The Wiretap Phase: Special Cases Using Live Monitoring of Targets’ Communications
A few investigations will proceed to the point where investigators contemplate a wiretap order, the legal tool for monitoring a suspect’s live communications. Live information is helpful when investigators have reached the stage in which they believe a crime is about to be committed, seek to locate a known suspect, or need to defeat security measures. At this point, the investigation likely has identified key phone and Internet accounts used by criminal actors on an ongoing basis in connection with criminal activity.
Using a pen/trap. Investigators considering a wiretap typically obtain pen/trap orders first. A pen/trap (especially with location data) provides valuable real-time information about a target’s activity, movement, and associates, helping the investigation prepare for a wiretap. If gathering evidence from a pen/trap does not lead to the arrest of the target, it helps satisfy a wiretap’s exhaustion requirement as an investigative method that was tried and failed.
Using a wiretap. Wiretap evidence is some of the most productive and compelling evidence of criminal activity. Investigators can see or hear, in real time, exactly what a target is planning, admitting to, and conspiring with associates. Wiretaps are also extremely difficult to use. Even after the extensive application process, implementing a wiretap requires numerous other steps, including setting up the wiretap with the service provider, establishing a physical facility with the technical equipment to monitor the wire, providing sufficient staffing to conduct 24/7 monitoring, establishing training procedures for the monitoring investigators, and reporting regularly about the wiretap’s activity to the court. At the conclusion, investigators must notify all individuals whose communications were intercepted and provide recordings of all monitored communications to the court.
Investigative Strategies - when investigators are working on wiretaps, some strategies might include:
1. Wiretapping voice conversations: minimization and amendment. When conducting the wiretap monitoring of communications, law enforcement agents must establish procedures that “minimize” the interception to only the information approved by the court order. In other words, if the wiretap order is to monitor a cellphone for activity related to identity theft, then the agents listening to the calls must have a procedure to check for that information without needlessly listening to calls about other topics. If an agent is listening to a call and happens upon information about different crimes, the wiretap application must be amended and re-authorized by the court to allow for interceptions related to this new crime. The same procedures must be implemented for email and other text-based wiretaps.
2. Wiretapping written communications versus voice communications. In some cyber cases, using a wiretap solely for written (text) communications (such as emails or text messages) has fewer technical and practical demands than a wiretap for voice communications. When the monitoring involves only reading messages as they come through, fewer investigators are required, even with multiple intercepted accounts. In addition, the goals for a text wiretap may be different than for voice interceptions. A text wiretap can gain evidence and perhaps identify a cybercriminal, but may not be needed to coordinate surveillance or other real-time investigative activities. Thus, 24/7 monitoring may not be required, and leads can be pursued at a pace more amenable to the regular schedules of investigators.
Traditional Shoe Leather Techniques
The tried and true investigative techniques used for all types of crimes are also needed in cybercrime investigations, and are especially useful at the beginning of a cyber case. When first reported, a cybercrime often involves a live person and/or a physical device that has information about a crime. After assessing the initial evidence, cyber investigators often will conduct interviews, crime scene evaluation and searches - in other words, the traditional methods that are universally applicable.
Beyond the initial stages, there can be many points along the course of a cyber investigation that require investigators to get out from behind the computer screen and use traditional “shoe leather” investigative methods. Some of the traditional techniques that are used frequently in cyber investigations are:
- Victim or witness interviews
- Recovery of computing devices as evidence
- Recovery and review of security videotape or other surveillance video
- Recovery of stolen/forged credit cards and fraudulently purchased property
- Surveillance of locations and suspects.
Investigation Skills in a Cybercrime Investigation
The lead DA’s investigator on the Western Express case always made clear that technology was not his forte, but nevertheless he was an experienced and dogged investigator in all respects and he wore down a lot of shoe leather during the investigation. New York City-based cybercriminals and identity thieves were using mail drops and Internet cafes around the area. One of the investigator’s roles was to visit those locations and gather evidence about the suspects’ activities. He interviewed the managers and attendants and, through the personal connections he made, was able to obtain leads that helped identify suspects and further the investigation. He also did all the important things that investigators do to build a case, including surveillance and coordinating search warrants and arrest.
Simply put, investigative skills and people skills are as essential to a cybercrime investigation as any technological expertise.