[BreachExchange] Cyber Crime – Can Locard’s Exchange Principle Be Applied to Cyber Crime?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 12 18:56:21 EDT 2017


http://internetdo.com/internet/cyber-crime-can-locards-exchange-principle-be-applied-to-cyber-crime.html

Cyber Crime is replacing drug trafficking. Recent government findings
indicate that cyber crime has pushed aside the illicit drug trade as one of
the top sources for hundreds of millions of dollars in ill-gotten gains the
world over. In its infancy, the Internet seemed like something that could
develop into a useable tool for scientific research. If we had only known
back then what potential it held, perhaps more thought would have gone into
its protection.

Today the newswires are filled with reports of massive thefts of personal
information as well as depleted bank accounts, all due to the criminal
element that, for a small investment in a computer and an Internet
connection, is changing the landscape of criminal investigation. One highly
regarded research survey stated that 8.1 million Americans were victims of
identity theft in 2010. Losses were in the hundreds of millions.

The Locard Exchange Principle (LEP)

Dr. Edmond Locard (1877-1966), known to many as the French “Sherlock
Holmes,” was a pioneer in forensic evidence investigation. Locard
formulated the basic principle of forensic science, “Every contact leaves a
trace.” Of course, Locard’s theory dealt with the physical contact made by
the perpetrator with items in the crime scene. But today’s crime scene may
not involve a physical structure; more than likely the crime scene is
located out there in cyberspace.

So the question evolves, “Does Locard’s Exchange Principle apply to an
electromagnet passing over a spinning disk?” Some digital detectives
believe that it does. For example, a hacker gains access to a computer
system that may or may not be secure. Is any computer completely secure?
Granted, security software is effective against many such invasions, but a
secure system will only take the hacker a little longer to get into it.
Now, the question is, does the exchange principle apply?

Cyber crimes leave no physical evidence

On the surface, the infiltrator would leave no physical trace of his having
been there. But other electronic trace evidence may be present. If the
computer’s file access logs are accessible, a record may be available
showing that the file was, in fact, accessed, and even that a network
transmission followed. It is also possible that a side-channel analysis of
any activity on the hard drive will uncover network operations. As a last
resort, the examiner may check the access logs of the Internet Service
Provider (ISP) to uncover surreptitious entry. This step will not
necessarily divulge what specific data was removed, but it will indicate
that data was, in fact, lifted from the line.

Industrial espionage is becoming commonplace

Personal information and cash are not the only targets of this spreading
menace. Online industrial espionage is a growing threat to the U.S. economy
as well as our national security. U.S. intelligence agencies recently
warned elected officials that China and Russia are engaged in
cyber-espionage. “Trade secrets developed over thousands of working hours
by our brightest minds are stolen in a split second and transferred to our
competitors,” said one counterintelligence executive. These foreign
governments deny this claim.

The Cyber Exchange Principle

Perhaps when relating to cyber crime, the “Cyber Exchange Principle”
applies. Forensic examination of a computer or server will uncover
artifacts of invasion. The investigator is then faced with a situation in
which the crime scene is not limited to a single computer and may involve
another computer half the world away.

The hacker will not be leaving latent fingerprints, footprints, or traces
of physiological fluids in the wake of his intrusion. But the bits and
bytes that electronic activity leaves behind can be far more valuable in
this case. The principle that Locard espoused so long ago must be at the
forefront of the minds of our digital detectives as they seek what clues
an invaded computer holds as well as what traces are awaiting discovery out
there in cyberspace.
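
The trace described under "Cyber crimes leave no physical evidence" (a file access record followed by a network transmission) can be checked by lining the two logs up on one timeline. The sketch below is an added example, not part of the original article; the record layouts, host paths, addresses and the five-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article).
# File access log: (timestamp, account, path, file size in bytes)
FILE_ACCESS = [
    ("2017-06-12T02:14:05", "svc_backup", "/srv/designs/turbine.dwg", 48_200_000),
    ("2017-06-12T09:30:11", "alice", "/srv/hr/handbook.pdf", 1_100_000),
    ("2017-06-12T02:15:40", "svc_backup", "/srv/designs/pricing.xlsx", 2_400_000),
]
# Outbound flow summaries: (timestamp, destination address, bytes sent)
NET_FLOWS = [
    ("2017-06-12T02:16:30", "203.0.113.45", 51_000_000),
    ("2017-06-12T09:31:00", "198.51.100.7", 12_000),
    ("2017-06-12T14:00:00", "203.0.113.45", 900),
]

def _ts(value):
    return datetime.fromisoformat(value)

def correlate(accesses, flows, window=timedelta(minutes=5)):
    """Pair each outbound flow with file reads that precede it within `window`
    and are small enough to fit in the bytes the flow carried.

    A match is a lead for the examiner, not proof of which data left:
    the logs show that a transmission followed an access, nothing more.
    """
    findings = []
    for flow_time, dst, bytes_out in flows:
        t_flow = _ts(flow_time)
        candidates = sorted(
            (a for a in accesses
             if timedelta(0) <= t_flow - _ts(a[0]) <= window and a[3] <= bytes_out),
            key=lambda a: _ts(a[0]),
        )
        if candidates:
            findings.append({
                "time": flow_time, "dst": dst, "bytes_out": bytes_out,
                "users": sorted({a[1] for a in candidates}),
                "files": [a[2] for a in candidates],
            })
    return findings

if __name__ == "__main__":
    for f in correlate(FILE_ACCESS, NET_FLOWS):
        print(f"{f['time']} -> {f['dst']} ({f['bytes_out']} bytes) "
              f"after reads by {f['users']}: {f['files']}")
```
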