The investigator’s practical guide for cybercrime evidence identification and collection
Cyber attacks perpetrated against businesses, governments, organizations, and individuals have been occurring for decades. Many attacks are discovered only after the data has been exploited or sold on the criminal markets. Cyber attacks damage both the finances and reputations of businesses and cause damage to the ultimate victims of the crime. From the perspective of the criminal, the current state of inconsistent security policies and lax investigative procedures is a profitable and low-risk opportunity for cyber attacks. They can cause immense harm to individuals or businesses online and make large sums of money - safe in the knowledge that the victim will rarely report the matter to the police. For those tasked with probing such crimes in the field, information on investigative methodology is scarce. The Cybercrime Investigators Handbook is an innovative guide that approaches cybercrime investigation from the field-practitioner’s perspective.
While there are high-quality manuals for conducting digital examinations on a device or network that has been hacked, the Cybercrime Investigators Handbook is the first guide on how to commence an investigation from the location the offence occurred - the scene of the cybercrime - and collect the evidence necessary to locate and prosecute the offender. This valuable contribution to the field teaches readers to locate, lawfully seize, preserve, examine, interpret, and manage the technical evidence that is vital for effective cybercrime investigation.
- Fills the need for a field manual for front-line cybercrime investigators
- Provides practical guidance with clear, easy-to-understand language
- Approaches cybercrime form the perspective of the field practitioner
- Helps companies comply with new GDPR guidelines
- Offers expert advice from a law enforcement professional who specializes in cybercrime investigation and IT security
Cybercrime Investigators Handbook is much-needed resource for law enforcement and cybercrime investigators, CFOs, IT auditors, fraud investigators, and other practitioners in related areas.
Table of Contents
List of Figures xi
About the Author xiii
Foreword xv
Acknowledgments xvii
Chapter 1: Introduction 1
Chapter 2: Cybercrime Offenses 9
Potential Cybercrime Offenses 11
Cybercrime Case Study 26
Notes 26
Chapter 3: Motivations of the Attacker 29
Common Motivators 30
Cybercrime Case Study I 33
Cybercrime Case Study II 34
Note 35
Chapter 4: Determining That a Cybercrime is Being Committed 37
Cyber Incident Alerts 38
Attack Methodologies 41
Cybercrime Case Study I 44
Cybercrime Case Study II 44
Notes 45
Chapter 5: Commencing a Cybercrime Investigation 47
Why Investigate a Cybercrime? 47
The Cyber Investigator 48
Management Support 48
Is There a Responsibility to Try to Get the Data Back? 50
Cybercrime Case Study 51
Notes 52
Chapter 6: Legal Considerations When Planning an Investigation 53
Role of the Law in a Digital Crimes Investigation 54
Protecting Digital Evidence 55
Preservation of the Chain of Custody 56
Protection of Evidence 59
Legal Implications of Digital Evidence Collection 60
Cybercrime Case Study 63
Note 63
Chapter 7: Initial Meeting with the Complainant 65
Initial Discussion 65
Complainant Details 68
Event Details 68
Cyber Security History 69
Scene Details 70
Identifying Offenses 71
Identifying Witnesses 71
Identifying Suspects 71
Identifying the Modus Operandi of Attack 72
Evidence: Technical 73
Evidence: Other 74
Cybercrime Case Study 74
Chapter 8: Containing and Remediating the Cyber Security Incident 77
Containing the Cyber Security Incident 77
Eradicating the Cyber Security Incident 80
Note 82
Chapter 9: Challenges in Cyber Security Incident Investigations 83
Unique Challenges 84
Cybercrime Case Study 91
Chapter 10: Investigating the Cybercrime Scene 93
The Investigation Team 96
Resources Required 101
Availability and Management of Evidence 104
Technical Items 105
Scene Investigation 123
What Could Possibly Go Wrong? 152
Cybercrime Case Study I 155
Cybercrime Case Study II 156
Notes 158
Chapter 11: Log File Identification, Preservation, Collection, and Acquisition 159
Log Challenges 160
Logs as Evidence 161
Types of Logs 162
Cybercrime Case Study 164
Notes 165
Chapter 12: Identifying, Seizing, and Preserving Evidence from Cloud-Computing Platforms 167
What is Cloud Computing? 167
What is the Relevance to the Investigator? 172
The Attraction of Cloud Computing for the Cybercriminal 173
Where is Your Digital Evidence Located? 174
Lawful Seizure of Cloud Digital Evidence 175
Preservation of Cloud Digital Evidence 177
Forensic Investigations of Cloud-Computing Servers 178
Remote Forensic Examinations 182
Cloud Barriers to a Successful Investigation 196
Suggested Tips to Assist Your Cloud-Based Investigation 203
Cloud-Computing Investigation Framework 206
Cybercrime Case Study 219
Notes 221
Chapter 13: Identifying, Seizing, and Preserving Evidence from Internet of Things Devices 225
What is the Internet of Things? 225
What is the Relevance to Your Investigation? 226
Where is Your Internet of Things Digital Evidence Located? 228
Lawful Seizure of Internet of Things Evidence 228
Notes 229
Chapter 14: Open Source Evidence 231
The Value of Open Source Evidence 231
Examples of Open Source Evidence 233
Note 236
Chapter 15: The Dark Web 237
Crime and the Dark Web 238
Notes 242
Chapter 16: Interviewing Witnesses and Suspects 243
Suspect Interviews 245
Witness Interviews 246
Preparing for an Interview 247
The Interview Process 250
Closing the Interview 254
Review of the Interview 254
Preparation of Brief for Referral to Police 255
Chapter 17: Review of Evidence 257
Chapter 18: Producing Evidence for Court 265
Digital Evidence and Its Admissibility 267
Preparing for Court 268
Chapter 19: Conclusion 273
Glossary 277
Index 283
