Basic cybersecurity awareness isn’t as hard as you might think. You don’t need a Ph.D. in software development. You don’t need an IQ of 140, or connections in the hacking community to be effective in fighting cybercrime. Practically speaking, there isn’t too much call for ethical hacking in local law enforcement anyway. The rest of us only need to know enough to decide how or if we should begin an investigation ourselves, and if we do, whom to call when things get too technical. This article provides a strategy to get your cyber toolkit in place.
What Exactly is Cybercrime?
Cybercrime is any crime in which a computer and a network play an instrumental part in the commission of that crime.1Identity theft, blackmail, harassment, stalking, child pornography, financial fraud, intellectual property theft and hacking are all examples of these types of crimes. They can be committed through the use of desktop or laptop computers and housed on smartphones, USB and flash drives.
The annual cost of global cybercrime today amounts to$100 billion, with estimates that reach as high as $120 billion by 2017.2 That translates to 556 million victims per year, 1.5 million per day, and 18 victims per second. At that rate, the call for cyber-trained law enforcement on the local level is growing. What was once handed over to the NSA, FBI and Secret Service is now becoming a local agency reality.
Step One: Gain Access to Digital Evidence
The Computer Crime Intellectual Property section of the U.S. Justice Department Criminal Division states for a cyber search to be reasonable, a warrant must satisfy the particularity and scope of the items seized.3 A warrant must include the number and type of electronic devices to be searched, “with sufficiently precise language so that it tells the officers how to separate the items properly subject to seizure from irrelevant items.”4 Locations are important—data can be stored in the cloud, on vendor-hosted accounts and offsite servers. That’s where a company’s systems administrator can come in handy. He or she will know the specs for the system.
Phraseology like “including but not limited to,” may not be enough to uphold admissibility of some evidence in court.5That’s why a preplan and even a template can help officers to get paperwork laser sharp.
How to Request Different Types of Cyber Information
The Electronics Communication Privacy Act of 1986 (EPCA) outlines specific guidelines on the three levels of service:
- Level one: obtain subscriber information—a subpoena is needed.
- Level two: transactional information—a court order is needed.
- Level three: content of email messages—a search warrant is needed.
Level one, the subpoena, provides basic subscriber information including the name, address, phone records, session times and durations and payment services such as bank or credit card details. It even allows email content when older than 180 days and already opened by the owner. Level one service might be used to name perpetrators in stalking or harassment cases where an alias has been used.
Level two, the court order or 2703d, allows the release of names of past email correspondents. That’s useful for building cases against child pornography or identity theft rings. It might also identify the right jurisdiction to prosecute a crime or series of crimes. Stalking and harassment are never usually a one-off. More times than not, they’re linked to other crimes. Having access to correspondent history can help build a weightier case.
Level three, the search warrant, must be in place in order to seize emails less than 180 days old. Each level encompasses the prior. For example, a court order also gets you the same information you’d get when using a subpoena. The search warrant gets you the same information you’d get in either a subpoena or court order.
In any of these cases, it’s up to the investigator to decide whether the suspect will be notified of the investigation; remaining discrete may be vital to safeguard evidence and secure a scene. Remote users may also be involved.
Working with Internet Service Providers (ISP)
“Getting an ISP to respond quickly to a subpoena gets easier as you move up the scale of agency hierarchy,” says Steve Burgess, a 30-year forensics specialist and professional expert witness. “Homeland Security and other federal agencies usually get an immediate response. State and local law enforcement have a tougher time.”
Part of the reason for this is that most ISP addresses are dynamic. That means, for example, a provider like Google might only have 50,000 addresses for all of their accounts, so addresses rotate among the entire pool. Research is required if you wish to view something specific, such as who was using what IP address at a particular date and time.
Having access to local computer experts is a great workaround. They can move things along with ISPs and pull digital evidence off of computers while building a case. That’s one of the things Burgess does for law enforcement agencies. The other benefit with contractors is budgets. Some local departments just don’t have the resources for a full-time staff member, and job-in consultants can be less expensive than opening a personnel requisition. After the crime scene is documented, a consultant might also be the best resource for powering down and packaging evidence for transport.
