Training

One of the priority areas for the L3CE is training programs which are developed and acquired within the boundaries of competence. The activity involved with training programs combine: needs identification for development of required skills and knowledge; foreign training programs adaptation and preparation for use; self-creation of training programs and their accreditation; education of lecturers. Moreover, L3CE accumulates and publicizes.

1. Identity theft in cyberspace.  “Legal aspects”

The training programme is designed for law enforcement agents who perform investigations of identity theft in cyberspace. Law enforcement agents seeking to successfully investigate identity theft in cyberspace crimes should be familiar with the concept of such crimes, the methods, forms and legal aspects.

The training programme is based on an analysis of the legal and regulatory practices in the European Union and Lithuania and is dedicated to researchers investigating the cases of identity theft. The training courses include the European Union (EU), Lithuania (LT) legislation, EN and EU court procedures, case studies and best practices.

This training programme cover the topics such as personal identity and identification, dangers for personal data in cyberspace, personal identity theft, the concept of identity theft, related danger, results and trends in such activity, forms and methods of committing identity theft, subjects and victims of identity theft in cyberspace, legal regulation related to identity theft in cyberspace, liability for identity theft in cyberspace, prevention of identity theft in cyberspace, legal relationship between electronic information and electronic documents.

Personal identity and identification topic covers the definition of personal identity, the linked to state-approved identification, ways and means for identification in cyberspace, dangers for personal data in cyberspace, the concept and definition of personal identity theft, related danger, results, and tendencies of such activity. The one of the most dangerous threats in cyberspace is electronic identity theft and closely related to dangers for personal data in cyberspace. The identity theft in cyberspace is a wider and complicated crime: electronic identity usage and total accessibility of personal information will only increase, and virtual social networks are spreading quickly, a need for false electronic identity increases as well as the increasing scale of identity theft in cyberspace influences e-business and public e-services, therefore, the financial identity threats are the most dangerous and entrain the biggest financial damage.

Forms and methods of committing identity theft: due to constant progress of information and communication technologies the phenomenon itself acquires new forms, which are moving more and more often into cyberspace. Due to the mentioned reasons the finite list of the forms of identity theft may be compiled only for the present moment. The main forms of committing identity theft are following: thefts of medical identity, computer identity, driver’s license identity, internet identity, financial identity, social security identity, banking identity, corporate identity, criminal identity and passport identity as well as identity theft cloning. The main methods are: phishing, scam, spam, spoofing, spyware, skimming, pharming, replay attack, dumpster diving, creation of a false profile in a social network.

Under the topic for subjects and victims of identity theft in cyberspace the classification of identity theft subjects, the factors that motivate subjects of identity theft in cyberspace, concept and definition of the victim of identity theft in cyberspace are presented as well as ways, how victims usually find out about identity theft, what are prevention measures.

Legal regulation related to identity theft in cyberspace covers the main aspects of EU legal regulation directly and indirectly related to identity theft such as Convention on cybercrime, Convention for the protection of individuals with regard to automatic processing of personal data (the Strasbourg Convention) of 1981, Directive 95/46/EB of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, certain of EU communications, legal regulation that has the biggest link with identity theft in cyberspace is legal regulation of identification, legal protection of personal data, and security of electronic information (cybersecurity). Some principles for legal regulation are established in the Cybersecurity strategy An Open, Safe and Secure Cyberspace of 2013. In addition, the roles and function in cybersecurity of certain institution that act in the domain of cybersecurity on EU level, such as ENISA, EUROPOL and EDA, are explained.

The topic on legal regulation of cybersecurity in Lithuania focuses on 2014 the Law on Cybersecurity of the Republic of Lithuania, the Programme of Cybersecurity Development for 2011-2019 of 29 June 2011 with roles and functions of the main institution for cybersecurity in Lithuania – National Cybersecurity Centre.

