
E-Cyborg: The Cybercrime Evidence Finder

Abstract: Today, cybercriminal activity has grown enormously as the number of internet users and social networking sites keeps growing. The victims are not limited to adults but also include children, and the crimes involve not only personal attacks but also organizations or countries. Finding evidence is crucial, as cybercrimes need to be treated like physical crimes. In this paper we discuss a mechanism for finding cyber evidence that integrates an Intrusion Detection System (IDS) and a firewall, called Evidence Cyborg (E-Cyborg). E-Cyborg aims to provide a solution that assists network forensic investigators in their cybercrime cases. Based on several tests on a simulation of the system, the system is able to produce high quality evidence. Hence, the investigation task becomes more efficient and effective.

Keywords: cybercrime; network forensic; digital evidence.
I. INTRODUCTION
As internet usage has grown massively, cybercrime has also increased rapidly. Various tools such as desktop computers, mobile devices and other digital devices are used in cybercrime. Furthermore, various media can be used to commit such crimes, for example email, web browsers, social networking sites, instant messaging, peer-to-peer and file exchange software, and the list goes on. Finding high quality evidence is a crucial process, and it is not an easy task to find evidence that can be used in court, as the evidence might have been tampered with or modified. In fact, there are many tools for finding evidence; however, appropriate tools are needed to ensure the evidence meets the legal criteria, which will be discussed further in the next section. Research by Erin et al. [4] mentioned that evidence collection methodology needs to be improved so that the effort in terms of time and cost is balanced against the requirements and demands of the legal community. From another perspective, there are legal issues regarding collected evidence. Legal consideration and cyber law are a must to ensure that the evidence found is valid for further action and investigation. Considering this issue, we believe that there is a need for finding admissible evidence, so that the evidence collection process is not in vain and the evidence is valid for a hearing.



In this paper we consider integrating IDS and firewall mechanisms into the framework. Their structure will be examined and enhanced so that we are able to find and classify possible evidence for the further investigation process. Based on our observation, by utilizing IDS and firewall mechanisms we could solve the problem of obtaining high quality evidence that is admissible in court for further investigation. For this reason, this research proposes a new mechanism called E-Cyborg to find useful evidence.

In general, there are three main processes: evidence collection, evidence identification and classification, and result documentation. Details of this framework are described in Section III.
II. BACKGROUND
A. Cybercrime
In general, every cybercriminal activity has its own objective and mission. Thus, there are many consequences associated with cybercrime. According to Schell and Martin (2004), cybercrime can harm human beings and property [17]. Cybercrimes committed against human beings include cyber stalking and cyber pornography, whereas cyber attacks such as phreaking and infringing intellectual property rights harm property. Besides, there are two additional classifications of cybercrime: against organizations and against society [18]. Cybercrimes against organizations include unauthorized access to computer systems, Denial of Service (DoS) attacks, virus attacks and data diddling. Finally, cybercrimes against society include forgery and web jacking. Fig.1.1 illustrates the cybercrime categories.

In addition, cybercrime causes losses to consumers. As reported by Norton in 2012, the average loss from cybercrime is USD 197 per victim, and every second 18 adults become victims [18]. The value of the loss due to cybercrime is definitely terrifying. In Malaysia specifically, as reported in The New Straits Times by Abu Hassan Alshari Yahaya, the assistant governor of Bank Negara Malaysia, the loss in internet banking due to fraud was 3.4 million in 2011 and 3.2 million last year [16]. Even though the amount is decreasing, the number is still high and worrying.

Eviyanti Saari
School of Computer Science
Universiti Sains Malaysia, USM
Penang, Malaysia
eviyanti@fskik.upsi.edu.my

Aman Jantan (Assoc. Prof, PhD)
School of Computer Science
Universiti Sains Malaysia, USM
Penang, Malaysia
aman@cs.usm.edu.my

2013 8th International Conference on Information Technology in Asia (CITA)
978-1-4799-1092-2/13/$31.00 2013 IEEE

Besides the loss to consumers, there are also other measures of cybercrime. The costs of cybercrime include criminal revenue, direct losses, indirect losses and defense costs [18]. Criminal revenue refers to the gross receipts from a crime, direct losses include damage or harm caused by a cybercrime, indirect losses are losses that affect society, and defense cost refers to the cost of cybercrime prevention. Figures 1.2 and 1.3 depict the cost of cybercrime and of cyber defense. It is clear that the increasing number of cybercrimes leads to worldwide financial loss.


Furthermore, cybercrime can leave digital evidence behind for forensic professionals to investigate. In fact, digital evidence has several roles. According to the Federal Bureau of Investigation (FBI) of the United States Department of Justice, digital evidence can function as the target of a crime, the instrument of a crime, or a repository of evidence that documents the crime itself. Figure 1.4 depicts the three roles of digital evidence.


In the first role, as the target of a crime, a device such as a computer, mobile phone or storage medium is vulnerable and fragile, which allows a person with malicious intent to attack the system. A DoS attack is one example that makes a particular computer the subject or target; hacking another person's computer is another example of using the computer as a target. The second role of digital evidence is as the instrument of a crime: digital evidence can be a tool for committing the crime or for assisting attackers in their agenda. Attackers can use a computer for credit card fraud, to distribute child pornography, to intrude into other systems or to steal information. The third role of digital evidence is as a repository of evidence. System log files can provide valuable information, as every activity in the system is logged. Drug trade is one example of the third role: possibly all the transactions stored in the repository can be used for the investigation. It is clear that something has to be done to collect high quality evidence, since the three different types of digital evidence may create different scenarios and problems during the investigation process.

Fig.1.1 Cybercrimes Categories
Fig.1.2 Cost of Cybercrime
Fig.1.3 Cost of Cyber Defense
Fig.1.4 Roles of Digital Evidence

B. Digital evidence
Collecting digital evidence requires extra effort, as forensic professionals need to carry out as thorough an investigation as for physical evidence; for example, they have to perform crime scene investigation and photograph the crime scene. Besides, forensic professionals also need to investigate and analyze digital data and network traffic. Both physical and digital evidence need to be handled accordingly to ensure the integrity of the evidence for legal procedure. Basically, evidence is the proof that can be used in a legal proceeding. In other words, anything related to the crime, to someone who committed the crime, or to the victim of the crime can become or give evidence. However, the evidence needs to meet certain criteria in order to be usable as evidence.

In general, evidence must possess five unique features in order to be useful [2]. If it lacks any one of these features, the evidence will not qualify for further procedure in court. Evidence must be admissible, authentic, complete, reliable and believable. Figure 1.5 depicts the features of useful evidence mentioned previously.

C. Law and Legal Issues
In general, there are legal issues regarding collected evidence. Legal consideration and cyber law are a must to ensure that the evidence collected is valid for further action and investigation. Considering this issue, we believe that there is a need for collecting admissible evidence so that the evidence collection process is not in vain and the evidence is valid for a hearing.

Another reason that motivates us to carry out this research is the need to use valid and authentic evidence that abides by legal authority, besides protecting digital evidence during the investigation.

D. Evidence Collection Tools and Techniques
Every single second, a computer network is overwhelmed with a continuous and immense volume of traffic, which makes collecting digital evidence no easy task. Appropriate tools for investigation are vitally needed to assist forensic professionals in their work and to ensure the reliability and admissibility of the evidence in court. Research by Erin et al. [4] mentioned that evidence collection methodology needs to be improved so that the effort in terms of time and cost is balanced against the requirements and demands of the legal community. The main reason for this is the need to use valid and authentic evidence that abides by legal authority.

In order to deal with evidence collected from the Internet, we have to examine the packets in incoming and outgoing traffic. Network packets can be captured using network monitoring tools such as firewalls and IDS, as well as other network devices. Thus these can be the source of evidence.

E. Intrusion Detection System
In general, IDS is one of the tools that can be used to collect evidence. This technique could make digital forensic evidence collection more efficient and effective. IDS can be divided into two categories, host-based IDS (HIDS) and network-based IDS (NIDS). NIDS can be classified into two general types, known as signature based and heuristic based [6]. A signature based system detects threats by matching attack patterns. Heuristic based systems are similar to anomaly-based systems and detect attacks through deviations from a model of normal behavior [7]. Basically, an IDS is an application that monitors the network with the purpose of detecting network attacks. The IDS sends an alert to the network administrator if an attack is detected in the network. Any attacks, events or activities occurring in the network, such as port sniffing and packet scanning, are stored in the log files.

However, the evidence collected by the Snort system is not accurate, since the system faces a high rate of false positives and false negatives. These problems are caused by the limitation of the signature based technique, which is unable to detect new malicious code or viruses, as supported by Garuba et al. [7]. Therefore, the really important evidence might be overlooked and non-related evidence captured; hence, invalid evidence would be presented in court.

Fig.1.5 Features of Useful Evidence

Another open source intrusion detection system is the Open Source Host-based Intrusion Detection System (OSSEC). OSSEC performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response [9]. OSSEC [9] can also be categorized as a Log-based Intrusion Detection System (LIDS), as it detects attacks by analyzing logs from various sources, for example firewalls and routers. However, the integrity of the log files becomes an issue if intruders successfully breach the system and edit the log files.
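The log-integrity caveat above is the one a practitioner wants a concrete check for. The following Python is an added example, not code from the paper or from OSSEC: it stores log records in a hash chain so that a later edit or deletion of any record is detectable when the chain is verified. The record layout and the sample firewall and router events are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample log records (not real OSSEC, firewall or router output).
SAMPLE_EVENTS = [
    {"ts": "2013-04-22T10:00:01", "src": "firewall",
     "msg": "DROP TCP 198.51.100.7:4455 -> 192.0.2.10:22"},
    {"ts": "2013-04-22T10:00:05", "src": "router",
     "msg": "link up eth1"},
    {"ts": "2013-04-22T10:00:09", "src": "firewall",
     "msg": "ACCEPT TCP 192.0.2.10:51000 -> 203.0.113.5:443"},
]

# Fixed starting value so the first entry has something to chain to.
GENESIS = "0" * 64


def _digest(prev_hash: str, record: Dict) -> str:
    # Canonical JSON so the same record always serialises, and hashes, identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(events: List[Dict]) -> List[Dict]:
    """Append each event to a hash chain: entry i commits to the hash of entry i-1."""
    chain: List[Dict] = []
    prev = GENESIS
    for ev in events:
        record = dict(ev)  # copy, so later edits to the input cannot alias the chain
        h = _digest(prev, record)
        chain.append({"record": record, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[Dict]) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first entry
    whose content or back-link no longer matches (edit, deletion or reordering)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def head_hash(chain: List[Dict]) -> str:
    """The value to export off-host (write-once store, printout, remote syslog)
    so an intruder who rewrites the whole chain can still be caught."""
    return chain[-1]["hash"] if chain else GENESIS
```

The chain only proves that nothing changed since the head hash was last recorded; an intruder with write access to the host can recompute every link. The defensive value therefore comes from shipping `head_hash()` to a place the monitored host cannot write, and comparing against it at verification time.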

Since packets arrive continuously at the network system, it is impossible for us to investigate every packet to find the most probable evidence using IDS, firewalls, sniffers and other tools. The large number of network packets coming to and going from the network system forces us to devise a proper strategy to filter or classify the packets as possible evidence or not. For this reason, we need an appropriate rule set to classify them as well as to increase the accuracy of the collected evidence. Various tools and techniques for collecting evidence are described in the following paragraphs.

In general, various evidence collection tools and techniques have been developed and implemented. Research by Wang et al. [10] introduced a dynamical network forensics model based on artificial immune theory and multi-agent theory. This technique collects real-time evidence automatically and provides a quick response to network criminals. Moreover, the technique overcomes the infeasibility of analyzing evidence caused by executing the forensic tool manually instead of automatically. However, this technique is intended to collect evidence for further analysis rather than to classify the evidence according to its level of possibility. Thus, an evidence classification technique is also needed to produce evidence with a high level of possibility.

Other researchers use an integration technique in which multiple different approaches are used to generate possible evidence. For example, the research by Keppens et al. [11] integrated symbolic crime scenario abduction and Bayesian forensic evidence evaluation to build decision support systems (DSS) for crime investigation. This integration is useful for differentiating competing crime scenarios, whereby the resulting DSS is capable of formulating effective evidence collection strategies. However, the weakness of this approach is its inability to determine the time and space of the event in the built scenario, since it is important for the forensic agent to prepare the analysis based on time and space as well.

There is also research on collecting evidence by adopting a forensic profiling system. Research conducted by Yim et al. [12], for example, proposed the collection of evidence of Denial of Service (DoS) attacks in a wireless environment by applying a WLAN Forensic Profiling System. However, the rate of collected packets that contain a DoS attack using this approach is lower than with a general IDS. There is a need to improve the efficiency of collecting evidence so that the rate of collected packets is higher than with a general IDS, and thus the accuracy of the possible evidence also improves.

From the above discussion, we observe several problems faced by current tools and techniques: inefficiency [12], inability to classify evidence based on level of accuracy [6, 8, 10] and delay [13]. Arguably, there is a need for a better and more effective technique that can facilitate the evidence collection process in the network to produce accurate evidence. Since the IDS is a tool, we believe that by adapting the IDS we can solve the problems discussed previously. Moreover, the general mechanism of the IDS can be utilized to provide the best technique.

III. PROPOSED FRAMEWORK
In general, the proposed architecture, as shown in Fig.1.6, implements an inference engine to ensure the accuracy of the evidence collected from the network system. The inference engine implements a rule-based expert system using the forward chaining method. The set of rules defined in the inference engine is used to classify possible evidence into different categories, i.e. attack, malware, etc. First, packets from the network system are collected and classified by the inference engine. Then each packet is channeled to the appropriate class for further analysis. Finally, the result is stored in the evidence repository for future use.


Fig.1.6 The Architecture (components: Internet, Firewall, Inference Engine, Attack Analysis, Malware Analysis, Evidence Repository)
The framework consists of three main phases: evidence collection, evidence identification and classification, and result documentation, as shown in Fig.1.7.

Fig.1.7 The Framework

a) Phase 1: Evidence Collection
The first phase involves collecting packets from the network system, including real time and offline information. We utilize FADS [15] to capture all ingress and egress packets from the network system. FADS is implemented using a hybrid approach that combines anomaly-based and signature-based IDS, adopting a distributed multi-agent approach and a data mining engine. The rationale for using this approach is that it addresses problems faced by previous researchers, such as false positive and false negative alarms, improves the accuracy and detection rate, and clusters the captured evidence for further forensic tasks. Different network users need different rule sets, so the rule set needs to be configured thoroughly to achieve the most satisfactory result and highly accurate evidence. The outcome of this stage is a log file that contains compressed, persisted, filtered packet information from FADS.
b) Phase 2: Evidence Identification and Classification
In this phase, log analysis is performed on the logs gathered in the first phase. The log analysis identifies intrusions, that is, whether the information can be classified as an intrusion or not. After that, the intrusions are classified according to the level of evidence accuracy, so that forensic professionals have a smaller scope of evidence to investigate and analyze. In this phase, all the processing is done using the inference engine for clustering purposes. The outcome of this phase is the possible evidence with a high level of accuracy, which is stored in the evidence data storage.

c) Phase 3: Result and Documentation
Finally, a report of the possible evidence is generated and documented for further action in court. This process takes into account the custody form, which is the basic form for describing the evidence for analysis.
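To make the three phases concrete, here is an added Python example; it is not the E-Cyborg or FADS code from the paper. It parses a constructed Phase-1 log (the line layout is an assumption, since the paper does not give FADS's output format), runs a small forward-chaining rule base that derives attack and malware classes plus an accuracy level for each source address (Phase 2), and emits a minimal custody record that binds the classification to the SHA-256 hash of the exact log bytes (Phase 3). The rule names and thresholds, the event tags and the addresses are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Constructed Phase-1 log. Fields: timestamp src_ip dst_ip dst_port tag
# (this layout is an assumption; the paper does not specify FADS's format).
SAMPLE_LOG = """\
2013-04-22T10:00:01 198.51.100.7 192.0.2.10 21 SYN
2013-04-22T10:00:01 198.51.100.7 192.0.2.10 22 SYN
2013-04-22T10:00:01 198.51.100.7 192.0.2.10 23 SYN
2013-04-22T10:00:01 198.51.100.7 192.0.2.10 25 SYN
2013-04-22T10:00:01 198.51.100.7 192.0.2.10 80 SYN
2013-04-22T10:00:02 198.51.100.7 192.0.2.10 110 SYN
2013-04-22T10:00:02 198.51.100.7 192.0.2.10 143 SYN
2013-04-22T10:00:02 198.51.100.7 192.0.2.10 443 SYN
2013-04-22T10:00:02 198.51.100.7 192.0.2.10 3306 SYN
2013-04-22T10:00:02 198.51.100.7 192.0.2.10 8080 SYN
2013-04-22T10:00:10 198.51.100.7 192.0.2.10 22 SSH_AUTH_FAIL
2013-04-22T10:00:11 198.51.100.7 192.0.2.10 22 SSH_AUTH_FAIL
2013-04-22T10:00:12 198.51.100.7 192.0.2.10 22 SSH_AUTH_FAIL
2013-04-22T10:00:13 198.51.100.7 192.0.2.10 22 SSH_AUTH_FAIL
2013-04-22T10:00:14 198.51.100.7 192.0.2.10 22 SSH_AUTH_FAIL
2013-04-22T10:01:00 203.0.113.5 192.0.2.10 80 SIG:EXAMPLE_DROPPER
2013-04-22T10:02:00 192.0.2.77 192.0.2.10 443 ACCEPT
"""

Fact = Tuple  # working-memory element, e.g. ("port_scan", "198.51.100.7")


def parse_log(text: str) -> Set[Fact]:
    """Phase 1 output -> base facts, aggregated per source address."""
    ports = defaultdict(set)
    ssh_fail = defaultdict(int)
    facts: Set[Fact] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _dst, port, tag = line.split()
        facts.add(("seen", src))
        if tag == "SYN":
            ports[src].add(port)
        elif tag == "SSH_AUTH_FAIL":
            ssh_fail[src] += 1
        elif tag.startswith("SIG:"):          # signature hit reported by the sensor
            facts.add(("signature_hit", src, tag[4:]))
    for src, p in ports.items():
        facts.add(("distinct_ports", src, len(p)))
    for src, n in ssh_fail.items():
        facts.add(("ssh_failures", src, n))
    return facts


def _count(facts: Set[Fact], kind: str, src: str) -> int:
    return sum(f[2] for f in facts if f[0] == kind and f[1] == src)


# A rule is (name, condition over (facts, src), conclusion built from src).
# Thresholds are constructed for the example, not taken from the paper.
Rule = Tuple[str, Callable[[Set[Fact], str], bool], Callable[[str], Fact]]
RULES: List[Rule] = [
    ("R1 port scan",     lambda F, s: _count(F, "distinct_ports", s) >= 10,
                         lambda s: ("port_scan", s)),
    ("R2 brute force",   lambda F, s: _count(F, "ssh_failures", s) >= 5,
                         lambda s: ("brute_force", s)),
    ("R3 malware sig",   lambda F, s: any(f[0] == "signature_hit" and f[1] == s for f in F),
                         lambda s: ("malware", s)),
    ("R4 attack class",  lambda F, s: ("port_scan", s) in F or ("brute_force", s) in F,
                         lambda s: ("class", s, "attack")),
    ("R5 malware class", lambda F, s: ("malware", s) in F,
                         lambda s: ("class", s, "malware")),
    ("R6 corroborated",  lambda F, s: ("port_scan", s) in F and ("brute_force", s) in F,
                         lambda s: ("corroborated", s)),
    ("R7 high accuracy", lambda F, s: ("corroborated", s) in F,
                         lambda s: ("accuracy", s, "high")),
]


def forward_chain(facts: Set[Fact]) -> Tuple[Set[Fact], List[str]]:
    """Fire rules until no rule adds a new fact (fixpoint); records what fired."""
    facts = set(facts)
    fired: List[str] = []
    sources = {f[1] for f in facts if f[0] == "seen"}
    changed = True
    while changed:
        changed = False
        for name, cond, concl in RULES:
            for src in sources:
                new = concl(src)
                if new not in facts and cond(facts, src):
                    facts.add(new)
                    fired.append(f"{name} -> {new}")
                    changed = True
    return facts, fired


def classify(log_text: str) -> Dict[str, Dict]:
    """Phase 2: each source with a derived class -> its classes and accuracy level."""
    facts, _ = forward_chain(parse_log(log_text))
    result: Dict[str, Dict] = {}
    for f in facts:
        if f[0] == "class":
            src, cls = f[1], f[2]
            entry = result.setdefault(src, {"classes": [], "accuracy": "medium"})
            entry["classes"].append(cls)
            if ("accuracy", src, "high") in facts:
                entry["accuracy"] = "high"
    for entry in result.values():
        entry["classes"].sort()
    return result


def custody_record(log_text: str, examiner: str) -> Dict:
    """Phase 3: minimal custody-form entry tying the result to the exact log bytes."""
    _, fired = forward_chain(parse_log(log_text))
    return {
        "evidence_sha256": hashlib.sha256(log_text.encode()).hexdigest(),
        "examiner": examiner,
        "classification": classify(log_text),
        "rules_fired": fired,
    }
```

Keeping the rules monotonic (they only ever add facts) is what makes the fixpoint loop terminate and makes the `rules_fired` trail reproducible, which is what an examiner needs when explaining in court how a packet ended up in the "attack" class; the accuracy level is itself derived by a rule rather than by an ad hoc score, so the same trail explains it.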
IV. SIMULATION & DISCUSSION
Simulation of the proposed model was conducted using a system developed in our SRG lab. Fig. 1.8 depicts a screen shot of the simulation result for the testing of the framework. Further experiments and analysis are needed in order to get precise results. However, the results obtained show that the classification technique can contribute to obtaining more accurate possible evidence for network forensics.

Fig.1.8 The Screen shot
V. CONCLUSION & FUTURE WORKS
The main contribution of this paper is a framework for collecting evidence that can classify the most accurate possible evidence. This framework is also designed to limit the collection of evidence-related information, so that storage consumption is reduced. Besides, the forensic professional's task becomes more efficient and effective, since the evidence is already filtered and classified according to its level of possibility. This research also contributes to a wise economy by reducing storage space, which reduces hardware costs.

ACKNOWLEDGMENT
This work was supported by MOSTI Science
Fund Grant No. 305/PKOMP/613144 and USM RUi
Grant No. 1001/PKOMP/817048, School of Computer
Science, Universiti Sains Malaysia, Penang, Malaysia.

REFERENCES
[1] Ashcroft, Daniels and Hart, Forensic Examination of Digital Evidence: a Guide for Law Enforcement, National Institute of Justice, USA (April 2004). http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
[2] Brezinski and Killalea, Guidelines for Evidence Collection and Archiving. RFC 3227 (Best Current Practice), Feb. 2002.
[3] J. H. Wang, Cyber Forensics Issues and Approaches, book chapter in: Managing Cyber Threats: Issues, Approaches and Challenges, edited by Kumar et al., Kluwer Academic Publishers, 2005.
[4] Erin E. Kenneally and Christopher L. T. Brown, Risk sensitive digital evidence collection, Digital Investigation, Volume 2, Issue 2, June 2005, pp. 101-119, ISSN 1742-2876, DOI: 10.1016/j.diin.2005.02.001 (http://www.sciencedirect.com/science/article/B7CW4-4G7X9TV-2/2/9ccac2eb911d64d2570dbcf9837c1d21)
[5] N. Liao, S. Tian, and T. Wang, Network forensics based on fuzzy logic and expert system, Comput. Commun. 32, 17 (November 2009), 1881-1892. DOI: 10.1016/j.comcom.2009.07.013, http://dx.doi.org/10.1016/j.comcom.2009.07.013
[6] M. Garuba, L. Chunmei, and D. Fraites, Intrusion Techniques: Comparative Study of Network Intrusion Detection Systems, Fifth International Conference on Information Technology: New Generations (ITNG 2008), pp. 592-598, 7-9 April 2008.
[7] C. F. Pfleeger and S. L. Pfleeger, Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education, 2003.
[8] Y. H. Choi, J. H. Park, S. K. Kim, S. W. Seo, Yu Kang, J. G. Choe, H. K. Moon and M. S. Rhee, An Efficient Forensic Evidence Collection Scheme of Host Infringement at the Occurrence Time, International Conference on Information Security and Cryptology, pp. 0-0, Dec. 2006.
[9] Daniel B. Cid, Log Analysis using OSSEC, URL: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
[10] Diangang Wang, Tao Li, Sunjun Liu, Jianhua Zhang and Caiming Liu, "Dynamical Network Forensics Based on Immune Agent," Third International Conference on Natural Computation (ICNC 2007), vol. 3, pp. 651-656, 24-27 Aug. 2007. doi: 10.1109/ICNC.2007.345, URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4344592&isnumber=4344458
[11] Keppens, Shen and Schafer, "Probabilistic abductive computation of evidence collection strategies in crime investigation," Proceedings of the 10th International Conference on Artificial Intelligence and Law, pp. 215-225, 2005.
[12] Yim, Lim, Yun, Lim, Yi and Lim, "The Evidence Collection of DoS Attack in WLAN by Using WLAN Forensic Profiling System," In 2008 International Conference on Information Science and Security, 2008.
[13] Luo Guangchun, Lu Xianliang, Li Jiong, and Zhang Jun, MADIDS: a novel distributed IDS based on mobile agent. SIGOPS Oper. Syst. Rev. 37, 1 (January 2003), 46-53. DOI: 10.1145/881775.881780, http://doi.acm.org/10.1145/881775.881780
[14] Richard A. Wasniowski, "Multi-sensor agent-based intrusion detection system," In Proceedings of the 2nd annual conference on Information security curriculum development (InfoSecCD '05). ACM, New York, NY, USA, 100-103, 2005. DOI: 10.1145/1107622.1107645, http://doi.acm.org/10.1145/1107622.1107645
[15] FADS: Forensic Analysis and Discovery System. Security & Forensic Research Group, Universiti Sains Malaysia, Feb. 2012.
[16] Abu Hassan Alshari Yahaya (2013, Jan 16). Internet Banking Losses Decline. The New Straits Times. Retrieved April 22, 2013 from http://www.cybersecurity.my/en/knowledge_bank/news/2013/main/detail/2261/index.html
[17] Schell, B. H. and Martin, C., Cyber Crime: A Reference Handbook. Santa Barbara, California: ABC-CLIO, 2004.
[18] Norton (2012, September 19). 2012 Norton Cybercrime Report. Security Asia Portal. Retrieved April 22, 2013 from http://security.networksasia.net/content/2012-norton-cybercrime-report