Protection and Presentation of Digital Evidence
Back in the forensics lab, the team duplicates digital drives so as to prevent problems with erasure. That includes deleted files that have not been overwritten. The duplicate drives are then sifted through and forensic analysis begins. Findings are later published in the forensics report.
Evidence may also appear on outside servers and in the cloud. A cache folder on a computer can provide an Internet activity trail, which may disappear when a computer is shut down. That’s another reason why investigators might not want to alert suspects.
Computer forensic software packages are available—such as EnCase and Forensic Tool Kit. As there may be legalities involved, it’s best to check with your local agency for the approved software. Whenever digital evidence is being prepared for a case, the two primary considerations are that it meets scientific criteria and that chain of custody has been well-documented.
Specialized Training Options
Robert Moore, CEO of Mortec Solutions based in Philadelphia, runs EC Council, a company specializing in training law enforcement agency personnel. They train detectives as well as agents in the NSA, FBI and Secret Service on computer hacking procedures. Certificates include Certified Ethical Hacker and Computer Hacking Forensic Investigator
Many colleges and universities offer classes in cybercrime. Armstrong University, in Savannah (Ga.) offers a cybercrime certificate. It also offers a masters degree in cyber forensics, which focuses on case law and digital evidence. Captain John Taylor, a retired U.S. Army JAG attorney developed the graduate course there. One law officer went on to join federal law enforcement after completing her masters degree. In addition to training, Armstrong University also offers forensic services.
Here’s is a sampling of ways you can get up to speed on cybersecurity:
- Follow a blog or website on the subject, such as TeMerc or DDoSAttackProtection.org. DDoSAttackProtection has a list of more than 100 useful blogs where you can learn about the latest advancements from the experts. TeMerc has updates on specific tactics that criminals are using. It also has forums where you can find out what the experts are doing to combat specific problems.
- Follow influencers and groups on LinkedIn and read their forums. Groups like Cyber Law & Information Security publish regular articles on specific crimes and how experts interpret them.
- Set Google alerts to appear in your email inbox. All you need to do is choose a search term such as “identity theft” or “cyber forensic” and set the timer on how often you want the alerts to appear. Daily can be a bit much if you’re already overwhelmed with work.
- Subscribe to a magazine, such as PCWorld, ZDNet, orTechCrunch to get the latest news in technology. You’ll also hear about cybersecurity symposiums and how to register.
- Take a local training class in cybersecurity awareness.
- Take a specialized training class through the InfoSec Institute. InfoSec is well-respected in the cyber community, but if you’re new to cyber subjects, this might be over your head. They offer certifications in computer forensics in addition to online training and bootcamps. Having a certification like this definitely makes it easier for law enforcement organizations to quantify career development and promote accordingly.
- Take a free online training course such as Cyber Aces, a self-paced opportunity suitable for someone trying to decide if they want to develop their inner geek. Users download a virtual computer and learn the three fundamentals of information security: operating systems, networking and systems administration. The course is open to anyone from high schoolers to retirees, but you need to have a basic level of understanding to be successful.
- Read law enforcement-targeted books. The great thing about textbooks is they’re designed to cover a broad spectrum of information on a given subject. They also receive close editorial scrutiny and are generally reliable. Topics tend to be evergreen, whereas blogs and newspapers may have a decay factor. A few suggestions are Cybercrime: Investigating High-Technology Computer Crime; Cybercrime: The Investigation, Prosecution and Defense of a Computer-related Crime and Cybercrime and Digital Forensics: An Introduction.
These are not one size fits all solutions. Just start somewhere. Once you get going, you’ll be able to tweak what does and doesn’t work for your application.
1. Moore, R.: Cybercrime: Investigating High-technology Computer Crime, 2nd edition. Elsevier: Oxford. 4, 2011.
2. Cybercrime Statistics and Trends. InSecPro. Retrieved on June 5, 2015, fromwww.insecpro.com/index.php/articles/cyber-crime-statistics.
3. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. DOJ Computer Crime and Intellectual Property Section, Criminal Division. Retrieved on June 5, 2015, fromwww.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf.
4. Marron v. United States, 275 U.S. 192, 296 (1927)
5. United States v. Hunter, 1998
Rita Mailheau is a freelance blogger and information security copywriter based in San Diego, Calif. Her credits include blogging for the first responder and law enforcement community. Contact her at firstname.lastname@example.org.