The topic on liability for identity theft in cyberspace covers aspects of the criminalisation of identity theft in cyberspace, including comparative aspects on criminalisation of identity theft in cyberspace in Lithuania, the main provisions of Criminal Code of Republic of Lithuania (hereinafter – the Code) and phases of the legal process: for example, the receiving information related to identity is criminalised by articles 166, 167, 198, 198(1), 214 of the Code, the use of information related to identity with the purpose to commit a crime falls under the area of regulation of articles 182, 207, 215, and 300 of the Code, and storing, distribution – partly fall under the area of application of articles 198 and 214 of the Code.

The topic on prevention of identity theft in cyberspace includes crime prevention (common aspects, levels of identity theft in cyberspace prevention, prevention level of specific person, 21 rules, prevention in public and private sectors, Red Flag rules), the level of non-formal social combinations, formations and organisations as well as prevention of identity theft in cyberspace on the international, bilateral (inter-national) and (or) regional level.

The topic on legal relationship between electronic information and electronic documents focuses on such aspects: when assessing electronic evidence and its probative value, the court must consider the reliability of such evidence, which could be questioned. Therefore it is necessary to determine a method of creating, storing and transmitting electronic information / data, the integrity, authenticity, and reliability of stored information and other important circumstances. These conditions are necessary for physical documents as well as for information recorded in cyberspace – for electronic documents: authenticity and reliability of a document, document integrity, suitable for use. The definition of electronic document, electronic information, electronic data and electronic document is presented and their suitability as evidence in criminal proceedings.

The training programme is tailored both for in the class-training and learning remotely.

2. Forensic investigation in a Virtual Environment and hidden crime information detection 

The training programme is designed for law enforcement officers who perform criminal investigations of virtual and cloud computing environments.

Law enforcement agents seeking to successfully investigate cybercrimes must know the basic virtual and cloud computing environment operating principles, criminal concealment capabilities, cyber-crime evidence collection techniques in virtual and cloud computing environments. The aim of this training programme is to provide knowledge which would help to reduce international cybercrime damage by stopping these crimes in a timely manner. The training programme includes an analysis of cyber security vulnerabilities, cybercrime in cloud computing environments, practices applied in the EU and LT, and experience in developing of training programmes.

This training programme covers the topics such as the main concepts of virtualisation and cloud computing, challenges for virtualisation, forensic investigation of virtualisation technologies for personal use and corporative use, basic on encrypting, steganography, data bases and virtualisation technologies for cybercrime.

The forensic investigation of virtualisation technologies for personal use is going into detail, how to identify the use of virtualisation technologies at in-situ search and inspection, the most popular virtualisation technologies for personal use (Google Drive, Dropbox, OneDrive, iCloud, Box, Spideroak, etc.), how to collect information from typical virtualised environments, the most often used virtualised services (e-mail, contacts, calendars, documents, spreadsheets, music, photos, videos, slideshows, fileshares, media streaming, desktop apps/access), how the access rights are organised, users authentication, how an additional information could be collected using available information (using other user accounts), the commonly used virtualisation technologies with mobile access in accordance with mobile technology groups (iPhone, iPad, Android, Windows Mobile, BlackBerry, Mobile Browser), the commonly used the social internet services that could be used as virtualisation technologies (Facebook, Instagram, etc.), collection of big data, the usage of remote access to forensic data storage, the typical problems and their solutions scenarios.

The forensic investigation of virtualisation technologies for corporative use is focusing on the commonly used virtualisation technologies in business, Citrix virtual environment and search of evidences in Citrix virtual environment (XENServer), Vmware virtual environment and search of evidences in Vmware virtual environment (ESXi), Microsoft virtual environment and search of evidences in Microsoft virtual environment (Hyper-V), how to proceed at detection of the usage of virtualisation technologies at in-situ search in company.

Encrypting topic includes the presentation of the methods and means of data encrypting potentially used to hide the criminal information in computers and in virtual environment, methods and means for detection, extraction and storage for further investigation of encrypted data and encrypted files.

