Cybercrime Investigations: A Comprehensive Resource for Everyone

Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
About the Authors
Acknowledgments
PART I: Understanding Cybercrime, Computers, and Cybersecurity
	Chapter 1. Introduction: The Need for Good Cybercrime Investigators
		1.1 Why This Book
		1.2 Who Investigates Cybercrime?
		1.3 How This Book Is Organized
		1.4 Keeping It Fun: Anecdotes, Cases, Diagrams, and Cartoons
		1.5 Onward and Upward
	Chapter 2. What Is Cybercrime and Why Is It Committed?
		2.1 Introduction
		2.2 What Makes a “Cyber” Activity a Crime? A Quick Introduction to Cybercrime Offenses
			2.2.1 Computer and Network Intrusions
			2.2.2 Data Breaches, Theft of Data, and Data Trafficking
			2.2.3 Transmission and Use of Malware
			2.2.4 Tampering with or Damaging a Network or System
			2.2.5 Identity Theft and Impersonation
			2.2.6 Theft of Funds and Fraud Schemes
			2.2.7 Blackmail and Extortion
			2.2.8 Money Laundering
			2.2.9 Harassment, Threats, Stalking, and Revenge Porn
			2.2.10 Possessing, Selling, or Sharing Child Pornography
			2.2.11 Trafficking of Physical Contraband
			2.2.12 Gambling
		2.3 Cybercrime vs. Traditional Street Crime: The Differences
			2.3.1 Technology, Internet and Networks
			2.3.2 Distance: The National and International Nexus
			2.3.3 Investigation Rate and Solve Rate
			2.3.4 Connection to a Broad Criminal Ecosystem
		2.4 Motives and Actors
			2.4.1 Profit and Greed
			2.4.2 Personal Attack
			2.4.3 Thrill and Bragging Rights
			2.4.4 Activism
			2.4.5 Corporate Espionage
			2.4.6 Nation-State Objectives
			2.4.7 Terrorism
		2.5 The Cybercrime-For-Profit Economy
			2.5.1 The Connection between Identity Theft and Cybercrime
			2.5.2 The Cybercrime Economy Earns Money and Requires Payments
		2.6 Digital Evidence: The Backbone of Any Cyber Investigation (and Traditional Investigations, Too)
		2.7 Conclusion
	Chapter 3. Introduction to Computers, Networks, and Forensics
		3.1 Introduction
		3.2 How Computers Work
		3.3 Basic Hardware PARTs of Computers
			3.3.1 Case
			3.3.2 Power Source
			3.3.3 Processors (CPUs)
			3.3.4 Memory (Volatile Storage – RAM)
			3.3.5 Persistent Storage (HDD/SSD)
			3.3.6 Communicating with the User: Interfaces for Input and Output
			3.3.7 Communicating with Other Computers (NIC)
			3.3.8 Physical Ports
			3.3.9 Putting the PARTs Together
			3.3.10 External Storage, Servers and More
		3.4 Basic Computer Software Categories
			3.4.1 BIOS/UEFI
			3.4.2 Operating Systems
			3.4.3 Applications
		3.5 Basic Networking and Internet Usage
			3.5.1 Networking Hardware
				3.5.1.1 NIC and MAC Addresses
				3.5.1.2 Cables, Wireless, and Network Switches
				3.5.1.3 Modem
				3.5.1.4 Router
			3.5.2 Networking Communication and Internet Protocol (IP) Addresses
			3.5.3 TCP versus UDP
			3.5.4 Domain Name System (DNS)
			3.5.5 Website Hosting
		3.6 Proxies, VPNs, and Tor
		3.7 Encryption
			3.7.1 Encryption in Transit
			3.7.2 Encryption at Rest
		3.8 Digital Forensics and Evidence Gathering
			3.8.1 Ensuring Integrity of Stored Data: Hashing
