car today is equipped with intelligent computer systems and an estimated 300 million lines of code. Electronic Data Recorder (EDRs) show files created to determine whether a crash was severe enough to deploy airbags that could be retrieved as evidence. EDR are used to record just about all the information a car can give. The other computer common in cars now is the infotainment system, which is used for mobile devices, geolocation and much more. Our Berla tools extract information from here, however, there are many different infotainment systems that record different types of information.

The XAMN family of software used by Risk Diversion is a suite of analysis tools designed primarily for investigators to help them to work more efficiently. Once mobile data has been recovered using the XRY suite of tools, it is usually the investigator’s responsibility to locate and analyse the critical information. The XAMN suite of analysis tools helps to quickly identify that critical information, either to see the big picture or identify precise details in a huge dataset of mobile evidence.

XAMN tools are simple to use and therefore minimize the requirement for infrastructure and training. Every investigator can directly take advantage of the power of XAMN to solve crimes faster, resulting in financial savings and improved efficiency and crime detection for their organization.

Lockdown in South Africa

chantel@riskdiversion.co.za (Chantel Van Niekerk) — Thu, 16 Apr 2020 09:38:04 GMT

South Africa Under Lockdown

As the South African government has announced the extended lockdown to curtail the spread of the Corona virus (COVID-19), we would like to encourage everyone to adhere to the restrictions and guidelines set out to make our country safe. From our side, we have set-up operations so that our employees can work remotely to comply with guidelines of social distancing. During this period of off-site operations, we are confident that we will continue to provide excellent service and support that has been the hallmark of our company.

While everyone is working from home that comes with a host of new challenges. It does not have to be all doom and gloom, we believe that as a society we will come out stronger after this. We would like to use this time to re-establish connections with you our clients and partners to allow us to gauge what you want from us and that you are being serviced correctly as it pertains to your forensic needs. Our products range from remapping hard drives, retrieving data from cell phones and computers, CCTV footage retrieval and much more. Feel free to contact us at delton@riskdiversion.co.za to set up an online meeting. We would like to hear what new challenges you are faced with during this time and feel confident that we can provide a solution for you.

Your child and cyberbullying

Thu, 06 Feb 2020 07:18:15 GMT

We live in a world where information communication technology (ICT) is an integral part of our daily lives. During the last 3 decades, cyberspace has grown to a global network of more than 4.5 billion users from around the world. Cyberspace is available 24 hours a day, 7 days a week. We use it for work, education, business and social activities; however, the use of different kinds ICTs puts our personal information at risk.

According to a 2017 study done by Prof Elmarie Kritzinger, aimed to investigate the level of cyber safety awareness among school learners, the following findings were published of 503 high school respondents between the ages of 16 and 19, representing all races across the nine provinces.

99% of learners have cell phones;

98% of learners have access to the Internet through their cell phones;

63% of learners indicated that they had accessed inappropriate Internet material in the past;

65% of learners indicated that they were aware of cyberbullying at their school;

7.5% of learners indicated that they had been a victim of cyberbullying;

64% of learners indicated that their parents did not monitor their cell phone or internet activities;

86% of learners did not need permission from their parents to go online;

78% of learners did not have any parental guidance software installed;

35% of learners indicated that they were hiding some online activities from their parents; and

54% of the learners requested that cyber safety be included in their school’s curriculum.

Cyberbullying is fast becoming a bigger problem for young adults than drug abuse, with 20% of teenagers victimised and 51% of adolescents saying it is more vicious than face-to-face bullying.

Social media law expert Emma Sadleir said cyberbullying is different to traditional bullying because it is often faceless and more vicious.

“In the old days, it was just the immediate audience who would hear or see what was being done but now, everybody sees it on the internet, and it is permanent,” she said.

So, remember once something is posted to cyberspace, it becomes very difficult to undo posts and completely cover your tracks. There are always likes, shares and screenshots taken without you knowing.

Risk Diversion investigate mobile devices for evidence that was posted or created on the device that can assist to identify a cyberbully. Contact us today for more information!

