Cyber Investigations – E-Book

Description

CYBER INVESTIGATIONS

A classroom-tested introduction to cyber investigations with real-life examples included.

Cyber Investigations provides an introduction to the topic, an overview of the investigation process applied to cyber investigations, a review of legal aspects of cyber investigations, a review of Internet forensics and open-source intelligence, a research-based chapter on anonymization, and a deep dive into multimedia forensics. The content is structured in a consistent manner, with an emphasis on accessibility for students of computer science, information security, law enforcement, and military disciplines. To aid in reader comprehension and seamless assimilation of the material, real-life examples and student exercises are provided throughout, as well as an Educational Guide for both teachers and students. The material has been classroom-tested and is a perfect fit for most learning environments.

Written by a highly experienced author team with backgrounds in law enforcement, academic research, and industry, sample topics covered in Cyber Investigations include:

* The cyber investigation process, including developing an integrated framework for cyber investigations and principles for the integrated cyber investigation process (ICIP)
* Cyber investigation law, including reasonable grounds to open a criminal cyber investigation and general conditions for privacy-invasive cyber investigation methods
* Perspectives of Internet and cryptocurrency investigations, including examples like the proxy seller, the scammer, and the disgruntled employee
* Internet of Things (IoT) investigations, including types of events leading to IoT investigations and new forensic challenges in the field
* Multimedia forensics, which facilitates the understanding of the role of multimedia in investigations, including how to leverage similarity matching, content-based tracing, and media metadata
* Anonymization networks, which discusses how such networks work and how they impact investigations, addressing aspects of tracing, monitoring, evidence acquisition, de-anonymization, and large investigations

Based on research, teaching material, experiences, and student feedback over several years, Cyber Investigations is ideal for all students and professionals in the cybersecurity industry, providing comprehensive subject coverage from faculty, associates, and former students of cyber security and digital forensics at the Norwegian University of Science and Technology (NTNU).


Page count: 522

Publication year: 2022





Table of Contents

Cover

Title Page

Copyright Page

Preface

Companion Website

List of Contributors

List of Figures

List of Tables

List of Examples

List of Definitions

List of Legal Provisions

List of Equations

List of Abbreviations

1 Introduction

1.1 Introduction

1.2 Cybercrime and Cybersecurity

1.3 Cyber Investigations

1.4 Challenges in Cyber Investigations

1.5 Further Reading

1.6 Chapter Overview

1.7 Comments on Citation and Notation

1.8 Exercises

2 Cyber Investigation Process

2.1 Introduction

2.2 Investigation as Information Work

2.3 Developing an Integrated Framework for Cyber Investigations

2.4 Principles for the Integrated Cyber Investigation Process (ICIP)

2.5 ICIP's Procedural Stages

2.6 Cognitive and Human Error in Cyber Investigations

2.7 Summary

2.8 Exercises

3 Cyber Investigation Law

3.1 Cyber Investigation in Context

3.2 The Missions and Some Implications to Privacy Rights

3.3 The Different Mandates of the LEA, NIS, and the Police

3.4 Jurisdiction and International Cooperation

3.5 Human Rights in the Context of Cyber Investigations

3.6 The Private Cyber Investigator

3.7 The Way Ahead

3.8 Summary

3.9 Exercises

4 Perspectives of Internet and Cryptocurrency Investigations

4.1 Introduction

4.2 Case Examples

4.3 Networking Essentials

4.4 Networks and Applications

4.5 Open‐Source Intelligence (OSINT)

4.6 Internet Browsers

4.7 Cryptocurrencies

4.8 Preparation for Analysis

4.9 Summary

4.10 Exercises

5 Anonymity and Forensics

5.1 Introduction

5.2 Anonymous Communication Technologies

5.3 Anonymity Investigations

5.4 Summary

5.5 Exercises

6 Internet of Things Investigations

6.1 Introduction

6.2 What Is IoT?

6.3 IoT Investigations

6.4 IoT Forensics

6.5 Summary

6.6 Exercises

7 Multimedia Forensics

7.1 Metadata

7.2 Image Forensics

7.3 Video Forensics

7.4 Audio Forensics

7.5 Summary

7.6 Exercises

8 Educational Guide

8.1 Academic Resources

8.2 Professional and Training Organizations

8.3 Nonacademic Online Resources

8.4 Tools

8.5 Corpora and Data Sets

8.6 Summary

References

Index

End User License Agreement

List of Tables

Chapter 6

Table 6.1 Some application areas of IoT.

