Cybercrime Investigators Handbook
eBook - ePub

About this book

The investigator's practical guide for cybercrime evidence identification and collection

Cyber attacks perpetrated against businesses, governments, organizations, and individuals have been occurring for decades. Many attacks are discovered only after the data has been exploited or sold on the criminal markets. Cyber attacks damage both the finances and reputations of businesses and cause damage to the ultimate victims of the crime. From the perspective of the criminal, the current state of inconsistent security policies and lax investigative procedures is a profitable and low-risk opportunity for cyber attacks. They can cause immense harm to individuals or businesses online and make large sums of money—safe in the knowledge that the victim will rarely report the matter to the police. For those tasked with probing such crimes in the field, information on investigative methodology is scarce. The Cybercrime Investigators Handbook is an innovative guide that approaches cybercrime investigation from the field-practitioner's perspective.

While there are high-quality manuals for conducting digital examinations on a device or network that has been hacked, the Cybercrime Investigators Handbook is the first guide on how to commence an investigation from the location the offence occurred—the scene of the cybercrime—and collect the evidence necessary to locate and prosecute the offender. This valuable contribution to the field teaches readers to locate, lawfully seize, preserve, examine, interpret, and manage the technical evidence that is vital for effective cybercrime investigation.

  • Fills the need for a field manual for front-line cybercrime investigators
  • Provides practical guidance with clear, easy-to-understand language
  • Approaches cybercrime from the perspective of the field practitioner
  • Helps companies comply with new GDPR guidelines
  • Offers expert advice from a law enforcement professional who specializes in cybercrime investigation and IT security

Cybercrime Investigators Handbook is a much-needed resource for law enforcement and cybercrime investigators, CFOs, IT auditors, fraud investigators, and other practitioners in related areas.

Cybercrime Investigators Handbook, by Graeme Edwards, is available in PDF and ePUB format and is catalogued under Computer Science & Cyber Security.