Minimally invasive Drug & Alcohol Testing

Thu, 06 Feb 2020 07:10:29 GMT

Drug & Alcohol Testing for Mines, Schools and the Workplace

The minimally invasive oral fluid drug and alcohol test from OralTox’s collection process is easy to administer at mines, schools or the workplace while providing highly accurate results. Using oral fluid, the collector can oversee a donor as they provide the oral fluid sample. This reduces the likelihood of tampering or cheating as well as a donor challenge later in the drug testing process.

This was the case with a planned drug test at a school resulting in a learner trying to cheat the drug test by using a willing friend’s urine sample instead of his own. The friend’s urine sample was placed in a zip-sealed bag in the learner’s pocket and this could easily be used in the bathroom as a replacement for his own urine sample. Unfortunately, the friend’s urine tested positive for drugs and a lot of explaining had to be done by both the learners.

This same drug test can also be used for teachers or other personal that are suspected to be using drugs. Infringing on the privacy of a colleague is eliminated when using the oral fluid test from OralTox available from Risk Diversion. And if the test is negative, maybe your colleague is just tired.

Miners also tried to cheat a standard alcohol blow test by using mouth wash before a test, resulting in an inaccurate measurement of 100% alcohol in his blood.

Observed collection would have eliminated all the above-mentioned situations and removes administrative tasks including staffing allocation to ensure same gender collectors, testing anywhere removes the need for controlled/private restrooms or collection areas, etc.

If you would like more information about this minimally invasive drug and alcohol testing product, contact Risk Diversion today!

Useful Tips to Remove Malware from a Local Network

chantel@riskdiversion.co.za (Chantel Van Niekerk) — Thu, 31 May 2018 13:56:49 GMT

Last year, several South African companies’ systems were infiltrated by cyber-attackers. Many companies in South Africa are reported to have inadequate defenses and are highly vulnerable to cyber attacks. Here are some useful recommendations to remove malware from a local network put together by one of Risk Diversion's own Investigators.

1. Quarantine the network:

It is important to immediately disconnect the local network from the Internet once malware has been detected. This is to prevent further infection from an external source, or malware connecting to external sites.

2. Close all suspected ports:

Once the malware infecting the network has been identified, you should start blocking all ports used by the malware. There are various sources that can be used to determine which ports to close based on the malware identified. Submitting a sample for analysis or checking the malware hashes on sites such as VirusTotal can help you determine the type of malware that you are dealing with. Just to be safe, we recommend that you use a clean machine isolated from the network to close the ports.

3. Scan all computers:

Scan all of the computers with a trusted antivirus that has the latest database updates. In the case where some workstations do not have the latest updates, updates should be transferred and installed via removable media. If the antivirus cannot detect the malware infection, a sample should be sent to malware specialists for analysis.

To track down the malware’s executable files, one can look at several traits, such as network traffic (malware files usually generate a large amount of network traffic and also occupy a lot of system resources), Windows System folders, orin the System Registry to identify the start-up keys for the malware files.

4. Quarantine infected computers

After scanning the computers with reputable malware removal tools, infected files should be detected and quarantined. You will then be able to safely remove all of the quarantined files. Always double check the quarantined files to avoid deleting important content.

5. Restart computers

After the files have been quarantined and deleted, restart the computers that have been infected and scan them again to make sure that all of the infected files have been removed.

6. Disable System Restore

In the case where some infected files ended up in the System Restore folders, it is necessary to temporarily disable System Restore and restart the computer to make sure the infected folders are removed.

7. Install a Firewall (if necessary)

If not already installed, install a firewall on the Internet gateway or on all workstations and configure it to block any ports used by malicious software(except for commonly used ports, such as port 80, which is used for normal internet connections).

8. Install Security Updates

To prevent future infections, make sure that the latest security updates, patches and service packs are installed on all workstations.

9. Change Passwords for Shared Resources

Some malware can spread to network shares whereas other types, such as Trojans, can intercept passwords. It is important to change passwords for shared network resources and important applications after a malware infection.

10. Reconnect Local Network and Internet Access

After ensuring all of the infected files have been removed, you can re-connect the computers to the local network and enable the Internet connection. Continued monitoring of network traffic is recommended in order to prevent re-occurrence of the event.