Table 6.2 IPv6 reserved addresses (Data from IANA (2018)).

Table 6.3 OSI reference model for networking.

Table 6.4 1‐2‐3 Zones of digital forensics.

Table 6.5 Levels of certainty related to evidence, as proposed by Casey (20...

Table 6.6 Fault categorization (based on Avizienis et al. (2004)).

List of Illustrations

Chapter 2

Figure 2.1 The Investigative Cycle

Figure 2.2 The cyber investigation queries.

Figure 2.3 The Integrated Cyber Investigation Process (ICIP).

Figure 2.4 The peer review hierarchy for digital forensics

Chapter 4

Figure 4.1 Illustration of investigation network for proxy application.

Figure 4.2 A screenshot of data gathered using BookmarkIntelligence

Figure 4.3 A typical PGP public key.

Figure 4.4 Decoding the Base64 encoded metadata of a PGP key.

Figure 4.5 A link diagram

Figure 4.6 Relational timeline.

Chapter 5

Figure 5.1 Tor Browser's security level

Figure 5.2 Message appearance at anonymizing network nodes in a sequence of ...

Figure 5.3 Anonymizing proxy. Low latency anonymity optimized to fit two‐way...

Figure 5.4 Cascading proxies.

Figure 5.5 DC‐net principle.

Figure 5.6 Setting up session encryption keys in onion routing

Figure 5.7 Small overhead when a circuit is established – the circuitID is c...

Figure 5.8 Number of nodes in the Tor network.

Figure 5.9 Selection of nodes.

Figure 5.10 Layered tunnels through the Tor network.

Figure 5.11 Setting up a hidden service connection (Øverlier, 2007).

Figure 5.12 The resulting hidden service connection (Øverlier, 2007).

Chapter 6

Figure 6.1 “Internet of Things” trends. The number of papers pr. Year in Sco...

Figure 6.2 Examples of smart home devices. From the upper left, we see an In...

Figure 6.3 (A–E) Schematic network architectures for IoT systems.

Figure 6.4 Protocol stacking in TCP/IP.

Figure 6.5 6LoWPAN/IETF IoT protocol stack.

Figure 6.6 Cooja simulator showing a DIO packet. To the left is a diagram th...

Figure 6.7 A Publish/Subscribe (or pub/sub) architecture.

Figure 6.8 Small devices that can act as simple web servers or offer other s...

Figure 6.9 Data processed in the cloud from a Google Home speaker.

Figure 6.10 IoT forensics has a huge overlap with other established digital ...

Figure 6.11 The relation between precision and accuracy.

Chapter 7

Figure 7.1 Some of the file and EXIF metadata from a photo taken by a DSLR c...

Figure 7.2 A simplified digital image capture process from the analog scene ...

Figure 7.3 Two popular Color Filter Arrays: Bayer to the left and X‐trans to...

Figure 7.4 The distortions in a photo due to the effects of the lens

Figure 7.5 Close‐up of a JPEG photo showing the blocking effect from the DCT...

Figure 7.6 Seam carving

Figure 7.7 The averaged DCT coefficients for 2000 StyleGAN2‐generated images...

Figure 7.8 A waveform representation of an audio signal zoomed in at various...

Figure 7.9 A word spliced into an audio recording in a combined picture of t...

Figure 7.10 The spectrogram showing a vacuum cleaner starting while talking....



Cyber Investigations

A Research Based Introduction for Advanced Studies

Edited by

André Årnes

Norwegian University of Science and Technology (NTNU)

This edition first published 2023

© 2023 John Wiley & Sons Ltd

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of André Årnes to be identified as the author of this work has been asserted in accordance with law.

