Cyber security experts on paradigm shift and challenges in digital forensics

Monday, 29 October 2018

From left: Sri Lanka CERT|CC Principal Information Security Engineer Roshan Chandraguptha, Sri Lanka Police Special Task Force Commandant Senior DIG M. R. Latiff, Appknox Singapore Co-Founder and CTO Subho Halder, Cellebrite (Israel) APAC Digital Intelligence and Investigation Solutions Vice President Terry Loo and moderator CICRA Holdings Group Director and CEO Boshan Dayaratne


Final session of Daily FT-CICRA Cyber Security Summit 2018 focuses on dynamics of digital investigations


By Hiyal Biyagamage

In one of its blog posts, Cellebrite, the global leader in the digital intelligence market, states that between 1 January and 14 June this year, there were 3,056 fatalities and 584 attacks. By the end of 2018, terrorists will have been responsible for the killing of more than 6,000 people across the globe, in more than 1,000 attacks. That is roughly 16 people per day.

Not so surprisingly, the rise of technology as a weapon has helped a number of terrorist organisations across the globe to carry out their malicious attacks. With easy access to social media channels, forums, and websites, terrorists do not need to physically cross borders to recruit new members. They can reach them digitally. Moreover, once these radicalised individuals are ready to act, they are able to securely communicate with their leaders and followers anywhere in the world using encrypted phones and apps.

The final session of Daily FT-CICRA Cyber Security Summit 2018 focused on ‘Digital Forensics Dynamics’, where industry experts discussed at length the rise in cyber-attacks, how terrorists are using technology for destruction and why law enforcement and organisations need to be equipped with the right digital intelligence tools to fight the abuse of technology.

Technology empowering terrorism

Taking some of the major terrorist attacks as examples, Cellebrite APAC Vice President Terry Loo said that terrorists use digital technology at every stage of an attack. Cells trade messages about whether attacks should proceed, source explosives and other materials using cryptocurrencies on the dark web, and use drones to scout targets or send GPS locations to other cell members. Not only is this technology increasingly affordable and accessible, but Terry also mentioned that many software and hardware products offer strong encryption options.

“In late 2017 in Sheffield, the United Kingdom, the brother of an ISIS bomber was sentenced to 10 years in prison for planning a terrorist attack. Law enforcement officials said they found a ‘significant amount of terrorism-related material’ on mobile phones, USB sticks, and computers they seized.”

“In the aftermath of the March 2017 Westminster attack in London, investigators found that attacker Khalid Masood used WhatsApp and Apple’s iMessage while he was behind the wheel of the van that mowed down 12 people. The investigators learned that Masood’s messages contained his supposed religious justifications for the attack. Police used information about the messages’ distribution in their investigation, arresting recipients to determine if they were Masood’s associates.”

Explaining why digital investigations are crucial, Terry said it is one of the best ways to catch criminals and terrorists. 

“When it comes to digital investigations, time urgency is crucial. We work with a number of law enforcement agencies and they have this concept called the ‘Golden Hours’. Say you managed to gather 10 mobile devices from drug traffickers, you have about two to three hours to extract data out of these devices and put it into an analytics system. After that, you will be able to analyse their communication channels and methods.”

“Imagine you send the mobile device to a central lab and it takes you six months to generate a full report; the repercussions of that will be dire because, after six months, the rest of the culprits have changed their mobile numbers or thrown their mobile devices into a dumpster. Digital data is a depreciating commodity. The longer you drag out the investigation, the more the value of the data drops,” Terry explained.

He explained some of the main challenges when it comes to digital investigations. 

  • Encryption: We are seeing a situation where device manufacturers and OEMs are focusing heavily on placing encryption on their devices. Not only that, but applications are also being encrypted. This means that traditional methods of intercepting devices and apps cannot be used anymore.
  • Volume: It comes in two forms. First, there are the devices. The number of devices is increasing day by day. In almost every case, a single user may have more than one device. The volume of data is also growing. Many devices today come with a storage capacity of one or two terabytes.
  • Variety: Just thinking about the variety of devices—operating systems, different models etc.—it is overwhelming. We are talking about 20 billion connected devices by 2020. How are we going to deal with that?
  • Velocity: We are shifting from 4G to 5G. When the speed of the internet increases, you get more data stored in the cloud compared to the phone. If you are able to look at this data in the cloud and correlate it with the evidence found in the phone, that would help the investigation. However, how you are going to do that is the question.
  • Qualitivity: Digital data is zeros and ones. We are seeing more and more manufacturers coming up with remote kill switches and disabling USB ports after one hour if you wrongly enter your PIN code. These features are blocking digital investigation more and more because digital data can be destroyed quickly.