Steganography topic focuses on the methods and means of steganography potentially used to hide the criminal information in computers and in virtual environment, methods and means for detection, extraction and storage for further investigation of data and files hidden by using steganography methods.

Data bases topic highlights an expertise of data bases.

Topic on vulnerability of IS backed out by data bases focuses on SQL injection, forensic of data bases vulnerability and search crimes footprints.

Topic on virtualisation technologies for cybercrime explains the mechanisms of DDOS and anonymization.

The training programme is tailored both for in the class-training and learning remotely.

The training programme is tailored both for in the class-training and learning remotely.

3. First Responder

The training programme “External storage inspection” according to the training programme that is developed by Cybersecurity and Cybercrime investigation Centre of Dublin College University (UCD CCI), is adapted in cooperation with L3CE, Ekonominės konsultacijos ir tyrimai (EKT) and Vilnius County Police Headquarters (VCP).

The training program “First responders” according to the training programme that is developed by Cybersecurity and Cybercrime investigation Centre of Dublin College University (UCD CCI), is adapted in cooperation with L3CE, Ekonominės konsultacijos ir tyrimai (EKT) and Vilnius County Police Headquarters (VCP).

Training programme is dedicated to law enforcement officers who investigate or are related with solving ICT use for criminal purposes. The main objective of this programme is to equip the participants with knowledge about IT and their abuse, cybercrime evidence collection, and instructions on how to effectively react to the reports on cybercrime. Moreover, the trainees will be introduced with seizure and handling of electronic evidence. This training programme also contains a component for training of trainers how to deliver course First responders – what training methods, practical exercises to be used, how to perform the testing and examination of gained knowledge and skills.

First responders course systematically acknowledging with basic how computers work, jargon buster, cybercrime business model, Tor and Darknet, psychology of child abuse, how malware infects, how Freetool for first responders could be used, search basic and LDF for first responders, what are CCIU requirements, how does network, Ips & domains work, what are Email headers, ASP request, ebay& paypal, Facebook, Google search and how all these affecting victims and how the crime could be committed. The theoretical knowledge presentation is followed by demonstration of Freetool that tackles to detect and search of footprints and cyber evidences. The training also includes the introduction into OSINT– what are OSINT tools and resources, exif, the main OSINT principle “follow the Money” explanation followed by demonstration and analysis of the OSINT case study.

The topic on introduction to computers, peripheral devices & networking covers the various components of modern computers, expansion cards, Ethernet expansion cards, input and output hardware, RAM (random access memory), SSD (solid state drives), hard disk drives (HDDs), auxiliary storage (floppy disks, optical disks, flash drives, magnetic storage, RAID (redundant array independent disks), the principles of connecting to other computers, the main numeral systems used by computers and networks, how do computers process data, the main encoding systems ASCII (American Standard Code for Information Interchange) and Unicode, cryptography overview, time zones and converting to UTC.

Topic on Jargon Buster allows for participants to understand and describe understand and describe the most common attack vectors such as computer worms, Spyware, DDoS attack (distributed denial-of-service attack), phishing, vishing and the hallmark features of these scams, schemes “man in the middle and watering hole attack, Cross-Site Scripting (XSS) attacks, zero day attack, Botnet. The crime prevention advices are also presented. This topic includes the practical exercise for participants on phishing.

Cybercrime business model topic cover the list of prominent cybercrime marketplaces, categories of cybercrime business models (commercial model, organised model, outsourcing model, mentor-apprentice model) followed by “Topfox” case study, theft chain, exploitation of affiliate marketing, customer service, legitimate merchant account and webmoney for committing of cybercrime, roles and types of money mules, the chain how the fraud works.

The topic on deep internet covers the deep web, the underground internet, the onion router (Tor), the mechanism how Tor works, what are Tor hidden services, how to access Tor and what are Tor investigation tools for law enforcement.

