Cybercrime Investigators Handbook
Graeme Edwards
Cybercrime Investigators Handbook
GRAEME EDWARDS, PhD.

Copyright © 2020 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Names: Edwards, Graeme (Financial and cybercrime investigator), author.
Title: Cybercrime investigators handbook / Graeme Edwards.
Description: Hoboken, New Jersey: John Wiley & Sons, Inc., [2020] | Includes index.
Identifiers: LCCN 2019023231 (print) | LCCN 2019023232 (ebook) | ISBN 9781119596288 (cloth) | ISBN 9781119596325 (adobe pdf) | ISBN 9781119596301 (epub)
Subjects: LCSH: Computer crimes—Investigation.
Classification: LCC HV8079.C65 E39 2020 (print) | LCC HV8079.C65 (ebook) | DDC 363.25/968—dc23
LC record available at https://lccn.loc.gov/2019023231
LC ebook record available at https://lccn.loc.gov/201902323

Cover Design: Wiley
Cover Image: © South_agency/iStock.com

Printed in the United States of America

To Marie and Bob. Long gone but not forgotten. To Liz and the girls. Thank you for putting up with the numerous hours I have spent on work, study, and research for this book and all the support you have given.
Chapter 3: Motivations of the Attacker
Chapter 4: Determining That a Cybercrime Is Being
Chapter 6: Legal Considerations When Planning an Investigation
Chapter 7: Initial Meeting with the Complainant
  Identifying Offenses
  Identifying Witnesses
  Identifying Suspects
  Identifying the Modus Operandi of Attack
  Evidence: Technical
  Evidence: Other
  Cybercrime Case Study
Chapter 8: Containing and Remediating the Cyber Security Incident
  Containing the Cyber Security Incident
  Eradicating the Cyber Security Incident
  Note
Chapter 9: Challenges in Cyber Security Incident
Chapter 10: Investigating the Cybercrime Scene
  The Investigation Team
  Resources Required
  Availability and Management of Evidence
  Technical Items
  Scene Investigation
  What Could Possibly Go Wrong?
  Cybercrime Case Study I
  Cybercrime Case Study II
  Notes
Chapter 11: Log File Identification, Preservation, Collection, and Acquisition
  Log Challenges
  Logs as Evidence
  Types of Logs
  Cybercrime Case Study
  Notes
Chapter 12: Identifying, Seizing, and Preserving Evidence from Cloud-Computing Platforms
  What Is Cloud Computing?
  What Is the Relevance to the Investigator?
  The Attraction of Cloud Computing for the Cybercriminal
  Where Is Your Digital Evidence Located?
  Lawful Seizure of Cloud Digital Evidence
  Preservation of Cloud Digital Evidence
  Forensic Investigations of Cloud-Computing Servers
  Remote Forensic Examinations
  Cloud Barriers to a Successful Investigation
  Suggested Tips to Assist Your Cloud-Based Investigation
  Cloud-Computing Investigation Framework
  Cybercrime Case Study
  Notes
Chapter 13: Identifying, Seizing, and Preserving Evidence from Internet of Things Devices
  What Is the Internet of Things?
  What Is the Relevance to Your Investigation?
Chapter 15: The Dark Web
Chapter 16: Interviewing Witnesses and Suspects
Chapter 17: Review of Evidence
Chapter 18: Producing Evidence for Court
List of Figures

Figure 10.1 Hard drive showing serial number as a unique identifier.
Figure 10.2 Computer printer showing serial number as a unique identifier.
Figure 10.3 Example of a scene property schedule.
Figure 10.4 External storage devices.
Figure 10.5 Printer.
Figure 10.6 Rubbish bags containing potential evidence.
Figure 10.7 Identifier of hallway office.
Figure 10.8 Image of damaged iPhone.
Figure 10.9 Network cabling.
Figure 10.10 Ethernet cabling.
Figure 10.11 Tracing Ethernet cabling 1.
Figure 10.12 Tracing Ethernet cabling 2.
Figure 11.1 System logs in the Event Viewer.
Figure 11.2 Application logs in the Event Viewer.
Figure 12.1 Cloud-computing investigation framework.
Figure 15.1 Image of Tor browser connections.
Figure 15.2 Image of counterfeit currency for sale.
Figure 15.3 Image of hacking service.
Figure 15.4 Image of a vendor's user profile with review ratings and comments from purchasers.
Figure 15.5 Image of a criminal market being shut down by law enforcement.
About the Author

Dr. Graeme Edwards is a financial and cybercrime investigator located in Brisbane, Australia. He has 26 years' experience in policing, with 17 years as a detective specializing in the investigation of financial crimes and cybercrimes.

He has successfully completed a doctorate in information technology with his thesis, "Investigating Cybercrime in a Cloud-Computing Environment." He has also successfully completed a master of information technology (security).

Dr. Edwards is a regular conference presenter, speaking on a wide range of topics related to financial crimes and cybercrimes; he also conducts training events for organizations and senior management as well as undertaking post-investigation analysis of cyber events. He was the president of the Brisbane chapter of the Association of Certified Fraud Examiners from 2016 to 2018.
Foreword

Cybercrime investigation is a discipline relevant to an increasingly diverse audience. It's a profession that has evolved with technology and that is constantly being presented with challenges in determining the truth behind alleged events. As part of the broader cybersecurity profession, investigators in large part are valued for their practical experience, vendor certifications, and trustworthiness in delivering investigative outcomes—whether that be to prove or disprove alleged offending.

Graeme Edwards embodies these qualities. He forged a career as one of Australia's first true cybercrime detectives with the Queensland Police Service. Like many in our profession he took it upon himself to continue to self-develop, through learning about and adapting to new technology environments, and through advancing his own education. His doctorate furthered his expertise in cloud investigations and forensics, anticipating the growing need for this subspecialization.

Cybercrime Investigators Handbook is a life work for Graeme. It provides an opportunity for readers to directly benefit from his unique expertise and lifelong learning experiences. Its content steps readers through the investigative process from a cybercrime perspective, capturing key practical and observational gems readers can readily apply to their own challenges.

Thanks to authors like Graeme, our profession can continue to evolve and benefit from the passing on of key lessons and knowledge for the betterment of practitioners and those looking to move into the exciting field of cybercrime investigations. It's a very timely contribution. I trust you'll benefit from its content as much as I have. Thank you, Graeme, for advancing our profession in this very meaningful way.

Professor David Lacey
Managing Director, IDCARE
Director, Institute for Cyber Investigations and Forensics, USC
Acknowledgments

It is appropriate to thank those who have supported the writing of this book.

First, thank you to my family for putting up with the numerous hours I have spent studying, researching, and working the very antisocial hours a police officer on shift work dedicates to their profession. Without your support, this book and years of study and research would not have been achieved.

I also wish to thank Dennis Desmond, a former agent for the FBI National Computer Crime Squad in Washington, DC, and Professor Lacey, both now members of the Institute for Cyber Investigations and Forensics in Queensland, for their peer review of the contents of this book. I would also like to thank Professor Lacey for his foreword.
CHAPTER ONE

Introduction
Cyber-attacks against businesses and individuals have been occurring for decades. Many have been so successful they were never discovered by the victims and only identified while the data was being exploited or being sold on criminal markets. Cyber-attacks damage the finances and reputation of a business and cause significant damage to those whose data has been stolen and exploited.

From the criminal's perspective, the current cyber environment effectively gives them a free pass when it comes to attacking their target. They can do whatever they like to an individual or business online, cause immense damage of a professional or personal nature, and make large sums of money safe in the knowledge the complainant will rarely report the matter to police. In fact, this is a strange anomaly about cybercrime: a company has millions of dollars of intellectual property (IP) stolen from them, has all the personally identifying information (PII) of the staff and clients stolen, and the action of reporting it to police or investigating who is behind the attack is rarely considered or undertaken unless forced by local legislation. Consequently, from the criminal's perspective, there is little to no downside to being a cybercriminal. They operate on a high-financial-return, low-risk model.

Due to the high volume and complexity of cyber-attacks, should a victim decide to refer a complaint to police they cannot always rely upon them to be available to undertake an investigation and locate the offender. Police resources are stretched and skilled cyber investigators in law enforcement are few and overworked. This means organizations subject to a cyber-attack that wish to find information about who is behind the attack will need to hire an experienced cyber investigator (scarce and very expensive) or investigate the matter themselves. Alternatively, they will not conduct an investigation and instead focus on increasing security.

The decision by victims to not investigate a cybercrime is made for many reasons, including the time and money to be expended on an investigation, the focus of the business being directed on the investigation, the internal disruption it causes, and the reputational harm caused when the community finds the company security has been breached and all the data entrusted to them stolen. Also, directors would not look forward to the day that they stand before a public annual general meeting and explain to the shareholders that all the company data was stolen on their watch and that they have made no effort to recover it or identify who took it.

To the members of an incident response (IR) team or the cyber investigator, responding to an attack is often an inexact science as the attackers' motives and skill levels vary. Whereas an attack against a single desktop computer may be easily contained and investigated, an attack against a complete distributed corporate network will require significant resources and an experienced response team to protect the company, their data, and clients. As the attack methodologies vary, the investigation strategy will not necessarily follow the exact same path each time.

Investigating a cyber-attack may be a critical part of the continuation of the business. When the attack is discovered, a mixture of panic, stress, anxiety, and fear is seen among staff, and those tasked to mitigate and eradicate the attack may feel the future of the company rests upon their shoulders. Many employees will be concerned as to their personal future, as they will be familiar with the many stories of businesses hit by a cyber-attack that no longer exist six months later. Staff members of the organization being interviewed as a part of the incident response may also feel that they are being held responsible and that the interview is a method of laying blame at their feet.

So why conduct an investigation and gather evidence? Why should a company start investigating the cybercrime and try to track down the offender? With the proliferation in the instances of cybercrime, there is an expectation among the community that those who are entrusted with their PII take their responsibilities seriously and ensure their data is secure.

Shareholders of companies who find that the value of their shares and/or dividends is affected by a breach may demand efforts by the company to identify and prosecute the attacker. In the initial aftermath of the attack, there may be the possibility of locating the suspect and the digital property taken and recovering it before it is exploited. It may be argued that the duties and responsibilities of a director include trying to recover the stolen corporate data before it is exploited.

Outside of law enforcement and several large businesses, such as the major accounting companies, there are few options for those who want to have an investigation into a cyber-attack conducted. The IR team may find evidence pointing to a suspect, but it is generally not their job to prepare a case for referral to police or lawyers. A cyber investigator is a very specialized position and is roughly the equivalent of a police detective conducting a criminal investigation, as the rules of evidence the court demands are the same whether you are an experienced detective or a civilian investigator.

The cyber investigator is viewed as the person who is tasked with finding evidence of the person behind the attack, and in some cases preparing a referral to police or commencing a civil prosecution. While many attacks originate from overseas and are hidden behind multiple legal jurisdictions, anonymizers, bots, or other technology, people have their own motivations to commit crimes—and these people may include current or former employees residing within your local jurisdiction.

The role of the cyber investigator is an extension of the digital investigator. For the benefit of this book, the digital investigator is the person who conducts a forensic examination of a device or network and produces a report on the evidence seized and identified.

This book is intended for the person assigned the task of investigating the cyber event with a view to gaining a full understanding of the event and where possible recovering the IP/PII before it is exploited. They may also be tasked with finding evidence to support an action in a tribunal (e.g., employment court) or a potential prosecution in a civil or criminal court should the attacker be identified. It will also be of benefit to the manager/executive/lawyer who is tasked to review an investigation to understand the actions of the investigation team and why certain decisions were made and to gain an understanding of the evidence available from a cybercrime scene and the follow-up investigation. This is not a book that describes how to technically respond to and mitigate a cyber-attack, as there are many books covering this topic in great detail. There are also many courses offered by organizations that teach the many aspects of responding to a cyber-attack from the technical perspective.

Although this book makes some references to material from third parties, it is not intended to be an academic book. This is because much of the material is not from academic literature or web sources, but from the experience of the author as a cybercrime investigator. The major exception to this is Chapter 12, which relies on evidence from the author's doctoral thesis on cybercrime investigation in a cloud-computing environment and where academic references from a literature review are noted. Where explanations are provided, as in the glossary, they are largely kept at a low-level technical definition to allow those new to this field of work to understand the material and its relevance without having to learn a whole new language called technology.

Due to the dynamic nature of evidence, advances in technology, and the evolution of legislation/court decisions, this book is not intended to be an exclusive guide in every legal jurisdiction or to cover every potential cyber event. Where material in this book conflicts in any way with the laws of your jurisdiction, the legal environment(s) you operate in will always take precedence. The book intends, however, to provoke critical thinking among management, IR team managers, and investigators facing a complex legal and technical environment should a suspect be identified and subsequent evidence need to be presented to a tribunal or court.

This book contains many of the steps a cybercrime investigator will undertake, from the initial identification of a cyber event through to considering a prosecution in court. There are many lists of things the investigator may consider. These are not exhaustive lists and are provided to expand the thinking as to what to do, where evidence may reside, and how to legally obtain and manage it. Use this book as a prompt and not as a definitive step-by-step template, as each cyber investigation is different and each jurisdiction has its own legal requirements.

The lists in this book provide a handy point of direction in each stage of the investigation. As you will discover, at each stage there are many things to be done and no one can remember them all every time. So, the lists are provided as a memory prompt of things to consider and apply as the circumstances, legislation in your jurisdiction, and your experience dictate. Not all items in the lists will be relevant in all instances. The explanations are in plain language and technical terms are kept to a minimum to assist your understanding of new concepts.
In Chapter 2 we provide an introduction to the cybercriminal and a series of offenses an investigator may be called upon to investigate. These will vary according to the laws of the jurisdiction(s) you are operating in and terms for the offenses will vary. By gaining an understanding of the cybercriminal and their chosen cybercrimes, we gain an understanding of how the crime was committed and why it was committed in the manner it was, as well as gaining some understanding of the type of identity we are seeking.

Once we understand typical offenses, in Chapter 3 we look at the motivations of the attacker. In some instances, understanding the attacker's motives will provide a strong pointer as to who the offender is, especially in cases of internal offenses. Motivations will vary across the many forms of cyber-attack you will investigate. It is worth understanding the reasons why a criminal attacks a specific target, as this will make great sense to them, even if the motivation seems unusual to the investigator.

In Chapter 4 we will look at examples of the alerts that may be the first indicators of the cyber event, as well as the offender's methodologies. These alerts and methodologies may be evidence in their own right and provide indicators as to the identity of the offender. While an alert will be generated before the investigator is brought in, the evidence from the alert will provide direction for the investigator to use as a platform for their investigation.

In Chapter 5 we will learn the process of commencing a cybercrime investigation. We will discuss the many reasons why an investigation is commenced and introduce who a cyber investigator is. While the common response to a cyber event is to fix the system and prevent an attack from happening again, we also will ask whether there is a responsibility on the part of the data owner to identify the attacker and attempt to get the stolen data back before it is exploited.

Once we have an understanding of offenses, offenders' motivations, initial alerts, and attack methodology, in Chapter 6 we will learn about the role of the law in your investigation. Should an attacker be identified and presented before the court, every aspect of your investigation is subject to critical examination in court by the defendant's lawyers, and your actions and their legality may be as much on trial as the activity of the defendant.

Whether you are conducting a civil or criminal investigation, the complainant will provide direction to the investigation they want from you. They will have information on which to base your investigation as well as the authority to provide the resources you require. In Chapter 7 we will cover the many aspects of your initial meeting with the complainant, including numerous questions you may find relevant to ask them at this meeting.

Chapter 8 provides a general introduction to the role of the digital investigator for the cyber investigator. Although the cyber investigator will not necessarily be involved in the technical aspect of the incident response while the attack is under way, it will be of benefit to them to understand what the IR examiners are doing and the consequences of their actions involving the digital evidence. The cyber investigator will be involved in preserving evidence and in discussion with the digital investigator and IR teams as to the seizure of evidence, including placing a priority on preserving digital evidence, especially that which is most volatile.

The cyber environment provides many unique challenges to the investigator, and a variety of these challenges are introduced in Chapter 9. As you are operating in a dynamic environment, the challenges you face will vary according to the circumstances of your case and the evidence you are seeking.

In Chapter 10 we move into the cybercrime scene investigation and cover many of the areas of a search you need to be aware of and understand. Cybercrime investigations involve unique challenges to the investigator and these are identified and discussed. As you are operating in a physical and digital environment the challenges faced will differ among investigations, and the investigator will need to expand their thinking to understand their changing environment.

Log files are critical to cybercrime investigations: when activated and secured, they will tell you a lot about the attacker, their methodologies, and the data they accessed. In Chapter 11 we will introduce many log types, where they can be found, and what they mean to you as an investigator.
Log files are like video cameras at a crime scene. They can be effective—or, like a camera, if they are turned off or their output is not preserved, they can be totally unusable. Logs recording activity on a device and network may provide very valuable evidence as to what happened, how it happened, when the breach occurred, and in some instances, who was behind it. The investigator may need to work with the digital investigator to understand what the logs are saying; however, this form of technical evidence may be crucial to your investigation—to the point where you may be criticized in court if you did not follow this potential evidence trail.
Chapter 12 addresses legal and technical issues involved in locating and lawfully seizing evidence from a cloud-computing platform. As data is now stored on multiple computer servers in multiple legal jurisdictions, evidence identification and preservation has become a far more complex procedure than when the examiner could physically seize a device that was suspected of being breached. Chapter 12 covers many of the legal and technical issues to be considered by the investigator, with suggested pathways to advancing your investigation in the cloud.

Chapter 13 provides a very brief introduction to the Internet of Things (IoT), which includes the multitude of devices now connected online. Evidence may now be gathered from anywhere there is a device connected to the Internet, and the digital investigator may use this technology to support their investigation.

Open source material is material that can be captured from online sources. There are numerous forms of open source information available online and many cyber investigators are finding valuable information to support their investigations by conducting online searches. Chapter 14 introduces a sample of the many forms of open source information available and how this information can assist your inquiries.

As cybercrime has become more professional over the past decade, the criminal community has created specialized markets where they can trade goods and services with customers. Criminal markets such as Silk Road and AlphaBay obtained a great deal of publicity through identifying the manner in which members of the criminal community operate and the level of support provided to each other in training and other support mechanisms. In Chapter 15 we will introduce the dark web and discuss its relevance to the investigator, with a warning not to venture into the criminal markets unless you as an investigator are well trained and understand the environment in which you will be operating. In some jurisdictions, it is an offense to access the dark web.

Interviewing witnesses and suspects is an art that many police officers and investigators take years to master. It is not a simple process, as each interview is unique and may be evidence in its own right. Chapter 16 will discuss many of the considerations to be undertaken when conducting an interview and safeguards that may be applied depending on the jurisdiction you are operating within.

Chapter 17 discusses how to review evidence collected and provide direction as to how to proceed. Sometimes you will have strong leads to the suspect, sometimes you may have enough evidence to commence or refer an investigation, and sometimes you will be facing a dead end with a recommendation to complete your investigation.

Should you have enough evidence to refer to a tribunal, civil court, or police, Chapter 18 discusses ideas for how to prepare your evidence for court. Each jurisdiction has its own rules, and your priority will be to obtain experienced legal advice to ensure the requirements of the law and court are met. How you present your evidence is sometimes as valuable as the strength of your prosecution.

Finally, in Chapter 19 we provide a summary of the contents of the book.

A glossary is also provided. It is prepared using nontechnical language, as readers will come from many backgrounds, many of which are not technical. Its aim is to provide a very general understanding of the new terminology mentioned, so you may continue reading with an understanding of the concept and the circumstances in which it is referenced. Should you require a more technical understanding of these concepts, there are many online resources available to you.

As a prime reason cybersecurity exists is the cybercriminal, we commence this book with an examination of the potential criminal offenses that may be committed in a digital and cyber environment.
CHAPTER TWO

Cybercrime Offenses

The potential offenses a criminal may commit against an entity or individual are limited only by the imagination of the attacker. The cybercriminal may be a long-term trusted employee within the organization or a person located on the other side of the world. They could also be a contractor who takes advantage of operating within the corporate network to install malicious software or access information by installing a server on the network to intercept and record all traffic without the authority of the system's administrator.
This chapter seeks to present to the investigator an understanding of the many forms of cybercrime they may be required to investigate. While the investigation techniques presented in this book may be similar across each crime type, an understanding of the crime goes a long way toward understanding the criminal. This then provides direction as to where to locate digital evidence within the physical and digital crime scene as well as to understanding the criminal's motivation.

As technology evolves, so do the opportunities for the criminal community to evolve with it. As new technological products are released into the marketplace, criminals view the product or service with a view as to how it may be exploited to progress their criminal ventures. For example, when gaming consoles provided an internal hard drive to store the games as well as to provide Internet connectivity, criminals started storing evidence of their crimes—such as Child Exploitation Material (CEM)—within the hard drive of the console, so should police conduct a search warrant at their address, they were less likely to seize a gaming console than a laptop or desktop computer. As criminals develop these skills, law enforcement reacts to them and develops their evolving field of investigative knowledge.

Cybercriminals share their knowledge on open source and closed criminal forums, resulting in a higher standard of criminal who can seek experienced assistance when their attempted crime meets a hurdle. Cybercriminals also provide tutorials for those new to the industry, including step-by-step methodologies on how to commit cybercrime without leaving behind digital evidence leading to their identity. Should it be required, some sites provide one-on-one tutorials and peer review. In essence cybercrime is a profession, with many resources available to the criminals. These same resources can also be useful to the investigator in understanding developing methodologies and the ways criminals conduct their activities.

An advantage of cybercrime to a criminal, when compared to other forms of crime, is the lack of structural complexity. When compared to a crime such as illegal drug trafficking, cybercrime lacks the structural managerial complexities that are prevalent in crimes involving physical property. A drug trafficker may be required to structure the business, distribution, processing, transporting, competition, physical threats, sales network, and money laundering. In cybercrime, there are fewer of these considerations involved. As opposed to the illegal drug trade, where parties involved may be personally known to each other and build relationships, those involved in partnerships in cybercrime may not ever physically meet each other, assisting each other based on their areas of expertise. Also, a valuable consideration is there are no turf wars involved in cybercrime, as there are in the illegal drugs trade.[1]

There are many other reasons why cybercrime is attractive to the criminal. One of these is the financial reward available compared to other forms of crime. Joseph Schafer and his colleagues found that on average the bank robber may obtain $2,500, the bank fraudster $25,000, and the cybercriminal $250,000. They also found that the cost of the theft of technology to an organization is approximately $1.9 million.[2]

Alongside the financial rewards, a further attraction of cybercrime to the criminal is that the actions required are easy to carry out and hard to detect. The Internet provides anonymity for skilled cybercriminals, who use available technological resources (such as free web-based email accounts). Schafer and his colleagues found that the anonymity cybercriminals are operating under online reduces their personal inhibitions, especially since the potential for being identified and held accountable for their actions is low.[2]
Of further benefit to the cybercriminal is that the proceeds of their crime (data) can be virtualized and geographically distributed, creating technical and jurisdictional challenges for law enforcement and other investigating agencies. Digital forensic investigations to obtain evidence may not be completed in a timely manner, meaning valuable evidence may not be available to investigators.[3]
An additional benefit to the cybercriminal is that their crimes can be committed anywhere. Data can be disseminated very quickly, and the cross-jurisdictional manner of the crime results in the need for collaboration between police services at the national and international level.[2] To add a further layer of complexity for an investigating agency, cybercriminals may operate in failed or failing states that provide a safe haven.[4]

The specific civil or criminal offense in each instance depends upon the legal jurisdiction and the wording of the specifics of the offense as defined in legislation. While there are many forms of civil and criminal offenses involving technology, this chapter lists examples of offenses where technology is a major factor in the crime the cyber investigator is required to respond to. Also understand that when you are dealing with a cyber event and the suspect lives in a foreign legal jurisdiction, even though their action may be a very serious criminal or civil offense in your jurisdiction, the act may not be an offense in their country. In effect, in their jurisdiction they are doing nothing wrong.

As an investigator, be aware there may be more than one offense occurring at the same time. While you are responding to a certain form of cybercrime, this may be merely a distraction to divert the attention of the Incident Response (IR) security team, as the attacker's main goal may be elsewhere on the network. For example, there may be an attack against the company web server, and while the IR team is focused on mitigating this attack, the criminal can be stealing data from the email server or corporate database.

The remainder of this chapter provides examples of different forms of cybercriminal offending followed by a brief explanation. These are not listed as specific offenses, as each jurisdiction will have different wording for these activities and there may be multiple offenses you can identify from a single description.

POTENTIAL CYBERCRIME OFFENSES

Each of the following sections will provide some considerations the investigator may think about to support their investigation. There will be replication across the offenses; however, the comments are presented to provide a few thoughts to advance your investigation.

Industrial Espionage

This offense is also sometimes called corporate espionage. This is a standard form of cybercrime, with the criminal breaking through the defenses of a company to locate the Intellectual Property (IP) for sale or their own use. A competitor may itself conduct the attack, or the attack may be random, with the criminal breaking in to see what they can find and exploit. This offense has well predated the Internet, with insiders being used to steal IP or documents being stolen from trash bins after being discarded.

As companies develop new products, competitors may find a strategic advantage in knowing where their competition is planning on being in 12 months. The theft of strategy and development plans allows the attacker to develop their countermeasures, saving years of development and expense in new product design.

Specific IP may be submitted for patent by the developer, ensuring a level of industry protection against it being copied by competitors. However, should the IP be stolen prior to the patent being issued and then submitted for patent by the thief, complicated and expensive court cases or even overall loss of the developed IP may result.

Along with corporate IP, tender documents, which are due to be submitted in the following days, are a valuable target. With this information the business competitor who initiated or contracted a hacker to undertake the attack on their behalf may update their documents to increase their chances of winning the tender against the victim company.

Investigator Considerations

Industrial or economic espionage is a very serious criminal offense, as the future of the victim company may be at stake. Companies put very serious money into the development of IP, and having it stolen by competitors or put up for sale to the highest bidder will cause very serious stress to the complainants. In the instance of public companies, disclosure of IP being stolen may have a negative effect on their share value.

As the investigator at the scene, always respect and understand the stress of the company executives and owners. Identify who may benefit from the theft of the IP, such as competitors or new companies seeking to establish themselves.
Itmaybeofbenefittocontractwithacompanythatspecializesinoperatingin thecriminalmarketstoidentifywhetheritcomesupforsale.
Donotdiscountthepotentialforaninternalemployeetobetheparty takingtheIPandseekingtoestablishtheminarivalbusinessinthenear future.IftheIPisofsignificantfinancialvalueandnotpatented,recommend tothecomplainantthattheystillgothroughthisprocess,astheywillhave theproductdevelopmenthistorytosupporttheirclaimastoownership oftheIP.
Aninvestigationsuchasthismayneedtobeconductedintothefuturein amonitoringphase,asthecomplainantmonitorswhointheindustrydevelopsaproductverysimilartotheirIPorseekstopatentit.Thisnowprovides youwithareversestartingpointwithasuspect.Bythistimeyouwillhaveconductedyourinitialinvestigations;whenasuspecthasbeenidentified,youmay resurrectyourinvestigationwithasuspectinmind.Thisisequallyapplicable ifthesuspectwasinvolvedintheinitialtheftoftheIPorpurchaseditthrough thecriminalmarkets.
TheftofInformationSuchasIdentities,StaffFiles,and Accounts
Similartoindustrialespionage,thismaybeaspecificallytargetedorrandom attack.Theidentitiesmaybesoldonline,heldforlaterexploitation,orsoldback tothecompanyasaransom.Theseattacksmaybeinternalorexternaltothe network.
ExamplesofPersonallyIdentifiableInformation(PII)stoleninclude names,addresses,SocialSecuritynumbers,passwords,phonenumbers,email accounts,creditcardnumbers,next-of-kindetails,mother’smaidenname, andsoon.Thevalueofthisinformationtotheattackeristhatitmaybeuseful increatingdatabasesonpersonsofspecificinterestwithintheorganization; otherdatacanthenbelocatedthroughopensourceinvestigation(suchas socialmedia)todevelopamoredetailedprofileoftheindividual.Theprofile maybeusedtocommitidentifytheftagainsttheorganizationorafinancial institution,orsoldonthecriminalmarketsasaproduct.
InvestigatorConsiderations
Althoughthisisaverycommoncrime,withhundredsofmillionsofidentities andcreditcarddetailsstoleneveryyear,theconsequencestovictimsare notlessened.Thereisasayinginthelawthatyoutakeyourvictimsasyou findthem,andwhileonevictimofidentityorcreditcardfraudmaytakethe
newsandmoveonwithoutconcern,anothermaysufferseverefinancialand emotionalstress.
Asaverygeneralalthoughnotexclusiverule,stolenidentitiesaresoldon thecriminalmarkets.Investigatinginthisenvironmentisthetaskofavery skilledandexperiencedinvestigator,andifyoudonothavetheseskills,seek themelsewhere,asthesecybercriminalsemploycountersurveillance,which youneedtoavoid.
Theevidenceyouwilllocatemaycomefromtheinitialinvestigationofthe digitalevidence.Didthecybercriminalproceedstraighttothisevidenceordid theynavigatetheirpathwaythroughthenetworkbeforelocatingthisevidence? Lookatthebusinessofthevictimcompanyandwhetheritisacompanywhose collectionofsuchinformationisabyproductofitscorebusinessoractually thecorebusinessitself,suchasbeingapaymentgateway.Thisinformationwill assistinunderstandingtheattacker’smotivationsandthetypeofcybercriminalyouareseeking.
Chapter15willprovidemoreinformationastoconductinginvestigations inthisenvironmentandevidenceyoumaylocatethroughcriminalvendors.
ComputerHackingtoGainAccesstoSystemResources
Corporationsandeducationalandgovernmentalorganizationshaveaccess tolargeandpowerfulcomputersystemswithprocessorsandbandwidth.An attackermaybreakintoasystemtohostacriminalsite(suchasafraudulent onlinepharmacy)ortousethebandwidthtolaunchaDenialofService (DoS)attackagainstanothertarget.Alternatively,theymayseektousethese resourcestomineBitcoin.
Thisformofattackmaybelostinthetrafficofnormalday-to-dayactivitywherethereisahighvolumeofactivityoninternalandexternalnetworks; however,useofthebandwidthresourcesconfersacosttothevictimcompany.
InvestigatorConsiderations
Thisisauniqueformofinvestigation,asmanyvictimsofthisformofcybercrimedonotmakecomplaintsduetothepotentialforreputationaldamage.If youareentrustedtoinvestigatethesecrimes,looktowardwhoisthebeneficiaryoftheoffense,suchastheonlinepharmacyortheBitcoinminer.Details aboutthecompromisemayalsobeofinterest,astheobviousoffensemaybethe byproductofaninitialhackseekingIPandstudent/staffdetails.
AcademicinstitutesareahavenforvaluableIPbeingdevelopedby postgraduateanddoctoralstudents,whichishighlyprizedbynationstates,
especiallyinfieldssuchasrobotics,artificialintelligence,andnanotechnology. Lookverycloselyatwhatelsethecybercriminalwasdoing,especiallybefore thetakeoveroftheinfrastructure,anddonotfocusexclusivelyonthemost obviousoffendingyouhavebeentaskedtoinvestigate.
GainingorExceedingAuthorizedAccessLevelstoObtain HighlyRestrictedData
Usersofanetworkmayseektoincreasetheirlevelofaccesstohighlyconfidentialdata.Alternatively,ahackermaygainauser’scredentialswithintheorganizationandworkonescalatingtheiraccesstotheconfidentialdatathrough compromisingaccountsassociatedtotheuser.Forexample,ahackermaygain accesstothepersonnelclerk’sinternalaccount,thenusethistogainaccessto theirsupervisor’saccount,thenusethistogainaccesstothepersonnelmanager’saccount,andsoon.
Thisisamajorconcernforallorganizationsandgovernmentagenciesand theircontractorswhohavebeencompromisedinthismanner.
InvestigatorConsiderations
Escalatingprivilegesinvolvesnavigatingapathwaythroughaseriesofusers’ accountsfromlowtohigherlevelstofindwhereusersgainaccesstoconfidentialdata.Youmayhavetoworkbackwardsfromthepointofidentificationof thebreachtofindwhoseaccountwascompromisedinthefirstinstanceand howthiswasachieved.Thiswillprovideevidenceoftheattackerenteringthe organizationandgainingthelowestlevelsofprivilege.Youmay,forexample, findalinkbetweentheattacker’sInternetProtocoladdressfoundattheinitial compromiseofthejuniorpersonnelclerk’saccountandtheInternetProtocol addressthestolendatawasforwardedto.
Understandingpre-offensebehaviors,includingreconnaissance,testingof vulnerabilities,andphishingattacks,mayprovidedetailsaboutoffenderbehaviorandattribution.
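The backward trace described above, as an added example that is not from the book: constructed authentication and egress records for the clerk-to-supervisor-to-manager chain, with a function that starts from the exfiltration event, recovers the first compromised account, and checks whether the attacker's source address is also the address the data was forwarded to. Account names, IP addresses and the record layout are assumptions.

```python
from datetime import datetime

# Constructed sample records (not from the book). Each auth record is
# (timestamp, account, source_ip, result); each egress record is
# (timestamp, account, destination_ip, bytes_sent). Names and IPs are hypothetical.
AUTH_LOG = [
    ("2020-03-02T08:05:00", "jclerk",   "10.0.0.21",    "success"),  # normal office login
    ("2020-03-02T22:14:00", "jclerk",   "203.0.113.7",  "success"),  # after hours, external IP
    ("2020-03-03T01:30:00", "asuper",   "203.0.113.7",  "failure"),
    ("2020-03-03T01:31:00", "asuper",   "203.0.113.7",  "success"),
    ("2020-03-04T02:10:00", "pmanager", "203.0.113.7",  "success"),
    ("2020-03-04T08:30:00", "pmanager", "10.0.0.44",    "success"),  # manager's own login
]
EGRESS_LOG = [
    ("2020-03-04T02:40:00", "pmanager", "203.0.113.7",  734003200),  # large overnight transfer
    ("2020-03-04T09:00:00", "pmanager", "198.51.100.9", 2048),       # routine traffic
]

def _t(ts):
    return datetime.fromisoformat(ts)

def trace_escalation(auth_log, egress_log, exfil_account, exfil_dst):
    """Work backwards from the exfiltration event, as the chapter suggests.

    1. Find the first transfer from exfil_account to exfil_dst.
    2. Collect every source IP that successfully logged into that account beforehand.
    3. For each IP, list the accounts it reached in time order; the IP that touched
       the most distinct accounts is the likely escalation pathway.
    4. Report whether that IP is also the exfiltration destination (the link the
       text describes) and which account it compromised first.
    """
    transfers = [e for e in egress_log if e[1] == exfil_account and e[2] == exfil_dst]
    if not transfers:
        return None
    exfil_time = min(_t(e[0]) for e in transfers)
    candidate_ips = {a[2] for a in auth_log
                     if a[1] == exfil_account and a[3] == "success" and _t(a[0]) < exfil_time}
    best = None
    for ip in candidate_ips:
        events = sorted(a for a in auth_log if a[2] == ip and _t(a[0]) < exfil_time)
        chain = []
        for _, account, _, result in events:
            if result == "success" and account not in chain:
                chain.append(account)
        failed = sum(1 for a in events if a[3] == "failure")
        if best is None or len(chain) > len(best["account_chain"]):
            best = {"suspect_ip": ip, "account_chain": chain,
                    "first_compromised": chain[0], "failed_attempts": failed,
                    "ip_linked_to_exfil": ip == exfil_dst}
    return best
```

The same function run against the routine daytime transfer still surfaces the external address as the escalation pathway but reports no link to the destination, which is the distinction an investigator needs before treating the address as attribution evidence.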
Exploiting Information Security Weaknesses through the Supply Chain, Including Third-Party Contractors
Third-party contractors often fail to provide the level of security their client is capable of providing. For example, independent contractors in Hollywood may have been the ones hacked when movies are taken and held for extortion prior to release to the public. The criminals have determined it is easier to hack into the computer of a contractor rather than a major Hollywood studio, which has more resources to defend itself.
Investigator Considerations
Look closely at what was taken and who may benefit from the attack. In the example given of a Hollywood contractor, look to see whether the offender went directly to the IP or whether the IP was only located as a byproduct of examining the system.
While we may think cybercriminals are very structured, motivated, and skilled types of people, sometimes they are lucky and stumble across very valuable IP without initially understanding the target they are hacking. In effect, they got lucky.
Stealing Credit Card Data for Selling Online, or Card-Not-Present Fraud
These attacks deliberately target credit card information for exploitation or for selling online through the criminal trading markets. This information includes names, addresses, credit card numbers, dates of birth, next of kin, phone numbers, and so on.
The card numbers are used to purchase goods from online retailers using Internet services, with the cybercriminal having the goods delivered to a predetermined address. This may be an unknowing colleague's address, work address, rental property, or a pickup point that specializes in receiving parcels for clients, as some postal services operate. This is known to retailers as "card-not-present" fraud and carries a significant financial cost for the retailer, as the credit card company reverses the charge to the retailer.
As an alternative, a cybercriminal may sell information from the cards to clients as a bulk item, charging per unit or at a volume discount. Should the information be from cards of particular value, such as an American Express Platinum card, it may be sold individually at a negotiated price.
Investigator Considerations
These tend to be large-volume crimes, with hundreds of millions of credit cards available for sale online in the criminal markets. As mentioned previously, do not even consider going onto the criminal markets unless you are very skilled in online tradecraft, or even better, have brought in a cyber investigator who is experienced in this field.
Identifying who is the beneficiary of the transaction is a more productive pathway for the investigator investigating individual card-not-present frauds.
Gaining Access to a System or Device through Malicious Software
These attacks seek to gain access to a computer system through the delivery of malicious software. This may be either an internal or external attack. An example is an Advanced Persistent Threat (APT), where a person gains unlawful access to a computer device and maintains their hidden presence, gathering new data each day. An APT may be present from a week up to several years before being found.
Investigator Techniques
Identifying the malicious software used in the crime is one of the first steps for the investigator. Contact the organization's security vendor, which may have resources available to immediately identify the malicious software and its characteristics. Many of these companies have very knowledgeable investigators who can provide you with information about the persons and/or syndicates behind the attack. You may use this valuable information to leverage off their technical inquiries.
This will be a portion of your investigation and supplement the investigation into the crime committed via usage of the malicious software.
Damaging the Reputation of a Competitor to Gain a Market Advantage
As competition is tough in the marketplace, damaging the reputation of a competitor may provide the attacker an advantage. An example would be a tender submitter launching an online attack on a competitor just before a tender committee sits to decide who will win the latest tender, raising serious questions about the victim's cybersecurity.
Investigator Considerations
In the early days of the investigation, look to see who is the beneficiary of the reputational damage of your client. While this may be a random attacker with an extortion motive, if the company is in the process of delicate negotiations with a potential client or tendering for a new contract, there may be clear signals as