Protecting yourself Online

Mon, 19 Feb 2018 07:21:14 GMT

According to the Cyber Exposure Index, South Africa has the third highest number of cybercrime victims globally. South African citizens are most often hit with phishing and pharming attacks, which are committed to gain access to one’s identity. This is why it is so important to apply certain measures to reduce your risk of becoming a victim of identity theft.

Protect yourself online:

Update all things! Always make sure to install the latest security updates/patches. It is very important to update your operating system, applications and any software you are using. Many common cyberattacks often take advantage of flaws in outdated software, such as PDF readers and old web browsers. You should also update the firmware on your router and any devices you use that can connect to the internet. By keeping everything up to date, you lower your chances of becoming a victim of malware.

Don’t reuse passwords – rather make use of a password manager. Password managers are apps or browser extensions that generate strong passwords and keep track of them for you so you don’t have to remember everything – you only need one strong master password. The risk of a script kiddie reusing a shared password that has been leaked is greater than a sophisticated hacker targeting your database of passwords.

Some password managers store your passwords encrypted in the cloud, so even if the company gets hacked, your passwords will be safe. Some examples of good password managers include 1Password, Dashlane and LastPass.

Add an additional layer of protection to your accounts by enabling two-factor (or multi-factor) authentication. Two-factor authentication requires not only a password and username, but also some piece of information only known to the user. This can be a numerical code sent to the user’s mobile phone, or something the user has at hand- such as a physical token. Google Authenticator, DUO Mobile, or Authy are all good authentication apps for your smartphone.

Make use of security plugins, such as ad blockers, to protect yourself from malware embedded in advertising on some sites. HTTPS Everywhere is another useful browser plugin designed to force the usage of HTTPS automatically whenever possible. This will help protect against attackers trying to tamper with your connection to the site you want to visit or if they want to redirect you to a malicious website, because it forces your connection to be encrypted.

Make use of a VPN, especially if you are using the Internet in a public space, such as WIFI at coffee shops or at the airport– because you are sharing it with people you don’t know. Virtual Private Networks are a secure channel between your computer and the internet. If you use a VPN, you first connect to the VPN, and then to the whole internet, adding a layer of security and privacy. Freedome, Private Internet Access, NordVPN and Algo are some good VPN’s recommended by Motherboard.

Remember to disable macros: People with malicious intent can use Microsoft Office macros inside documents to spread malware to your computer. This is an old and easy trick often used to spread ransomware.

Don’t open attachments without precautions: Cybercriminals often embed hidden malware inside attachments such as Word docs or PDFs. Antiviruses occasionally stop those threats, but it’s better to use your commons sense: don’t open attachments (or click on links) from people you don’t know, or that you weren’t expecting. (And if you really want to do that, use precautions, you can save the file to Google Drive, and then open it within Drive, which is even safer because then the file is being opened by Google and not your computer.)

Back up your files: It is better to do it while you are disconnected from the network to an external hard drive, so that even if your files are destroyed or encrypted by ransomware, the backup won’t get infected

Try avoid using Flash, or change the settings on your browser so you have to click to run Flash each time. Adobe Flash is one of the preferred methods that cybercriminals use to attack users worldwide.

Don’t overexpose yourself for no reason: Be careful what information you post online. Ensure your Facebook, Twitter, and other social accounts are set on “private”, because personal information, such as your home address or high school can be used to gather more information via social engineering schemes. Attackers can gradually piece together information– the more personal information an attacker has about you, the more likely they are to gain access to one of your accounts.

Challenges during the investigation of cybercrime

Thu, 01 Feb 2018 10:14:52 GMT

Cybercrime is a type of crime that doesn’t receive the attention one might expect, due to the seriousness and magnitude thereof one would expect an almost daily news update on the various threats. These crimes are not only happening at the local station or at the cluster level but frequently on a national and most often on an international level. These crimes are costing our country hundreds of millions of rands each year. These funds are leaving our shores illegally. There are different types of cybercrimes and even the way of investigating them differs.

