Article: Digital Forensics Institute in Malaysia: The Way Forward


By Aswami Ariffin, Jill Slay and Husin Jazri

Digital Evidence and Electronic Signature Law Review, 9 (2012) 51
Pario Communications Limited, 2012

The number of internet users in Malaysia fell by 1.1 percent in 2010. Simultaneously, cyber crimes and cyber related crimes handled and resolved by CyberSecurity Malaysia’s Digital Forensics Department increased by 101.9 per cent. Despite this accomplishment, there are two notable concerns: the increase in reported crimes when the number of internet users dropped, and the lack of coordination in the operation of digital forensics laboratories and research activities. This paper considers the digital forensics landscape in Malaysia by analyzing the problems encountered, its achievements and a brief comparison with Japan. A Digital Forensics Institute is proposed as a way forward.

Introduction

In 2009, the number of internet users in Malaysia[1] was estimated by one market research organization as 16,902,600 from a population of 25,715,819. A year later, in 2010, the numbers estimated were 16,902,600 from a population of 26,160,256. To encourage its citizens to use the internet, the government is collaborating with TM Berhad,[2] a local broadband service provider, to improve the infrastructure and charge a low price. Some states, for example Penang, provide free wireless connection.[3]

In the same period, cyber crimes and cyber related crimes increased by 101.9 per cent. To address this problem, the government established CyberSecurity Malaysia in 1998, formerly known as National ICT Security and Emergency Response Centre or NISER. CyberSecurity Malaysia is a reference centre for cyber security and digital forensics, introduced to help resolve cyber crimes. To date, the overall digital forensics initiatives in Malaysia are progressing satisfactorily because all cases have been resolved[4] and there are some research publications.[5]

However, the problems faced by Malaysia include poor research coordination and lack of cooperation among agencies. Universities predominantly initiate most of the research efforts, with occasional discussion at national level in an attempt to harmonize requirements, activities and resources. Whilst some of the legal agencies have their own laboratories, publicly available information on their systems is limited because of confidentiality. The problems include imprudent management, the failure to be cost effective, some redundancy, and a decentralized approach to the problems. The authors argue that these approaches need to be changed in the interests of an effective digital forensics service to deal more effectively with cyber threats that are increasing and becoming more difficult to resolve.

This paper analyses cyber crimes and cyber related crimes encountered in Malaysia. The efforts to mitigate the problems are discussed, such as digital forensics research, operational procedures, including the achievements of CyberSecurity Malaysia’s Digital Forensics Department from 2000 to 2010. A brief comparison is made with Japan to illustrate the Japanese success in dealing with this issue for the purpose of learning from the Japanese experience, and to suggest that Malaysia consider the foundation of a Digital Forensics Institute to provide for a more coordinated and rational approach to this

[1] Internet World Stats and International Telecommunication Union, Malaysia Internet Usage Stats and Marketing Report, , this web site that is apparently run by Miniwatts Market Research; http://www.skmm.gov.my/index.php?c public&v artview&art id 190.
[2] ‘TM to announce UniFi pricing today’, The Edge, 5 March 2010, http://www. o-announce-unifi-pricingtoday.html; http://www.skmm.gov.my/index.php?c public&v art view&art id 36.
[3] Andrea Filmer, ‘Penang launches statewide free WiFi project’, The Star, 18 September 2008, http://thestar.com.my/news/story.asp?file /2008/9/18/nation/20080918201219&sec nation; myconvergence.com.my/main/images/stories/./MyCon06 29.pdf.
[4] CyberSecurity Malaysia, Digital Forensics – CyberCSI 2010 Annual Report, ensics/about/main/detail/1987/index.html.
[5] Sundresan Perumal, ‘Digital Forensic Model Based On Malaysian Investigation Process’, International Journal of Computer Science and Network Security, volume 9 number 8 (August 2009), 38-44.

Figures for cyber crimes

The Digital Forensics Department maintains statistics on cyber crimes, although not all cases are cyber crimes, but include an element of digital evidence in some form. An example is where a person is murdered, and the case requires the analysis of closed circuit television, or a mobile telephone and a digital video recorder features as part of the evidence. The crime will normally be termed as a cyber related case if it includes evidence from digital devices.