Information

Publisher: Wiley
Year: 2019
Print ISBN: 9781119596288
eBook ISBN: 9781119596301

CHAPTER 1
Introduction

Cyber-attacks against businesses and individuals have been occurring for decades. Many have been so successful that the victims never discovered them on their own; the breach was identified only when the stolen data was being exploited or sold on criminal markets. Cyber-attacks damage the finances and reputation of a business and cause significant harm to those whose data has been stolen and exploited.
From the criminal's perspective, the current cyber environment effectively gives them a free pass when attacking a target. They can do whatever they like to an individual or business online, cause immense damage of a professional or personal nature, and make large sums of money, safe in the knowledge that the complainant will rarely report the matter to police. This is a strange anomaly of cybercrime: a company can have millions of dollars of intellectual property (IP) stolen, along with all the personally identifying information (PII) of its staff and clients, and yet reporting the matter to police or investigating who is behind the attack is rarely considered, let alone undertaken, unless local legislation forces it. Consequently, there is little to no downside to being a cybercriminal. They operate on a high-financial-return, low-risk model.
Due to the high volume and complexity of cyber-attacks, a victim who decides to refer a complaint to police cannot always rely on police being available to undertake an investigation and locate the offender. Police resources are stretched, and skilled cyber investigators in law enforcement are few and overworked. Organizations subject to a cyber-attack that wish to find out who is behind it will therefore need to hire an experienced cyber investigator (scarce and very expensive) or investigate the matter themselves. Alternatively, they will conduct no investigation at all and instead focus on improving security.
Victims decide not to investigate a cybercrime for many reasons, including the time and money an investigation consumes, the diversion of the business's focus to the investigation, the internal disruption it causes, and the reputational harm when the community learns that the company's security has been breached and the data entrusted to it stolen. At the same time, directors would not look forward to standing before a public annual general meeting to explain to shareholders that all the company data was stolen on their watch and that they made no effort to recover it or identify who took it.
To the members of an incident response (IR) team or the cyber investigator, responding to an attack is often an inexact science as the attackers' motives and skill levels vary. Whereas an attack against a single desktop computer may be easily contained and investigated, an attack against a complete distributed corporate network will require significant resources and an experienced response team to protect the company, their data, and clients. As the attack methodologies vary, the investigation strategy will not necessarily follow the exact same path each time.
Investigating a cyber-attack may be a critical part of the continuation of the business. When the attack is discovered, a mixture of panic, stress, anxiety, and fear is seen among staff, and those tasked to mitigate and eradicate the attack may feel the future of the company rests upon their shoulders. Many employees will be concerned as to their personal future, as they will be familiar with the many stories of businesses hit by a cyber-attack that no longer exist six months later. Staff members of the organization being interviewed as a part of the incident response may also feel that they are being held responsible and that the interview is a method of laying blame at their feet.
So why conduct an investigation and gather evidence? Why should a company investigate the cybercrime and try to track down the offender? As cybercrime proliferates, the community expects those entrusted with its PII to take that responsibility seriously and keep the data secure.
Shareholders of companies who find that the value of their shares and/or dividends is affected by a breach may demand efforts by the company to identify and prosecute the attacker. In the initial aftermath of the attack, there may be the possibility of locating the suspect and the digital property taken and recovering it before it is exploited. It may be argued that the duties and responsibilities of a director include trying to recover the stolen corporate data before it is exploited.
Outside of law enforcement and several large businesses, such as the major accounting companies, there are few options for those who want to have an investigation into a cyber-attack conducted. The IR team may find evidence pointing to a suspect, but it is generally not their job to prepare a case for referral to police or lawyers. A cyber investigator is a very specialized position and is roughly the equivalent of a police detective conducting a criminal investigation, as the rules of evidence the court demands are the same whether you are an experienced detective or a civilian investigator.
The cyber investigator is viewed as the person who is tasked with finding evidence of the person behind the attack, and in some cases preparing a referral to police or commencing a civil prosecution. While many attacks originate from overseas and are hidden behind multiple legal jurisdictions, anonymizers, bots, or other technology, people have their own motivations to commit crimes—and these people may include current or former employees residing within your local jurisdiction.
The role of the cyber investigator is an extension of the digital investigator. For the benefit of this book, the digital investigator is the person who conducts a forensic examination of a device or network and produces a report on the evidence seized and identified.
This book is intended for the person assigned the task of investigating the cyber event with a view to gaining a full understanding of the event and where possible recovering the IP/PII before it is exploited. They may also be tasked with finding evidence to support an action in a tribunal (e.g., employment court) or a potential prosecution in a civil or criminal court should the attacker be identified. It will also be of benefit to the manager/executive/lawyer who is tasked to review an investigation to understand the actions of the investigation team and why certain decisions were made and to gain an understanding of the evidence available from a cybercrime scene and the follow-up investigation. This is not a book that describes how to technically respond to and mitigate a cyber-attack, as there are many books covering this topic in great detail. There are also many courses offered by organizations that teach the many aspects of responding to a cyber-attack from the technical perspective.
Although this book makes some references to material from third parties, it is not intended to be an academic book. This is because much of the material is not from academic literature or web sources, but from the experience of the author as a cybercrime investigator. The major exception to this is Chapter 12, which relies on evidence from the author's doctoral thesis on cybercrime investigation in a cloud-computing environment and where academic references from a literature review are noted. Where explanations are provided, as in the glossary, they are largely kept at a low-level technical definition to allow those new to this field of work to understand the material and its relevance without having to learn a whole new language called technology.
Due to the dynamic nature of evidence, advances in technology, and the evolution of legislation/court decisions, this book is not intended to be an exclusive guide in every legal jurisdiction or to cover every potential cyber event. Where material in this book conflicts in any way with the laws of your jurisdiction, the legal environment(s) you operate in will always take precedence. The book intends, however, to provoke critical thinking among management, IR team managers, and investigators facing a complex legal and technical environment should a suspect be identified and subsequent evidence need to be presented to a tribunal or court.
This book contains many of the steps a cybercrime investigator will undertake, from the initial identification of a cyber event through to considering a prosecution in court. There are many lists of things the investigator may consider. These are not exhaustive lists and are provided to expand the thinking as to what to do, where evidence may reside, and how to legally obtain and manage it. Use this book as a prompt and not as a definitive step-by-step template, as each cyber investigation is different and each jurisdiction has its own legal requirements.
The lists in this book provide a handy point of direction in each stage of the investigation. As you will discover, at each stage there are many things to be done and no one can remember them all every time. So, the lists are provided as a memory prompt of things to consider and apply as the circumstances, legislation in your jurisdiction, and your experience dictate. Not all items in the lists will be relevant in all instances. The explanations are in plain language and technical terms are kept to a minimum to assist your understanding of new concepts.
In Chapter 2 we provide an introduction to the cybercriminal and a series of offenses an investigator may be called upon to investigate. These will vary according to the laws of the jurisdiction(s) you are operating in and terms for the offenses will vary. By gaining an understanding of the cybercriminal and their chosen cybercrimes, we gain an understanding of how the crime was committed and why it was committed in the manner it was, as well as gaining some understanding of the type of identity we are seeking.
Once we understand typical offenses, in Chapter 3 we look at the motivations of the attacker. In some instances, understanding the attacker's motives will provide a strong pointer as to who the offender is, especially in cases of internal offenses. Motivations will vary across the many forms of cyber-attack you will investigate. It is worth understanding the reasons why a criminal attacks a specific target, as this will make great sense to them, even if the motivation seems unusual to the investigator.
In Chapter 4 we will look at examples of the alerts that may be the first indicators of the cyber event, as well as the offender's methodologies. These alerts and methodologies may be evidence in their own right and provide indicators as to the identity of the offender. While an alert will be generated before the investigator is brought in, the evidence from the alert will provide direction for the investigator to use as a platform for their investigation.
In Chapter 5 we will learn the process of commencing a cybercrime investigation. We will discuss the many reasons why an investigation is commenced and introduce who a cyber investigator is. While the common response to a cyber event is to fix the system and prevent an attack from happening again, we also will ask whether there is a responsibility on the part of the data owner to identify the attacker and attempt to get the stolen data back before it is exploited.
Once we have an understanding of offenses, offenders' motivations, initial alerts, and attack methodology, in Chapter 6 we will learn about the role of the law in your investigation. Should an attacker be identified and presented before the court, every aspect of your investigation is subject to critical examination in court by the defendant's lawyers, and your actions and their legality may be as much on trial as the activity of the defendant.
Whether you are conducting a civil or criminal investigation, the complainant will provide direction to the investigation they want from you. They will have information on which to base your investigation as well as the authority to provide the resources you require. In Chapter 7 we will cover the many aspects of your initial meeting with the complainant, including numerous questions you may find relevant to ask them at this meeting.
Chapter 8 provides a general introduction to the role of the digital investigator for the cyber investigator. Although the cyber investigator will not necessarily be involved in the technical aspect of the incident response while the attack is underway, it will be of benefit to them to understand what the IR examiners are doing and the consequences of their actions involving the digital evidence. The cyber investigator will be involved in preserving evidence and in discussion with the digital investigator and IR teams as to the seizure of evidence, including placing a priority on preserving digital evidence, especially that which is most volatile.
The cyber environment provides ...