While digital evidence clearly has critical value in almost all criminal investigations, accessing this evidence is not a straightforward process. Terry said that there are vast amounts of data to access and analyse; often there are not enough resources among investigative teams to carry out collection and analysis at this scale. 

“Encrypted devices may take hours to unlock; investigators may need to recover deleted content, or extract content from damaged devices. In a 2015 Cellebrite customer survey, 85% of law enforcement officers said device and app encryption is one of the top challenges in mobile forensics. Encryption is becoming the norm: half of the web’s traffic is now encrypted, according to the Electronic Frontier Foundation. All these factors can significantly slow down the course of an investigation.”

Terry went on to say: “However, terrorists’ use of the internet can work to the benefit of law enforcement. It means they’re leaving a digital trail of critical information. Mobile devices and online accounts store all kinds of valuable data, including images, SMS logs, call activity, and geolocation tagging. It’s no surprise that 95% of law enforcement and corporations consider mobile devices their most significant source of data.”

The right digital intelligence solution can help investigators gain access to locked or encrypted devices quickly and effectively. This data can be extracted along with other sources of critical information, such as online activity from email and social media accounts. These sources can then be filtered, compared and analysed using artificial intelligence and machine learning to generate actionable insights, such as locations of future attacks, safe houses, or drop-off points. 

Further discussing IoT investigations, Terry mentioned that the advantages of these investigations are huge but there are certain questions that organisations need to ask. 

“One of the key questions is how these future innovations are going to impact digital investigations. As the worldwide leader in digital intelligence, Cellebrite has developed a range of innovative solutions that can help when minutes matter. Cellebrite’s digital forensics tools can rapidly unlock, extract, decode, and analyse digital data from multiple sources, including the cloud. However, IoT investigators have to be familiar with what is going on between IoT devices.”

He also said that analytics play a vital role in digital investigations. “When an organisation gets hit with a cyber-attack, does your analytic tool suit the correct purpose? Is it future-proof? We are talking about data for mobile devices. If you purchase an analytics tool that does not go according to your mobile expectations, the tool will not serve your purpose.” 

Concluding his speech, Terry said: “I witnessed a paradigm shift in Sri Lanka. I went through the crime statistics in Sri Lanka and you have a very peaceful country. However, we are seeing a situation in Sri Lanka where a number of reported crimes are traditional crimes. In other countries, however, we have started witnessing a shift between traditional and digital crimes. In 2015, Singapore’s traditional crime rate dropped by 68% but the digital crime rate went up by 72%.”

“If we move into a cashless society where e-commerce becomes a part of the legal framework in Sri Lanka, nobody would be able to rob on the street. The paradigm shift is yet to come in but it is not far away,” he concluded.

Be a fox when it comes to cybersecurity, not a dolphin

Speaking about the other side of the coin, which is how digital forensics helps an organisation when it is breached for its data, AppKnox Co-Founder and Chief Technology Officer Subho Halder delivered his keynote with a heavy focus on mobile devices.

“Why is it so difficult for mobile devices to be analysed for forensic investigations? Firstly, many applications are fragmented. There are different kinds of apps for different devices. We cannot have universal applications for all the devices. The second factor is fragmented platforms. It is not only devices but platforms as well. Android has different versions and even for iOS, there are different platforms. Some applications do not support certain platforms. Thirdly, personal and social information. Different breeds of devices contain data that is so personal for each and every individual who is using those devices. If a data breach happens, the confidentiality of that data will be paramount. Last but not least, we have businesses and enterprises,” Subho said.

How do we protect this data and why is mobility security important? 

Subho said that mobility is the whole vertical of all devices that could connect to the internet. It is important because many of these devices are connected to the internet and follow your day-to-day activities.

“There is mobile malware, which is a huge threat today. They come in and steal your application data, which is very personal to you. Cyber-attacks on mobile devices are increasing day by day and they are very effective. The number of mobile devices is more than the number of laptops and these devices are not even monitored properly.”

Talking about securing mobile applications, Halder said: “A normal monitoring tool expects a program to be written with a start function and an end function. However, Android applications do not run in that way. They run in an asynchronous manner. That is why it is important to secure mobile applications.”

Touching upon security frameworks in his speech, he discussed four pillars of security analysis.

