Cyber Security Incident Response and Reverse Engineering

2022

Abstract

Although incident response has always been a crucial component of information security, security administrators frequently neglect it. Reverse engineering, in turn, addresses the difficult problem of analyzing legacy software in the absence of adequate documentation. This paper proposes an approach to understanding cyber security incident response and the services it provides, followed by the resources used in reverse engineering and a detailed practical analysis of the malware known as "Alice ATM Malware".

LGU International Journal for Electronic Crime Investigation (IJECI), Vol. 6, issue 4, 2022. ISSN: 2522-3429 (Print), ISSN: 2616-6003 (Online). Research Article.

Taseer Suleman and Nadia Liaquat
School of Electrical Engineering and Computer Sciences, NUST, Islamabad, Pakistan
Corresponding authors: [email protected], [email protected]
Received: 11 September, 2022; Accepted: 14 November, 2022; Published: 20 December, 2022

Key words: Cybersecurity Incident, Indicator of Compromise, Digital Defenses, Computer Security Incident Response Team, IDA Decompilers, Reverse Engineering.

1. Introduction

Highly skilled attackers pose a continuing threat to organizations. Attackers constantly discover new ways to breach organizations' digital defenses to steal information or disrupt their operations, and the threat landscape is changing rapidly (Ahmad et al. 2019). There is a lot of ongoing research on how to reinforce these digital defenses, but relatively little is done to improve the process that takes over when things go wrong: incident response (IR) [1]. When digital defenses fail, cybersecurity incident response teams are at the forefront and must intervene to reinstitute services andical problems are impeding the incident response team's capacity to respond to cyber-attacks (Nyre-Yu et al. 2019) [2].
By removing these obstacles, organizations may become better able to respond to incidents in general. One way to achieve this is through training, particularly training scenarios, which can boost a team's cybersecurity performance by developing skills and exposing possible flaws. The most significant information technology advancements are right in front of us. Given that approximately one billion computers are now connected to the Internet and that mobile telephony services and e-commerce have converged, enormous amounts of information can move from one network to another with a single request, command, or click (Global Reach, 2005). Numerous technologies, platforms, and infrastructures have grown up to provide services to the end user, who is now the target point because it is the user who requests services, accesses networks and resources, and needs security and privacy [3].

Incident response frequently requires expertise in fields like forensic investigation and malware reverse engineering. Reverse engineering, also known as back engineering, is the process by which a variety of artifacts, including software, machinery, and architectural structures, are taken apart to recover design information. It typically involves disassembling the parts of larger, more complex products. This article covers reverse engineering's common principles, applications, stages, and future, and shows how it is constantly developing and influencing cyber security [4].
Software development can also benefit from reverse engineering, since it allows developers to examine their own binaries and identify flaws that were overlooked during development but that an adversary could find the same way. In cybersecurity it is important because it enables the extraction of Indicators of Compromise (IoC) from samples [5]. Typical IoCs are file hashes, registry keys, imported and exported functions, the programming language used, the compilation date, IP addresses, e-mail addresses, and even text strings present in the code; these are the traces left by attackers [6] [7].

2. Incident Response

Incident response is the organized technique for handling security incidents, cyber threats, and data breaches. Its techniques are used to identify, contain, and reduce the cost of a cyber attack or live incident [8]. Although it is not an end-all solution, a solid incident response (IR) plan can close a potential weakness and avoid further attacks. Response is one part of incident handling, which also covers the coordination, logistics, and planning required to deal with a problem. This work is normally done by the Computer Security Incident Response Team (CSIRT), with assistance from the Security Operations Center (SOC). While incident management is the primary function of the CSIRT, it also has reporting, analysis, and reaction responsibilities. Before these phases can begin, the incident must be detected and promptly reported [9]; this is where the SOC analyst's function becomes crucial.

2.1 Incident Response Services

The most effective incident response is carried out rapidly by trained responders. Organizations frequently lack the funding necessary to keep a fully staffed incident response team on duty around the clock [10]. One alternative is to work with an outside organization that provides qualified incident response services.
Engaging such an organization offers the following advantages:

2.1.1 Availability
The faster the incident response team gets to work, the lower the cost and impact of an attack on the organization. Cybersecurity incidents can happen at any time, and reaching in-house incident response team members after hours can be challenging. Professional incident response companies keep several staff teams on hand to improve coverage and availability.

2.1.2 Experience
Handling security incidents improperly can increase costs and harm the company. For instance, a ransomware attack might leave a system unstable, so that encrypted data is unlikely to be recoverable after a restart. Professional incident responders have the experience to address such incidents accurately and efficiently.

2.1.3 Specialized expertise
Malware reverse engineering and forensic analysis are two skills frequently needed in incident response. Most businesses will not need these skills in-house, but a specialized incident response provider has access to the professionals required to manage cybersecurity incidents successfully.

2.1.4 Controlling all aspects of the incident response procedure
An outsourced incident response provider should meet all of the organization's incident response requirements. This includes putting incident response plans in place, containing identified intrusions, and thwarting potential attacks.

3. Incident Response Plan Phases

An incident response plan is a set of guidelines that must be followed during each stage of incident response. A good plan includes a clear communication strategy, directives defining the duties and responsibilities of each person and organization, and protocols that must be followed at all times [11].
3.1 Preparation
An effective incident response strategy outlines the steps a business should take in the event of a disruptive incident. The plan starts by describing how the company reduces the risk of a data leak [12]. During the preparation stage, organizational data protection policies should be aligned with security objectives and technical defenses. At a minimum, staff must have received information security training; ideally they should also have specialized incident response training. You should also audit your systems to make sure sensitive data is adequately protected.

3.2 Identification
The second component of incident response planning deals with the measures an organization takes to determine when one of its systems has been compromised [13]. The faster you recognize an intrusion, the better able you are to stop the attack; even when that is not possible, you save time and money by limiting the damage and hastening the response effort. The following questions should be answered when investigating a security incident:
• Who discovered the breach?
• How extensive is the breach?
• Has it affected our operations?
• Where did the compromise originate?

3.3 Containment
The third phase covers the steps you should take to minimize harm after being infiltrated. Depending on the circumstances, this can mean removing the criminal hacker from your networks or isolating the already compromised data [14]. During this stage you should consider whether systems need to be shut down or removed and whether there are any rapid fixes for the vulnerabilities involved.

3.4 Eradication
The aim of the fourth phase of a cyber incident response strategy is to fix the fault that caused the data breach.
Again, the specifics depend on the type of incident, but at this point you need to determine how the information was disclosed and how to get rid of the threat [15]. For instance, if your firm had been compromised by malware, you would remove the malicious software and isolate the affected areas; if the attack resulted from a worker's login credentials being stolen by a malicious hacker, you would lock down that worker's account.

3.5 Recovery
Getting your systems back online once the threat has been eradicated is the penultimate step in responding to a cyber incident. In some circumstances this is trickier than in others, but it is an important step that needs to be taken seriously. Without a strong recovery process you might still be vulnerable to attack, which would make the damage worse. As part of recovery, you should test and monitor the affected systems after the issue has been fixed. This confirms that the measures you implemented function as planned and gives you the chance to fix any errors [16].

3.6 Lessons Learned
The final phase of the cyber incident response strategy is reviewing the occurrence and identifying areas for improvement. Your incident response team needs to meet to go over the parts of the plan that worked and any problems encountered. It is important to review the process at every stage: discuss what happened, why it happened, what you did to stop it, and what could have been done differently. For instance, was the documentation clear and effective, and did the plan have any gaps? One to two weeks should pass after the security incident before this conversation takes place; this allows everyone to think about the incident in retrospect while it is still fresh in memory [17]. The objective of this stage is to prevent inefficiencies from recurring, not to berate team members for prior mistakes.
Failures in the process signal that the documentation was unclear, the proper course of action was not specified, or staff training was inadequate.

4. Reverse Engineering

Reverse engineering is the procedure of obtaining knowledge or design blueprints from anything created by humans. The idea has probably existed since the Industrial Revolution, long before computers or other contemporary technology. It closely resembles scientific research, in which an investigator seeks to identify the "blueprint" of an atom or the human mind; the difference is that in reverse engineering the artifact under investigation is human-made, not a natural phenomenon [18]. When design information is lacking, reverse engineering is used to fill in the gaps in knowledge, ideas, and design philosophy.

4.1 Resources Used in Reverse Engineering
Multiple tools are used to perform reverse engineering. They help to debug, decompile, and disassemble the application.

4.1.1 Debuggers
GDB is a source-level debugger that can also be used to work through binary code: while the program runs you can inspect memory and registers at the assembly level [19]. Debuggers also allow breakpoints to be placed anywhere in the application.

4.1.2 Disassemblers
A disassembler converts machine code into a human-readable format. Because disassembled code lacks the programmer's comments and annotations, reading it is more challenging than reading source code.

4.1.3 Decompilers
Although IDA is difficult to use and requires extensive programming knowledge, its technical level accurately captures the fundamental nature of reverse engineering (Seo et al., 2019).
Decompilation is the process of translating a compiled program into a higher-level symbolic language that humans can comprehend, and it relies on reverse engineering methods.

4.2 Stages in Reverse Engineering
Reverse engineering can be accomplished by creating models that describe the current program and its assumed goal. Three main phases make up this process:
• Implementation recovery. Prepare a preliminary model while learning about the application quickly.
• Design recovery. Resolve foreign key references and undo the database's mechanics.
• Analysis recovery. Eliminate any inaccuracies in the model and remove design artifacts.

4.2.1 Implementation Recovery
During implementation recovery you prepare an early model for reverse engineering. Because it will be used as a reference, this first model should reflect only the implementation and contain no inferences. The first step is to read through the most recent documentation and get acquainted with the program. The resulting context makes it simpler to interact with application professionals and clarifies the developer's intentions. This should take only a few hours. Even though what you learn is unrelated to the actual reverse engineering, it is crucial because it enables you to make more accurate observations as you go. identity and foreign keys. The database structure is then entered, manually or automatically, into a modeling program. Some tools can read an RDBMS's system tables and seed a model; if you use such a tool, you should at least glance over the database schema to get a sense of the development approach. The recovered design may contain optimizations and flaws, but it still reflects the DBMS paradigm as implemented. In practice the model will rarely be complete.
Some of the structure's components may be unclear.

4.2.2 Design Recovery
During design recovery you undo the database's mechanics and carry out only simple operations; conjecture and interpretation wait until the analysis-recovery stage. In most cases design recovery can be carried out independently, without application expertise. You address three main problems at this stage.
Identity: Unique indexes will typically be defined for the keys of prospective entity types. Otherwise, look for unique combinations in the data, which can point to a candidate key but not confirm it. You can also guess potential keys from names and naming conventions. A suspected foreign key may imply a matching candidate key.
Foreign keys: Identifying foreign keys, the references between tables, is often the most difficult part of design recovery. Matching names and data types may indicate a foreign key. Some DBMSs, such as RDBMSs, let developers declare foreign keys and their referents, but most legacy applications do not use this feature.
Queries: When they are available, queries can be used to improve your understanding of

4.2.3 Analysis Recovery
The last step is analysis recovery, in which the model is interpreted, improved, and made more abstract. This is the stage at which you should speak with any available application professionals. Analysis recovery consists of four basic steps.
Clarification: Eliminate any remaining design artifacts. For instance, file and database access keys carry no essential information and are purely design options, so they need not appear in an analysis model.
Redundancy: Remove derived data if it was included to improve database performance or for the wrong reasons. You may need to examine the data to determine whether a data structure is a duplicate.
Errors: Resolve any leftover database problems.
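The identity and foreign-key problems of design recovery (4.2.2), and the orphan check that feeds the Errors step of analysis recovery (4.2.3), can be automated over sample rows. The following is an added example written for this page, not code from the paper; the two tables are constructed and hypothetical, and the heuristics (unique values suggest a key, same name and type across tables suggest a foreign key) are exactly the ones the text describes.

```python
"""Design-recovery helper for section 4.2.2: infer candidate keys and
foreign keys from sample rows of a legacy database that declares no
constraints. Added illustration, not code from the paper; the two
tables below are constructed and hypothetical."""


# Constructed sample data: an undocumented schema with a branch table and
# an ATM table. Nothing is declared as a key; it has to be inferred.
TABLES = {
    "branch": [
        {"br_id": 10, "br_name": "North", "br_city": "Lahore"},
        {"br_id": 20, "br_name": "South", "br_city": "Karachi"},
        {"br_id": 30, "br_name": "East", "br_city": "Lahore"},
    ],
    "atm": [
        {"atm_id": "A1", "br_id": 10, "terminal": "T1001", "cash": 5000},
        {"atm_id": "A2", "br_id": 10, "terminal": "T1002", "cash": 7000},
        {"atm_id": "A3", "br_id": 20, "terminal": "T1003", "cash": 5000},
        {"atm_id": "A4", "br_id": 99, "terminal": "T1004", "cash": 9000},
    ],
}


def candidate_keys(rows):
    """Identity step: columns whose values are unique across every row.
    Uniqueness in the data suggests a key but does not confirm it, so the
    result is a list of candidates to review, not a decision."""
    if not rows:
        return []
    return sorted(
        col for col in rows[0] if len({row[col] for row in rows}) == len(rows)
    )


def foreign_key_candidates(tables):
    """Foreign-key step: a column is a plausible foreign key when another
    table has a candidate key with the same name and the same data type.
    Referencing values missing from the referenced column ("orphans") are
    reported; they point to broken integrity or to a wrong guess."""
    keys = {name: set(candidate_keys(rows)) for name, rows in tables.items()}
    findings = []
    for table, rows in tables.items():
        for col in rows[0]:
            for other, other_rows in tables.items():
                if other == table or col not in keys[other]:
                    continue
                if type(rows[0][col]) is not type(other_rows[0][col]):
                    continue
                referenced = {r[col] for r in other_rows}
                orphans = sorted({r[col] for r in rows} - referenced)
                findings.append(
                    {"table": table, "column": col, "references": other,
                     "orphans": orphans}
                )
    return findings


def recover_design(tables):
    """Run both steps and return the recovered (tentative) design."""
    return {
        "candidate_keys": {t: candidate_keys(r) for t, r in tables.items()},
        "foreign_keys": foreign_key_candidates(tables),
    }


if __name__ == "__main__":
    design = recover_design(TABLES)
    for table, keys in design["candidate_keys"].items():
        print(f"{table}: candidate keys {keys}")
    for fk in design["foreign_keys"]:
        print(f"{fk['table']}.{fk['column']} -> {fk['references']}, "
              f"orphans: {fk['orphans']}")
```

On this data br_name comes out as a candidate key of branch purely because three rows happen to differ, which is the false positive the text warns about; the atm.br_id reference to branch is found, and the value 99 with no matching branch row is the kind of leftover problem that analysis recovery has to explain before calling it a developer mistake.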
Resolving errors is left to this last stage because you need to understand the database completely before you can say that the developer made a mistake; what looks like an error in the early stages may have been a reasonable procedure or the result of inadequate understanding of the database [20].
Model integration: Different information sources can result in different models. For instance, a reverse-engineered model is typically developed from structure and data analysis, while a forward-engineered model could be created from a user manual. The final analysis model must incorporate all of these independent models.

5. Practical Demonstration

Figure 1: Executable file

The sample was checked on VirusTotal, where 54 security vendors and 1 sandbox flagged the file as malicious.

Figure 2: Results of VirusTotal

The file is a 32-bit executable. The Alice ATM malware was first discovered in November 2016 as part of an ATM malware research study with Europol EC3; however, researchers believe it has been present since 2014. The libraries it imports are shown in Figure 3 and the functions used from each library in Figure 4.

Figure 3: Libraries used by the malware
Figure 4: Functions that are used from this library

Ntdll.dll: ntdll.dll, referred to as the "NT Layer DLL", is the Microsoft module that exposes the NT kernel (native API) functions.
Comctl32.dll: the module containing the standard GUI controls used by Windows programs.
Msxfs.dll: Microsoft provides little documentation for msxfs.dll; it is the XFS Manager library through which the WFS* calls analyzed below are made.
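The static part of this triage (hashes, 32-bit check, compile date, imported library and the strings recovered from the binary) is the IoC extraction the introduction describes. The following is an added example written for this page, not code from the paper: it builds a constructed stub PE (a DOS header, PE signature and COFF header followed by a byte payload, not the Alice sample and not a loadable executable) and runs the same checks over it. The URL and e-mail in the payload are reserved documentation placeholders, and the "dispenser but no PIN-pad string" heuristic is this example's own reading of the paper's key points.

```python
"""Static IoC triage of a PE file: hashes, architecture, compile timestamp,
and printable strings with IPs, e-mails and XFS API names picked out.
Added example, not code from the paper. The file analysed is a constructed
stub built by build_stub_pe(), not the Alice sample."""
import hashlib
import re
import struct
from datetime import datetime, timezone


def build_stub_pe(timestamp, machine=0x14C, payload=b""):
    """Construct a minimal PE-shaped blob: DOS header with e_lfanew at
    offset 0x3C, PE signature, 20-byte COFF header, then the payload.
    Enough for header triage; it is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0)
    return dos + b"PE\x00\x00" + coff + payload


# Constructed payload: strings of the kind section 5 recovers from the
# binary. 203.0.113.7 and example.net are documentation placeholders.
SAMPLE_PAYLOAD = (
    b"\x00Project Alice\x00msxfs.dll\x00CurrencyDispenser1\x00WFSStartUp\x00"
    b"WFSExecute\x00http://203.0.113.7/panel\x00ops@example.net\x00\x01\x02"
)
SAMPLE = build_stub_pe(1480636800, payload=SAMPLE_PAYLOAD)  # 2016-12-02 UTC

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
XFS_API_RE = re.compile(r"^WFS[A-Z][A-Za-z]+$")


def pe_header_info(blob):
    """Read architecture, section count and compile time from the headers.
    Raises ValueError for anything that is not MZ/PE shaped."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsections, ts = struct.unpack_from("<HHI", blob, e_lfanew + 4)
    arch = {0x14C: "x86 (32-bit)", 0x8664: "x64"}.get(machine, hex(machine))
    return {
        "arch": arch,
        "sections": nsections,
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
    }


def triage(blob):
    """Collect the static IoCs for one file into a single dictionary."""
    strings = [s.decode("ascii") for s in STRING_RE.findall(blob)]
    info = pe_header_info(blob)
    info.update({
        "md5": hashlib.md5(blob).hexdigest(),
        "sha1": hashlib.sha1(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "strings": strings,
        "ips": sorted({ip for s in strings for ip in IP_RE.findall(s)}),
        "emails": sorted({e for s in strings for e in EMAIL_RE.findall(s)}),
        "xfs_apis": [s for s in strings if XFS_API_RE.match(s)],
        # An XFS dependency plus a dispenser service name and no PIN-pad
        # reference is the pattern the paper describes for Alice.
        "uses_xfs": any(s.lower() == "msxfs.dll" for s in strings),
        "dispenser_refs": [s for s in strings if "Dispenser" in s],
        "pinpad_refs": [s for s in strings if "pin" in s.lower()],
    })
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Against a real sample, replace SAMPLE with the file's bytes; the compile timestamp is attacker-controllable and should be treated as a hint, not evidence, which is why it is reported beside the hashes rather than used for any decision.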
Malicious Strings:
Figure 5: Malicious Strings

Dynamic Analysis:
When the malware is run it asks for a PIN, and it accepts only 123. With any other number it did not proceed; when 123 was entered it automatically moved on to the next step [21]. The "operator panel" is opened by entering a special 3-digit PIN based on the terminal ID of the ATM.

Figure 6: Running the malware

The routine shown in Figure 7 appears to be where the password is defined. After the PIN is entered, the malware asks for the cassette ID. Once the "operator panel" is open, the loaded cassettes holding the money are visible, with the values ID, Bills count, Bill value, Currency, and Result; every cassette containing money in the machine is displayed.

Figure 7: Password defined
Figure 8: Entering the PIN

At this point it detects whether it is running on an ATM. When running on XFS (Extensions for Financial Services)-based machines it accepts input. XFS provides a client-server architecture for Microsoft Windows-based financial applications, particularly those that use specialized peripherals such as ATMs.

Figure 9: Second call

In the second call it invokes the function sub_401078, which calls WFSStartUp. WFSStartUp establishes the connection between an application and the XFS Manager and has to be the first XFS API function a program calls; no other XFS function can be used until WFSStartUp has completed successfully. After that, it calls DialogBoxParamA.

Figure 10: DialogBoxParamA

DialogBoxParamA takes five parameters, one of which is a function (the dialog procedure).

Figure 11: Function as parameter

The function passed as a parameter manages the message box that appears when we run the program and decides whether the provided data is correct or not.

The highlighted function is responsible for connecting to the CurrencyDispenser1 of the ATM. Alice connects to the ATM's CurrencyDispenser1 peripheral and to no other hardware; therefore the criminal does not need to issue any command via the PIN pad. Here we can also see the malware's name, Project Alice.

WFSClose is used to end a session (a series of service requests) between the application and the designated service that was started using WFSOpen. It then calls WFSFreeResult, which informs the XFS Manager that a memory buffer dynamically allocated by a service provider is ready to be released; an application uses this function to deallocate that memory.

A second call was placed to WFSRegister, which enables event monitoring for the specified service via the specified window: all messages of the defined event classes are forwarded to the window indicated in the hWndReg argument. For instance, the application can call WFSRegister with SYSTEM_EVENTS and USER_EVENTS to receive both system and user events.

At this point it checks whether the input cassette is available: if it is, it calls the highlighted function; otherwise it takes the else branch and displays an error.

WFSLock establishes the application's exclusive control over the designated service. Before beginning the transaction, the application needs to make sure that it has access to all the devices it needs and that no other program can use them until the transaction is finished; WFSLock and its companion WFSUnlock provide this. After calling WFSLock it issues the next command for execution. WFSExecute sends a service-specific command to a service provider, and WFSUnlock releases a service that was locked by a previous WFSLock.

Examining the next function, it checks whether the selected cassette is available and gives an error if it is not. Before exiting the process it calls a function that in turn calls WFSCleanUp, which disconnects the application from the XFS Manager.

The Flow of XFS APIs used:

Key Points:
The executable file as provided was unnamed; when I started reverse engineering it I found the title "Project Alice". Alice ATM first asks for a PIN; after the PIN is entered, opening the operator panel reveals the loaded cassettes that hold the money. The malware has one main function that it uses to connect to the currency dispenser peripheral in the ATM.
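The XFS call flow reconstructed above (WFSStartUp, WFSOpen on the dispenser, WFSRegister, WFSLock, WFSExecute, WFSUnlock, WFSClose, WFSCleanUp, with no PIN-pad service ever opened) is also a detection pattern. The following is an added example written for this page, not code from the paper or from any ATM vendor: it parses a constructed API-call trace per process and flags a process that locks the currency dispenser and issues a dispense command without having opened a PIN-pad service. The trace line format (time, pid, call, "->" result) and the "PinPad1" service name are hypothetical; the WFS* API names, the WFS_CMD_CDM_DISPENSE command and "CurrencyDispenser1" are the XFS items the paper discusses.

```python
"""Detection logic for the XFS call flow of section 5. Added example, not
code from the paper or any ATM vendor. The trace format (time, pid, call,
"->" result) and the "PinPad1" service name are hypothetical; the WFS*
API names and "CurrencyDispenser1" are those the paper discusses."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+pid=(?P<pid>\d+)\s+(?P<api>WFS\w+)\((?P<args>[^)]*)\)"
    r"(?:\s*->\s*(?P<ret>.*))?$"
)
ARG_RE = re.compile(r'(\w+)=("?)([^,"]*)\2')
DISPENSE_COMMANDS = {"WFS_CMD_CDM_DISPENSE"}

# Constructed trace: pid 4120 mirrors the Alice flow (dispenser only),
# pid 2208 is a legitimate application that also drives the PIN pad.
TRACE = """\
09:14:01 pid=4120 WFSStartUp(dwVersionsRequired=0x00030003) -> WFS_SUCCESS
09:14:01 pid=4120 WFSOpen(lpszLogicalName="CurrencyDispenser1") -> hService=1
09:14:01 pid=4120 WFSRegister(hService=1, dwEventClass=SYSTEM_EVENTS|USER_EVENTS) -> WFS_SUCCESS
09:14:02 pid=4120 WFSLock(hService=1) -> WFS_SUCCESS
09:14:02 pid=4120 WFSExecute(hService=1, dwCommand=WFS_CMD_CDM_DISPENSE) -> WFS_SUCCESS
09:14:02 pid=4120 WFSFreeResult(lpResult=0x00A4F000) -> WFS_SUCCESS
09:14:03 pid=4120 WFSUnlock(hService=1) -> WFS_SUCCESS
09:14:03 pid=4120 WFSClose(hService=1) -> WFS_SUCCESS
09:14:03 pid=4120 WFSCleanUp() -> WFS_SUCCESS
09:20:10 pid=2208 WFSStartUp(dwVersionsRequired=0x00030003) -> WFS_SUCCESS
09:20:10 pid=2208 WFSOpen(lpszLogicalName="PinPad1") -> hService=2
09:20:10 pid=2208 WFSOpen(lpszLogicalName="CurrencyDispenser1") -> hService=3
09:20:11 pid=2208 WFSExecute(hService=2, dwCommand=WFS_CMD_PIN_GET_PIN) -> WFS_SUCCESS
09:20:15 pid=2208 WFSLock(hService=3) -> WFS_SUCCESS
09:20:15 pid=2208 WFSExecute(hService=3, dwCommand=WFS_CMD_CDM_DISPENSE) -> WFS_SUCCESS
09:20:15 pid=2208 WFSUnlock(hService=3) -> WFS_SUCCESS
"""


def parse_trace(text):
    """Turn trace lines into call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        calls.append({
            "pid": int(m["pid"]),
            "api": m["api"],
            "args": {name: value for name, _, value in ARG_RE.findall(m["args"])},
            "ret": m["ret"] or "",
        })
    return calls


def analyze(calls):
    """Per process: opened services, whether a PIN-pad service was opened,
    whether a dispense was issued, and whether the dispense went to a service
    the process had not locked (the WFSLock-before-WFSExecute ordering)."""
    by_pid = defaultdict(list)
    for call in calls:
        by_pid[call["pid"]].append(call)

    report = {}
    for pid, seq in by_pid.items():
        services = {}          # hService -> logical service name
        locked = set()
        pin_pad_used = dispensed = dispense_while_unlocked = False
        for call in seq:
            api, args = call["api"], call["args"]
            if api == "WFSOpen":
                name = args.get("lpszLogicalName", "")
                handle = re.search(r"hService=(\d+)", call["ret"])
                if handle:
                    services[handle.group(1)] = name
                if "pin" in name.lower():
                    pin_pad_used = True
            elif api == "WFSLock":
                locked.add(args.get("hService"))
            elif api == "WFSUnlock":
                locked.discard(args.get("hService"))
            elif api == "WFSExecute" and args.get("dwCommand") in DISPENSE_COMMANDS:
                dispensed = True
                if args.get("hService") not in locked:
                    dispense_while_unlocked = True
        report[pid] = {
            "services": services,
            "pin_pad_used": pin_pad_used,
            "dispensed": dispensed,
            "dispense_while_unlocked": dispense_while_unlocked,
            "verdict": "suspicious" if dispensed and not pin_pad_used else "benign",
        }
    return report


if __name__ == "__main__":
    for pid, r in analyze(parse_trace(TRACE)).items():
        print(pid, r["verdict"], r["services"])
```

The rule is deliberately narrow: a legitimate cash-out always goes through the PIN service first, so "dispense with no PIN-pad service in the same process" isolates exactly the behaviour the paper found in Alice, while the unlock check catches a sloppier sample that skips WFSLock.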
During the reverse engineering I did not see it attempt to connect to any other ATM hardware such as the PIN pad, so one thing is clear: it is not controlled by commands issued via the PIN pad.

How exactly it works:
1. It first calls the WFSStartUp API to connect the application to the XFS Manager.
2. It then calls WFSRegister to enable event monitoring for the specified service.
3. Next, it calls the WFSLock API to make sure the application has access to all the devices before beginning the transaction, and that no other application can use them until the transaction is finished; WFSLock and its companion WFSUnlock provide this.
4. Next, a call to WFSFreeResult tells the XFS Manager that a memory buffer dynamically allocated by a service provider is to be freed; an application uses this function to deallocate that memory.
5. Next, it calls WFSExecute to send a service-specific command to a service provider, then calls WFSUnlock to release the service locked by the earlier WFSLock.
6. Finally, it calls WFSCleanUp to disconnect the application from the XFS Manager.

6. Conclusion

The extraordinary rise of information technology has turned the world into a global village: it has made the world smaller and let knowledge flow more freely, but it has also increased Internet vulnerabilities, threats, scams, and criminal activity. The privacy of people, organizations, and states is violated by the accessibility and user-friendliness of hacking tools and the sophistication of cyberattacks. Incident response is now a crucial component of a good computer and network security life cycle, which comprises countermeasures, detection, and reaction.
An organization's information security policy should contain the necessary provisions, and from there planning and organization are essential for a successful incident response effort. Planning and organizing for incident response includes developing a suitable incident response architecture, planning resource requirements, planning the use of technology, developing incident response procedures, cooperating with other teams and organizations, and defining appropriate metrics. Reverse engineering, for its part, encompasses a wide range of tasks, such as system data analysis and the decompilation and disassembly of executable files and libraries. In computer security it is used to analyze malware behavior and develop countermeasures.

7. References

[1] A. Javaid, "Incident Response Planning for Data Protection", SSRN Electronic Journal, vol. 3, no. 4, pp. 21-32, 2013.
[2] A. Ahmad, J. Hadgkiss and A. B. Ruighaver, "Incident response teams: Challenges in supporting the organisational security function", Computers & Security, vol. 31, no. 5, pp. 643-652, 2012.
[3] K. Mandia, C. Prosise and M. Pepe, Incident Response & Computer Forensics, 2nd ed. New York: McGraw-Hill, 2003.
[4] H. A. Müller, J. H. Jahnke, D. B. Smith and M. A. Storey, "Reverse engineering: a roadmap", Proceedings of the Conference on the Future of Software Engineering, 2000.
[5] E. Eilam, Reversing: Secrets of Reverse Engineering. John Wiley & Sons, 2011.
[6] S. K. Udupa, S. K. Debray and M. Madou, "Deobfuscation: Reverse engineering obfuscated code", 12th Working Conference on Reverse Engineering (WCRE'05), IEEE, 2005.
[7] W. Wang, Reverse Engineering: Technology of Reinvention. CRC Press, 2010.
[8] B. Schneier, "The future of incident response", IEEE Security & Privacy, vol. 12, no. 5, pp. 96-96, 2014.
[9] M. J. West-Brown, D. Stikvoort, K.-P. Kossakowski, G. Killcrece, R. Ruefle and M. Zajicek, Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd ed. Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA, 2003.
[10] R. Werlinger, K. Muldner, K. Hawkey and K. Beznosov, "Preparation, detection, and analysis: the diagnostic work of IT security incident response", Information Management & Computer Security, vol. 3, pp. 13-56, 2010.
[11] R. Chen et al., "Design principles for critical incident response systems", Information Systems and E-Business Management, vol. 5, no. 3, pp. 201-227, 2007.
[12] R. Werlinger et al., "Preparation, detection, and analysis: the diagnostic work of IT security incident response", Information Management & Computer Security, 2010.
[13] G. Grispos, W. B. Glisson and T. Storer, "Rethinking security incident response: The integration of agile principles", arXiv preprint arXiv:1408.2431, 2014.
[14] F. Freiling and B. Schwittay, "A common process model for incident response and digital forensics", Proceedings of IMF 2007, 2007.
[15] L. Trevor, "A forensic approach to incident response", Information Security Curriculum Development Conference, 2010.
[16] A. Staves et al., "A Cyber Incident Response and Recovery Framework to Support Operators of Industrial Control Systems", International Journal of Critical Infrastructure Protection, vol. 37, pp. 100-105, 2022.
[17] D. Schlette, M. Caselli and G. Pernul, "A comparative study on cyber threat intelligence: the security incident response perspective", IEEE Communications Surveys & Tutorials, vol. 23, no. 4, pp. 2525-2556, 2021.
[18] H. A. Müller, J. H. Jahnke, D. B. Smith and M. A. Storey, "Reverse engineering: a roadmap", in Proceedings of the Conference on the Future of Software Engineering, pp. 47-60, 2000.
[19] N. Handigol et al., "Where is the debugger for my software-defined network?", Proceedings of the First Workshop on Hot Topics in Software Defined Networks, 2012.
[20] E. Stroulia and T. Systä, "Dynamic analysis for reverse engineering and program understanding", ACM SIGAPP Applied Computing Review, vol. 10, no. 1, pp. 8-17, 2002.
[21] E. Stroulia and T. Systä, "Dynamic analysis for reverse engineering and program understanding", ACM SIGAPP Applied Computing Review, vol. 10, no. 1, pp. 8-17, 2002.