
Cybercrime Investigations

A Comprehensive Resource for Everyone

John Bandler
Antonia Merzon

First edition published 2020
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

© 2020 Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, LLC

International Standard Book Number-13: 978-0-367-19623-3 (Hardback)
International Standard Book Number-13: 978-1-003-03352-3 (eBook)

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Names: Bandler, John, author. | Merzon, Antonia, author.
Title: Cybercrime investigations: the comprehensive resource for everyone / by John Bandler and Antonia Merzon.
Description: First edition. | Boca Raton, FL: CRC Press/Taylor & Francis Group, 2020. | Includes bibliographical references and index. | Summary: "Cybercrime continues to skyrocket but we are not combatting it effectively yet. We need more cybercrime investigators from all backgrounds and working in every sector to conduct effective investigations. This book is a comprehensive resource for everyone who encounters and investigates cybercrime, no matter their title, including those working on behalf of law enforcement, private organizations, regulatory agencies, or individual victims. It provides helpful background material about cybercrime's technological and legal underpinnings, plus in-depth detail about the legal and practical aspects of conducting cybercrime investigations. Key features of this book include: Understanding cybercrime, computers, forensics, and cybersecurity, law for the cybercrime investigator, including cybercrime offenses; cyber evidence-gathering; criminal, private and regulatory law, and nation-state implications; cybercrime investigation from three key perspectives: law enforcement, private sector, and regulatory; financial investigation; identification (attribution) of cyber-conduct; apprehension; litigation in the criminal and civil arenas. This far-reaching book is an essential reference for prosecutors and law enforcement officers, agents and analysts; as well as for private sector lawyers, consultants, information security professionals, digital forensic examiners, and more. It also functions as an excellent course book for educators and trainers. We need more investigators who know how to fight cybercrime, and this book was written to achieve that goal. Authored by two former cybercrime prosecutors with a diverse array of expertise in criminal justice and the private sector, this book is informative, practical, and readable, with innovative methods and fascinating anecdotes throughout" — Provided by publisher.
Identifiers: LCCN 2020000272 | ISBN 9780367196233 (hardback) | ISBN 9781003033523 (ebook)
Subjects: LCSH: Computer crimes–Investigation.
Classification: LCC HV8079.C65 B36 2020 | DDC 363.25/968–dc23
LC record available at https://lccn.loc.gov/2020000272

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Dedication

To all cybercrime investigators, past, present, and future, whose diligent and professional work keeps us safe.
J.B. and A.M.

To my wife, children, and parents. J.B.

To my wonderful family. A.M.

Chapter1 Introduction:TheNeedforGoodCybercrimeInvestigators................................3

1.1WhyThisBook............................................................................................3

1.2WhoInvestigatesCybercrime?.....................................................................5

1.3HowThisBookIsOrganized......................................................................6

1.4KeepingItFun:Anecdotes,Cases,Diagrams,andCartoons.......................7 1.5OnwardandUpward...................................................................................8

Chapter2 WhatIsCybercrimeandWhyIsItCommitted?..................................................9

2.1Introduction................................................................................................9

2.2WhatMakesa “Cyber” ActivityaCrime?AQuickIntroductiontoCybercrimeOffenses..............................................................................................9

2.2.1ComputerandNetworkIntrusions..............................................10

2.2.2DataBreaches,TheftofData,andDataTrafficking....................11

2.2.3TransmissionandUseofMalware...............................................11

2.2.4TamperingwithorDamagingaNetworkorSystem....................11

2.2.5IdentityTheftandImpersonation................................................12

2.2.6TheftofFundsandFraudSchemes.............................................12

2.2.7BlackmailandExtortion..............................................................13

2.2.8MoneyLaundering......................................................................13

2.2.9Harassment,Threats,Stalking,andRevengePorn.......................14

2.2.10Possessing,Selling,orSharingChildPornography......................15

2.2.11TraffickingofPhysicalContraband..............................................15

2.2.12Gambling.....................................................................................15

2.3Cybercrimevs.TraditionalStreetCrime:TheDifferences.........................15

2.3.1Technology,InternetandNetworks...............................................16