[Figure 1. Digital Forensics Department Case Statistics from 2002-2010. Series: Digital Forensics Cases, Data Recovery Cases; horizontal axis: Year.]

From 2002 to 2010, the Digital Forensics Department managed 1,893 cases (Figure 1), including crime scene investigations with broad technical background. The cases included computer forensics, mobile telephone forensics, audio forensics, video forensics and data recovery.[6] A total of 600 cases from various legal agencies were analysed in 2010. Among the legal agencies that made referrals to the Digital Forensics Department were the Royal Malaysia Police, Royal Malaysian Customs Department, Malaysian Communications and Multimedia Commission, Companies Commission of Malaysia, Securities Commission Malaysia, Malaysian Anti Corruption Commission, Ministry of Defense and Ministry of Domestic Trade, Cooperative and Consumerism. The Royal Malaysia Police was the highest contributor, with 246 digital

[7] www.mycert.org.my.

[Figure 2. 2010 cases by (categories shown: Financial Fraud, Harassment, IPR, Physical Attack, Internet Scam, Forged Documents, Robbery, Gambling, Voice Identification, Video Enhancement, Document Extraction).]

Cases of financial fraud (Figure 2) were the highest in 2010, involving pyramid and investment schemes. Second, with 76 cases, were illegal businesses and piracy of games, grouped under ‘IPR’.
Harassment cases were divided into three types: threats, blackmail and sexual. Document falsification (forgery of documents) such as forged passports and visas amounted to 6 cases. Internet scams, sedition, physical attacks, gambling, robbery, voice identification, video enhancement, document extraction and bribery recorded 11, 23, 8, 64 (higher than previous year due to the World Cup match), 8, 2, 23, 18, 20 cases respectively.

The Malaysia Computer Emergency Response Team (MyCERT[7]) is another department within CyberSecurity Malaysia that provides a public service called Cyber999 to assist and provide advice to Malaysian citizens on cyber related incidences. It handled 8,090 incidences in 2010, and the most frequent complaint was fraud, with 2,212 requests for assistance. Other complaints included intrusion, spam, cyber harassment, denial of service, reports on vulnerabilities and matters related to the content of web sites.[8]

[8] For MyCERT Incident Statistics figures, mycert/2012/main/detail/836/index.html.

Examples of problems encountered in Malaysia

There are challenges in operating a digital forensics service because cases of cyber crime and the use of digital devices linked to crimes have increased every year. The diversity of the technologies used has been the main problem for the Digital Forensics Department, and still is. For instance, some of the cases reported in 2010 included hard disks that were in a poor condition and malfunctioned. Forensic data recovery of the hard disk requires specialized techniques, tools and clean facilities.[9] Forensic data recovery of a digital video recorder is an example, and expertise in this subject is urgently needed because cases in which video evidence has been found are increasing by approximately 15 per cent annually. The need for such expertise is further justified at a time when the government is installing more closed circuit televisions.[10]

If forensic data recovery of a digital video recorder fails, other forensic analyses such as video authentication, image enhancement and identification could not be conducted. The major problems faced by the digital forensics specialists are usually because they are asked to forensically examine customized, proprietary and corrupted digital video recorders with a variety of video file formats. This makes video files with timestamp extraction and playback more complicated. Using commercial and open source digital forensics tools is often ineffective because they are not able to analyze digital video recorders.

Digital forensics research in Malaysia

It is suggested that innovation[11] and investment are the answer to the problem faced by the authorities in Malaysia. The Digital Forensics Department has a research unit to handle operational matters. Hypothetically, analyzing data streams can resolve the forensic data recovery of digital video recorder complexity.
Information on the forensic data recovery of digital video recorder techniques and tools is not freely available because of manufacturing secrecy. Existing research on this topic is limited, and empirical examination is currently being carried out by the Digital Forensics Department. The aim is to produce best practice guidelines, and a software tool will be developed to assist digital forensics specialists in their work. Nevertheless, a scientifically proven framework with three main steps is completed and is referred to in Figure 3.