Registered Offices

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

Editorial Office

The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty

In view of ongoing research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging‐in‐Publication Data applied for:

Paperback ISBN: 9781119582311

Cover Design: Wiley

Cover Images: Background ‐ © Mike Pellinni/Shutterstock; Left‐hand image ‐ Courtesy of Lasse Øverlier; Right‐hand image ‐ Courtesy of Jens‐Petter Sandvik

Preface

Dear cyber investigation student. You are holding in your hand the “Cyber Investigation” textbook written by faculty, associates, and former students of cyber security and digital forensics at the Norwegian University of Science and Technology (NTNU). The book is a sequel to our previous textbook on “Digital Forensics,” and it represents our shared philosophy of learning cyber investigations. The book covers both technical, legal, and process aspects of cyber investigations, and it is intended for advanced and graduate students of cyber investigations, digital forensics, and cyber security. It is based on research, teaching material, experiences, and student feedback over several years.

The reason for embarking on this project is that there was no literature currently available within the area suitable as a stand‐alone curriculum at an academic level, as most of the available literature is primarily intended for practitioners and technical readers. Consequently, literature tailored to academic education in cyber investigations is needed. As you can probably imagine, writing a textbook is a daunting task. While the authors have put much effort into making this version readable and easily available, we are keen to hear your feedback so that we can improve our teaching material over time.

I would like to thank the chapter authors for their dedicated and collaborative efforts to this project, as well as Professor Katrin Franke of the NTNU Digital Forensics Research Group. We are grateful for the support provided by the Norwegian Research Council through the ArsForensica project (project number 248094), the NTNU Center for Cyber and Information Security (CCIS), the Norwegian Police Directorate, Telenor Group, and the U.S. Embassy in Norway grant (grant number SNO60017IN0047) awarded by the U.S. State Department toward this work.

Good luck with learning Cyber Investigations!

André Årnes

Norway, May 2022

Companion Website

The figures and tables from this book are available for Instructors at:

http://www.wiley.com/go/cyber 

List of Contributors

André Årnes, PhD, Siv.ing. (MSc), BA – Oslo, Norway

Professor, Norwegian University of Science and Technology (NTNU) and Partner & Co‐owner White Label Consultancy, Oslo, Norway

PhD and MSc in information security from NTNU, visiting researcher at UCSB, USA and Queen's University, Canada

White Label Consultancy 2022–: Partner and Co‐owner, with responsibility for cyber security

Telenor 2010–2022: SVP and Chief Security Officer (from 2015 to 2022), CIO Global Shared Services (from 2013 to 2015)

National Criminal Investigation Service (Kripos) 2003–2007: Special Investigator within computer crime and digital forensics

GIAC Certified Forensic Analyst (GCFA), IEEE Senior Member, and member of the Europol Cyber Crime Centre (EC3) Advisory Group for communications providers.

Petter Christian Bjelland, MSc – Oslo, Norway

Digital Forensics and Cyber Investigations Expert, Oslo, Norway

Manager Digital Forensics, EY Norway (2017–2018)

Advisor Digital Investigations at the National Criminal Investigation Service Kripos (2015–2017)

Senior Software Engineer in the Norwegian Defense (2011–2015)

MSc in digital forensics from Gjøvik University College 2014

Peer‐reviewed paper at DFRWS Europe 2014 and in Elsevier Digital Investigation.

Lasse Øverlier, PhD, Siv.ing. (MSc), MTM – Trondheim, Norway

Associate Professor, Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology (NTNU), Trondheim, Norway and Principal Scientist, Norwegian Defence Research Establishment (FFI), Gjøvik, Norway

PhD Information Security, University of Oslo 2007

Associate Professor, NTNU (2002–current)

Principal Scientist, Norwegian Defence Research Establishment (FFI) (2002–current)

Research Scientist, Army Research Laboratory, California/Maryland (2015–2016)

Research Scientist, Naval Research Laboratory, Washington, DC (2005–2006)

Co‐founder and technical manager EUnet Media AS (later KPNQwest).

Kyle Porter, PhD, MSc – Gjøvik, Norway

Researcher, Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU), Gjøvik, Norway

PhD in Information Security with a focus in Digital Forensics, NTNU (2017–2022)

MSc in Information Security, NTNU (2017)

BA in Mathematics, University of Washington (2012)

Author of several scientific papers.

Jens‐Petter Sandvik, Cand. Scient. – Oslo, Norway

Senior Engineer in Digital Forensics, National Cybercrime Center/NC3, National Criminal Investigation Service/Kripos, Oslo, Norway and Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology (NTNU), Trondheim, Norway

PhD student at NTNU Digital Forensics Laboratory (2017–current)

Senior Engineer in Digital Forensics, Kripos, the Norwegian Criminal Investigation Service (2006–current)

Software Developer Malware Detection, Norman ASA (2001–2005)

Cand. Scient., University of Oslo 2005.