2.3.2Distance:TheNationalandInternationalNexus..........................16

2.3.3InvestigationRateandSolveRate.................................................17

2.3.4ConnectiontoaBroadCriminalEcosystem..................................17

2.4MotivesandActors...................................................................................18

2.4.1ProfitandGreed............................................................................18

2.4.2PersonalAttack.............................................................................18

2.4.3ThrillandBraggingRights............................................................18

2.4.4Activism.........................................................................................19

2.4.5CorporateEspionage.....................................................................19 2.4.6Nation-StateObjectives.................................................................19 2.4.7Terrorism.......................................................................................20

2.5TheCybercrime-For-ProfitEconomy........................................................20

2.5.1TheConnectionbetweenIdentityTheftandCybercrime...............21

2.5.2TheCybercrimeEconomyEarnsMoneyandRequiresPayments

2.6DigitalEvidence:TheBackboneofAnyCyberInvestigation (andTraditionalInvestigations,Too).........................................................23

3.3.1 Case
3.3.2 Power Source
3.3.3 Processors (CPUs)
3.3.4 Memory (Volatile Storage
3.3.5 Persistent Storage (HDD/SSD)
3.3.6 Communicating with the User: Interfaces for Input and Output
3.3.7 Communicating with Other Computers (NIC)
3.5.1.1 NIC and MAC Addresses
3.5.1.2 Cables, Wireless, and Network Switches
3.5.1.3 Modem
3.5.1.4 Router
3.5.2 Networking Communication and Internet Protocol (IP)
3.5.3 TCP versus UDP
3.6 Proxies, VPNs, and Tor
3.7 Encryption
3.7.1 Encryption in Transit
3.7.2 Encryption at Rest
3.8 Digital Forensics and Evidence Gathering
3.8.1 Ensuring Integrity of Stored Data: Hashing
3.8.2 Stored Data (Persistent Storage) in Devices: Forensically
3.8.3 Volatile Memory: Conducting Memory Forensics
3.8.4 Website Evidence: Viewing and Preserving
3.8.5 Emails and Email Headers

4.2.1 CIA: The Three Information Security Objectives
4.2.2 Controls to Protect Information Systems
4.2.3 Authentication to Guard Access
4.2.4 Principle of Least Privilege

5.2.2 The Criminal Justice Process
5.2.3 Criminal Justice Protections
5.2.4 How Investigations and Prosecutions are Started
5.2.5 Categories of Criminal Charges
5.2.6 Charging the Defendant and Judicial Review: Complaints, Indictments, Grand Jury, Preliminary Hearings
5.2.7 The Investigative Role of the Grand Jury
5.3 Who Investigates and Prosecutes Crimes?
5.3.1 State/Local Enforcement and Federal Enforcement
5.3.2 Jurisdiction and Venue
5.3.3 Resources, Expertise, and Collaboration
5.4 What Constitutes a Crime and Its Elements
5.4.1 Act or Omission (actus reus)
5.4.2 Culpable Mental States (mens rea)
5.4.3 Anticipatory Offenses (Such as Attempt and Conspiracy)
5.5 Defenses (Such as Self-defense and Entrapment)
5.6 The Fourth Amendment: Constitutional Rules for Search and Seizure
5.6.1 Expectation of Privacy
5.6.2 Consent
5.6.3 The Search Warrant Requirement
5.6.4 Exceptions to the Search Warrant Requirement
5.6.5 Workplace Searches and Monitoring
5.6.6 Private Searches versus Public Searches
5.7 The Exclusionary Rule: Protections and Consequences for Improper Investigative Action
5.7.1 Physical Evidence
5.7.2 Other Forms of Evidence: Unlawful Arrests, Statements, and Witness Identifications
5.7.3 Fruit of the Poisonous Tree Doctrine
5.8 Civil Law and Procedure
5.8.1 The Civil Litigation Process
5.8.2 Causes of Action
5.8.2.1 Intentional Torts
5.8.2.2 Negligence Torts
5.8.2.3 Breach of Contract
5.8.2.4 Cybercrime-Specific Causes of Action