[Figure 3. Framework of Forensic Data Recovery of Digital Video Recorder]

Digital forensics procedures in Malaysia

The Digital Forensics Department[12] is frequently referred to if the crime needs a thorough digital evidence analysis and involves criminal proceedings with the aim of bringing the offender to justice. The service request is made by the respective legal agency by handing over the evidence, and a case file will be opened to collect all the details. The two parties will maintain constant communications, and an expert witness will maintain records on the progress of the technical analysis until the handover of the final report and possible appearance in court. All investigations and criminal proceedings are handled by the respective legal agencies.

In principle, the standard operating procedures of the Digital Forensics Department consist of identification, preservation, recovery, analysis and presentation of digital evidence. This follows the ASCLD/LAB International requirement,[13] an American Society of Crime Laboratory Directors Laboratory Accreditation Board[14] and ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories. The aim is to provide for high quality and foundations for the work undertaken by the Digital Forensics Department.[15] The agencies that refer work to the Digital Forensics Department value such accreditation, and consequently they send more work to be processed by the Digital Forensics Department, even if some of them have their own digital forensic laboratories.[16]

All digital forensic specialists must adhere to the standard operating procedures strictly, from the moment the evidence is accepted or obtained during the crime scene investigation, until the analysis is completed. This is to avoid any challenges in court relating to the procedures adopted by the digital evidence specialist. Additionally, a set of digital video recorder data recovery best practice guidelines is going to be developed by the Digital Forensics Department, and will be recommended for reference when giving opinion evidence. This kind of document is scientifically produced and difficult to rebut by the opposing party.

The standard operating procedures of the Digital Forensics Department also include guidelines in giving expert witness testimony. They are: to understand the act used to charge the suspect and other related information during the criminal proceedings; to review, validate and finalize their report findings; statements taken from the expert witness for court submission and their legal standing; to understand the prosecution course of action; the appropriate expert witness presentation style; to understand how cross examination is being conducted, and overall post-event analysis.

The opinion of an expert witness is based on the facts in a case and must be proven by admissible evidence. This is on the ground that the courts need a digital evidence specialist to testify on the digital forensics evidence tendered in a criminal proceeding. Acceptance of expert opinion is regulated by Section 45 of the Evidence Act 1950 which provides:

45. Opinions of experts
(1) When the court has to form an opinion upon a point of foreign law or of science or art, or as to identity or genuineness of handwriting or finger impressions, the opinions upon that point of persons specially skilled in that foreign law, science or art, or in questions as to identity or genuineness of handwriting or finger impressions, are relevant facts.
(2) Such persons are called experts.

In Malaysia, the procedure for admittance of expert evidence can be noted from section 399 of the Criminal Procedure Code Act 593. A digital forensics specialist report produced by CyberSecurity Malaysia is recognized under section 399(2)(f) of the Criminal Procedure Code, which reads as follows:

Reports of certain persons
399. (1) Any document purporting to be a report under the hand of any of the persons mentioned in subsection (2) upon any person, matter or thing examined or analysed by him or any document purporting to be a report under the hand of the Registrar of Criminals upon any matter or thing relating to finger impressions submitted to him for report may be given in evidence in any inquiry, trial or other proceeding under this Code unless that person or Registrar shall be required to attend as a witness
(a) by the Court; or
(b) by the accused, in which case the accused shall give notice to the Public Prosecutor not less than three clear days before the commencement of the trial:
Provided always that in any case in which the Public Prosecutor intends to give in evidence any such report he shall deliver a copy of it to the accused not less than ten clear days before the commencement of the trial.
(2) The following are persons to whom the provisions of this section apply:
(a) officers of the Institute for Medical Research;
(b) Government Medical Officers;
(c) chemists in the employment of any Government in Malaysia or of the Government of Singapore;
(d) any person appointed by the Minister by notification in the Gazette, to be a Document Examiner;
(e) Inspector of Weights and Measures appointed as such under any written law relating to weights and measures in force in Malaysia; and
(f) any person or class of persons to whom the Minister by notification in the Gazette declares that the provisions of this section shall apply.
(3) The persons referred to in subsection (2) and the Registrar of Criminals are by this Code bound to state the truth in reports made under their hands.