Inger Marie Sunde, PhD, LLM, BA – Oslo, Norway

Professor, The Norwegian Police University College, Oslo, Norway

The Norwegian Police University College 2010–current: Professor (from 2014)

The Strategic Group on Ethics, reporting to the European Clearing Board of Innovation in the Europol Innovation Lab. Co‐leader. 2022–

Bergen University, The Police and Prosecution Project 2019–2022: Professor II

The Norwegian Parliamentary Oversight Committee on Intelligence and Security Services – 2014–2019

The Norwegian Defense University College 2004: Chief's Main Study

Senior Public Prosecutor; Head of the Norwegian Cybercrime Center; Visiting researcher, Max Planck Institute; PhD, University of Oslo; Founder and leader of the Research Group “Police and Technology”

Author and editor of publications on cybercrime law

Nina Sunde, MSc – Oslo, Norway

Police Superintendent, Lecturer at Department for Post Graduate Education and Training, The Norwegian Police University College, Oslo, Norway

PhD student in Cybercrime Investigations, Faculty of Law, University of Oslo (2018–)

MSc in Information Security and Cybercrime Investigation, NTNU (2017)

Lecturer at The Norwegian Police University College (2012–current)

Police Superintendent at National Criminal Investigation Service (Kripos), investigation of cybercrime (2003–2009)

Permanent member at European Working Party on Information Technology Crime (EWPITC), Interpol (2007–2010)

Police Detective, Department for Investigation of Homicide, The Oslo Police District (2001–2003).

List of Tables

Table 6.1 Some application areas of IoT

Table 6.2 IPv6 reserved addresses (Data from IANA (2018))

Table 6.3 OSI reference model for networking

Table 6.4 1‐2‐3 Zones of digital forensics

Table 6.5 Levels of certainty related to evidence, as proposed by Casey (2002)

Table 6.6 Fault categorization (based on Avizienis et al. (2004))

List of Examples

Example 1.1 Operation Avalanche

Example 2.1 The Call4U case – investigation initiation stage

Example 2.2 The Call4U case – modeling stage

Example 2.3 The Call4U case – planning and prioritization stage

Example 2.4 Impact and risk assessment stage

Example 2.5 Action and collection stage

Example 2.6 Analysis and integration stage

Example 2.7 Documentation and presentation stage

Example 2.8 Evaluation stage

Example 2.9 Guccifer hacking of social media accounts

Example 4.1 The proxy seller

Example 4.2 The scammer

Example 4.3 The disgruntled employee

Example 5.1 anon.penet.fi

Example 6.1 Jeep Cherokee hack

Example 6.2 SmartSantander Smart City

Example 6.3 Fish farming cases

Example 6.4 Precision of many imprecise nodes vs. one precise

Example 6.5 MQTT publish and subscribe

Example 6.6 Mirai botnet

Example 6.7 Stuxnet

Example 6.8 Fishing for databases

List of Definitions

Definition 1.1 Investigation

Definition 1.2 Cybercrime

Definition 1.3 Cyber threat actor

Definition 1.4 Cybersecurity

Definition 1.5 Cyber investigations

Definition 1.6 Digital forensics

Definition 1.7 Digital evidence

Definition 1.8 Chain of custody

Definition 1.9 Evidence integrity

Definition 1.10 Attribution

Definition 1.11 Cyber threat intelligence

Definition 1.12 Open‐source intelligence

Definition 2.1 The ABC rule (Cook, 2016)

Definition 2.2 Investigation initiation stage

Definition 2.3 Refuting a hypothesis

Definition 2.4 The golden hour

Definition 2.5 Modeling stage

Definition 2.6 Planning and prioritization stage

Definition 2.7 Impact and risk assessment stage

Definition 2.8 Action and collection stage

Definition 2.9 Analysis and integration stage

Definition 2.10 Documentation and presentation stage

Definition 2.11 Evaluation stage

Definition 3.1 Covert criminal investigation

Definition 3.2 Infiltration

Definition 3.3 Observation

Definition 5.1 Anonymity and anonymity set

Definition 5.2 Identity

Definition 5.3 Traffic flow confidentiality (TFC)