6.3.1 The Computer Fraud and Abuse Act (CFAA)
6.3.2 The Wiretap Act
6.3.3 Unlawful Access to Stored Communications
6.3.4 The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)
6.3.5 Communication Interference
6.4 State Cybercrime Law
6.5 "Traditional" Federal and State Laws that Apply to Cybercrime
6.5.1 Theft/Larceny
6.5.2 Possession/Receiving of Stolen Property
6.5.2.1 Property: A Changing Concept in the Cyber Age
6.5.3 Identity Theft
6.5.4 Impersonation
6.5.5 Credit/Debit Card Fraud
6.5.6 Bank Fraud
6.5.7 Wire Fraud
6.5.8 Forgery
6.5.9 Money Laundering
6.5.10 Harassment, Stalking, and Sextortion
6.5.10.1 First Amendment Considerations
6.5.11 Child Exploitation and Pornography
6.5.12 Vandalism
6.5.13 Organized Crime
6.5.14 Attempt and Conspiracy
6.6 Conclusion

Chapter7 TheLawEnforcementLegalToolkitforInvestigatingCybercrime: LawsforGatheringCriminalCyberEvidence..................................................110

7.1Introduction.............................................................................................110

7.2PrivacyandConsent:ApplyingThesePrinciplestoCommunications......111

7.2.1CommunicationsandPrivacy......................................................111

7.2.2CommunicationsandConsent.....................................................112

7.2.3ReasonableExpectationofPrivacyintheWorkplace..................113

7.3TheNineToolsforGatheringEvidence...................................................113

7.3.1Open-SourceInvestigation...........................................................114

7.3.2ObtainingConsent.......................................................................114

7.3.3SubpoenaDucesTecum...............................................................114

7.3.4Section2703(d)Order..................................................................115

7.3.5SearchWarrant............................................................................116

7.3.6PenRegisterandTrap-and-TraceDevice.....................................117

7.3.7Wiretap........................................................................................118

7.3.8LetterofPreservation..................................................................118

7.3.9Non-DisclosureRequestandOrder.............................................119

7.4TheElectronicCommunicationsPrivacyAct(ECPA):Applying theToolstoOnlineCommunications.......................................................119

7.4.1TheStoredCommunicationsAct:RecordsofPast Communications..........................................................................120

7.4.1.1TheRoleofThird-PartyProviders.................................121

7.4.1.2ServicesCoveredbytheSCA(ECSandRCS)...............121

7.4.1.3 “Content” vs. “Non-Content” Information...................123

7.4.1.4SubscriberandSessionInformation...............................123

7.4.1.5SensitiveNon-ContentInformation...............................123

7.4.1.6LocationInformation....................................................124

7.4.1.7ContentInformation......................................................124

7.4.1.8SCARulesforLettersofPreservation, Non-Disclosure,andDelayedDisclosureOrders............126

7.4.2ThePen/TrapStatute:LiveMonitoringofNon-Content Information.................................................................................127

7.4.3TheWiretapAct:LiveMonitoringofContentInformation........127

7.5ObtainingEvidenceLocatedinAnotherState..........................................128

7.5.1FederalInvestigations..................................................................129

7.5.2StateandLocalInvestigations.....................................................129

7.5.3SearchWarrantConsiderationsforOut-of-State DevicesandPhysicalPremises.....................................................130

7.6ObtainingEvidenceStoredOverseasbyU.S.Entities: TheCLOUDAct......................................................................................131

7.7ObtainingEvidenceLocatedinAnotherCountry....................................132

7.7.1PresenceofEvidenceorItsCustodianCorporation intheUnitedStates......................................................................133

7.7.2MutualLegalAssistanceTreaties(MLATs).................................133

7.7.3LettersRogatory..........................................................................133

7.7.4InformalAssistance.....................................................................134

7.7.5EgmontRequest..........................................................................134

7.7.6SuspectsLocatedinOtherStatesandForeignCountries (Preview)......................................................................................134