  • Static analysis: It is more like a code review. You go through the code and figure out what the logical mistakes are. However, developers are not security researchers and training a developer to become a security analyst is a waste of time. You need to have proper security practices in place and make sure that the security practice in place does a static analysis as well. This only covers 30% of the security lifecycle.
  • Dynamic analysis: You run the code and figure out the output, whether it is an intended or unintended output. This covers almost 40% of your security lifecycle. It tells you what the issues in the application are while the app is running.
  • Network analysis: This is where all the logic happens. It sends data back to the cloud and gets data back from the cloud. We have to analyse the database size and whether it is encrypted or not. 
  • Analysis from an external point of view: When your organisation does the assessment, you will be more biased toward your company. When a third party does that, they are not biased towards the organisation. They will come up with a fresh tactic to figure out security issues inside your application.

Halder said that his organisation has scanned more than 300,000 applications and conducted more than 10,000 security assessments. They came up with the following statistics.

  • 80% of applications scanned have an issue in the server-side
  • 43% of applications scanned are storing personal data without being encrypted 
  • 64% of applications do not have a proper SSL stack 
  • 72% of applications have been sources for intended data leakages
  • Broken cryptography and client-side injections are also causing major issues in applications

Concluding his speech, Subho said that organisations need to act as foxes when it comes to securing against cyber-attacks. “You might have detection strategies and security practices in place, but don’t be like a snail, which cannot detect any of these threats. You should have a security practice in place but do not be a turtle. Even if I tell you these are the security issues but you do not act upon it, you will become a turtle. Do not be a dolphin. You will detect your threats and take actions against them but you do not take proactive measures for the action. Be something like a fox, where you not only detect but predict what the next cyber threat is going to be.”

The state of Sri Lanka’s cybersecurity policies

Speaking at the panel, STF Commandant Sri Lanka Police Senior Deputy Inspector General M.R. Latiff recalled some of the history of how Sri Lanka came into the limelight on cybersecurity.

“In 1997, the United States wanted to bring cyber-terror laws when the LTTE launched an electronic bombing in 13 Sri Lankan Missions, coinciding with their Black Tiger Day, ranging from Washington to Jakarta. It was the first time that the US reported a cyber-terrorist attack on a government institution.”

“Investigations were launched because the servers were based in Washington DC and London. When it was reported to the US authorities, a lot of tension was created. That is why in 1997, the US enacted new laws to tackle cyber-attacks. Sri Lanka at that time was not technologically savvy but we wanted to fortify our defence perimeters. As a result of that, the Criminal Investigation Department (CID) of the Sri Lanka Police launched the Cybercrime Unit which initially started as a Computer Crimes Unit,” said Latiff.

He further stated: “In 2016, CID officers had a Digital Forensic Lab thanks to the South Korean Government. Right now, it offers a Diploma in Digital Forensic Investigation which is recognised by the South Korean Police University. We have done a number of awareness sessions and trained over 140 police officers to become technologically and digitally savvy about cyber threats.” 

Sri Lanka CERT|CC Principal Information Security Engineer Roshan Chandraguptha talked about how digital forensics should address cases pertaining to data residing in the cloud.

“Most of our data reside in the cloud. In Singapore, if authorities take your phone in for investigation and if the user has stored all his information in the cloud, authorities will not be able to get any of his or her data as they are residing in another country. From a security perspective, this initiative will be perfect as cloud vendors will also provide a number of security measures to enhance data protection, even if something happens to your device.

“However, it is a real challenge for any country to carry out forensic investigations on the trot. If the data is in different servers across different venues, how would it be possible to access the data of the device if the user does not provide the username and password?” he explained. 

Commenting about how legal challenges should be addressed, Roshan said: “If you do an analysis and do a report in Court, you have to go and explain the technicalities behind report elements. If the data is hosted elsewhere, somebody from that company needs to come down and explain details about how they do forensics in our Courts.”

“I do not think that will happen easily. However, it is high time to think of a way and laws, especially in an incident where the suspect has provided his device and the authorities have retrieved the usernames and passwords; the latter will be given the power to use those details and retrieve data in an orderly manner. Then the local police officer could present it in Court and the local cyber expert could explain the mechanics behind the digital investigation. The data hosting party has to support as well when it comes to retrieving deleted data. There are so many avenues and it might not be a technical solution all the time. However, procedures and laws have to support that framework,” he added.

The Daily FT-CICRA 2018 Cyber Security Summit was supported by Cisco as the Principal Sponsor, Visa as the Strategic Partner, and Infowatch and Tufin as Co-Sponsors. LankaPay was the Official Payment Partner while Dialog was the Telecommunication Partner. Sri Lanka Insurance was the Insurance Partner. The Ministry of Telecommunication and Digital Infrastructure and ICT Agency of Sri Lanka endorsed the event. Cinnamon Grand was the Hospitality Partner of the Summit while Triad was the Creative Partner. The Electronic Media Partners of the event were TV Derana, FM Derana, Ada Derana and Derana24X7.

Pix by Upul Abayasekara and Ruwan Walpola