
Cybercrime Investigators Handbook

Graeme Edwards

ISBN: 978-1-119-59628-8 November 2019 306 Pages



The investigator’s practical guide for cybercrime evidence identification and collection

Cyber attacks perpetrated against businesses, governments, organizations, and individuals have been occurring for decades. Many attacks are discovered only after the data has been exploited or sold on the criminal markets. Cyber attacks damage both the finances and reputations of businesses and cause damage to the ultimate victims of the crime. From the perspective of the criminal, the current state of inconsistent security policies and lax investigative procedures is a profitable and low-risk opportunity for cyber attacks. They can cause immense harm to individuals or businesses online and make large sums of money—safe in the knowledge that the victim will rarely report the matter to the police. For those tasked with probing such crimes in the field, information on investigative methodology is scarce. The Cybercrime Investigators Handbook is an innovative guide that approaches cybercrime investigation from the field-practitioner’s perspective.

While there are high-quality manuals for conducting digital examinations on a device or network that has been hacked, the Cybercrime Investigators Handbook is the first guide on how to commence an investigation from the location where the offence occurred—the scene of the cybercrime—and collect the evidence necessary to locate and prosecute the offender. This valuable contribution to the field teaches readers to locate, lawfully seize, preserve, examine, interpret, and manage the technical evidence that is vital for effective cybercrime investigation.

  • Fills the need for a field manual for front-line cybercrime investigators
  • Provides practical guidance with clear, easy-to-understand language
  • Approaches cybercrime from the perspective of the field practitioner
  • Helps companies comply with new GDPR guidelines
  • Offers expert advice from a law enforcement professional who specializes in cybercrime investigation and IT security

Cybercrime Investigators Handbook is a much-needed resource for law enforcement and cybercrime investigators, CFOs, IT auditors, fraud investigators, and other practitioners in related areas.

List of Figures

About the Author



Chapter 1: Introduction

Chapter 2: Cybercrime offences

2.1 Potential cybercrime offences

2.2 Cybercrime case study

2.3 References

Chapter 3: Motivations of the attacker

3.1 Common motivators

3.2 Cybercrime case study

3.3 Cybercrime case study

3.4 References

Chapter 4: Identifying a cybercrime is being committed

4.1 Cyber incident alerts

4.2 Attack methodologies

4.3 Cybercrime case study

4.4 Cybercrime case study

4.5 References

Chapter 5: Commencing a cybercrime investigation

5.1 Why investigate a cybercrime?

5.2 The cyber investigator

5.3 Management support

5.4 Is there a responsibility to try and get the data back?

5.5 Cybercrime case study

5.6 References

Chapter 6: Legal considerations for planning an investigation

6.1 Role of the law in a digital crimes investigation

6.2 Protecting digital evidence

6.3 Preservation of the Chain of Custody

6.4 Protection of evidence

6.5 Legal implications of digital evidence collection

6.6 Cybercrime case study

6.7 References

Chapter 7: Initial meeting with the complainant

7.1 Initial discussion

7.2 Complainant details

7.3 Event details

7.4 Cyber security history

7.5 Scene details

7.6 Identifying offences

7.7 Identifying witnesses

7.8 Identifying suspects

7.9 Identifying Modus Operandi of attack

7.10 Evidence: Technical

7.11 Evidence: Other

7.12 Cybercrime case study

Chapter 8: Containing and remediating the Cyber Security Incident

8.1 Containing the cyber security incident

8.2 Remediating the cyber security incident

Chapter 9: Challenges in cyber security incident investigations

9.1 Unique challenges

9.2 Cybercrime case study

Chapter 10: Investigating the cybercrime scene

10.1 The investigation team

10.2 Resources required

10.3 Evidence available and management

10.3.1 Technical

10.3.2 Non-technical and physical items

10.3.3 Evidence capture and handling

10.3.4 Identification of Evidence

10.3.5 Collection of Digital Evidence

10.3.6 Acquisition of Digital Evidence

10.3.7 Preservation of Evidence

10.4 Scene Investigation

10.4.1 Prior to leaving for the scene

10.4.2 Scene action by investigators

10.4.3 Identifying the network architecture

10.4.4 Dealing with fixed and networked devices

10.4.5 Return to your location

10.5 What could possibly go wrong?

10.6 Cybercrime case study

10.7 Cybercrime case study

10.8 References

Chapter 11: Log files: Identification, preservation, collection and acquisition

11.1 Log challenges

11.2 Logs as evidence

11.3 Types of logs

11.4 Cybercrime case study

11.5 References

Chapter 12: Identification, seizure and preservation of evidence from cloud computing platforms

12.1 What is cloud computing?

12.2 What is the relevance to the investigator?

12.3 Attraction of cloud computing to the cybercriminal

12.4 Where is your digital evidence located?

12.5 Lawful seizure of cloud digital evidence

12.6 Preservation of cloud digital evidence

12.7 Forensic investigations in cloud computing servers

12.7.1 Identification of Evidence

12.7.2 Collection of Evidence

12.7.3 Acquisition of Evidence

12.7.4 Preservation of Evidence

12.8 Remote forensics examinations

12.8.1 Identification of Evidence

12.8.2 Collection of Evidence

12.8.3 Acquisition of Evidence

12.8.4 Preservation of Evidence

12.8.5 Presentation of Evidence

12.9 Cloud barriers to a successful investigation

12.10 Suggested tips to assist your cloud-based investigation

12.11 Cloud-computing investigation framework

12.11.1 Proposed investigative framework

12.12 Cybercrime case study

12.13 References

Chapter 13: Identifying, seizure and preservation of evidence from Internet of Things devices

13.1 What is the Internet of Things?

13.2 What is the relevance to your investigation?

13.3 Where is your IoT digital evidence located?

13.4 Lawful seizure of IoT evidence

13.5 References

Chapter 14: Open source evidence

14.1 The value of open source evidence

14.2 Examples of open source evidence

14.3 References

Chapter 15: The Dark Web

15.1 Crime and the dark web

15.2 References

Chapter 16: Interviewing witnesses and suspects

16.1 Suspect interviews

16.2 Witness interview

16.3 Preparing for an interview

16.4 The interview process

16.5 Closing the interview

16.6 Review of interview

16.7 Preparation of brief for referral to police

Chapter 17: Review of evidence

Chapter 18: Producing evidence for court

18.1 Digital evidence and its admissibility

18.2 Preparing for court

18.3 References

Chapter 19: Conclusion