Cybercrime Investigations
Module 9 introduces a preliminary review of how investigators find, gather, and examine digital evidence in cybercrime cases. You’ll review how search warrants relate to electronic evidence at a single-site crime scene and identify the many parties involved—such as law enforcement agencies, private companies, and individuals.
We’ll review the types of devices that can store digital evidence and the proper procedures for collecting, preserving, transporting, and storing that evidence to ensure it remains legally admissible. You’ll also explore common challenges in cyber investigations and see how knowledge management tools assist investigators in sharing and organizing information.
By the end of this module, you’ll learn how to recognize different types of evidence, where to find them, and how to preserve their integrity throughout the investigative process.
Learning Objectives
After completing this module, you should be able to:
- identify different types of hardware, devices, and storage media that could contain electronic evidence of criminal activity.
- explain the legal steps for obtaining and executing a search warrant involving digital or electronic evidence.
- describe the roles and interactions of key stakeholders in a cybercrime investigation, including law enforcement agencies, private organizations, and individual users.
- follow established best practices for collecting, preserving, transporting, and storing electronic evidence to maintain its integrity and ensure it is admissible in court.
- examine challenges and limitations in digital investigations, such as encryption, jurisdictional issues, and technological complexity.
- assess the role of knowledge management systems in organizing, sharing, and protecting investigative information among agencies.
- differentiate between categories of digital evidence and identify their likely locations within physical devices and networked environments.
Summary
The investigation of cybercrime and digital offenses requires a structured, methodical, and legally compliant process to ensure that electronic evidence is both credible and admissible in court. This module provides a comprehensive overview of that process, emphasizing the identification, collection, preservation, analysis, and presentation of digital evidence while examining the multiple agencies, organizations, and professionals involved in these investigations.
Students start with the IACP’s Law Enforcement Cyber Center overview of Cybercrime Investigations, which introduces the landscape of cybercrime and explains how digital evidence is created and stored. The sections on Common Electronic Devices that Generate Digital Evidence, Community Resources, and Handling Evidence from Specific Sources offer practical insights into where and how investigators find potential sources of information across devices, networks, and platforms.
The reading New Approaches to Digital Evidence Acquisition and Analysis (U.S. Department of Justice, National Institute of Justice, 2018) builds on these ideas by examining emerging tools and methods for acquiring and analyzing digital evidence. It bridges the gap between traditional forensic procedures and contemporary challenges such as encryption, cloud storage, and large-scale data analysis.
To reinforce procedural integrity, the National Institute of Standards and Technology (NIST) 2023 Digital Evidence Processing Standards for Law Enforcement introduces federal guidelines for handling evidence. This document establishes standardized practices for documenting, securing, and transferring electronic data, ensuring that the chain of custody remains intact and legally defensible.
The IACP’s April 2024 article, “The AI Paradigm,” expands the discussion to include artificial intelligence and its increasing role in digital policing and forensics. Students examine how new technologies, while powerful, create ethical and operational challenges that require strong knowledge management systems and clear procedural oversight.
Professional collaboration is another key theme. Through a review of the High Technology Crime Investigation Association (HTCIA) and a video featuring the International Association of Computer Investigative Specialists (IACIS), students learn about the professional organizations that promote education, certification, and partnerships within the field. These resources highlight the importance of interagency cooperation and ongoing learning in combating digital crime.
Adding a global perspective, the INTERPOL Singapore: Inside the Digital Forensics Lab (2025) video shows how international agencies work together to handle digital evidence, emphasizing that best practices go beyond borders. This global view complements the module’s focus on stakeholders and investigative challenges in networked environments.
To connect theory with practice, students then engage with two key listening resources. The FBI’s “Inside the FBI” podcast on the 20th anniversary of the Internet Crime Complaint Center (IC3) highlights the evolution of cybercrime reporting and public awareness, while The Digital Forensics Files Podcast (Tyler Hatch, 2025) offers practitioner-level insights into case management, investigative tools, and real-world applications of forensic principles.
Together, these resources show that investigating digital crimes involves more than just technical skill; it requires methodological accuracy, ethical responsibility, and cooperation across sectors and borders. Students completing this module will learn how to identify potential evidence, follow best practices for its preservation, analyze it with validated methods, and effectively communicate their findings to legal and professional audiences.
| Theory / Perspective | Key Scholars or Sources | Assigned Resources | Policy or Practice Connections |
|---|---|---|---|
| Digital Evidence and Cybercrime Investigation Framework | IACP Law Enforcement Cyber Center | Read: IACP’s Law Enforcement Cyber Center Overview of Cybercrime Investigations; Review: Common Electronic Devices that Generate Digital Evidence, Community Resources, and Handling Evidence from Specific Sources | Establishes foundational understanding of how cybercrime is detected, reported, and investigated; links to stakeholder identification and evidence source awareness. |
| Evidence Acquisition and Analysis | U.S. Department of Justice, National Institute of Justice (2018) | Read: New Approaches to Digital Evidence Acquisition and Analysis | Provides methodological insight into collecting and analyzing digital evidence; reinforces best practices for forensic acquisition and data integrity. |
| Standardization and Chain of Custody | National Institute of Standards and Technology (NIST, 2023) | Read: Digital Evidence Processing Standards for Law Enforcement | Introduces federal standards for maintaining integrity, documenting evidence, and ensuring admissibility through chain-of-custody protocols. |
| Artificial Intelligence and Emerging Technology | International Association of Chiefs of Police (IACP, 2024) | Review: The AI Paradigm (April 2024) | Examines the ethical and operational implications of AI in policing, connecting to knowledge management and responsible innovation in investigative practice. |
| Professional Collaboration and Investigative Communities | High Technology Crime Investigation Association (HTCIA); International Association of Computer Investigative Specialists (IACIS) | Review: HTCIA mission and training resources; Watch: IACIS overview video | Highlights the importance of professional education, certification, and interagency cooperation within the digital forensics community. |
| Global Forensic Coordination | INTERPOL Digital Forensics Lab, Singapore (2025) | Watch: INTERPOL Singapore: Inside the Digital Forensics Lab | Demonstrates international standards and coordination in electronic evidence handling; supports understanding of global best practices and multi-jurisdictional challenges. |
| Cybercrime Reporting and Knowledge Sharing | Federal Bureau of Investigation (FBI, 2024) | Listen: Inside the FBI Podcast – 20th Anniversary of the Internet Crime Complaint Center (IC3) | Demonstrates how the collection of cybercrime data and public reporting enhance prevention efforts and facilitate cross-agency knowledge sharing. |
| Applied Forensic Practice and Case Insight | Tyler Hatch, B.A., LL.B. (2025) | Listen: The Digital Forensics Files Podcast | Offers practitioner perspectives on real-world forensic cases; links theory to applied methods and ethical decision-making in investigations. |
Key Takeaways
- Cybercrime investigations follow a step-by-step process that ensures evidence is collected, analyzed, and presented according to legal standards.
- Evidence may be found on computers, smartphones, IoT devices, cloud systems, or network storage, all of which must be identified and handled correctly.
- Federal guidelines such as the NIST Digital Evidence Processing Standards help maintain the chain of custody and ensure evidence remains admissible in court.
- Reports like the DOJ’s New Approaches to Digital Evidence Acquisition and Analysis highlight new methods and challenges such as encryption and cloud storage.
- As described in the IACP’s “The AI Paradigm,” AI can improve policing and forensic analysis but also raises ethical and procedural concerns.
- Groups such as HTCIA and IACIS provide education, certification, and networking opportunities that strengthen investigative capacity and interagency cooperation.
- International agencies, such as INTERPOL, play a vital role in setting standards and sharing knowledge about digital forensics practices across borders.
- The FBI’s IC3 podcast demonstrates how reporting and data sharing help detect and disrupt online crime.
- The Digital Forensics Files Podcast offers real-world examples of investigative challenges, reinforcing the importance of professional judgment and technical skill.
- Investigators must document every step, preserve evidence accurately, and present findings clearly to legal and professional audiences.
Key Terms/Concepts
Artificial intelligence (AI)
Chain of custody
Cloud forensics
Computer forensic analyst
Computer systems
Corporate security investigators
Data integrity
Digital analysts
Digital evidence acquisition
Digital evidence processing standards
Digital forensics
Digital imaging (forensic imaging)
Encryption
First responder
Forensic duplication
Incident response
Investigators
Knowledge management
Metadata
Multiple-scene crime
National Institute of Standards and Technology (NIST)
Network crime scene
Open-source intelligence (OSINT)
Search warrant (electronic evidence)
Seized Computer Evidence Recovery Specialist (SCERS)
Seizure protocol
Single-scene crime
Trace evidence
Validation (forensic tools)
Volatile data
Modern Application
A recent example of a major cybercrime investigation is the Microsoft breach disclosed in January 2024. A Russia-linked group tracked by Microsoft as Midnight Blizzard (also known as APT29 or Nobelium, and attributed to Russia’s foreign intelligence service, the SVR) gained access to the email accounts of Microsoft executives and staff. According to Microsoft’s own disclosure, the attackers used a password-spray attack against a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled, then abused that account’s permissions to read corporate mailboxes, including correspondence between Microsoft and several U.S. federal agencies. The investigation led to emergency actions, including notifications to affected customers and a CISA emergency directive (ED 24-02) to affected federal agencies, to limit further damage.
Another major investigation in 2024 focused on Volt Typhoon, a China-linked group that had compromised hundreds of end-of-life small office/home office (SOHO) routers in the U.S. and used them as a botnet (the KV Botnet) to route and conceal attacks on U.S. critical infrastructure providers, including the energy and transportation sectors. In January 2024 the FBI, acting under a court order, ran an operation that removed the malware from infected routers, and U.S. cybersecurity agencies have continued working to disrupt the threat.
These examples show how cybercrime investigations are becoming more complex, requiring a coordinated effort between law enforcement and private cybersecurity firms to reduce risks and recover compromised systems.
Resources
- CRN (2024), 10 Major Cyberattacks And Data Breaches In 2024 (So Far) (Kyle Alspach, July 2024) [last accessed, October 2024].
- IT Governance (May 2024), Global Data Breaches and Cyber Attacks in 2024 (last accessed, October 2024).
Read, Review, Watch and Listen
1. Read the IACP’s Law Enforcement Cyber Center’s overview of Cybercrime Investigations
Review on that same page:
- Common Electronic Devices that Generate Digital Evidence
- Community Resources
- Handling Evidence from Specific Sources
2. Read New Approaches to Digital Evidence Acquisition and Analysis (U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, 2018)
3. Read the National Institute of Standards and Technology (NIST). (2023). Digital Evidence Processing Standards for Law Enforcement.
- Brings federal standardization context and replaces or complements the older DHS pocket guide.
4. Review the IACP’s Police Chief magazine article The AI Paradigm (April 2024)
- “Technology in contemporary policing is far from what is seen in science fiction novels and movies; however, embracing new technologies—such as artificial intelligence—can empower police agencies with more sophisticated practices. Although these advancements can be promising, police leaders must learn to navigate any challenges and address potential threats and ethical considerations that may arise” (Editors Craig Allen and Andrea Watson; last accessed, October 2024).
5. Review and learn about the High Technology Crime Investigation Association (HTCIA)
- The High Technology Crime Investigation Association (HTCIA) was created in 1986 and we are the oldest and most prestigious association solely focused on high tech investigations. HTCIA is an organization that provides education and collaboration to our members for the prevention and investigation of high tech crimes. HTCIA helps all those in the high technology field by providing extensive information, education, collective partnerships, mutual member benefits, board leadership and professional management. HTCIA is a registered not for profit association.
6. Watch and learn about the most recent activities of the International Association of Computer Investigative Specialists (IACIS)
7. Watch INTERPOL Singapore: Inside the Digital Forensics Lab (September 2025).
- Provides global dimension on procedures for electronic evidence handling.
8. Listen to the latest Inside the FBI podcast episode about the 20th anniversary of the Bureau’s Internet Crime Complaint Center (IC3). Learn how the IC3 has tracked online crime, from early frauds to sophisticated schemes, how to report scams, and how to protect yourself from future threats (FBI, 2024) [last accessed, October 2024].
9. Listen to one or more episodes of The Digital Forensics Files Podcast (by Tyler Hatch, B.A., LL.B., 2025).
Activity – Introduction to Cybercrime Investigations
STOP!!!
Students should review the course syllabus to determine the assignment of this activity.
This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.
Purpose
The goal of this activity is to introduce students to the basics of cybercrime investigation and to explore how traditional investigative principles relate to technology-based crimes. Students will compare investigative techniques used in conventional (offline) crimes with those needed in digital or computer-based cases.
Overview
Most computer crimes are, as McQuade (2005) describes, “traditional crimes committed in a non-traditional way.” While cybercrime investigations often use specialized tools and terminology, they still depend on the core principles of law enforcement, such as establishing probable cause, maintaining a chain of custody, and documenting each step of the investigation.
This activity demonstrates the similarities and differences between traditional policing and digital investigations. Students will examine how agencies such as the Federal Bureau of Investigation (FBI) handle cyber incidents, the types of evidence they may find, and the significance of interagency cooperation and knowledge sharing when responding to cyber threats.
Instructions
- Read the FBI’s Law Enforcement Cyber Incident Reporting resource (attached in Blackboard). Focus on how cyber incidents are defined, documented, and reported to federal authorities.
- Review the NIST Digital Evidence Processing Standards for Law Enforcement (2023) to understand how federal guidelines define proper evidence handling, documentation, and chain of custody.
- Watch ‘Digital Forensic Science: Basics of Cybercrime Investigation’ (embedded below). Pay attention to the steps investigators take when identifying, collecting, and preserving electronic evidence.
- Visit the High Technology Crime Investigation Association (HTCIA) website to see how digital investigators work together across agencies and industries to exchange knowledge and best practices.
- (Optional) Watch INTERPOL Singapore: Inside the Digital Forensics Lab (2025) to gain a global perspective on how digital evidence is examined and preserved worldwide.
- (Optional) Listen to the FBI’s Inside the FBI Podcast – 20th Anniversary of the Internet Crime Complaint Center (IC3) to learn how cybercrime reports help with national data collection and knowledge sharing.
Compare and Reflect:
- Identify three similarities and three differences between traditional and cybercrime investigations.
- Discuss how traditional investigative skills like interviewing, documentation, and evidence handling continue to be essential in digital investigations.
- Describe how knowledge management and interagency collaboration enhance investigative results.
Apply Your Learning
- Draft a brief investigative response plan for a cyber incident at a local business. Identify which devices, networks, or digital environments you would prioritize and explain how you would preserve evidence following NIST standards.
- Write a 300–400-word reflection paper. Mention at least two of the following Module 9 key terms: chain of custody, digital evidence acquisition, knowledge management, digital forensics, or data integrity.
Discussion Questions
- How does the initial preparation phase, including assembling a team of experts and obtaining legal authority like search warrants or subpoenas, affect the overall success and legality of a digital crime investigation?
- Considering the wide range of devices and systems that can store digital evidence (such as computers, smartphones, servers, and cloud storage), what challenges do investigators face in identifying relevant evidence, and how do these challenges influence the scope and direction of the investigation?
- Discuss the importance of securing the crime scene and establishing a chain of custody for digital evidence. How does the process of forensic imaging and protecting original devices from unauthorized access ensure the integrity and admissibility of evidence in court?
- What are the main challenges investigators face during the analysis stage of digital evidence, especially with tasks like decrypting encrypted data and reconstructing events? How do these challenges affect the results of digital crime investigations?
- How important is documenting each step of the investigation for ensuring transparency and the admissibility of evidence in court? Also, discuss why presenting findings to stakeholders matters and how a well-prepared report can influence hypotheses about the crime.
Supplemental Readings
- International Association of Chiefs of Police (IACP) – Law Enforcement Cyber Center
- The Cyber Center is a collaborative project of the International Association of Chiefs of Police (IACP), the National White Collar Crime Center (NW3C), and the Police Executive Research Forum (PERF), and is made possible by funding from the Bureau of Justice Assistance, at the U.S. Department of Justice’s Office of Justice Programs. The Cyber Center was developed to enhance the awareness, expand the education, and build the capacity of justice and public safety agencies to prevent, investigate, prosecute, and respond to cyber threats and cyber crimes. It is intended to be a national resource for law enforcement and related justice and public safety entities.
- United States Secret Service – Cyber Investigations
- The Secret Service is responsible for detecting, investigating, and arresting any person who violates certain laws related to financial systems. In recent years digital assets have increasingly been used to facilitate a growing range of crimes, including various fraud schemes and the use of ransomware.
- Best Evidence Rule (Cornell Law School Legal Information Institute (LII), 2024).
- MAC address: How to Find an Identity (last accessed, October 2024).
- Regional Computer Forensics Laboratory (RCFL)
- With the proliferation of digital devices, today’s criminal investigations often rely on evidence stored on computers, smart phones, and other connected tools. Performing digital forensic examinations on that evidence is the specialty of the Regional Computer Forensics Laboratory (RCFL) program. Created in 2000, the RCFL program is a partnership between the FBI and other federal, state, and local law enforcement agencies operating a regional, digital forensic task force. The laboratories provide forensic services and expertise to support law enforcement agencies in collecting and examining digital evidence for a wide range of investigations, including child pornography, terrorism, violent crime, and fraud.
- Computer Crime and Intellectual Property Section (CCIPS)
- The Computer Crime and Intellectual Property Section pursues three overarching goals: to deter and disrupt computer and intellectual property crime by bringing and supporting key investigations and prosecutions, to guide the proper collection of electronic evidence by investigators and prosecutors, and to provide technical and legal advice and assistance to agents and prosecutors in the U.S. and around the world.
Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.
Glossary
Artificial intelligence (AI): The use of computer systems to simulate human intelligence processes such as learning, reasoning, and decision-making; increasingly applied in policing and digital forensics.
Chain of custody: A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose of the transfer (National Institute of Standards and Technology [NIST], 2021).
Cloud forensics: The application of forensic techniques to data stored or processed in cloud computing environments, which often raises jurisdictional and shared-control issues because the provider, not the investigator, controls the underlying infrastructure.
Computer forensic analyst: Analyzes digital evidence and investigates computer security incidents to derive information that supports system and network vulnerability mitigation.
Computer systems: A basic, complete, and functional hardware and software setup with everything needed to perform computing tasks (Techopedia, 2021).
Corporate security investigators: Employed by corporations to secure the corporation’s digital assets. In many instances corporate security staff cooperate with law enforcement while maintaining a fundamentally different mission (protecting the business rather than building a prosecution).
Data integrity: The accuracy and consistency of stored data, maintained throughout collection, transfer, and analysis so that it remains unaltered and authentic; in practice demonstrated by matching cryptographic hashes of the original and every copy.
Digital analysts: People tasked with making sure reports, analyses, and dashboards accurately reflect vital information about their organization’s digital assets.
Digital evidence acquisition: The legally sound process of identifying, collecting, and securing digital data for analysis without compromising its integrity or evidentiary value.
Digital evidence processing standards: Guidelines, such as those established by NIST, that specify how digital evidence should be collected, documented, and handled to ensure reliability and admissibility.
Digital forensics: The systematic examination of digital devices and media to identify, preserve, analyze, and present data relevant to criminal or civil investigations.
Digital imaging (forensic imaging): The process of creating a precise, bit-for-bit copy of digital storage media so that examination is performed on the copy and the original is preserved.
Encryption: A method of encoding data so that it cannot be read without the corresponding decryption key; it protects legitimate users’ data but can also place evidence beyond an investigator’s reach without the key or the device owner’s cooperation.
First responder: A person (such as a police officer or an EMT) who is among those responsible for going immediately to the scene of an accident or emergency to provide assistance; in a digital investigation, the first person to secure devices at the scene.
Forensic duplication: The process of making an exact, verified copy of a digital device or storage medium for forensic examination; verification means the hash of the copy matches the hash of the original.
Incident response: A structured approach used by investigators and organizations to identify, contain, and recover from cybersecurity incidents or breaches.
Investigators: Any person who carries out an investigation, that is, the gathering of facts to form a cohesive and logical picture of a given situation.
Knowledge management: The organized collection and sharing of information and expertise among investigators, agencies, and organizations to enhance decision-making and investigative results.
Metadata: Data about data: information generated alongside digital content and communications (e.g., location, time, sender, file creation and modification dates), which is valuable evidence and is also central to privacy and surveillance debates.
Multiple-scene crime: A crime whose evidence is found in two or more physical locations (e.g., in a crime of personal violence, evidence may be found at the location of the assault, on the person and clothing of the victim/assailant, in the victim’s/assailant’s vehicle, and at locations the victim/assailant frequents and resides).
National Institute of Standards and Technology (NIST): A U.S. federal agency that creates technology, metrics, and standards, including protocols for handling forensic evidence, to ensure quality and consistency in investigations.
Network crime scene: A crime scene consisting of a computer network: two or more computers linked by data cables or wireless connections that share, or are capable of sharing, resources and data. A computer network often includes printers, other peripheral devices, and data-routing devices such as hubs, switches, and routers.
Open-source intelligence (OSINT): Information gathered from publicly accessible sources such as websites, social media, and online databases to support investigations.
Search warrant (electronic evidence): A legal order authorizing law enforcement to search, seize, or examine electronic devices and digital data during a criminal investigation.
Seized Computer Evidence Recovery Specialist (SCERS): A training program that teaches fundamental forensic techniques for analyzing electronic data from Windows desktop computer systems and selected peripherals. It is designed as a comprehensive introductory digital forensics program for novice examiners or those who wish to update their skills and tool set.
Seizure protocol: Standardized procedures for investigators to secure, document, and transport digital devices to ensure legal and evidentiary integrity.
Single-scene crime: A crime involving only a single computer at a single location; by contrast, a multiple-scene crime involves more than one computer, possibly connected over a network.
Trace evidence: Physical evidence that results from the transfer of small quantities of materials (e.g., hair, textile fibers, paint chips, glass fragments, gunshot residue particles).
Validation (forensic tools): The process of testing and confirming that forensic software or hardware functions accurately and reliably (for example, by imaging a known test medium and confirming the result matches the expected hash) before it is used on evidence.
Volatile data: Data held temporarily in RAM that is lost when a device powers off; it must be captured from the running system before shutdown and is often important for reconstructing live system activity.
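The glossary entries for forensic duplication, data integrity, chain of custody and tool validation describe the mechanics in words. The Python script below is an added example, not code from the module’s readings or from any organization named on this page, that puts them together: it makes a bit-for-bit copy of a constructed sample “device” (an ordinary file standing in for a block device read through a write blocker), hashes the original before and after copying and compares both with the image hash, and keeps a hash-chained chain-of-custody log so that altering either the image or the log is detectable. The case and item identifiers, handler names and file names are hypothetical.

```python
"""Forensic duplication with hash verification and a chain-of-custody log.

Added example (not from the module's readings). Assumptions: the "device" is an
ordinary file; a real acquisition reads a block device through a write blocker.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large media do not exhaust memory


def sha256_of(path: str) -> str:
    """Hash a file in chunks; the same routine is used for source and image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy `source` bit for bit into `image` and verify the copy.

    The original is hashed before and after the copy: if the three digests do
    not agree, either the copy is bad or the original was written to, and the
    image must not be used. Returns the acquisition record on success.
    """
    pre_hash = sha256_of(source)
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            size += len(chunk)
    image_hash = sha256_of(image)
    post_hash = sha256_of(source)
    if not (pre_hash == image_hash == post_hash):
        raise RuntimeError("acquisition failed verification; do not use this image")
    return {"source": source, "image": image, "bytes": size, "sha256": image_hash}


class CustodyLog:
    """Append-only chain-of-custody record.

    Each entry names who handled the evidence, when, and why, and carries the
    evidence hash at that moment. Entries are hash-chained (each entry's digest
    covers the previous entry's digest), so editing, deleting or reordering an
    entry breaks verification of every entry after it.
    """

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, handler, action, purpose, evidence_hash, when=None) -> dict:
        prev = self.entries[-1]["entry_digest"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries) + 1,
            "handler": handler,
            "action": action,
            "purpose": purpose,
            "timestamp": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "evidence_sha256": evidence_hash,
            "prev_digest": prev,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["entry_digest"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "entry_digest"}
            if e["seq"] != i or body["prev_digest"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_digest"]:
                return False
            prev = e["entry_digest"]
        return True


def demo() -> dict:
    """Acquire a constructed sample device, log custody, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect_drive.bin")        # constructed sample "device"
        image = os.path.join(d, "suspect_drive_image.bin")   # hypothetical image name
        with open(source, "wb") as f:
            f.write(b"MBR\x00" * 1024 + os.urandom(4096) + b"FIN")
        rec = acquire_image(source, image)
        log = CustodyLog("CASE-0001-ITEM-01")                # hypothetical identifiers
        log.record("Det. A. Smith", "seized", "search warrant execution", sha256_of(source))
        log.record("Examiner B. Jones", "imaged", "forensic duplication", rec["sha256"])
        log_ok_before = log.verify()
        with open(image, "r+b") as f:                        # tamper with one byte of the image
            f.seek(10)
            f.write(b"X")
        image_matches = sha256_of(image) == rec["sha256"]
        log.entries[0]["handler"] = "unknown"                # tamper with the custody log
        log_ok_after = log.verify()
    return {"log_ok_before": log_ok_before, "image_matches_after_tamper": image_matches,
            "log_ok_after_tamper": log_ok_after}


if __name__ == "__main__":
    print(demo())
```

The same acquisition routine doubles as a tool-validation check: run it against a test medium whose hash is already known and confirm the recorded `sha256` matches before trusting the tool on evidence.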