Digital forensics has been used in Malaysia’s courts to inculpate or exculpate a suspect.[17] Courts accept digital evidence, and digital forensic experts are called to provide expert opinion. In 2009, eleven cases were taken to court under sections 211 and 233 of the Malaysian Communications and Multimedia Act 1998.[18] The suspects were charged for posting coarse comments on web sites, short message service (SMS) and e-mails that insulted the Sultan of Perak (one of the states in Malaysia).[19]

Digital forensics achievements in Malaysia

The Malaysia government supports the development of the Digital Forensics Department laboratory. This is important, because the cost is high. Equally important is to carefully plan for the quality of the people involved, as well as the quality of the process and facilities – all of which are capable of adding to its success.

Progress must be made in parallel across training, laboratory accreditation and installation of equipment (plus future expansion). Figure 4 summarizes the achievements of the Digital Forensics Department between 2000-2010; and as of 2011, the Digital Forensics Department laboratory is ASCLD/LAB accredited.

[Figure 4. The Digital Forensics Department Achievements from 2000 to 2010]

[9] Charles H. Sobey, Laslo Orto and Glenn Sakaguchi, ‘Drive-Independent Data Recovery: The Current State-of-the-Art’, The IEEE Transactions on Magnetics (2007), 1-6.
[10] Nancy Nais, ‘More CCTVs planned for Putrajaya’, New Straits Times, 28 March 2012, http://www.nst.com.my/ trajaya-1.67398.
[11] Kara Nance, Brian Hay and Matt Bishop, ‘Digital Forensics: Defining a Research Agenda’, in Proceedings of the 42nd Hawaii International Conference on System Sciences (2009).
[12] http://www.cybersecurity.my/en/services/digital nu 1
[13] http://ascld-lab.net/Applications.html.
[14] http://ascld.org/.
[15] Jill Slay, Yi-Chi Lin, Benjamin Turnbull, Jason Beckett and Paul Lin, ‘Towards a Formalization of Digital Forensics’, in Gilbert Peterson and Sujeet Shenoi, eds, Advances in Digital Forensics V (2009, Springer, Boston), 37-47.
[16] http://www.sprm.gov.my/.
[17] Aswami Fadillah Mohd Ariffin and Izwan Iskandar Ishak, ‘Digital Forensics in Malaysia’, Digital Evidence and Electronic Signature Law Review 5 (2008), 161-165.
[18] http://www.skmm.gov.my/index.php?c public&v art view&art id 30
[19] Jacqueline Ann Surin, ‘11 cases brought to court under CMA’, The Nutgraph, 21 October 2009, court-under-cma/.

A brief comparison with Japan, discussion and future work

In 2010, internet users in Japan[20] were listed by one marketing organization as being 99,143,700 from a population of 126,804,433 with a penetration rate of 78.2 per cent. The annual growth difference between Japan and Malaysia was only 13.6 per cent. Taking into account that Japan is a developed country with a better infrastructure, the gap is small, which illustrates that the government of Malaysia’s objective to increase the number of people that used the internet in Malaysia is deemed to have been fruitful.

In relation to cyber crime, the reported cases in Japan have increased since 2003.[21] Fraud and fraud using the internet were the highest in 2007 with 1,512 and 1,229 cases respectively. The lowest was cyber crime relating to copyright, with 165 cases. Cases of fraud were common, and it is alarming to note that they are increasing in Japan and Malaysia.

The number of users of the internet in Japan is higher than in Malaysia, which means it is expected that their cyber crime cases were also higher. In Malaysia, even if we combine the reported cases from the Digital Forensics Department (221 cases) and MyCERT (1,038 incidences), the Malaysian figures are lower than the number of cases in Japan (4,082 cases) in 2007. Even though the number of cases in Japan was higher, it is considered a better figure in proportion, because the number of internet users in Japan was about six times higher than in Malaysia. In this regard, Malaysia must take preventative measures to try and reduce the number of reported cases, rather than resolving them.

Unfortunately, the digital forensics agencies in Malaysia operate in such a way as not to communicate with each other. Perhaps this attitude is because of the confidential nature of the work conducted. There are no examples of any effort to share experience, either generally, or to share expertise.
In conducting research for this paper, the authors failed to find evidence of a formal meeting between the agencies, with the exception of the ‘Digital Forensics Forum For Researchers and Academicians’ and ‘Digital Forensics Closed Session Seminar For Law Enforcement Agencies, Regulatory Bodies and Deputy Public Prosecutors’ organized by CyberSecurity Malaysia’s Digital Forensics Department in 2010, the aim of which was to bridge the gap between practitioners and researchers.[22]

This area deals with fast evolving technologies, and the latest threats require the development of new plans in order for the forensics services to stay relevant. The Digital Forensics Department statistics demonstrate that the cases will get more difficult, and cloud forensics is just one practical example of the changes that are occurring. Operational cooperation is needed due to the borderless nature of crime, and it should be extended to research as well. This new approach will be in a better position to resolve challenging cases.