8.2 Laws and Measures Relating to Nation-State and Terrorist Activity
8.2.1 Criminal Laws
8.2.2 Civil Laws and the Foreign Sovereign Immunities Act (FSIA)
8.2.3 International Treaties, Agreements, and Judicial Processes
8.2.4 Laws and Principles of Sovereignty and Waging War
8.2.5 Terrorism-Related Measures
8.2.6 Espionage, Clandestine and Covert Operations, and Propaganda
8.3 The Motives and Actions of Nation-States
8.3.1 Generating Funds
8.3.2 Nation-State Commercial Espionage
8.3.3 Attacks on Infrastructure
8.3.4 Attacks to Advance Strategic Interests
8.4 Terrorist Funding, Recruiting, Vandalism, and Attacks
8.4.1 Terrorist Funding
8.4.2 Recruitment
8.4.3 Cyber Vandalism and Hacktivism
8.4.4 Inciting Local Attacks
8.5 What to Do if the Investigation Leads to a Nation-State or Terrorist
8.6 Conclusion

9.1 Introduction
9.2 Attorney
9.3 Civil Lawsuits against Cybercriminals: Actions for Intentional Torts
9.4 "Hacking Back": Intentional Acts by Cybercrime Victims that Could Incur Liability
9.5 Cybercrime Statutory Causes of Action
9.6 Negligent Cyber Torts: The Reasonable Person and the Standard of
9.6.1 Negligence that Directly Causes the Harm
9.6.2 Negligence that Allows the Commission of a Crime by a Third
9.6.2.1 Theft of Automobile
9.6.2.2 Premises Liability
9.6.2.3 Cybercrime Liability
9.8.1 Federal and State Laws
9.8.2 Temporary Restraining Orders (TROs)
9.8.3 Burden of Proof
9.9.4.1 FTC and State Attorneys General
9.9.4.2 GDPR
9.9.4.3 California Consumer Privacy Act
9.9.4.4 Colorado Protections for Consumer Data Privacy Act
9.10 Civil Laws and Regulations for Speci
9.10.1.1 GLBA: Gramm-Leach-Bliley Act
9.10.1.2 FFIEC and SEC Requirements
9.10.1.3 New York Information Security Requirements for the
9.10.2 Health Sector Regulations: HIPAA and HITECH

Chapter10 EmbarkingonaCybercrimeInvestigation:TheThreePerspectivesandKey AreasofFocus.................................................................................................173

10.1Introduction............................................................................................173

10.2CybercrimeInvestigationfromThreePerspectives:PrivateSector,Law Enforcement,andRegulatory.................................................................173 10.2.1PrivateSector.............................................................................174

10.2.2LawEnforcement.......................................................................175

Chapter11 GeneralInvestigationMethods:Organization,OpenSource,Records,and

11.7RecordsEvidence..................................................................................191

11.8.1ReadingEmailHeaders..............................................................196

11.8.2AnalyzingLargeSetsofEmails..................................................197

12.2IncidentResponse(andPrevention)......................................................201

12.3DiscoveryofCybercrimeIncidentsbyPrivateParties...........................202

12.3.1IsThisaCrimethePrivateEntityCanand ShouldInvestigate?....................................................................203

12.4DeterminingInvestigationGoalsandScope.........................................205

12.5ActivatingNecessaryPersonnel:In-HouseandExternal......................207

12.5.1ExternalServicestoConsider....................................................208

12.6ReportingandNotificationstoLawEnforcement,Regulatory Agencies,andOtherParties..................................................................209

12.6.1ReportingtoLawEnforcement..................................................209

12.6.2ReportingtoRegulatorsandAgenciesEnforcing SimilarLaws..............................................................................211

12.7IdentifyingPotentialWitnessesandEvidence:InternalandExternal...212

12.8CollectingEvidenceAvailableInternally...............................................212

12.8.1InterviewingInternalPersonnel.................................................213

12.8.2InternalRecordsandData.........................................................213

12.8.3ForensicsonInternalDevicesandNetworks.............................214

12.9CollectingEvidencefromExternalSources..........................................215

12.9.1Open-SourceResearchRevisited................................................215

