Cybercrime Investigators Handbook

The investigator?s practical guide for cybercrime evidence identification and collection

Cyber attacks perpetrated against businesses, governments, organizations, and individuals have been occurring for decades. Many attacks are discovered only after the data has been exploited or sold on the criminal markets. Cyber attacks damage both the finances and reputations of businesses and cause damage to the ultimate victims of the crime. From the perspective of the criminal, the current state of inconsistent security policies and lax investigative procedures is a profitable and low-risk opportunity for cyber attacks. They can cause immense harm to individuals or businesses online and make large sums of money?safe in the knowledge that the victim will rarely report the matter to the police. For those tasked with probing such crimes in the field, information on investigative methodology is scarce. The Cybercrime Investigators Handbook is an innovative guide that approaches cybercrime investigation from the field-practitioner?s perspective.

While there are high-quality manuals for conducting digital examinations on a device or network that has been hacked, the Cybercrime Investigators Handbook is the first guide on how to commence an investigation from the location the offence occurred?the scene of the cybercrime?and collect the evidence necessary to locate and prosecute the offender. This valuable contribution to the field teaches readers to locate, lawfully seize, preserve, examine, interpret, and manage the technical evidence that is vital for effective cybercrime investigation.

• Fills the need for a field manual for front-line cybercrime investigators
• Provides practical guidance with clear, easy-to-understand language
• Approaches cybercrime form the perspective of the field practitioner
• Helps companies comply with new GDPR guidelines
• Offers expert advice from a law enforcement professional who specializes in cybercrime investigation and IT security

Cybercrime Investigators Handbook is much-needed resource for law enforcement and cybercrime investigators, CFOs, IT auditors, fraud investigators, and other practitioners in related areas.

List of Figures xi

About the Author xiii

Foreword xv

Acknowledgments xvii

Chapter 1: Introduction 1

Chapter 2: Cybercrime Offenses 9

Potential Cybercrime Offenses 11

Cybercrime Case Study 26

Notes 26

Chapter 3: Motivations of the Attacker 29

Common Motivators 30

Cybercrime Case Study I 33

Cybercrime Case Study II 34

Note 35

Chapter 4: Determining That a Cybercrime is Being Committed 37

Cyber Incident Alerts 38

Attack Methodologies 41

Cybercrime Case Study I 44

Cybercrime Case Study II 44

Notes 45

Chapter 5: Commencing a Cybercrime Investigation 47

Why Investigate a Cybercrime? 47

The Cyber Investigator 48

Management Support 48

Is There a Responsibility to Try to Get the Data Back? 50

Cybercrime Case Study 51

Notes 52

Chapter 6: Legal Considerations When Planning an Investigation 53

Role of the Law in a Digital Crimes Investigation 54

Protecting Digital Evidence 55

Preservation of the Chain of Custody 56

Protection of Evidence 59

Legal Implications of Digital Evidence Collection 60

Cybercrime Case Study 63

Note 63

Chapter 7: Initial Meeting with the Complainant 65

Initial Discussion 65

Complainant Details 68

Event Details 68

Cyber Security History 69

Scene Details 70

Identifying Offenses 71

Identifying Witnesses 71

Identifying Suspects 71

Identifying the Modus Operandi of Attack 72

Evidence: Technical 73

Evidence: Other 74

Cybercrime Case Study 74

Chapter 8: Containing and Remediating the Cyber Security Incident 77

Containing the Cyber Security Incident 77

Eradicating the Cyber Security Incident 80

Note 82

Chapter 9: Challenges in Cyber Security Incident Investigations 83

Unique Challenges 84

Cybercrime Case Study 91

Chapter 10: Investigating the Cybercrime Scene 93

The Investigation Team 96

Resources Required 101

Availability and Management of Evidence 104

Technical Items 105

Scene Investigation 123

What Could Possibly Go Wrong? 152

Cybercrime Case Study I 155

Cybercrime Case Study II 156

Notes 158

Chapter 11: Log File Identification, Preservation, Collection, and Acquisition 159

Log Challenges 160

Logs as Evidence 161

Types of Logs 162

Cybercrime Case Study 164

Notes 165

Chapter 12: Identifying, Seizing, and Preserving Evidence from Cloud-Computing Platforms 167

What is Cloud Computing? 167

What is the Relevance to the Investigator? 172

The Attraction of Cloud Computing for the Cybercriminal 173

Where is Your Digital Evidence Located? 174

Lawful Seizure of Cloud Digital Evidence 175

Preservation of Cloud Digital Evidence 177

Forensic Investigations of Cloud-Computing Servers 178

Remote Forensic Examinations 182

Cloud Barriers to a Successful Investigation 196

Suggested Tips to Assist Your Cloud-Based Investigation 203

Cloud-Computing Investigation Framework 206

Cybercrime Case Study 219

Notes 221

Chapter 13: Identifying, Seizing, and Preserving Evidence from Internet of Things Devices 225

What is the Internet of Things? 225

What is the Relevance to Your Investigation? 226

Where is Your Internet of Things Digital Evidence Located? 228

Lawful Seizure of Internet of Things Evidence 228

Notes 229

Chapter 14: Open Source Evidence 231

The Value of Open Source Evidence 231

Examples of Open Source Evidence 233

Note 236

Chapter 15: The Dark Web 237

Crime and the Dark Web 238

Notes 242

Chapter 16: Interviewing Witnesses and Suspects 243

Suspect Interviews 245

Witness Interviews 246

Preparing for an Interview 247

The Interview Process 250

Closing the Interview 254

Review of the Interview 254

Preparation of Brief for Referral to Police 255

Chapter 17: Review of Evidence 257

Chapter 18: Producing Evidence for Court 265

Digital Evidence and Its Admissibility 267

Preparing for Court 268

Chapter 19: Conclusion 273

Glossary 277

Index 283

DR. GRAEME EDWARDS,CFE, has been a cybercrime investigator with the Queensland Police Service Financial and Cyber Crime Group and has worked on numerous successful criminal investigations involving local and international jurisdictions. He facilitated the creation of the Victims of Financial Crimes Support Group to support those suffering losses associated with financial or cybercrime. Graeme is an experienced conference speaker and cybercrime investigation educator, provider of training in a corporate environment and conducts post investigation analysis. He has a Doctorate of Information Technology focusing on computer security, computer networking, and cloud computing investigation strategies.