Marthie Lessing
Forensic experts around the world are in combat mode, trying to outsmart hackers who are tormenting unsuspecting internet users, swindling them out of large sums of money, and stealing their identities.
The problem of cyber-aided crimes is bigger than meets the eye. Marthie Lessing, a CSIR cyber security specialist, has set her sights on developing the tools that will enable law enforcement agencies to nail these evildoers and bring them to justice.
Lessing’s research on live forensics, although still relatively new in South Africa, will assist investigators when acquiring evidence and presenting it in court. Computer-aided crimes include hacking, cyber stalking and unlawful use of intellectual property (commonly known as plagiarism). An interesting cyber crime is the ‘salami attack’, a form of defrauding unsuspecting bankers. In this scenario, programmers with access to a specific bank's financial system program the software to take a small amount of cash from each transaction and deposit it in their own accounts.
There are limited statistics on cyber crimes in South Africa, but it is known that cyber crimes are on the increase, albeit still less widespread locally than in other parts of the world. “But it is clear that South Africa is not immune to these technology-enhanced crimes,” says Lessing.
In traditional digital forensics, investigators physically switch off and confiscate the hardware, or make a mirror copy of the data. A live forensic investigator cannot use this approach. Live forensics requires that an investigator acquires, examines and analyses data in a live system, without changing any of the data on the machine or the computer system. If any data are changed, the evidence is considered inadmissible in court. In addition, live forensics allows the investigator access to volatile data that may otherwise have been lost. “We are in a constant battle with these computer criminals, this is a fast moving operation,” Lessing says.
Lessing’s research is complex. “To try and get into someone’s machine without switching it off and without modifying any of the evidence can be very complicated,” she says. One of the first steps to get information in the investigative process is to use a device called a ‘hardware write blocker’. This device prevents any information from being written to an external hard drive, preventing any data modification.
“Nobody fully trusts new technology, especially not the courts,” says Lessing. New technology is constantly coming onto the market, and the live forensics investigator needs to keep up with developments in order to fulfil the live forensics function. In general, courts have not embraced new technology and its demands on the justice system, and therefore the forensic investigator needs to provide an expert witness in court.
Lessing says if her live forensics framework is accepted and used, it will establish the CSIR as a leader in forensics research. “This has the potential of seeing the area grow into a full-sized forensic research platform,” she says.
Lessing would like to see the country’s legislation deal with live forensic investigations. “Generally, legal people don’t understand technology terms and we as forensic technologists don’t necessarily understand their language. With forensics, but especially live forensics, these two disciplines need to become intertwined,” she says. “This [live forensics] is wide ranging and it’s going to open up many possibilities for cyber investigations.”
She cites as an example the incidents of children disappearing without a trace after having cellphone chats on MXit with strangers. With live forensics, the criminals who lure children can be tracked down and brought to justice. Lessing says investigators need to sort out the legal aspects of the investigation first and then contact the service provider of the cellphone used while on MXit. This will show where the last active cell was when contact with the child was lost and serves as a starting point for locating the child.
One worst-case scenario of technology fiends getting the upper hand, she says, was two years ago when Estonia was attacked by hackers who brought the country's internet system to its knees by overloading the network, cutting it off from the rest of the world.
Her long-term objective is to show that live forensics can be a forensically sound investigative method that can be used in the courts of law for evidence. She says that while researchers are busy trying to fight hacking, hackers are also hard at work developing new anti-forensic techniques to counter these investigations. “In theory one needs to think like a hacker to catch one,” she says.
Her research is looking at the procedural and legal sides of live forensic investigation: what laws investigators need to know by heart to avoid contaminating evidence. Lessing intends to develop a guideline model for live forensics to make sure that whatever information investigators get from the digital storage media or digital system of a suspected criminal will hold up in court. At the moment there are no public cases in South Africa where live forensics has been used as evidence in court.
Lessing is registered as a PhD student at the University of Johannesburg and has been at the CSIR for seven months. She completed her BSc Computer Science with financial orientation at the same university and did her master’s in information security governance. The 26-year-old computer whiz is engaged and is planning her walk down the aisle.