			3.8.2 Stored Data (Persistent Storage) in Devices: Forensically Obtaining Evidence through Imaging and Analysis
				3.8.2.1 Preview/Triage
				3.8.2.2 Imaging
				3.8.2.3 Analysis
			3.8.3 Volatile Memory: Conducting Memory Forensics
			3.8.4 Website Evidence: Viewing and Preserving
			3.8.5 Emails and Email Headers
			3.8.6 Forensic Examination Tools
		3.9 Conclusion
	Chapter 4. Introduction to Information Security and Cybersecurity
		4.1 Introduction
		4.2 Basic Information Security and Cybersecurity Principles
			4.2.1 CIA: The Three Information Security Objectives
			4.2.2 Controls to Protect Information Systems
			4.2.3 Authentication to Guard Access
			4.2.4 Principle of Least Privilege
			4.2.5 Incident Response
		4.3 Information Security Frameworks
			4.3.1 The Four Pillars: Knowledge, Devices, Data, and Networks
			4.3.2 CIS Critical Security Controls
			4.3.3 NIST Cybersecurity Framework (CSF)
			4.3.4 NIST SP 800-53
			4.3.5 ISO/IEC 27000 Series
			4.3.6 AICPA SSAE 18
			4.3.7 Other Information Security Frameworks
		4.4 Conclusion
PART II: Law for the Cybercrime Investigator
	Chapter 5. Fundamental Principles of Criminal and Civil Law
		5.1 Introduction
		5.2 Criminal Law and Procedure
			5.2.1 The PARTicipants
			5.2.2 The Criminal Justice Process
			5.2.3 Criminal Justice Protections
			5.2.4 How Investigations and Prosecutions are Started
			5.2.5 Categories of Criminal Charges
			5.2.6 Charging the Defendant and Judicial Review: Complaints, Indictments, Grand Jury, Preliminary Hearings
			5.2.7 The Investigative Role of the Grand Jury
		5.3 Who Investigates and Prosecutes Crimes?
			5.3.1 State/Local Enforcement and Federal Enforcement
			5.3.2 Jurisdiction and Venue
			5.3.3 Resources, Expertise, and Collaboration
		5.4 What Constitutes a Crime and Its Elements
			5.4.1 Act or Omission (actus reus)
			5.4.2 Culpable Mental States (mens rea)
			5.4.3 Anticipatory Offenses (Such as Attempt and Conspiracy)
		5.5 Defenses (Such as Self-defense and Entrapment)
		5.6 The Fourth Amendment: Constitutional Rules for Search and Seizure
			5.6.1 Expectation of Privacy
			5.6.2 Consent
			5.6.3 The Search Warrant Requirement
			5.6.4 Exceptions to the Search Warrant Requirement
			5.6.5 Workplace Searches and Monitoring
			5.6.6 Private Searches versus Public Searches
		5.7 The Exclusionary Rule: Protections and Consequences for Improper Investigative Action
			5.7.1 Physical Evidence
			5.7.2 Other Forms of Evidence: Unlawful Arrests, Statements, and Witness Identifications
			5.7.3 Fruit of the Poisonous Tree Doctrine
		5.8 Civil Law and Procedure
			5.8.1 The Civil Litigation Process
			5.8.2 Causes of Action
				5.8.2.1 Intentional Torts
				5.8.2.2 Negligence Torts
				5.8.2.3 Breach of Contract
				5.8.2.4 Cybercrime-Specific Causes of Action
				5.8.2.5 Regulatory Actions
		5.9 Licensing and Regulatory Law
		5.10 Conclusion
	Chapter 6. Cybercrime Defined: The Criminal Statutes Outlawing Criminal Conduct Online
		6.1 Introduction
		6.2 Federal and State Law
		6.3 Federal Cybercrime Law