Introduction into psychology and Child Sexual Exploitation (CAM) is relevant to understand patterns and behaviour of criminals on internet. The types of child sexual exploitation are presenting such as contact sexual abuse, trafficking for sex, recording sexual abuse, trading recorded material, grooming and inappropriate attention. Based on psychology (Finkelor theory) the four preconditions for child sex offending are explained such as motivation, overcoming internal inhibitors, overcoming external impediments, overcoming victim resistance and how this goes throw the internet into the mix.

The key topic is on search and seizure guidelines that explain the principles for the seizure of electronic evidences, on demonstration how to identify, seize and transport electronic evidence and how identify portable and removable storage media. The good practice principles for electronic evidence are presented. Detail description of steps to be taken covers pre-search preparation process, crime scene investigation process and related legislation. Pre-search phase preparation includes the presentation of the main principles, actions for pre-search preparation such as appointment of officer in charge, distribution of roles scene secure team appointment, equipment preparation, application to CCTV (Closed Circuit Television), search briefing background and targets, search team appointment. The crime scene investigation process covers on-site analysis, on-site computer response team, appointment of equipment officer and transport team, case information search site intelligence, search methodology, photographing / sketching scene, evaluation for “live” analysis, live forensics; on-site live computer systems, response team, on-site observations and transporting evidence.

LDF (live data forensics) for first responders focuses on how to examine historical data from web browsers, to perform basic Live forensic operation, what to do and what don’t, what are ACPO Guidelines, how to record activities and ensure compliance with the Law, what is ‘Post Mortem’ (cold) forensics. The topic is followed by exercises on “live analysis”, what is private browsing: Firefox, Google Chrome, Internet Explorer, Safari, how to analyse e-mails and IM chats, what are evidence of e-mails and IM chats.

Basic on encryption is presented – knowledge and observation. Training course knowledge is supported by Freetool demonstration and exercise. The topic on internet enable the participants to discuss the history of the Internet and covers items such as principles of the internet, internet protocols, TCP/IP architecture and protocol suite, IP addresses, network addressing, network addressing capabilities, reserved IP addresses, circuit switched vs. packet switched, packet header information, TCP/IP and packet switching, the internet – the real view, additional notes on IP addresses, ipv6 addresses, connecting to the internet, what is a HTML file, creating and opening a HTML file, mypage.html, web pages – image issues, correcting our code, web pages and colours, adding colour to our web page, extending HTML, web browsers, browser statistics, Firefox 5.0, web servers, what is HTTP, how to send a HTTP request, cookies, top level domain names & country codes, domain names, IP and e-mail addresses, managing the domain name server system, Regional Internet Registries, how do you get a domain, hosting options, web pages and web servers, web site statistics Introduction into identity theft includes definition of identity theft, how data used to commit identity fraud or obtain personal information, what information at social networking sites could be used for fraud, what are ID theft & Cyber-bullying, phishing for data, a phishing scam, publicly available personal information, impersonating the Dead, information collected at e-commerce sites, database hacking, insider threats, identity theft online, social engineering, using personal information to defraud financial institutions, selling personal information, how to protect against identity theft. The topic is followed by practical exercise on incident response task. The topic on auction fraud and online payment systems covers items such as online auctions, making money from auctions, analysis of case studies on different types of frauds such as auction for sale (PlayStation 2 Original Box and Receipt), non-delivery of purchased items (the Rotten Apple), misrepresentation, shill bidding as well as other types of auction fraud (overpayment fraud, black-market/counterfeit goods, bid siphoning, second-chance schemes). To this topic is related investigation of in payments systems. This investigation topic covers eBay’s privacy policy, information that eBay can provide, using payment systems to protect your money, what is PayPal, sending and receiving money via PayPal, PayPal e-mail scams, escrow services and fictitious ‘escrow’. The topic is followed by examples and introduces the LEP (Law Enforcement Portal) – tool for registered Law Enforcement officers to obtain eBay user information without the need of faxing a data request, Law Enforcement eRequest System (LERS). Network Investigation: e-mail headers, online groups and social networking, Newsgroups, Usenet News, Google Groups, News Programs, Usenet newsgroups, Usenet Headers. Facebook Investigations topic allow to understand the Facebook data request process, present a list the information to include in a data request, how does it work an access the Facebook activity log, how to download an injured parties/suspect Facebook account, what does it mean to “preserve” records, what are account preservation requests, data requests process, identifying Facebook profiles, Facebook graph, information to include into records, data received for basic subscriber information, data requests statistics, Mlat, accessing fb activity log, activity log, picture info, downloading a Facebook account, download process, index.html, messages, security tag, photographs. The introduction into OSINT covers definition of OSINT, explains the relevance of OSINT for law enforcement and presents the sources of OSINT, tips for success, safe surfing and evidencing OSINT. This topic is followed by exercise 1: Using ECHOSEC.net. The basic on Google Search presented: Quotation Marks and Search Term, Google Operators, Sites, “Linkto:”, Google Search Tools, Google Alerts, images.google.com, Google Operators Guide. The training programme is tailored both for in the class-training and learning remotely.

