Cyber Crime Investigation Basics


The investigation of any crime involves the painstaking collection of clues and forensic evidence with close attention to detail. These methods are even more important in white-collar crimes, where documentary evidence plays a crucial role.

Cyber crime investigation requires extensive research and highly specialized skills, and follows a series of investigation phases and analysis techniques. In the first phase, the investigator performs a preliminary analysis and gathers all the initial information he or she can from the scene of the crime. Next, the investigator works on image acquisition and recovery, extracting the details of all the images and documents recovered from the scene. Finally, the investigator performs a detailed analysis and prepares a final report for presentation in court.

Cyber crime investigation involves two stages: data retrieval and data investigation.

Data retrieval

Internet based – If the case is internet based, finding the internet protocol (IP) addresses involved is your first step in the investigation. An IP address consists of numbers and letters, and that series is attached to any data moving through the internet. To obtain the records behind an IP address from some Internet Service Providers (ISPs), you will need a subpoena, warrant, or court order compelling the company to release the information. The records associated with an IP address provide:

  • who owns and operates the network address,
  • associated domain name/ computer name,
  • geolocation,
  • email addresses, and
  • local service provider identifier.

ISPs operate on a subscription basis, and they keep records of what their subscribers do while on the internet. The length of time ISPs retain subscriber data varies, so the investigation must move quickly. As the investigator, you can make a formal request that the ISP preserve the data in question while a subpoena, warrant, or court order requiring the records is obtained. Even with such a preservation letter, ISPs are not legally obligated to preserve the data for law enforcement.

Device based – If possible, place the device in a Faraday bag before turning it on and examining it. If a Faraday bag is not available, put the device into airplane mode; this will prevent any reception or remote communication.

A copy of the original data is needed before its contents are investigated. Working from a copy prevents contamination of the evidence. Cell phones and other wireless devices should be examined in an isolated environment where they cannot connect to networks, the internet, or other systems.

Data Investigation

To begin investigating the data, you will need to write-protect (lock) the copy you made. This lock lets you manipulate and view the data without making permanent changes. Once you have identified the make and model of the device in hand, select the extraction software best suited to analyzing the data, or the one that lets the investigator view as much data as possible. (List of data extraction software found below)
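The two safeguards above (work only from a copy, and keep that copy from changing) are usually enforced with hardware or OS-level write blockers, but the check that proves they held is a cryptographic hash recorded at acquisition. The following is an added example, not code from the original tutorial: it copies a constructed sample evidence file, verifies the copy is bit-identical to the untouched original, records a custody entry, and later detects an accidental write to the working copy. File names and the sample content are assumptions for illustration.

```python
"""Acquire a working copy of an evidence file and prove it still matches the original."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence"; a real case would use a disk or phone image.
SAMPLE_EVIDENCE = b"CONSTRUCTED SAMPLE: chat export 2024-01-01 user=alice msg=hello\n"


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_working_copy(original, workdir):
    """Copy the original, hash both sides, and return a custody record."""
    hash_before = sha256_file(original)
    copy = os.path.join(workdir, os.path.basename(original) + ".working")
    shutil.copyfile(original, copy)
    # Acquisition must leave the original unchanged and the copy bit-identical.
    if not (hash_before == sha256_file(original) == sha256_file(copy)):
        raise RuntimeError("acquisition failed: hashes differ")
    return {"original": original, "copy": copy, "sha256": hash_before,
            "acquired_utc": datetime.now(timezone.utc).isoformat()}


def verify_integrity(record):
    """Re-hash the working copy; False means something altered it since acquisition."""
    return sha256_file(record["copy"]) == record["sha256"]


def demo():
    """Acquire the constructed sample, then show that a stray write is caught."""
    workdir = tempfile.mkdtemp(prefix="case-")
    original = os.path.join(workdir, "evidence.bin")
    with open(original, "wb") as f:
        f.write(SAMPLE_EVIDENCE)
    record = acquire_working_copy(original, workdir)
    clean = verify_integrity(record)          # True: copy untouched
    with open(record["copy"], "ab") as f:     # simulate an accidental write
        f.write(b"oops")
    tampered = verify_integrity(record)       # False: copy no longer matches
    return record, clean, tampered
```

In practice the hash in the custody record is also computed against the sealed original device image at the end of the examination, so the court can see that neither side was altered.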

Once the data has been extracted, send the device to your evidence department, as it may contain traces of DNA, fingerprints, or other physical evidence.

While the physical device is with the evidence department, the investigator should run the software to view all files on the drive; the software should display any data areas that might otherwise be hidden or partially deleted. Information on the suspect’s participation in internet chat rooms, instant messages, emails, websites, apps, and networks will become available. The software will also assist your investigation by providing information such as:

  • Time stamps,
  • Images,
  • Text documents,
  • GPS locations, and
  • Other encrypted data.
