The EU becomes cyber Sherlock Holmes

How can you be sure your on-line transactions are secure, and find out if anybody has been siphoning off money from your credit card? The European Commission’s Joint Research Centre (JRC) has developed a way of handling electronic information to protect the rights of cyberspace users and guard against fraud when buying on the Internet.

The EU Cyber Tools On-Line Search for Evidence (CTOSE) project helps identify, secure, integrate and present electronic evidence on on-line criminal offences. It meets the challenge of clearly establishing what happens during an e-crime, or even a simple on-line transaction. The new approach developed in this project enables investigators to use “computer forensic tools” to gather evidence which will stand up in court or tribunal proceedings throughout Europe. EU researchers, in co-operation with European computer and security specialists, have developed new standardised procedures for this purpose.

“Cybercrime hides behind our computer screen, and in the wires of global communication networks and services,” says European Research Commissioner Philippe Busquin. “Business is a prime target – but public authorities and even individuals are vulnerable, too. Millions of e-mail inboxes and networks have recently been crippled by computer viruses. This innovative methodology, developed by the Commission, will not only help combat cybercrime, it will also increase user confidence in carrying out secure transactions in everyday life.”

Alarming increase in crime

The global information society is rapidly evolving, continually driving the development of new products and services, as well as ways of conducting business and commerce. However, cyberspace has also opened the door to criminals of all sorts.

Vast online information resources, network and user security all need to be protected, or the development opportunities opened up by the Web will be seriously compromised. Fraudulent transactions, computer hacking and viruses, high-tech crime, identity theft and computer fraud have become quite common occurrences, as have disputes over electronic transactions.

Computers not only provide the means of committing crime, they can also provide essential evidence of a crime. Electronic records such as computer network logs, e-mails, word-processing files, and picture files increasingly provide important evidence in criminal cases.

Supporting investigators

Fighting cybercrime is not easy. The EU Cyber Tools On-Line Search for Evidence (CTOSE) project, supported by the Commission’s Information Society Technologies (IST) programme, has developed a methodology that identifies, secures, integrates and presents electronic evidence. It enables anyone – from system administrators, information technology security staff and computer incident investigators, to police and law-enforcement agencies – to follow consistent and standardised procedures when investigating computer incidents using ‘computer forensic tools’.
The methodology ensures all electronic evidence is legally and properly gathered and preserved, acting as uncontaminated and compelling proof that a crime or fraud has been committed to company management, industrial tribunals, or civil or criminal courts.

Pooling resources to police the digital arena

The CTOSE project, completed on 30 September 2003, combined the expertise of French telecommunications and security specialist, Alcatel, and UK security company, QinetiQ, and three research Institutes: the CRID at the University of Namur (Belgium), the University of St. Andrews (United Kingdom), and the Fraunhofer Institute (IAO)/University of Stuttgart (Germany), together with the JRC’s Institute for the Protection and Security of the Citizen.

The CTOSE ‘Special Interest Group’ (SIG) made an important contribution to the success of the project. The project brought together some 50 experts in the domain, from Europe and the US, with a wide range of specialist backgrounds, including Computer Emergency Response Teams (CERTs), computer lawyers, computer forensic tool suppliers, high-tech police investigators, and IT security staff from major financial institutions. The project partners and SIG members share a common understanding of the importance of privacy and data protection. They are now drawing up plans to carry forward the results, and ensure widespread deployment of the methodology and tools developed, by means of both a research network and a Foundation.

On-line law enforcement

The project has also developed the Cyber-Crime Advisory Tool (C*CAT), as well as a legal advisor, an expert system which offers advice on the legal aspects of computer investigations, an XML-based specification for electronic evidence, and a demonstrator showing investigations of realistic commercial situations involving simulated attacks – from hacking and website defacement to organised fraud.

The C*CAT tool tells an investigator, at each stage of an investigation, which procedures to carry out and what decisions are required. The “legal advisor” points out the legal requirements to investigators, to ensure that the evidence is admissible, convincing, and legally obtained. The XML specification enables one investigator to package a piece of evidence and hand it over to another, ensuring a safe ‘chain of custody’ for all electronic evidence.

The demonstrator shows what happens in the event of an attack, both on a typical unprotected Website, and on a site which has followed the project’s guidelines on forensic readiness, and which is therefore in a position to investigate and respond to an attack properly. Overall, the tools developed by the project represent the first complete end-to-end methodology to guide investigators through the difficult task of computer forensics.