In Japan, one notable sign of progress is the setting up of ‘The Institute of Digital Forensics’.[23] This is a non profit organization whose brief is to look into the area of technology development, globalization, legal reform, public awareness, civilian research and development and higher education. It acts as the intermediary between the government, the national police agency, industry and education, and promotes the development of digital forensics in Japan.

It would be good to have a similar institute in Malaysia. This noble idea is to maintain the progress of digital forensics. It is justifiable by considering the contribution of the Digital Forensics Department since 2000. With the formation of such an institute, more programs can be considered. For future work, it is recommended that the programs noted below should be considered as a matter of

Table 1. New programs for Digital Forensics Institute in Malaysia

Conduct research based on operational or anticipated problems. Outputs are turned into innovative process (technique) and product (tool). Less dependence (independent) on commercial tools. Capable of resolving own problems by sharing case complexity among practitioners and researchers. Creation of research database. Coordinated activities. Optimization of funding.
2. Globalization: Able to work with counterparts. Ensure quality of service on par with others. Standardization of approach and solution. Counteract globalized crime. International recognition.
3. Legal Reform: Better protection for the digital forensics specialist. New act specifically for digital evidence. Mutual treaty.
4. Public Awareness: Increasing public confidence. As a deterrence to crime. More economic activities will be conducted.
5. Higher Education: Engaging with university researchers on the relevant topics. Providing inputs for degree programs. Provide better funding.
6. Cooperation: Sharing of general case information among digital forensics laboratories. For national level engagement against cyber crime. Research and development initiatives can be included with the aim to reduce cost. Sharing of resources to avoid redundancy. Optimizing operation and development fund.
7. Others: Better recognition for the digital forensics specialist. Centralized service with state of the art facilities. Controlled environment with secured system to protect evidence. Focus workforce by separating investigation and analysis tasking. Produce more researchers at PhD level.

Conclusion

Digital forensics in Malaysia is not new, and CyberSecurity Malaysia has been promoting the digital forensics service since 2000. In the span of ten years, the Digital Forensics Department has proved to be successful. From merely providing computer forensic service, it now provides mobile telephone forensics, audio forensics, video forensics and data recovery. As a result, cyber crime and cyber related crime cases have been resolved.

Without the support of the government of Malaysia by providing operational and development funds, the achievements would not have been realized. In order to stay relevant, Malaysia should not be complacent, because the threats will not diminish. In fact, it is safe to say that they will be more complicated in the near future. As a way forward, it is timely to establish a Digital Forensics Institute in Malaysia. The aim should be to bring the service, capability and capacity to the next level.

[20] Internet World Stats and International Telecommunication Union, Japan Internet Usage Stats and Marketing Report,
[21] Jigang Liu and Tetsutaro Uehara, ‘Computer Forensics in Japan: A Preliminary Study’, International Conference on Availability, Reliability and Security ARES 2009 (IEEE Computer Society, 2009), 1006-1011.
[22] tail/1837/index.html.
[23] http://www.digitalforensic.jp.
Aswami Ariffin, Jill Slay and Husin Jazri, 2012

Aswami Ariffin has a bachelor of engineering in electronics from the University of Liverpool and master in management from University of Malaya and works for CyberSecurity Malaysia, Malaysia. Currently, he is pursuing his PhD at the University of South Australia in digital forensics. In 2009, he was awarded ‘Information Security Leadership Award’ by ISC2 for digital forensics contribution in Malaysia.
aswamifadillah@gmail.com

Jill Slay is a professor and dean of research of Information Technology, Engineering and the Environment of University of South Australia.
jill.slay@unisa.edu.au

Professor Husin Jazri is a Director and the Chief Executive Officer of CyberSecurity Malaysia, Malaysia.
husin@cybersecurity.my