12.9.2RequestingDataandInformationfromThirdParties...............215

12.9.3CivilLegalProcesstoCompelExternalPartiestoProduce Evidence:JohnDoeLawsuitsandSubpoenas............................216

12.9.4RespectingtheRightsofThirdParties.......................................218

13.4 Is This a Crime that Law Enforcement Can and Should Investigate?
13.4.1 Nature and Extent of the Harm
13.4.2 Nature of Initially Available Evidence
13.4.3 Jurisdictional Analysis
13.4.4 Resources and Personnel Needed
13.4.5 Likelihood of Apprehending Suspects
13.4.6 Related Civil Implications
13.4.7 Impact on Society and Deterrence
13.4.8 Advising the Victim
13.5 Opening a Case
13.6 Assessment of Initial Evidence: What Do We Have, What Do We Need?
13.7 Getting Ready to Investigate: A Recap of the Tools
13.7.1 Open-Source Investigation
13.7.2 Consent
13.7.3 Letter of Preservation (If Additional Process Is Contemplated)
13.7.4 Non-Disclosure Order and Request
13.7.5 Subpoena
13.7.6 2703(d) Order
13.7.7 Search Warrant
13.7.8 Pen Register and Trap/Trace Device (Including with Location Data)
13.7.9 Wiretap
13.8 SIMPLE: The Six-Step Initial Mini-Plan for Law Enforcement
13.9 The Records Phase: Digging for Clues and Connections
13.10 The Data Search Phase: Zeroing in on Internet Accounts and the Criminals Using Them
13.11 The Physical World Phase: Searching Spaces and Devices

15.6.1 Where to Find Evidence of Financial Activity
15.6.2 Investigating Virtual Currency Transactions: Specific Tools and Resources
15.6.3 Cryptocurrency Transaction Records
15.7 Conclusion

Chapter16 IdentificationoftheSuspect:AttributingCyberConducttoaPerson.............265

16.1Introduction............................................................................................265

16.2DoingIllicitBusinessOnline:CyberNicknamesandPseudonyms.........265

16.3TheAttributionProcessandDevelopingaSuspect:MappingCriminal ConducttoCyberPedigreeandPhysicalPedigreeInformation..............266

16.3.1TwoKindsofPedigreeInformation:PhysicalandCyber...........267

16.3.2TheID-PLUSAttributionProcess:SixStepstoLinkCriminal ConducttoCyberPedigreeandPhysicalPedigree.....................268

16.3.3Example:UsingID-PLUStoBuildanIdentification.................275

16.3.4Example:ASampleAttributionSummary(Workingfromthe CrimetoaSuspect)....................................................................277

16.3.5TheAttributionProcessfromAnotherLens:TypesofEvidence thatCanIdentifyCybercriminals...............................................279

16.4WritingandArticulationRevisited:ClearandEffectiveCyber Identification...........................................................................................281

16.5ExaminingIssuesofProof......................................................................282

16.6Apprehension:ConfirmingPedigreethroughStatementsandForensics.282

16.7Conclusion..............................................................................................284

17.2ChargingDecisions.................................................................................285

17.2.1MethodsforChargingaSuspect................................................286

17.2.2 “Sealing” ChargesversusPublicizingThem...............................287

17.3InterstateProceduresforArrestingandExtraditingDefendants............287

17.4InternationalProceduresforArrestingandExtraditingDefendants.......289

17.5ArrestStrategiesandtheHuntforEvidence...........................................290

17.6ASuccessfulArrestDoesNotMean “CaseClosed” ...............................291

18.1Introduction...........................................................................................295

18.2GoalsoftheLitigation...........................................................................295

18.3LitigationBegins:FilingofanAccusatoryInstrument...........................296

18.4TheDefendantEnterstheLitigation:Apprehension,Extradition,and Arraignment...........................................................................................297

18.5GuiltyPleas:PleaPositionandNegotiation...........................................298

18.6Discovery:SharingtheInvestigationwiththeDefense...........................299