Definition 5.4 Forward anonymity

Definition 5.5 Privacy

Definition 6.1 Edge computing

Definition 6.2 Fog computing

Definition 6.3 Machine‐to‐machine communication

Definition 6.4 Cyber‐physical system

Definition 6.5 Web of things

Definition 6.6 Triage

Definition 6.7 1‐2‐3 Zones

Definition 6.8 Next‐best‐thing model

List of Legal Provisions

Legal Provision 3.1 TM2.0 Rule #2 on Sovereign Authority

Legal Provision 3.2 TM2.0 Rule #9 on Territorial Jurisdiction

Legal Provision 3.3 TM2.0 Rule #36 on Human Rights

Legal Provision 3.4 TM2.0 Rule #37 on International Human Rights

List of Equations

Equation 7.1 Discrete cosine transform (DCT)

Equation 7.2 Photo signal model

Equation 7.3 Image noise pattern

Equation 7.4 Estimation of the PRNU signal, K

Equation 7.5 Image noise correlation

Equation 7.6 Location of a light source

Equation 7.7 p‐Norm distance measure

Equation 7.8 Noise needed to misclassify an image

Equation 7.9 Lagrangian relaxation

Equation 7.10 Minimizing the error from dictionary reconstruction

Equation 7.11 Expectation‐maximization algorithm

List of Abbreviations

5WH – Who, Where, What, When, Why, and How

6LoWPAN – IPv6 over Low‐power Wireless Personal Area Network

ABC – Assume nothing, Believe nothing, Challenge everything

ACM – Association for Computing Machinery

ACPO – Association of Chief Police Officers

ADC – Analog‐to‐Digital Converter

AFF – Advanced Forensics File format

AI – Artificial Intelligence

ANB – Analyst's Notebook

API – Application Programming Interface

APT – Advanced Persistent Threat

ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge

BGP – Border Gateway Protocol

BSI – German Federal Office for Information Security

C2 – Command and Control

CCD – Charge‐Coupled Device

CETS – Council of Europe Treaty Series

CFA – Color Filter Array

CFREU – Charter of Fundamental Rights of the European Union

CIA – Central Intelligence Agency

CIDR – Classless Inter‐Domain Routing

CIS – Center for Internet Security

CMOS – Complementary Metal‐Oxide Semiconductor

CNN – Convolutional Neural Network

CoAP – Constrained Application Protocol

CPS – Cyber‐Physical System

DDoS – Distributed Denial‐of‐Service

DFRWS – Digital Forensics Research Workshop

DHCP – Dynamic Host Configuration Protocol

DNS – Domain Name System

ECHR – European Court of Human Rights

EEC – European Economic Community

EM – Expectation‐Maximization

ENF – Electric Network Frequency

ENFSI – European Network of Forensic Science Institutes

EU – European Union

EUCFR – European Union Charter of Fundamental Rights

EWF – Expert Witness Format

EXIF – Exchangeable Image File Format

FAIoT – Forensic‐Aware IoT

FBI – United States Federal Bureau of Investigation

FEMS – Forensic Edge Management System

FISA – Foreign Intelligence Surveillance Act

FKIE – Fraunhofer Institute for Communication, Information Processing, and Ergonomics

FTP – File Transfer Protocol

GAN – Generative Adversarial Network

GDPR – General Data Protection Regulation

GIAC – Global Information Assurance Certification

GNSS – Global Navigation Satellite System

GOP – Group of Pictures

GPS – Global Positioning System

HDFS – Hadoop Distributed File System

HEVC – High‐Efficiency Video Coding

HTTP – HyperText Transfer Protocol

ICANN – Internet Corporation for Assigned Names and Numbers

ICCPR – International Covenant on Civil and Political Rights

ICIP – Integrated Cyber Investigation Process

ICJ – International Court of Justice

ICMP – Internet Control Message Protocol

IDS – Intrusion Detection System

IEC – International Electrotechnical Commission

IEEE – Institute of Electrical and Electronics Engineers

IETF – Internet Engineering Task Force

IFTTT – If This Then That

IIoT – Industrial Internet of Things

IMAP – Internet Message Access Protocol

IoT – Internet of Things

IP – Internet Protocol

IPTC – International Press Telecommunications Council

IPv6 – Internet Protocol version 6

ISO – International Organization for Standardization

ISP – Internet Service Provider

ITS – Intelligent Transportation System

JAP – Java Anon Proxy

JIT – Joint Investigation Team

JPEG – Joint Photographic Experts Group

LAN – Local Area Network

LE – Law Enforcement

LEA – Law Enforcement Agency

LED – Law Enforcement Directive (European Union)