			6.3.1 The Computer Fraud and Abuse Act (CFAA)
			6.3.2 The Wiretap Act
			6.3.3 Unlawful Access to Stored Communications
			6.3.4 The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)
			6.3.5 Communication Interference
		6.4 State Cybercrime Law
		6.5 “Traditional” Federal and State Laws that Apply to Cybercrime
			6.5.1 Theft/Larceny
			6.5.2 Possession/Receiving of Stolen Property
				6.5.2.1 Property: A Changing Concept in the Cyber Age
			6.5.3 Identity Theft
			6.5.4 Impersonation
			6.5.5 Credit/Debit Card Fraud
			6.5.6 Bank Fraud
			6.5.7 Wire Fraud
			6.5.8 Forgery
			6.5.9 Money Laundering
			6.5.10 Harassment, Stalking, and Sextortion
				6.5.10.1 First Amendment Considerations
			6.5.11 Child Exploitation and Pornography
			6.5.12 Vandalism
			6.5.13 Organized Crime
			6.5.14 Attempt and Conspiracy
				Attempt
				Conspiracy
		6.6 Conclusion
	Chapter 7. The Law Enforcement Legal Toolkit for Investigating Cybercrime: Laws for Gathering Criminal Cyber Evidence
		7.1 Introduction
		7.2 Privacy and Consent: Applying These Principles to Communications
			7.2.1 Communications and Privacy
			7.2.2 Communications and Consent
			7.2.3 Reasonable Expectation of Privacy in the Workplace
		7.3 The Nine Tools for Gathering Evidence
			7.3.1 Open-Source Investigation
			7.3.2 Obtaining Consent
			7.3.3 Subpoena Duces Tecum
			7.3.4 Section 2703(d) Order
			7.3.5 Search Warrant
			7.3.6 Pen Register and Trap-and-Trace Device
			7.3.7 Wiretap
			7.3.8 Letter of Preservation
			7.3.9 Non-Disclosure Request and Order
		7.4 The Electronic Communications Privacy Act (ECPA): Applying the Tools to Online Communications
			7.4.1 The Stored Communications Act: Records of Past Communications
				7.4.1.1 The Role of Third-PARTy Providers
				7.4.1.2 Services Covered by the SCA (ECS and RCS)
				7.4.1.3 “Content” vs. “Non-Content” Information
				7.4.1.4 Subscriber and Session Information
				7.4.1.5 Sensitive Non-Content Information
				7.4.1.6 Location Information
				7.4.1.7 Content Information
				7.4.1.8 SCA Rules for Letters of Preservation, Non-Disclosure,and Delayed Disclosure Orders
			7.4.2 The Pen/Trap Statute: Live Monitoring of Non-Content Information
			7.4.3 The Wiretap Act: Live Monitoring of Content Information
		7.5 Obtaining Evidence Located in Another State
			7.5.1 Federal Investigations
			7.5.2 State and Local Investigations
			7.5.3 Search Warrant Considerations for Out-of-State Devices and Physical Premises
		7.6 Obtaining Evidence Stored Overseas by U.S. Entities: The CLOUD Act
		7.7 Obtaining Evidence Located in Another Country
			7.7.1 Presence of Evidence or Its Custodian Corporation in the United States
			7.7.2 Mutual Legal Assistance Treaties (MLATs)
			7.7.3 Letters Rogatory
			7.7.4 Informal Assistance
			7.7.5 Egmont Request
			7.7.6 Suspects Located in Other States and Foreign Countries (Preview)
		7.8 Conclusion
	Chapter 8. Cyber Investigations Linked to Nation-States or Terrorists
		8.1 Introduction
		8.2 Laws and Measures Relating to Nation-State and Terrorist Activity
			8.2.1 Criminal Laws
