Cybercrime Investigations
Module 9 examines the search warrant application process appropriate to electronic evidence at a single-location crime scene and considers a multitude of stakeholders; that is, agencies, organizations, businesses, and individuals, as well as the hardware and storage devices potentially containing evidence of a crime. In addition, an explanation and description of the best current practices for the collection, preservation, transportation, and storage of electronic evidence is provided in conjunction with a review of challenges posed by cyber investigations and the role of knowledge management. Finally, an introduction to the categories and probable locations of evidence is included within a review of broadly outlined procedures for preserving and collecting network trace evidence.
Learning Objectives
After completing this module, you should be able to:
- identify hardware and storage devices potentially containing evidence of crime.
- identify and discuss stakeholders involved in cybercrime investigations.
- discuss cybercrime reporting practices.
- explain and describe best practices for the collection, preservation, transportation, and storage of electronic evidence.
- examine the role of knowledge management in cybercrime investigations.
- identify categories of evidence and probable locations.
Summary
The investigation of digital crimes involves a structured process that encompasses the identification, preservation, analysis, and presentation of digital evidence. This process requires a meticulous approach to ensure the integrity of evidence and adherence to legal standards.
The initial stage of any investigation is preparation. This phase involves setting up a team of experts, defining the scope of the investigation, and acquiring the necessary legal authority to proceed, such as search warrants or subpoenas.
Investigators must always identify relevant digital evidence by locating devices or systems that may contain information related to the crime. This includes computers, smartphones, servers, and cloud storage services.
Once potential evidence is identified, it is crucial to preserve its integrity. Most importantly, investigators should secure the crime scene and establish a chain of custody for anything taken from the suspect, especially if further analysis is required. In the case of digital evidence, this involves creating digital copies of the evidence (forensic imaging) and securing the original devices or data against unauthorized access or alteration.
Once a bit-by-bit image of the suspect’s device is created, the analysis phase begins. The analysis phase involves examining the collected digital evidence in detail to uncover relevant data. This includes reviewing files, analyzing system logs, decrypting encrypted data, and reconstructing events that occurred.
As with all activities throughout the criminal justice system, document, document, document. Every step of the investigation is thoroughly documented, including the methods used to collect and analyze the evidence. This ensures the process is transparent and the evidence is admissible in court.
Once the forensic analysis is complete, it is time to enter the final phase. The final phase involves presenting the findings of the investigation to relevant stakeholders, which may include law enforcement agencies, legal teams, or courtrooms. The evidence and analysis are compiled into a comprehensive report that supports or refutes the hypotheses about the crime.
Throughout the investigation, it’s essential to adhere to principles of digital forensics, including maintaining a chain of custody for evidence and ensuring the use of validated tools and methodologies. This process not only aids in solving digital crimes but also in building a case that can withstand legal scrutiny.
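As an added example (not part of the module's text), the following Python script shows how a chain-of-custody record ties each hand-off to the hash of the forensic image, so that a later check detects either alteration of the image or an unexplained change between two handlers. The case number, handler names and the in-memory image bytes are constructed stand-ins, not real case data.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed stand-in for a bit-by-bit image (in practice the raw .dd/.E01 file).
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 4 + b"deleted_invoice.pdf\x00"


def sha256_hex(data: bytes) -> str:
    """Hash that identifies the image; altering any bit changes the value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    handler: str     # who took possession (hypothetical names below)
    action: str      # collected / transferred / analyzed / stored
    purpose: str     # why the hand-off happened
    timestamp: str   # ISO-8601 UTC, recorded at the moment of hand-off
    image_hash: str  # hash of the image as seen by this handler


@dataclass
class ChainOfCustody:
    case_number: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, purpose: str, image: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        """Append one hand-off; the hash is computed from the image at that time."""
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(handler, action, purpose, when.isoformat(),
                             sha256_hex(image))
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> bool:
        """True only if the image still matches the acquisition hash and every
        recorded hand-off saw that same hash (no unexplained change in between)."""
        if not self.entries:
            return False          # no acquisition record: nothing to trust
        ref = self.entries[0].image_hash
        chain_ok = all(e.image_hash == ref for e in self.entries)
        return chain_ok and sha256_hex(image) == ref


def demo() -> Tuple[bool, bool]:
    # Returns (intact image verifies, tampered image verifies)
    coc = ChainOfCustody("CASE-0000-HYPOTHETICAL")
    coc.record("Officer A. Lee", "collected", "laptop imaged on scene", SAMPLE_IMAGE)
    coc.record("Analyst B. Diaz", "transferred", "lab analysis", SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[300] ^= 0x01         # a single flipped bit
    return coc.verify(SAMPLE_IMAGE), coc.verify(bytes(tampered))
```

The same record structure (handler, date/time, purpose) is what the chain-of-custody definition in this module's key terms calls for; the hash is what makes the record checkable rather than merely asserted.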
Key Takeaways
Digital crime investigations follow a structured process, including identification, preservation, analysis, and presentation of digital evidence.
In the preparation phase, investigators start by assembling a team, defining the scope, and acquiring legal authority (e.g., search warrants or subpoenas).
The identification of evidence is the process in which investigators locate devices or systems that might contain relevant information (e.g., computers, smartphones, servers, cloud storage).
The preservation of evidence involves securing the crime scene, establishing a chain of custody, creating digital copies (forensic imaging), and safeguarding original evidence from tampering.
During the analysis phase, investigators examine the bit-by-bit image of each device, review files and system logs, decrypt data, and reconstruct events.
The meticulous documentation of all methods and steps is crucial to ensure transparency and admissibility in court.
The presentation of findings is the final phase; it consists of delivering the findings in a comprehensive report to stakeholders such as law enforcement or legal teams.
Computer crime investigations require strict adherence to established practice and principles. That is, investigators must maintain a chain of custody and use validated tools and methods to ensure the evidence holds up under legal scrutiny.
Key Terms/Concepts
Chain of custody
Computer forensic analyst
Computer systems
Corporate security investigators
Digital analysts
First responder
Investigators
Multiple-scene crime
Network crime scene
Seized Computer and Evidence Recovery (SCER)
Single-scene crime
Trace evidence
Modern Application
A current example of a significant cybercrime investigation involves the Microsoft breach disclosed in January 2024, where a Russia-aligned group, known as Midnight Blizzard, infiltrated the corporate email accounts of Microsoft executives and other staff members. This breach affected multiple federal agencies and was linked to Russia’s foreign intelligence unit, SVR. The attackers exploited weak multi-factor authentication (MFA) settings on legacy accounts, allowing them to steal email correspondence between Microsoft and several U.S. federal agencies. The ongoing investigation has prompted emergency responses, including notices to affected customers, to mitigate further damage.
Another major investigation this year focused on attacks by a China-linked group, Volt Typhoon, which compromised hundreds of small office/home office (SOHO) routers in the U.S. These devices were then used to form a botnet aimed at U.S. critical infrastructure providers, including energy and transportation sectors. The FBI and cybersecurity agencies have been actively involved in disrupting this threat.
These examples demonstrate the increasingly complex nature of cybercrime investigations, which require a coordinated effort between law enforcement agencies and private cybersecurity firms to mitigate the risks and recover compromised systems.
Resources
- CRN (2024), 10 Major Cyberattacks And Data Breaches In 2024 (So Far) (Kyle Alspach, July 2024) [last accessed, October 2024].
- IT Governance (May 2024), Global Data Breaches and Cyber Attacks in 2024 (last accessed, October 2024).
Read, Review, Watch and Listen
- Read the IACP Law Enforcement Cyber Center's overview of Cybercrime Investigations
- Read NEW APPROACHES TO DIGITAL EVIDENCE ACQUISITION AND ANALYSIS (U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, 2018)
- Review Best Practices For Seizing Electronic Evidence: A Pocket Guide for First Responders-v3 (US DHS / US Secret Service, 2010)
- Review IACP's Police Chief: The AI Paradigm (April 2024)
- “Technology in contemporary policing is far from what is seen in science fiction novels and movies; however, embracing new technologies—such as artificial intelligence—can empower police agencies with more sophisticated practices. Although these advancements can be promising, police leaders must learn to navigate any challenges and address potential threats and ethical considerations that may arise” Editors Craig Allen and Andrea Watson (last accessed, October 2024).
- Review and learn about the High Technology Crime Investigation Association (HTCIA)
- The High Technology Crime Investigation Association (HTCIA) was created in 1986 and we are the oldest and most prestigious association solely focused on high tech investigations. HTCIA is an organization that provides education and collaboration to our members for the prevention and investigation of high tech crimes. HTCIA helps all those in the high technology field by providing extensive information, education, collective partnerships, mutual member benefits, board leadership and professional management. HTCIA is a registered not for profit association.
- Watch and learn about the most recent activities conducted by the International Association of Computer Investigative Specialists (IACIS)
- Listen to the latest Inside the FBI podcast episode about the 20th Anniversary of the Bureau's Internet Crime Complaint Center, or IC3. Learn more about how the IC3 has tracked online crime, from the evolution of early frauds to sophisticated schemes, as well as what you can do not only to report scams, but to protect yourself from future threats (FBI, 2024) [last accessed, October 2024].
Activity
STOP!!!
Students should review the course syllabus to determine the assignment of this activity.
This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.
Purpose
The purpose of this activity is to introduce the basics of cybercrime investigation and explore similarities and differences between traditional and computer crime investigations.
Overview
Computer crime investigations are almost all "Traditional crimes committed in a non-traditional way" (McQuade III, S., 2005). Therefore, established investigative techniques and methods are used during a cyber incident/investigation. Although digital investigation techniques might require specialized skills, most do not exceed those of the average user. Investigators must remember that applying traditional policing skills to the case is crucial.
Instructions
- Review the attached Federal Bureau of Investigation (FBI) Law Enforcement Cyber Incident Reporting document
- Watch Digital Forensic Science’s Basics of Cybercrime Investigation:
When answering the following questions, remember to be specific and connect the response to concepts as presented within the provided resources and course concepts:
- Explain how cybercrime investigations are like traditional investigations.
- Describe what is required for two or more computers to communicate.
- Explain why it is difficult to associate an IP address with a single person.
Key Terms/Concepts
Computer Crime Investigation is the process of investigating, analyzing, and recovering forensic data for digital evidence of a crime.
TCP/IP protocol, in full Transmission Control Protocol/Internet Protocol, is the suite of standard Internet communications protocols that allow digital computers to communicate over long distances.
IP address is a unique string of characters that identifies each computer using the Internet Protocol to communicate over a network.
Internet Service Provider (ISP) is a company that provides Internet connections and services to individuals and organizations.
Refer to the course learning management system (LMS); that is Blackboard (BB), for the correct due date. In addition, submit your work via BB for grading.
Discussion Questions
- How does the initial preparation phase, including the assembly of a team of experts and the acquisition of legal authority such as search warrants or subpoenas, impact the overall success and legality of a digital crime investigation?
- Considering the vast array of devices and systems that can store digital evidence (e.g., computers, smartphones, servers, cloud storage), what challenges do investigators face in identifying relevant evidence, and how do these challenges affect the scope and direction of the investigation?
- Discuss the importance of securing the crime scene and establishing a chain of custody for digital evidence. How does the process of forensic imaging and securing original devices against unauthorized access ensure the integrity and admissibility of evidence in court?
- What are the major challenges investigators encounter during the analysis phase of digital evidence, especially with tasks like decrypting encrypted data and reconstructing events? How do these challenges influence the outcomes of digital crime investigations?
- How critical is the documentation of each step in the investigation for the transparency and admissibility of evidence in court? Additionally, discuss the importance of presenting findings to stakeholders and the impact of a well-compiled report on the hypotheses about the crime.
Supplemental Readings
- International Association of Chiefs of Police (IACP) – Law Enforcement Cyber Center
- The Cyber Center is a collaborative project of the International Association of Chiefs of Police (IACP), the National White Collar Crime Center (NW3C), and the Police Executive Research Forum (PERF), and is made possible by funding from the Bureau of Justice Assistance, at the U.S. Department of Justice's Office of Justice Programs. The Cyber Center was developed to enhance the awareness, expand the education, and build the capacity of justice and public safety agencies to prevent, investigate, prosecute, and respond to cyber threats and cyber crimes. It is intended to be a national resource for law enforcement and related justice and public safety entities.
- United States Secret Service – Cyber Investigations
- The Secret Service is responsible for detecting, investigating, and arresting any person who violates certain laws related to financial systems. In recent years digital assets have increasingly been used to facilitate a growing range of crimes, including various fraud schemes and the use of ransomware.
- Best Evidence Rule (Cornell Law School Legal Information Institute [LII], 2024).
- MAC address: How to Find an Identity (last accessed, October 2024).
- Regional Computer Forensics Laboratory (RCFL)
- With the proliferation of digital devices, today's criminal investigations often rely on evidence stored on computers, smart phones, and other connected tools. Performing digital forensic examinations on that evidence is the specialty of the Regional Computer Forensics Laboratory (RCFL) program. Created in 2000, the RCFL program is a partnership between the FBI and other federal, state, and local law enforcement agencies operating a regional, digital forensic task force. The laboratories provide forensic services and expertise to support law enforcement agencies in collecting and examining digital evidence for a wide range of investigations, including child pornography, terrorism, violent crime, and fraud.
- Computer Crime and Intellectual Property Section (CCIPS)
- The Computer Crime and Intellectual Property Section pursues three overarching goals: to deter and disrupt computer and intellectual property crime by bringing and supporting key investigations and prosecutions, to guide the proper collection of electronic evidence by investigators and prosecutors, and to provide technical and legal advice and assistance to agents and prosecutors in the U.S. and around the world.
Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.
Definitions of Key Terms/Concepts
Chain of custody: A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer (National Institute of Standards and Technology [NIST], 2021).
Computer forensic analyst: Computer forensic analysts analyze digital evidence and investigate computer security incidents to derive useful information in support of system/network vulnerability mitigation.
Computer systems: A basic, complete and functional hardware and software setup with everything needed to implement computing performance (Techopedia, 2021).
Corporate security investigators: Investigators employed by corporations to secure the digital assets of the corporation. In many instances, corporate security employees cooperate with law enforcement, while maintaining a fundamentally different mission.
Digital analysts: People who are tasked with making sure reports, analyses, and dashboards accurately reflect vital information about their companies' digital assets.
First responder: A person (such as a police officer or an EMT) who is among those responsible for going immediately to the scene of an accident or emergency to provide assistance.
Investigators: Any person who carries out an investigation; that is, very simply, the gathering of facts to form a cohesive and logical picture of a given situation.
Multiple-scene crime: A crime that materialized within two or more physical locations of evidence associated with a crime (e.g., in a crime of personal violence, evidence may be found at the location of the assault and on the person and clothing of the victim/assailant, the victim's/assailant's vehicle, and locations the victim/assailant frequents and resides).
Network crime scene: A crime scene consisting of a computer network, which consists of two or more computers linked by data cables or by wireless connections that share or are capable of sharing resources and data. A computer network often includes printers, other peripheral devices, and data routing devices such as hubs, switches, and routers.
Seized Computer and Evidence Recovery (SCER): The Seized Computer Evidence Recovery Specialist (SCERS) training program teaches fundamental forensic techniques for the analysis of electronic data from Windows desktop computer systems and selected peripherals. It is designed as a comprehensive digital forensics introductory program of instruction for novice examiners or those who wish to update their skill/tool set.
Single-scene crime: A single-scene crime involves only a single computer; a multiple-scene crime involves more than one computer, with the possibility of a network.
Trace evidence: Physical evidence that results from the transfer of small quantities of materials (e.g., hair, textile fibers, paint chips, glass fragments, gunshot residue particles).