Cybercrime Investigations

Module 9 examines the search warrant application process appropriate to electronic evidence at a single-location crime scene and considers a multitude of stakeholders (agencies, organizations, businesses, and individuals) as well as the hardware and storage devices that may contain evidence of a crime. It also describes current best practices for the collection, preservation, transportation, and storage of electronic evidence, reviews the challenges posed by cyber investigations, and discusses the role of knowledge management. Finally, categories and probable locations of evidence are introduced within a review of broadly outlined procedures for preserving and collecting network trace evidence.

Learning Objectives

After completing this module, you should be able to:

  • identify hardware and storage devices potentially containing evidence of crime.
  • identify and discuss stakeholders involved in cybercrime investigations.
  • discuss cybercrime reporting practices.
  • explain and describe best practices for the collection, preservation, transportation, and storage of electronic evidence.
  • examine the role of knowledge management in cybercrime investigations.
  • identify categories of evidence and probable locations.

Summary

The investigation of digital crimes involves a structured process that encompasses the identification, preservation, analysis, and presentation of digital evidence. This process requires a meticulous approach to ensure the integrity of evidence and adherence to legal standards.

The initial stage of any investigation is preparation. This phase involves assembling a team of experts, defining the scope of the investigation, and acquiring the legal authority to proceed, such as search warrants or subpoenas.

Investigators must always identify relevant digital evidence by locating devices or systems that may contain information related to the crime. This includes computers, smartphones, servers, and cloud storage services.

Once potential evidence is identified, it is crucial to preserve its integrity. Most importantly, investigators should secure the crime scene and establish a chain of custody for anything taken from the suspect, especially if further analysis is required. For digital evidence, this involves creating bit-for-bit copies of the evidence (forensic imaging), recording cryptographic hashes of the original and the image so that any later alteration can be detected, and securing the original devices or data against unauthorized access or alteration.
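The imaging-and-verification step described above, as an added example that is not part of the original module: the "device" is an in-memory byte string constructed here to stand in for a seized drive, and the case, item and examiner identifiers are placeholders. It images the device, hashes the source and the image independently, writes a chain-of-custody entry, and then shows that a one-bit change to the image is caught on re-verification.

```python
"""Forensic imaging with hash verification and a chain-of-custody record.

Added example (not the module's own material). The 'device' is a constructed
byte string; a real acquisition would read the block device through a
hardware write blocker. Case/item/examiner values are placeholders.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 4096

# Constructed stand-in for a seized storage device's raw contents.
EVIDENCE_DEVICE = (b"FAKEFS\x00\x01" + b"invoice_2021.xlsx" + b"\x00" * 500
                   + b"deleted: chat_log.txt" + b"\xff" * 300)


def sha256_stream(fobj):
    """Hash a file-like object from byte 0 to EOF in fixed-size chunks."""
    h = hashlib.sha256()
    fobj.seek(0)
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def image_device(source, dest):
    """Bit-for-bit copy of source into dest.

    The source is hashed as it is read and the finished image is hashed
    separately afterwards, so the two digests come from independent reads:
    a match shows the image faithfully reproduces what the device returned.
    """
    src_hash = hashlib.sha256()
    source.seek(0)
    dest.seek(0)
    dest.truncate()
    copied = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        src_hash.update(chunk)
        dest.write(chunk)
        copied += len(chunk)
    dest.flush()
    return {
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_stream(dest),
    }


def verify_image(image, expected_sha256):
    """Re-hash an image later (before analysis, or at a custody transfer)
    and compare against the digest recorded at acquisition."""
    return sha256_stream(image) == expected_sha256


def custody_record(case_id, item_id, examiner, acquisition):
    """One chain-of-custody entry; the identifiers are placeholders."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": acquisition["bytes_copied"],
        "sha256": acquisition["image_sha256"],
        "hash_match": acquisition["source_sha256"] == acquisition["image_sha256"],
    }


def tamper(image_bytes, offset=8):
    """Flip one bit in a copy of the image, simulating an alteration."""
    altered = bytearray(image_bytes)
    altered[offset] ^= 0x01
    return bytes(altered)


def run_demo():
    """Image the constructed device, record custody, verify, then show that
    a tampered copy fails verification against the recorded hash."""
    device = io.BytesIO(EVIDENCE_DEVICE)
    image = io.BytesIO()
    acq = image_device(device, image)
    record = custody_record("CASE-0000", "ITEM-01", "Examiner A", acq)
    intact = verify_image(image, record["sha256"])
    altered = verify_image(io.BytesIO(tamper(image.getvalue())), record["sha256"])
    return {"record": record, "intact_verified": intact, "altered_verified": altered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The recorded digest is what later examiners and the court compare against; any analysis is performed on the verified image (or a working copy of it), never on the original device. Practitioners commonly record more than one digest (for example MD5 alongside SHA-256) so the image can be checked with whatever tool the receiving party uses.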

Once a bit-for-bit image of the suspect’s device has been created and verified, the analysis phase begins. Analysis is performed on the image, never on the original, and involves examining the collected digital evidence in detail to uncover relevant data: reviewing files, analyzing system logs, decrypting encrypted data, and reconstructing the sequence of events that occurred.

As with all activities throughout the criminal justice system, document, document, document. Every step of the investigation is thoroughly documented, including the methods used to collect and analyze the evidence. This ensures the process is transparent and the evidence is admissible in court.

Once the forensic analysis is complete, it is time to enter the final phase. The final phase involves presenting the findings of the investigation to relevant stakeholders, which may include law enforcement agencies, legal teams, or courtrooms. The evidence and analysis are compiled into a comprehensive report that supports or refutes the hypotheses about the crime.

Throughout the investigation, it’s essential to adhere to principles of digital forensics, including maintaining a chain of custody for evidence and ensuring the use of validated tools and methodologies. This process not only aids in solving digital crimes but also in building a case that can withstand legal scrutiny.

Key Terms/Concepts

Chain of custody
Computer forensic analyst
Computer systems
Corporate security investigators
Digital analysts
First responder
Investigators
Multiple-scene crime
Network crime scene
Single-scene crime
Trace evidence

Read, Review, Watch and Listen

  1. Watch the International Association of Chiefs of Police (IACP) Law Enforcement Cyber Center video, also embedded below.
  2. Review the IACP Law Enforcement Cyber Center’s overview of Cybercrime Investigations.
  3. Read New Approaches to Digital Evidence Acquisition and Analysis (U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, 2018).
  4. Review Best Practices for Seizing Electronic Evidence: A Pocket Guide for First Responders, v3 (US DHS / US Secret Service, 2010).
  5. Watch and learn about the High Technology Crime Investigation Association (HTCIA).
  6. Watch and learn about the most recent activities of the International Association of Computer Investigative Specialists (IACIS).

Activity

Students should review the course syllabus to determine the assignment of this activity.

This is a copy of the module’s activity that students find within Blackboard. For that reason, refer to the Activities page to submit your work for review.

Purpose

The purpose of this activity is to introduce the basics of cybercrime investigation and explore similarities and differences between traditional and computer crime investigations.

Overview

Computer crime investigations are almost all “traditional crimes committed in a non-traditional way.” Therefore, established investigative techniques and methods are used during an investigation. Although some digital investigation techniques require specialized skills, most do not exceed those of an average computer user. Investigators must remember that applying traditional policing skills to the case is crucial.

Instructions

  1. Review the attached Federal Bureau of Investigation (FBI) Law Enforcement Cyber Incident Reporting resource.
  2. Watch Digital Forensic Science’s Basics of Cybercrime Investigation:

Answer the following questions:

  • Explain how cybercrime investigations are like traditional investigations.
  • Describe what is required for two or more computers to communicate.
  • Explain why it is difficult to associate an IP address with a single person.

Key Terms/Concepts

Computer Crime Investigation is the process of identifying, recovering, and analyzing digital data for evidence of a crime.

TCP/IP, in full Transmission Control Protocol/Internet Protocol, is the standard suite of Internet communications protocols that allows computers to communicate with one another across networks, including over long distances.

IP address is a numerical label assigned to each device that uses the Internet Protocol to communicate over a network. A public IP address identifies a network connection rather than a person: one address may be shared by many devices behind a router, and it may be reassigned to a different subscriber over time.

Internet Service Provider (ISP) is a company that provides Internet connections and services to individuals and organizations.

Refer to the course learning management system (LMS); that is Blackboard (BB), for the correct due date. In addition, submit your work via BB for grading.


Discussion Questions

  1. How does the initial preparation phase, including the assembly of a team of experts and the acquisition of legal authority such as search warrants or subpoenas, impact the overall success and legality of a digital crime investigation?
  2. Considering the vast array of devices and systems that can store digital evidence (e.g., computers, smartphones, servers, cloud storage), what challenges do investigators face in identifying relevant evidence, and how do these challenges affect the scope and direction of the investigation?
  3. Discuss the importance of securing the crime scene and establishing a chain of custody for digital evidence. How does the process of forensic imaging and securing original devices against unauthorized access ensure the integrity and admissibility of evidence in court?
  4. What are the major challenges investigators encounter during the analysis phase of digital evidence, especially with tasks like decrypting encrypted data and reconstructing events? How do these challenges influence the outcomes of digital crime investigations?
  5. How critical is the documentation of each step in the investigation for the transparency and admissibility of evidence in court? Additionally, discuss the importance of presenting findings to stakeholders and the impact of a well-compiled report on the hypotheses about the crime.

Supplemental Readings

Read, Review, Watch and Listen to all listed materials by the due date listed within the course LMS site.



License


Computers and Criminal Justice Copyright © 2021 by Eric R. Ramirez-Thompson, PhD is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