18.7MotionPractice,Hearings,andPre-TrialDecisions:Testingthe

18.8Trial:TheInvestigationLaidBare..........................................................302

18.8.1PickingaJury............................................................................303

18.8.5TheDefense:Cross-ExaminationandCounterattackingwith

19.2.2CivilActionagainstCybercriminalforIntentionalTort............316

19.2.3CivilActionagainstCybercriminalunderaCybercrimeStatutory

19.2.4CivilActionagainstAnotherVictimforNegligent

19.2.7CivilActionbyCriminalProsecutortoFreezeandSeizeAssets318

19.3.1GovernmentAgencies................................................................319

19.3.2PrivateLitigants.........................................................................319

About the Authors

John Bandler and Antonia Merzon served together as Assistant District Attorneys at the New York County District Attorney’s Office (DANY), hired by the legendary Robert Morgenthau. They investigated and prosecuted a wide variety of criminal offenses, ranging from those that garnered headlines to the many that received little attention but were equally essential for the administration of justice and protection of the public. Antonia founded and led the Identity Theft Unit (since renamed the Cybercrime and Identity Theft Bureau), recruiting John as an early member. The unit’s work quickly revealed the close connection between identity theft and cybercrime, and brought amazing cases, including the Western Express case, which you will read about. As Unit Chief, Antonia supervised the work of hundreds of prosecutors and thousands of investigations, guiding and developing both people and cases. This fledgling unit with scarce resources did terrific work in a new and evolving area of crime. Eventually, their service at DANY came to an end, and they share their expertise now as lawyers and consultants in a variety of areas.

Their experiences during and after DANY are what convinced them to write this book together.

John Bandler runs a law firm and a consulting practice that helps organizations and individuals with cybersecurity, cybercrime investigations, and anti-money laundering efforts, among other areas. Before becoming a prosecutor, he served as a State Trooper in the New York State Police for eight years, assigned to one of the state’s busiest stations, which provided full police services to the local community. While serving in the State Police he attended law school at night at Pace University School of Law, and upon graduating he went to work for Mr. Morgenthau. Since leaving government service he has represented a range of clients, from individuals to banks, on many issues, including cybersecurity, privacy, anti-fraud, and threats. John is admitted to the bars of New York, Connecticut, and Washington D.C., holds a number of certifications, and writes, lectures, and teaches on law, cybersecurity, cybercrime, and more.

Antonia Merzon provides legal and consulting expertise related to security, investigations, and law enforcement, especially as they intersect with the worlds of law, technology, privacy, and fraud. She graduated from Fordham University School of Law and then was hired by Mr. Morgenthau. During her time at DANY, she built the new Identity Theft Unit that investigated and prosecuted cybercrime and virtual currency money laundering – before these areas were in the public awareness – and developed the unit’s digital forensic and investigative capacity. Cybercrime and traditional investigations are among her specialties, including developing best practices. She also is an expert on a diverse array of investigation and litigation best practices for law enforcement, including the use of body-worn cameras, eyewitness identification, and the electronic recording of custodial interrogations.

John and Antonia can be contacted through their book website: CybercrimeInvestigationsBook.com

Mail can be directed to:

John Bandler

Antonia Merzon

c/o Bandler Law Firm PLLC

Bandler Group LLC
48 Wall Street, 11th Floor
New York, NY, 10005

Acknowledgments

There are many people who made this book possible and contributed to it.

Tracy Suhr provided invaluable and detailed assistance in all the areas of the book, including cybercrime, law, investigations, and editing and grammar. This book is vastly improved thanks to her. We had the privilege to work with her at DANY, where she rose to become Deputy Bureau Chief of the Cybercrime and Identity Theft Bureau.

Rob Bandler, John’s cousin, former Deputy Director of IT Security at Cornell University and career IT professional, made the book better from start to finish, providing valuable assistance throughout on both subject matter and editing.

Christopher Jones gave extensive help throughout as well.

Many others also helped with this book, reading chapters, providing valuable feedback, and bringing diverse expertise in areas that included cybersecurity, cybercrime, law, business, and editing. They include: William Darrow, Robert Barnsby, Preston Miller, J-Michael Roberts, Bret Rubin, Stephen Hines, Joshua Larocca, Elizabeth Roper, Nicolette Endara Popovitch, and Stephen Moccia.