			8.2.2 Civil Laws and the Foreign Sovereign Immunities Act (FSIA)
			8.2.3 International Treaties, Agreements, and Judicial Processes
			8.2.4 Laws and Principles of Sovereignty and Waging War
			8.2.5 Terrorism-Related Measures
			8.2.6 Espionage, Clandestine and Covert Operations, and Propaganda
		8.3 The Motives and Actions of Nation-States
			8.3.1 Generating Funds
			8.3.2 Nation-State Commercial Espionage
			8.3.3 Attacks on Infrastructure
			8.3.4 Attacks to Advance Strategic Interests
		8.4 Terrorist Funding, Recruiting, Vandalism, and Attacks
			8.4.1 Terrorist Funding
			8.4.2 Recruitment
			8.4.3 Cyber Vandalism and Hacktivism
			8.4.4 Inciting Local Attacks
		8.5 What to Do if the Investigation Leads to a Nation-State or Terrorist
		8.6 Conclusion
	Chapter 9. Civil and Regulatory Implications of Cybercrime: Cyberlaw in the Civil and Regulatory Sectors
		9.1 Introduction
		9.2 Attorney–Client Privilege
		9.3 Civil Lawsuits against Cybercriminals: Actions for Intentional Torts
		9.4 “Hacking Back”: Intentional Acts by Cybercrime Victims that Could Incur Liability
		9.5 Cybercrime Statutory Causes of Action
		9.6 Negligent Cyber Torts: The Reasonable Person and the Standard of Care
			9.6.1 Negligence that Directly Causes the Harm
			9.6.2 Negligence that Allows the Commission of a Crime by a Third PARTy
				9.6.2.1 Theft of Automobile
				9.6.2.2 Premises Liability
				9.6.2.3 Cybercrime Liability
		9.7 Actions under Contract Law
			9.7.1 Cyber Insurance Policies
		9.8 Civil Actions for Asset Forfeiture by the Government
			9.8.1 Federal and State Laws
			9.8.2 Temporary Restraining Orders (TROs)
			9.8.3 Burden of Proof
		9.9 General Civil Laws and Regulations Regarding Cybersecurity and Privacy
			9.9.1 Data Disposal Laws and Rules
			9.9.2 Information Security Laws
			9.9.3 Data Breach Notification Laws
			9.9.4 Privacy Laws and Who Enforces Them
				9.9.4.1 FTC and State Attorneys General
				9.9.4.2 GDPR
				9.9.4.3 California Consumer Privacy Act
				9.9.4.4 Colorado Protections for Consumer Data Privacy Act (PCDPA)
		9.10 Civil Laws and Regulations for Specific Sectors
			9.10.1 Financial Sector
				9.10.1.1 GLBA: Gramm-Leach-Bliley Act
				9.10.1.2 FFIEC and SEC Requirements
				9.10.1.3 New York Information Security Requirements for the Financial Sector
			9.10.2 Health Sector Regulations: HIPAA and HITECH
		9.11 Conclusion
PART III: The Cybercrime Investigation
	Chapter 10. Embarking on a Cybercrime Investigation: The Three Perspectives and Key Areas of Focus
		10.1 Introduction
		10.2 Cybercrime Investigation from Three Perspectives: Private Sector, Law Enforcement, and Regulatory
			10.2.1 Private Sector
			10.2.2 Law Enforcement
			10.2.3 Regulatory
		10.3 Key Investigative Topics
		10.4 Ending the Investigation: Success or Exhaustion of Leads or Resources
			10.4.1 The End of Law Enforcement’s Investigation
			10.4.2 The End of the Private Sector Investigation
			10.4.3 The End of the Regulatory Investigation
		10.5 Conclusion
	Chapter 11. General Investigation Methods: Organization, Open Source, Records, and Email
