General Investigation Methods: Organization, Open Source, Records, and Email

This chapter is primarily for:

  • • Everyone
  • • Any investigator wanting to use the information available to all of us on the Internet
  • • Any investigator getting and analyzing records or email evidence
  • • Any investigator gathering evidence that might be used in litigation.


In this chapter, we cover some of the key investigative methods involved in conducting a cybercrime investigation that are applicable for investigators in all sectors.

The first part of the chapter looks at tools and techniques investigators can use to manage the flow of cybercrime evidence effectively. Part of the process includes anticipating that evidence might be used in a court proceeding, and taking steps to ensure its admissibility. It is hard to look for clues if the evidence is not collected and organized in a sensible way. And discovering clues is no good unless investigators can find them later in the pile of evidence. As investigators document and report on the unfolding investigation, being able to write clearly and logically about suspects, victims, accounts, and criminal activity greatly increases the efficiency of the investigation.

We then discuss three aspects of investigation that are important to most cybercrime cases: open source investigation, records evidence, and email evidence. These sections focus on finding and preserving information that is openly available online, organizing and analyzing records of Internet and financial activity, and locating valuable evidence within both individual email headers and large volumes of email evidence.

Finally, we turn to methods investigators can use throughout an investigation to take advantage of existing cybercrime intelligence, while also building and sharing intelligence from their own cases. Working cybercrime cases one at a time without the benefit of intelligence resources is a tough proposition.

Cybercrime Investigation: The Cyclical Process of Building Evidence

As with traditional criminal cases, a cybercrime investigation is a continuous process of searching for evidence and leads. But unlike traditional street crime investigations, even a simple cybercrime case typically involves piecing together clues from a variety of sources, including records evidence from Internet service companies and financial institutions. More complex cases require investigators to build a web of circumstantial evidence with many strands, each comprised of multiple evidentiary links. The strength of this web depends upon each and every link.

These qualities mean a cybercrime investigation is a detail-oriented process that requires organization and continuity. While great technical skills are wonderful resources and may be needed at some stages of a cyber case, the primary qualifications of a good cybercrime investigator are a desire to get to the bottom of the crime and a willingness to follow the trail wherever it leads. Investigators of any background who are good analytical thinkers, clear writers, and determined sleuths are tremendous assets to these cases.

The Cyclical Process. Finding evidence in a cybercrime investigation is best thought of as a cyclical, iterative process. Many investigations of traditional crime are essentially linear. One piece of evidence leads directly to another in a relatively straight line to an identified suspect and the legal basis for an arrest. Cybercrime investigations, on the other hand, often start with little concrete information about the criminal or even the crime. One small clue - such as a piece of information found online or in a set of records - leads to another clue, which prompts another online search or a subpoena for another set of records, and so on. As each clue is reviewed and analyzed, additional leads are generated and followed until enough rounds of evidence-gathering have occurred to develop an identifiable suspect and proof of his crimes. Figure 11.1 illustrates this process.

To conduct a data and records-based investigation efficiently, investigators need a method for organizing and following leads. Such a system can evaluate the case at the present time, what leads are available to be pursued, how to prioritize those leads, and what steps should be taken for follow-up.

Of course, an investigation exists within the context of finite resources. Rarely does any investigation receive all of the resources needed to follow every single lead. Public resources are limited, and private sector investigations cost money, whether through internal personnel time and resources or outside contractors who may charge by the hour or project.

The Cyclical Investigative Process

FIGURE 11.1 The Cyclical Investigative Process.

As new information is learned - through results of a witness interview, subpoenaed records from a communications provider or other private entity, or analysis of evidence - it needs to be incorporated into the investigation, to see what assistance it provides, and what additional leads are revealed.

Time Sensitivity. This cyclical, iterative process takes time, a significant issue for investigators because certain evidence becomes harder to obtain as time goes by.

Some of the time-sensitive evidence commonly important to a cybercrime investigation includes:

  • • Witness recollection
  • • Data within a computer’s volatile memory (see Chapter 3)
  • • Data stored in a computer’s fixed (persistent) memory (see Chapter 3)
  • • Records of Internet service providers and communications companies (before they are purged)
  • • Security video recordings from relevant retailers or government-operated cameras
  • • Fingerprints or DNA when devices or other physical evidence are obtained.

With few exceptions, evidence and leads are best obtained shortly after the event. That said, life rarely follows best practices. Investigators will find themselves trying to obtain evidence, wishing it had been done long before. Lawyers will prepare for a hearing or trial, wishing certain evidence had been obtained during the investigation.

< Prev   CONTENTS   Source   Next >