We have worked a lot of great investigations and cybercrime cases, including one you will read about in this book, and we learned a lot along the way. None of that – and none of this book – could have been possible without the many dedicated professionals with whom we worked. Thank you to the paralegals, analysts, police officers, detectives, investigators, special agents, prosecutors, victims, private sector investigators, and corporations who helped us become better investigators.

Special thanks to Charles D. Tansey, whose magnificent cartoon characters grace our diagrams. Art is but one of his many talents, and we are grateful for the chance to use his work in this book.

Finally, none of this would be possible or worthwhile without the support of our families, and our deepest thanks go to them.

John Bandler
New York, NY

Antonia Merzon
Boulder, Colorado
April, 2020

Part I

Understanding Cybercrime, Computers, and Cybersecurity

1 Introduction: The Need for Good Cybercrime Investigators

This chapter (and book) is for:

• You

• Law enforcement of all types: police, investigators, agents, prosecutors, analysts

• Those in the private sector investigating or dealing with cybercrime

• Regulators

• The technically skilled and those who are not

• Beginning cyber investigators, intermediate, and even experienced ones looking for a comprehensive view

• Lawyers and non-lawyers.

At the start of each chapter, we will identify the type of cybercrime investigator for whom that chapter is primarily intended. Cybercrime investigators do not just have the title of “investigator”. They come from many jobs and backgrounds – lawyers and non-lawyers; technical experts and technical beginners; experienced traditional investigators who are learning about cybercrime, and investigators whose only experience is with cybercrime; law enforcement agents, industry regulators, and members of the private sector; and students and trainees just starting out. Given this diversity of backgrounds, we recognize that some readers might read the book straight through, and some might skip chapters because they are working on a time-sensitive matter, or because existing skill sets make certain chapters less critical. That said, we think you will get something out of every chapter.

1.1 WHY THIS BOOK

Let us start with three fundamental truths about investigating cybercrime:

1. We all can investigate cybercrime. Cybercriminals are running amok online partly because of the misconception that only specialized investigators with vast technological resources can work these cases. Tech skills and gadgets are great to have, but they are, by no means, a requirement for handling a cyber investigation.

2. Cybercrime can be solved. Just because it is a cybercrime doesn’t mean it is hard to solve. Cybercriminals – like every type of criminal – run the gamut, from low-level scammers to highly sophisticated organizations. They are not all tech-wizards. They are not all hard to find.

3. Even the most sophisticated cybercriminals can be caught.

Bottom line: the common preconception that cybercrime is too difficult to investigate is wrong. Every case can and should be investigated. Every investigator can take positive steps to solve a case. Instead of looking at a cyber incident and assuming there is not much that can be done, we can use these core truths about cybercrime to frame a plan of action.

Cybercrime is a relatively new phenomenon. Malicious actors no longer need to be in the immediate vicinity of their victims, but can attack and steal remotely, even from abroad. The reach of the Internet means cybercrime is a safety and security problem for every community, industry, business, and law enforcement agency – large or small.

Investigating cybercrime is an even newer endeavor than cybercrime itself, and because it involves technology, it can seem daunting to many investigators and victims. How do you start investigating when one of these incidents happens? How do you figure out who did it when the perpetrator is hiding online? What do you do with a crime that seems to lead across the country, let alone around the world?

When we first started working on cybercrime cases as prosecutors, we had the same questions. We did not come to this work from a tech background, and we often had minimal resources available. But through time, effort, and creativity we learned how to find the answers. We learned that cybercrime can be investigated, offenders can be found, and cases can be successfully prosecuted.

We wrote this book to share this knowledge with you, and to inspire more people to become cybercrime investigators – especially those who might think cybercrime is too challenging to take on.