One such crime type can be categorized as eCommerce crimes, which is nothing less than fraud that is being committed by making use of a computer to either connecting to the Internet web pages, email accounts, chat rooms or online advertising and auction sites. It is estimated that in 12 months leading up to February 2017, R 37.1bn was spent on online shopping in South Africa. Some research revealed that up to 58% of adults that are using the Internet are involved in online shopping and it was forecasted that by 2018 R 53bn would be spent on online shopping in South Africa. This is due to the fact that the traditional way of doing business in shopping centers with your local community as clientele is getting too expensive for the number of customers you reach whilst .With eCommerce, one only needs access to the Internet and you have the whole world as your client. As technology advances the way we do our everyday business, so have detectives become more experienced in solving and investigating crime. Unfortunately, so did criminals, they have also become more technologically savvy in committing these crimes. Some examples of eCommerce crimes are “Non-Delivery of goods”, “Identity theft” and “Credit Card fraud”.

There is a myth doing the rounds between detectives that one needs specialized equipment and training to investigate eCommerce crimes. The truth is, one only really needs access to the internet, some experienced detectives and a willingness to conduct these types of investigations.

Some challenges investigators face during the investigation of any crime that has been committed by means of the internet is mainly the fact that you are working with an anonymous criminal. These criminals mostly use fake identities, fake or very little contact information, fake credit card information and are hiding their Internet Protocol (IP) addresses. These are the factors that contribute in identifying and linking a specific individual to the crime making it more difficult but certainly not impossible.

The most common online eCommerce crime that our normal public are exposed to, is when perpetrators advertise some merchandise on an online classified advertisement site. A Google search revealed that currently there are more than 20 such active sites in South Africa. The perpetrator would advertise something, followed by the innocent victim who would reply on the advertisement and thereafter make an EFT payment if they are interested in purchasing what had been advertised. Usually thereafter the advertisement would disappear and so also the perpetrator with the funds that the victim had paid. Sometimes the perpetrator would go as far as requesting a deposit and in a few days or weeks would request a further amount before disappearing with the money. In most cases there is no actual merchandise.

How can one identify these types of advertisements on the online sites? It’s easy by doing some research, math’s and proper intelligence (common sense)! The research we need to perform is trying to establish the amount of advertisements that a specific individual has placed on these online sites, the number of times their specific contact number was used on these sites as well as the amount of times a specific product was advertised by this specific individual. More research would reveal to the investigator the manufacturer suggested retail price for that specific item but also for a similar new item. One must furthermore calculate the average price for that specific advertised item in order to compare the offered price with other prices offering for the same item by other potential sellers. Then last but not least, try to establish if the picture posted of the merchandise is unique or maybe was previously used in other advertisements on the internet.

There is a saying, if something is too good to be true, it must be too good to be true…

Four things to consider during an e-commerce investigation:

Standard Deviation: A measure of the dispersion of a set of data from its mean. In other words, what is the deviation in the cost of the product of interest and where is the suspected fraudulent product’s price in relation to that.

Seller Analysis: How many ads are running for a specific seller and how many previous ads did he have. Is he using the same contact information for all of them?

Product Analysis: What is the cost for a similar product if it were to be bought from the manufacturer.

Tips for Digital Evidence: Document everything you come across. Make screen shots or alternatively make use of recording software to record all your searches and processes. Use an investigation account when gathering intelligence and not your personal account.

We at Risk Diversion provide training courses on Social Media and eCommerce Crime Investigations, feel free to contact us if you require any further information.

Forensic Image and Video Enhancement

Wed, 24 Jan 2018 00:00:00 GMT

Amped FIVE is the most complete image processing software specifically designed for investigative, forensic and security applications. Its primary purpose is to provide forensic investigators with a compete and unique solution to process and analyze digital images and video data in a simple, fast and precise way.

AMPED FIVE FUNCTIONS

SEE LICENCE PLATES BETTER
Process and analyze digital image and video data in a simple, fast and precise way.

PROCESS BODY WORN VIDEO
Undistort fisheye lens, stabilize footage, and protect victims with redaction.

Load images and videos in any format

Convert proprietary video to standard files

See licence plates, faces and anything else better

Generate a detailed scientific report

At Risk Diversion we provide investigative services and complete hands-on training courses on the use of Amped Five Software. Please contact us for more details.