Table of contents

  1. Cover
  2. Table of Contents
  3. List of Figures
  4. About the Author
  5. Foreword
  6. Acknowledgments
  7. CHAPTER 1: Introduction
  8. CHAPTER 2: Cybercrime Offenses
  9. CHAPTER 3: Motivations of the Attacker
  10. CHAPTER 4: Determining That a Cybercrime Is Being Committed
  11. CHAPTER 5: Commencing a Cybercrime Investigation
  12. CHAPTER 6: Legal Considerations When Planning an Investigation
  13. CHAPTER 7: Initial Meeting with the Complainant
  14. CHAPTER 8: Containing and Remediating the Cyber Security Incident
  15. CHAPTER 9: Challenges in Cyber Security Incident Investigations
  16. CHAPTER 10: Investigating the Cybercrime Scene
  17. CHAPTER 11: Log File Identification, Preservation, Collection, and Acquisition
  18. CHAPTER 12: Identifying, Seizing, and Preserving Evidence from Cloud-Computing Platforms
  19. CHAPTER 13: Identifying, Seizing, and Preserving Evidence from Internet of Things Devices
  20. CHAPTER 14: Open Source Evidence
  21. CHAPTER 15: The Dark Web
  22. CHAPTER 16: Interviewing Witnesses and Suspects
  23. CHAPTER 17: Review of Evidence
  24. CHAPTER 18: Producing Evidence for Court
  25. CHAPTER 19: Conclusion
  26. Glossary
  27. Index
  28. End User License Agreement