It’s a question that I am asked at least once every few months, “How exactly do authorities catch cyber criminals?”
It’s also a question that isn’t so easy to answer. Cybercrime (like many crimes) are dynamic in their attack as well as execution to capturing them. However there are a few standards that are followed when authorities get a search warrant or are investigating a cybercrime.
Seizure of logs and details online / phone / etc.
One of the first tasks performed is to confiscate all data containing electrical equipment (Desktops, Laptops, Tablets, Phones, iPods, DS, etc.). Equipment seizure is not as simple as shutting everything down, pulling the wires and taking it with them however. They must first capture the memory of the device – that part of the computer that holds everything in a temporary space while it is operating. Once shut down electronics clear the memory and everything that is running is lost forever. Hard data (on the hard drive, USB drives, etc.) is another matter, but if a computer is shutdown that hard data will not be affected. So, the first thing a cyber-crime investigator will do is use a special program in conjunction with a special device to capture that memory for analysis and cataloging at a later date.
Pulling data from Internet service providers (ISP) and social websites
If an ISP is involved, which it almost always is, investigators will collect the unique number that all users are given; IP Address along with as many details as possible that the ISP may contain. Most ISPs are required by law to retain logs of who has what IP address and even some of their browsing activities for an established amount of time. Investigators will also contact social websites such as Twitter, Facebook and Instagram to request logs, photographs and details from the sites concerning the suspect’s activities. This is often a difficult and laborious process as social websites usually prefer to maintain a level of privacy for their users, regardless of their activities. The sites will often push the letter of the law to the edge to protect themselves.
Cataloging and entered into evidence
Computers are then taken back to a lab for analysis and cataloging just as other evidence might be. There are special programs such as Forensic Toolkit (FTK), that investigators use to catalog every byte of data so that it can be used in court showing; when the data was created, who created it, when it was last modified and where it came from. If a hard drive shows evidence of mass deletion or formatting, they may use a program to do a deep disk analysis which can recover deleted data after a perpetrator has formatted the drive.
All of this allows the district attorney to gather evidence against the suspect. Investigators have to be extremely careful as defense attorneys will take any hole in the evidence to sway a juror in their direction. Investigators also want to ensure that the person being suspected of the crime is actually guilty and that the evidence wasn’t just put there maliciously by someone else.
Presentation in court
Cyber investigators will then be called in to appear in court, testifying on the data that they collected, where it was collected and how it connected the dots to lead investigators to believe beyond a shadow of a doubt that the suspects are guilty.