Cybercrime investigation in Uganda fails due to poor first response procedures which often lead to spoliation of evidence making authentication of electronic evidence a tough call to any forensic examiner.
Briefly, prosecution must prove the following three key ingredients in the offense of electronic crime causing financial loss beyond reasonable doubt:
- There was dishonesty by the accused person
- That the dishonesty was deliberate with intent to secure unlawful gain
- That use of a digital device was involved in (i) and or (ii) above.
Without clear standard operating procedures, public awareness for effective first responder to preserve the crime scene for computer evidence, it is difficult, to prove the charges. And that is why most cyber related cases have by far failed at prosecution.
I will mention a few. Aliases have been used and some facts omitted to ensure confidentiality.
Case 1: The web phishing case
1.1 The facts in brief
- A businessman based in Kampala approached an IT company for computer maintenance services. A service level agreement (SLA) was signed, specifying clear terms and responsibilities for each party.
- During the course of the work, unknown to the client, the IT Company outsourced some part of the work to an external consultant who discovered the nature of transactions the client deals in in. Specifically, he noted that the client supplied some imported products to several companies purchased from a specific company in the US.
- Using free Internet tools, the suspect (computer consultant) copied the website of the US supplier and made the replica look exactly like the genuine one and also advertised all the products the company sells. He then sent a link to the victim via a cloud (anonymous) email address, who unknowingly placed orders through the rogue website.
- In the process, payment instructions were exchanged. The first was a bidding security payment of US $90,000. Thereafter, the victim was further asked to pay US $250,000 as part of tax clearance, PVO and inspection, among others. The victim provided evidence as having paid this money to the account provided by the suspect.
- Before the good could be shipped, the victim was further asked to make more payments, which aroused his suspicious. The genuine company never asked for this kind of payment, though at first he had thought of a change of process.
- The victim engaged Summit Consulting Ltd to help in the investigation. As a first step, Summit Consulting advised the client to report the matter to Police, considering the criminal nature of case.
1.2 The investigation
- Since we did not know the suspect, yet, we started by getting the emails received in the victim’s inbox. We were able to obtain the suspect’s email header (has information about the senders IP address and the email path from origin to destination) as well as bank account information and the fake website that had been created. Using WHOIS.com and other cyber forensic investigation tools, we established the details of the webmaster, and key details like email address, name, mobile phone number among others.