Research on Forensic Readiness for AI-Assisted Cybercrime Cases in Singapore
1. What is forensic readiness in cybercrime / AI-assisted contexts
“Forensic readiness” means preparing ahead of an incident so that digital evidence is captured, preserved, and usable for investigation and prosecution. Key features include:
Logging, monitoring and audit trails ready in advance
Systems designed so that evidence of attacks (including by AI-tools) can be retrieved with integrity
Defined chain of custody and tamper-resistant evidence practices
Coordination between cybersecurity, incident response, legal and law-enforcement functions
In AI-assisted cybercrime (e.g., deepfake attacks, AI-enabled phishing, automated malware), forensic readiness becomes more important because the scale, automation, and obfuscation present higher evidential challenges (e.g., attribution, voluminous data, rapid deletion).
In the Singapore context, the institutional and legal infrastructure shows growing attention to these challenges.
For example:
Singapore’s national cybersecurity strategy mentions strengthening “digital forensics and malware analysis” capabilities.
The legislative framework (e.g., Computer Misuse and Cybersecurity Act (CMCA) / the earlier Computer Misuse Act) provides powers relating to search/seizure of computers and data.
The prosecutorial commentary emphasises that AI-enabled crimes pose increasing forensic challenges (e.g., attribution).
Thus, forensic readiness in Singapore must now account for AI-assisted crimes—meaning organisations (private and public) need not only incident response but ready-logging, ready-preservation, cross-border coordination, and chain-of-custody practices viable in court.
2. Legal / institutional framework in Singapore relevant to forensic readiness
Before diving into case studies, it’s useful to summarise key legal provisions and institutional practices that support forensic readiness:
Legal framework
The Computer Misuse and Cybersecurity Act (CMCA) (and its predecessor, the Computer Misuse Act) criminalises, inter alia, unauthorised access and unauthorised modification of computer data/material.
Under criminal procedure, the Criminal Procedure Code (CPC) allows for production orders, search orders and access to computer systems.
Organisations in Singapore are required (for critical infrastructure) to have incident response and notification protocols; for example, via the Cyber Security Agency of Singapore (CSA) and the regulatory regime.
Parliamentary replies disclose that the Singapore Police Force (SPF) has built “digital investigation capabilities”, centralising cyber-forensic functions under a cybercrime command.
Institutional / operational readiness
The written reply to Parliament (2021) states that since June 2015, the SPF’s cyber-investigations, forensics and crime prevention were consolidated under a single Cybercrime Command (CCC) to improve coordination.
The 2014-2018 National Cybersecurity Masterplan (NCAP) of Singapore emphasises strengthening “incident response, digital forensics and malware analysis” capabilities.
Prosecutorial commentary (2025) highlights attribution difficulty in AI-enabled cybercrime, underscoring the need for forensic readiness (logs, traceability, cross-border cooperation).
Forensic readiness implications
From the above, some key legal/forensic readiness implications in Singapore:
Organisations should have pre-incident logging and monitoring systems so when an AI-enabled attack occurs (e.g., automated phishing or deepfake voice scam), investigators can reconstruct the chain of events.
Preservation orders / production orders may be sought by police or prosecutors to secure data before it is destroyed.
Because AI-enabled attacks often cross borders (servers, jurisdiction, hosting), multinational cooperation is necessary.
In litigation or prosecution, digital forensic evidence must meet reliability and chain of custody standards; the readiness of logging and preservation influences admissibility and weight.
Investigations must keep pace with the scale and complexity of AI tools: e.g., large volumes of log data, automated tools generating phishing/adversarial AI, deepfakes.
3. Case Studies from Singapore (or involving Singapore) with forensic readiness issues
While there are limited publicly reported Singapore cases purely labelled “AI-assisted cybercrime + forensic readiness”, we can draw from relevant cases that illustrate forensic readiness issues, especially in digital forensics, cybercrime investigations and emerging AI contexts. Below are five cases or case-studies with detailed discussion.
Case A: James Raj a.k.a. “The Messiah” hacking case
Facts & forensic readiness issues:
The suspect known as “The Messiah” hacked various Singapore government agency and media websites and claimed affiliation with “Anonymous”.
The investigation required forensic triage of the web servers, logs and the hacker’s online footprints (“open source intelligence”). The prosecutor’s speech notes that open source posts by the hacker (boasting about services) were used in prosecution.
The fact that logging and online footprint analysis were used shows that forensic readiness (e.g., logs available, analysis of online footprints) matters.
Legal outcome:
He pleaded guilty to multiple charges under the Computer Misuse and Cybersecurity Act and was sentenced to four years and eight months in prison.
Forensic readiness lessons:
Importance of pre-attack logging and monitoring so investigators could link persona to actions.
Coordination across agencies (Singapore and Malaysian authorities) for extradition and forensic data.
The case underscores that forensic readiness is not just technical (logging) but also organisational and cross-agency.
Case B: Zhang Changjie (private prosecution under CMA/CMCA) – Koh Keng Leong Terence v Zhang Changjie [2023] SGMC 96
Facts:
Zhang, former employee of Genk Capital Pte Ltd, misappropriated company data (copied files to personal accounts) without authority.
The company pursued a successful private prosecution under Section 3(1) of the Computer Misuse and Cybersecurity Act (unauthorised access).
Forensic readiness issues:
The company and investigators had to trace who accessed or copied files and when, which is a matter of logging, file-access auditing and chain of custody of digital evidence.
The judgement emphasised that the files belonged to the company, copying constituted “securing access” under the
Legal outcome:
Zhang was convicted and fined the maximum SGD 5,000. The decision emphasised that private entities may pursue criminal action when their forensic readiness and logging permit evidence of unauthorised access.
Forensic readiness lessons:
In corporate environments, readiness (audit trails, access logs) supports both internal investigation and potential criminal prosecution.
The case illustrates that readiness allows attribution (who accessed what) and linkage to statute (unauthorised access).
Even though it is not purely “AI-assisted crime”, it highlights the forensic readiness infrastructure needed when digital access is abused.
Case C: Digital evidence procedural delay case – [2014] SGHC 10
Facts:
In this decision, part of the issue was whether a “reasonable time” had elapsed for the applicant to be questioned given the trans-border nature of investigations and the forensic process of retrieving digital evidence.
The Court considered that forensic process (retrieval of digital evidence) is “time-intensive”.
Forensic readiness issues:
Investigation of cybercrime (or digital crime) may involve extraction of evidence from remote systems, analysis of malware or hacking tools, coordination with other countries. If logging/preservation is not immediate, evidence may degrade.
The case emphasises readiness in the sense of early preservation and cooperation so delays do not hinder investigations.
Legal relevance:
Demonstrates that the courts recognise forensic readiness/time‐intensity of digital evidence.
Lesson:
Organisations/investigators must act quickly to preserve logs and digital artefacts; delays may weaken evidential quality.
Case D: Data breach / incident readiness – SingHealth Data Breach (2018)
Facts:
From 27 June to 4 July 2018, Singapore’s largest public healthcare cluster (SingHealth) suffered a hacking attack; personal data of ~1.5 million patients was stolen.
A Committee of Inquiry identified failures: e.g., exploited server had not been updated for over a year; network vulnerabilities flagged earlier but not fixed.
Forensic readiness issues:
The incident involved forensic investigation by CSA, with steps to identify attacker’s foothold, lateral movement, malware. The delay in detection (6 days from infection to discovery) reduced forensic readiness.
Because systems were not properly patched and logging/monitoring weaknesses existed, forensic reconstruction was more difficult.
The report emphasised “adopting an enhanced security structure and readiness” for public healthcare systems.
Legal/institutional outcome:
The incident triggered multiple reforms: requirement for suspicious IT incidents to be reported within 24 hours; two-factor authentication for administrators; proactive threat-hunting.
Lesson:
Even where forensic readiness is not a criminal prosecution, incidents of large scale emphasise that organisations must be ready to detect, log, preserve evidence and coordinate investigation—especially given the possibility of AI-enabled attacks (although this incident was not publicly described as AI-assisted).
Forensic readiness must be part of organisational risk management, not just reactive incident response.
Case E: Emerging AI-enabled crime & forensic challenge – Prosecutors’ response commentary (2025)
Facts:
In 2025, Singapore’s Law Minister Edwin Tong said that AI has amplified the scale of crimes (e.g., deepfakes, large-scale scams) and prosecutors must keep up.
The commentary noted that attribution is difficult when AI tools automate phishing, deepfake voice scams, etc.
Forensic readiness issues:
The forensic readiness challenge here is that when AI is used (e.g., to generate deepfake voice scams), logs may be ephemeral, volumes massive and servers distributed; the actual human actor may be remote, and the use of AI masks attribution.
Thus, readiness implies that logging systems must capture AI-tool behaviour, threat-intelligence must monitor for deepfake generation, cross-border cooperation must be in place.
Legal / policy relevance:
Although this is not a particular court case, the public acknowledgement by prosecutorial authorities signals that Singapore’s criminal justice system recognises the forensic readiness gap.
Lesson:
Organisations and law-enforcement must enhance readiness for AI-enabled attacks: e.g., enhanced logging of AI-generated events, better monitoring of deepfake creation/distribution, stronger chain of custody for AI-generated evidence.
The commentary provides context that readiness for AI-assisted cybercrime is increasingly a priority.
4. Analytical commentary: forensic readiness and AI-assisted cybercrime (Singapore perspective)
From the above cases and framework, one can draw several observations.
(a) Forensic readiness remains organisation-centric, but must evolve for AI-assisted attacks
Traditional forensic readiness (logging, monitoring, incident response) remains foundational.
But AI-assisted attacks introduce new dimensions: volume of data, automation of attacks, deepfake/voice phishing, cross-border distribution, potential serverless/cloud hosting.
Therefore readiness must include: AI-use monitoring (are AI models used for phishing/deepfakes), scalable forensic tooling (big data logs, pattern detection), cross-jurisdiction cooperation, and forensic frameworks that can trace and attribute AI-generated artefacts.
(b) Legal/court-admissibility aspects
For evidence to be admissible, issues of chain of custody, integrity, reliability matter. If organisations fail to preserve logs or allow deletion/overwriting, investigators may face evidentiary gaps.
Singapore jurisprudence acknowledges the time-intensive nature of digital forensic evidence (see the [2014] SGHC 10 case).
The legal framework provides search/production powers; but readiness means evidence should be preserved even before formal powers are exercised.
(c) Attribution and burden of proof
In AI-assisted cybercrime, log trails may be automated and diffused; attribution (who ran the AI) becomes a challenge. Prosecutorial commentary highlights this.
For readiness, investigators must ensure that logs include not only system events but metadata of AI triggers, user-IDs, timestamps, network access, any AI-tool invocation, so that human accountability is traceable.
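An added example, not part of the original article: a minimal hash-chained audit log that records the attribution fields named above (user ID, timestamp, network source, AI-tool invocation) and lets an examiner locate the first altered or missing record, which is the integrity property the chain-of-custody discussion in (b) relies on. The field names, the `voice-synth` tool label and the off-host "escrowed head" are illustrative assumptions, and hash chaining is one common technique rather than a method prescribed by any source cited here.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first record

def _digest(body):
    # Canonical JSON so identical records always hash identically.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def append_event(log, ts, user_id, src_ip, event, ai_tool=None, ai_request_id=None):
    """Append one audit record that commits to the hash of the previous one."""
    body = {"seq": len(log), "ts": ts, "user_id": user_id, "src_ip": src_ip,
            "event": event, "ai_tool": ai_tool, "ai_request_id": ai_request_id,
            "prev": log[-1]["hash"] if log else GENESIS}
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record

def verify_chain(log, escrowed_head=None):
    """Return -1 if intact, else the index of the first record that fails.

    escrowed_head is the last hash as copied off-host at collection time; a
    mismatch (truncation or a full rewrite) is reported as len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev") != prev or _digest(body) != rec.get("hash"):
            return i
        prev = rec["hash"]
    if escrowed_head is not None and prev != escrowed_head:
        return len(log)
    return -1

def build_sample_log():
    """Constructed sample: a login, an AI-tool invocation, a file export."""
    log = []
    append_event(log, "2025-01-06T09:00:01Z", "u1001", "203.0.113.10", "login")
    append_event(log, "2025-01-06T09:02:17Z", "u1001", "203.0.113.10", "ai_invoke",
                 ai_tool="voice-synth (hypothetical)", ai_request_id="req-0001")
    append_event(log, "2025-01-06T09:05:40Z", "u1001", "203.0.113.10", "file_export")
    return log

if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample, sample[-1]["hash"]))
    sample[1]["user_id"] = "u2002"  # simulate an after-the-fact edit
    print("first bad record:", verify_chain(sample))
```

The chain alone only proves internal consistency; storing the latest hash outside the logged system is what exposes truncation or a wholesale rewrite.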
(d) Corporate/private readiness & internal investigations
The Zhang Changjie case shows that private entities can leverage forensic readiness (logs/audit) and pursue private prosecutions (or support public prosecution) under CMCA.
Corporates must treat forensic readiness as part of corporate risk management: access logs, file monitoring, audit trails, defined incident response, preserve evidence for potential prosecution.
(e) Institutional/government readiness
Singapore’s reforms (NCAP, establishment of Cybercrime Command) show institutional readiness is improving.
The SingHealth breach shows what happens when readiness is weak (late detection, unpatched systems).
For AI-assisted crime, institutional readiness must keep pace with AI-threats: cross-border cooperation, forensic tools to analyse AI artefacts, large-scale log data processing.
5. Summary and key takeaways
Forensic readiness is critical in the age of AI-assisted cybercrime: the sophistication and automation of attacks make logs, monitoring, attribution, evidence preservation more important.
Singapore’s legal/institutional framework provides many of the pieces: CMCA, CPC powers, digital investigation capability, coordinated command structure.
Case law and incidents illustrate: (i) hacking/unauthorised access (James Raj), (ii) insider data theft with good logging (Zhang Changjie), (iii) forensic procedural delays (SGHC 10), (iv) large scale data breach with inadequate readiness (SingHealth), (v) commentary on AI-enabled crime and forensic challenges (2025 prosecutors’ commentary).
Organisations (public, private) in Singapore must adopt: pre-incident logging, incident response planning, audit trails, chain of custody practices, AI-tool usage monitoring, cross-jurisdiction readiness.
For law-enforcement and prosecutors, readiness means scalable forensic capabilities (automated log‐analysis, AI-tool detection), cross-border cooperation, and ensuring evidence traceability to meet burden of proof.
The emergence of AI-enabled crime means readiness is not optional and must evolve from “we have logs” to “we have forensic capability tailored to AI threats”.