We understand that, in some places, law enforcement and private security lack experience, training, and resources when it comes to cybercrime. That is another reason we wrote this book. We want to give any interested investigator the knowledge and tools to handle these cases. As cybercrime continues to grow, we need more investigators on the front lines ready, willing, and able to take it on. There are concrete steps that every investigator can take to tackle cybercrime. This book is designed to make these steps understandable and doable for investigators everywhere.

Why is it so important to bolster the investigative response to cybercrime? Let’s look at some of the major repercussions of cybercrime in today’s world.

• Profit and Losses. Cybercrime is immensely profitable for cybercriminals, but immensely costly to the rest of us. Each year, U.S. businesses and consumers lose billions of dollars through cybercrime while the criminal and private investigation of these events remains completely inadequate. It is astonishing to consider that billions of dollars can be stolen annually without proper investigation or redress.

• Terrorism and Espionage. The profitable and disruptive nature of cybercrime means it is an activity of interest for terrorists and nation-states seeking income, intelligence, or simply a new way to inflict harm. The Internet provides a gateway and a network for all manner of nefarious activity at the local, national, and international levels. Our will to investigate this activity must measure up to the threat it presents.

• New Ways to Move Money. Cybercriminals have developed innovative money laundering techniques to pay each other and disguise their illicit income. Virtual currencies and cryptocurrencies, international wire transfer schemes, money held and moved in stored-value cards (like gift cards), criminal proceeds funneled through multiplayer video games – these are some of the methods cybercriminals use, along with more traditional money laundering mechanisms. Once proven successful, these techniques are adopted not just by cyber thieves, but by other criminals looking to conduct illicit transactions, such as child pornographers, narcotics dealers, and terrorists.

• Stalking, Revenge, and Harassment. Stealing is not the only form of cybercrime – the Internet is used to commit a wide variety of crimes meant to harass, stalk, menace, or otherwise target specific individuals. The increasingly sophisticated methods used to conduct these crimes are capable of inflicting tremendous, ongoing harm to victims. The scenarios range from teen sexting to cyber-revenge acts directed at employers, intimate partners, and political figures – and often require a response from a combination of law enforcement and private sector investigators.

• Civil Liability and Regulation. The scourge of cybercrime has an enormous impact on both our civil law and regulatory systems. When cybercriminals steal funds or data, injured victims may use the civil legal system to seek redress, including for cybersecurity negligence. Government regulators create and enforce rules that deal with the real threats that cybercrime presents to sensitive data and online commerce.

This book discusses all of these topics, and many other pressing issues around cybercrime, in a manner designed to help every kind of investigator find useful information.

1.2 WHO INVESTIGATES CYBERCRIME?

Cybercrime creates many types of victims, and its ripple effects have led to an intense focus on cybersecurity, information security, and privacy. As a result, cybercrime is investigated for a variety of reasons. To provide information in the most effective way throughout this book, we considered the needs and concerns of investigators representing these three important groups:

• Law Enforcement

Law enforcement, including police, federal law enforcement, and prosecutors, receives thousands of cybercrime reports every year from individual and corporate victims. When state and local police investigate cybercrimes, along with prosecutors, it is usually because they get the first calls when local residents are victimized. Traditionally, more complex cases are tackled by federal law enforcement agencies (such as the FBI, U.S. Secret Service, and Department of Homeland Security) and federal prosecutors. These agencies use monetary thresholds and other criteria to take on a select number of investigations. Some state Attorney General’s offices also handle “bigger” cybercrime cases. A few local District Attorneys’ (DA) offices handle significant cybercrime cases, as we did while working at the Manhattan DA’s office. But the truth is, the vast majority of cybercrimes go uninvestigated.

One of this book’s goals is to change the way investigators look at cyber cases. Historically, investigators have categorized cases too quickly as being “local” or “small”, only realizing, after some investigation, that they are really one piece of a larger scheme. Nowadays, all police agencies, whether an enormous department like the New York City Police Department, or a small-town force with fewer than 20 sworn officers, will be called upon to take a cybercrime complaint and conduct an initial investigation – actions that may lead to uncovering larger, additional crimes. Since these investigations normally require prosecutorial assistance, it is essential that prosecutors in local DAs’ offices also know how to