The training programme is tailored both for in the class-training and learning remotely.

4. External storage inspection 

The training programme “External storage inspection” according to the training programme that is developed by Cybersecurity and Cybercrime investigation Centre of Dublin College University (UCD CCI), is adapted in cooperation with L3CE, Ekonominės konsultacijos ir tyrimai (EKT) and Vilnius County Police Headquarters (VCP).

This training programme is developed and dedicated to law enforcement officers conducting on-site search and inspection of the external storage that was possibly used the information and communication technologies to do crime.

The main objective of the training programme – to provide trainees with knowledge and understanding of the digital traces collection methods and tools of coherent stages and the steps at each stage on how to prepare for and carry out digital footprint collection, how to capture and to document the evidence collected so that they can be recognised in the court process.

Presenting the digital footprints’ collection methods the detailed information with the practical exercises is providing, in particular on copies, backups and images, an introduction to the collection and presentation of hash value (MD5, SHA1), on data about data (metadata) and how a report is produced.

The training with tools for of digital footprints collection are taught how to set up the official working computer to collect the digital footprints, how to prepare the hardware and software that protects information from alteration, introduces into the operation of software for information analysis.

A comprehensive and coherent action plan, covering the preparation, execution and closing stages, allowing law enforcement officers to properly gather digital evidence, not to make mistakes, unaltered information so that it can be used as sharply further in the investigation and in court (if applicable) and not miss important clues. It also allows you to standardize proceedings throughout the whole chain and to train more officers throughout Lithuania. Particularly detailed is training in the execution phase which will focus on protection of information, scanning and emulation of the precise forensic copy.

Presentation of specific actions to be carried out depending on an external storage type, e.g., at inspection of optical discs is important to know how to scan the damaged optical discs, what are the difference between R (recordable) and RW (Rewritable) optical disks, what are optical drives file systems and what are launching optical discs. By reviewing USB devices it is important to know what USB flash drives and how they work, what are memory cards, external hard drives, files system (FAT, FAT32, NTFS, EXT4, hide sections and launch pads).

As the digital footprints of crimes may be in other devices that could be used as external storage, such as, mobile phones, video capture devices, audio players, game consoles and so on, so the trainees were trained how to collect digital evidence from these devices as well. An analysis of programmes and inspection of user-created files can provide additional information about criminal activity in cyberspace and left digital footprints. In analysis of programmes the main attention should be draw on analysis of log files and inspection of temporary files. The user-created files examined by checking that files or video files were watched or searched, by checking which video files have been viewed or searched for, are taught how to restore the destroyed files, search for hidden or encrypted files, as should be done in the virtual disk inspection. The final stage focuses on the correct and consistent writing of the protocol on inspection results for the census to collect evidence to be used in further investigations and judicial proceedings. According to the inspection results the further comprehensive IT investigation could be ordered, thereof, the trainees were trained how to properly fulfil IT investigation order – what are the facts have been recorded, what questions must be answered, etc.

The training programme is tailored both for in the class-training and learning remotely.