		11.1 Introduction
		11.2 Cybercrime Investigation: The Cyclical Process of Building Evidence
		11.3 Managing Cybercrime Evidence: Readily Available vs. Proprietary Investigation Tools
			11.3.1 Proprietary Tools
			11.3.2 Readily Available Tools
		11.4 Evidence Admissibility in Litigation
		11.5 Writing for Cybercrime Investigations
			11.5.1 The Dangers of Automatic Hyperlinking
		11.6 Open Source Investigation
			11.6.1 Open Source Investigation Resources
			11.6.2 Viewing and Preserving Open Source Clues
			11.6.3 Practical Tips to Maximize the Admissibility of Open Source Data
		11.7 Records Evidence
			11.7.1 The Workflow for Records Evidence
			11.7.2 Tracking Records Requests
			11.7.3 Organizing the Records
			11.7.4 Analyzing the Information in Records
			11.7.5 Admissibility of Records Evidence in Litigation
		11.8 Email Evidence
			11.8.1 Reading Email Headers
			11.8.2 Analyzing Large Sets of Emails
		11.9 The Importance of Cybercrime Intelligence
		11.10 Conclusion
	Chapter 12. Private Entity’s Cybercrime Investigation
		12.1 Introduction
		12.2 Incident Response (and Prevention)
		12.3 Discovery of Cybercrime Incidents by Private PARTies
			12.3.1 Is This a Crime the Private Entity Can and Should Investigate?
		12.4 Determining Investigation Goals and Scope
		12.5 Activating Necessary Personnel: In-House and External
			12.5.1 External Services to Consider
		12.6 Reporting and Notifications to Law Enforcement, Regulatory Agencies, and Other PARTies
			12.6.1 Reporting to Law Enforcement
			12.6.2 Reporting to Regulators and Agencies Enforcing Similar Laws
		12.7 Identifying Potential Witnesses and Evidence: Internal and External
		12.8 Collecting Evidence Available Internally
			12.8.1 Interviewing Internal Personnel
			12.8.2 Internal Records and Data
			12.8.3 Forensics on Internal Devices and Networks
		12.9 Collecting Evidence from External Sources
			12.9.1 Open-Source Research Revisited
			12.9.2 Requesting Data and Information from Third PARTies
			12.9.3 Civil Legal Process to Compel External PARTies to Produce Evidence: John Doe Lawsuits and Subpoenas
			12.9.4 Respecting the Rights of Third PARTies
		12.10 Conclusion
	Chapter 13. Law Enforcement’s Cybercrime Investigation
		13.1 Introduction
		13.2 How Cybercrime Comes to Law Enforcement’s Attention
		13.3 Was There a Crime?
		13.4 Is This a Crime that Law Enforcement Can and Should Investigate?
			13.4.1 Nature and Extent of the Harm
			13.4.2 Nature of Initially Available Evidence
			13.4.3 Jurisdictional Analysis
			13.4.4 Resources and Personnel Needed
			13.4.5 Likelihood of Apprehending Suspects
			13.4.6 Related Civil Implications
			13.4.7 Impact on Society and Deterrence
			13.4.8 Advising the Victim
		13.5 Opening a Case
		13.6 Assessment of Initial Evidence: What Do We Have, What Do We Need?
		13.7 Getting Ready to Investigate: A Recap of the Tools
			13.7.1 Open-Source Investigation
			13.7.2 Consent
			13.7.3 Letter of Preservation (If Additional Process Is Contemplated)
			13.7.4 Non-Disclosure Order and Request
			13.7.5 Subpoena
			13.7.6 2703(d) Order
			13.7.7 Search Warrant
			13.7.8 Pen Register and Trap/Trace Device (Including with Location Data)
			13.7.9 Wiretap
		13.8 SIMPLE: The Six-Step Initial Mini-Plan for Law Enforcement
		13.9 The Records Phase: Digging for Clues and Connections
		13.10 The Data Search Phase: Zeroing in on Internet Accounts and the Criminals Using Them
		13.11 The Physical World Phase: Searching Spaces and Devices
		13.12 The Wiretap Phase: Special Cases Using Live Monitoring of Targets’ Communications
		13.13 Traditional Shoe Leather Techniques
		13.14 Writing for Law Enforcement Investigations
		13.15 Working with the Private Sector
		13.16 Cybercrime Intelligence and Law Enforcement Investigations
		13.17 Conclusion
	Chapter 14. The Regulator’s Investigation
		14.1 Introduction
		14.2 Regulatory Recap: Regulated Industries and Regulatory-Type Laws
		14.3 ACybercrime Occurs: Reviewing the Report of the Affected Business
		14.4 Investigating the Cybercrime: Sufficiency of Cybersecurity Measures and Accuracy of the Report
		14.5 Balancing the Roles of Compliance and Enforcement
		14.6 Confidentiality and Information Sharing
		14.7 Conclusion
	Chapter 15. Financial Investigation: Following the Cybercrime Money
		15.1 Introduction
		15.2 Money Laundering 101
		15.3 Traditional Currency and Value
		15.4 Virtual Currency and Cryptocurrency
			15.4.1 History of Virtual Currency and Its Evolving Terminology
		15.5 Getting Started on the Money Trail: How Financial Details Can Prove Crimes and the Criminal’s Identity
		15.6 Finding and Following the Money
			15.6.1 Where to Find Evidence of Financial Activity
			15.6.2 Investigating Virtual Currency Transactions: Specific Tools and Resources
			15.6.3 Cryptocurrency Transaction Records
		15.7 Conclusion
	Chapter 16. Identification of the Suspect: Attributing Cyber Conduct to a Person
		16.1 Introduction
		16.2 Doing Illicit Business Online: Cyber Nicknames and Pseudonyms
		16.3 The Attribution Process and Developing a Suspect: Mapping Criminal Conduct to Cyber Pedigree and Physical Pedigree Information
			16.3.1 Two Kinds of Pedigree Information: Physical and Cyber
			16.3.2 The ID-PLUS Attribution Process: Six Steps to Link Criminal Conduct to Cyber Pedigree and Physical Pedigree
			16.3.3 Example: Using ID-PLUS to Build an Identification
			16.3.4 Example: A Sample Attribution Summary (Working from the Crime to a Suspect)
			16.3.5 The Attribution Process from Another Lens: Types of Evidence that Can Identify Cybercriminals
		16.4 Writing and Articulation Revisited: Clear and Effective Cyber Identification
		16.5 Examining Issues of Proof
		16.6 Apprehension: Confirming Pedigree through Statements and Forensics
		16.7 Conclusion
	Chapter 17. Apprehending the Suspect and the Investigation that Follows
		17.1 Introduction
		17.2 Charging Decisions
			17.2.1 Methods for Charging a Suspect
			17.2.2 “Sealing” Charges versus Publicizing Them
		17.3 Interstate Procedures for Arresting and Extraditing Defendants
		17.4 International Procedures for Arresting and Extraditing Defendants
		17.5 Arrest Strategies and the Hunt for Evidence
		17.6 A Successful Arrest Does Not Mean “Case Closed”
		17.7 Conclusion
PART IV: Litigation
	Chapter 18. Criminal Litigation
		18.1 Introduction
		18.2 Goals of the Litigation
		18.3 Litigation Begins: Filing of an Accusatory Instrument
		18.4 The Defendant Enters the Litigation: Apprehension, Extradition, and Arraignment
		18.5 Guilty Pleas: Plea Position and Negotiation
		18.6 Discovery: Sharing the Investigation with the Defense
		18.7 Motion Practice, Hearings, and Pre-Trial Decisions: Testing the Investigation and Prosecution
		18.8 Trial: The Investigation Laid Bare
			18.8.1 Picking a Jury
			18.8.2 Opening Statements
			18.8.3 Presenting the Evidence: Legal Admissibility and Jury Comprehension
			18.8.4 The “Baby Step Exhibit” Technique
				18.8.4.1 The “Baby Step” Technique and the Laptop Computer
				18.8.4.2 The “Baby Step” Technique and Financial Records
			18.8.5 The Defense: Cross-Examination and Counterattacking with Evidence
				Defense Cross-Examination during the People’s Case
				The Defense Case (If Presented)
			18.8.6 Closing Arguments
			18.8.7 Jury Instructions
			18.8.8 Jury Deliberations and Verdict
			18.8.9 Sentencing
		18.9 Appeals and Post-Conviction Litigation
		18.10 Conclusion
	Chapter 19. Civil Litigation
		19.1 Introduction
		19.2 Potential Litigation Scenarios Following a Cybercrime Investigation
			19.2.1 Civil Action to Further the Investigation or Stop Cybercrime Activity
			19.2.2 Civil Action against Cybercriminal for Intentional Tort
			19.2.3 Civil Action against Cybercriminal under a Cybercrime Statutory Cause of Action
			19.2.4 Civil Action against Another Victim for Negligent Cybersecurity
			19.2.5 Civil Action for Breach of Contract
			19.2.6 Civil or Regulatory Action by Government for Inadequate Cybersecurity
			19.2.7 Civil Action by Criminal Prosecutor to Freeze and Seize Assets
		19.3 Goals and Expectations
			19.3.1 Government Agencies
			19.3.2 Private Litigants
		19.4 Experts
		19.5 Settlement Negotiations
		19.6 The Civil Lawsuit and the Role of the Investigation
		19.7 Arbitration
		19.8 Conclusion
	Chapter 20. Conclusion
Index