LoWPAN – Low‐power Wireless Personal Area Network

LPWAN – Low‐Power Wide Area Network

LTE – Long‐Term Evolution

M2M – Machine‐to‐Machine

MAC – Media Access Control

MB – Megabyte

MCH – Multiple Competing Hypotheses

NB‐IoT – Narrow‐Band IoT

NER – Named Entity Recognition

NIS – National Intelligence Services

NIST – National Institute of Standards and Technology

NSA – United States National Security Agency

NLTK – Natural Language Toolkit

OCR – Optical Character Recognition

OMP – Orthogonal Matching Pursuit

OSINT – Open‐Source Intelligence

P5 – Peer‐to‐Peer Personal Privacy Protocol

PCI – Private sector Investigator

PDF – Portable Document Format

PET – Privacy Enhancing Technologies

PFS – Perfect Forward Secrecy

PGP – Pretty Good Privacy

PI – Private Investigator

PRNU – Photoresponse Non‐uniformity

RFC – Request for Comments

RFID – Radio Frequency Identification

ROC – Receiver Operating Characteristic

RPL – IPv6 Routing Protocol for Low‐power and lossy networks

SANS – SysAdmin, Audit, Network, and Security Institute

SDN – Software Defined Network

SIFT – Scale‐Invariant Feature Transform

SMB – Server Message Block

SNA – Social Network Analysis

SNR – Signal to Noise Ratio

SOA – Service Oriented Architecture

SOCMINT – Social Media Intelligence

SVM – Support Vector Machine

TB – Terabyte

TCP – Transmission Control Protocol

TFC – Traffic Flow Confidentiality

TLS – Transport Layer Security

TM – Tallinn Manual 2.0

UDP – User Datagram Protocol

VANET – Vehicular Ad Hoc Network

VPN – Virtual Private Network

WPAN – Wireless Personal Area Network

WSN – Wireless Sensor Network

XMP – Extensible Metadata Platform

1 Introduction

André Årnes 1,2,*

1 White Label Consultancy, Oslo, Norway

2 Norwegian University of Science and Technology (NTNU), Oslo, Norway

As of 2021, there are more than 5 billion Internet users globally, representing close to 60% of the world's population (Internet World Stats, 2021). The growth of the Internet is coupled with an estimated 35 billion Internet of Things (IoT) connections as of 2020, expected to grow by an estimated 20 billion connected devices, a growth of 180%, by 2024 (Juniper Research, 2020). As a result, digital services are becoming central to, and often a necessity in, criminal investigations, ranging from traditional evidence like telecommunication call data records, location data, and financial transactions to the comprehensive personal tracking of Google Timeline, personal health trackers like Fitbit, connected cars, and bitcoin transactions. The criminal justice system is drowning in digital evidence (Burgess, 2018).

1.1 Introduction

One of the earliest public accounts of cybercrime and cyber investigations, “Crime by Computer,” was given by Donn B. Parker as early as 1976 (Parker, 1976), documenting a wide range of “startling new kinds of million‐dollar fraud, theft, larceny & embezzlement.” The widely known firsthand account of a cyber investigation told by Cliff Stoll in “The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage” (Stoll, 1989) has since set the standard for hunting hackers, and the author remains a cybersecurity icon (Greenberg, 2019). Stoll takes us through a detective story in its own right, in which he detects, investigates, and documents evidence of cyber espionage. In another classic paper based on an actual event from 1991, “An Evening with Berferd – In Which a Cracker is Lured, Endured, and Studied,” Cheswick (1997) of the AT&T Bell Laboratories retells how they followed a hacker for months to trace his location and learn his techniques.

Even in these early stories, we learn that cyber investigations are complex processes that require dedication, persistence, and effort, a strong sense of curiosity, as well as expert competencies. They call for a systematic approach, like the cyber investigation process described in this book. A central topic in any cyber investigation will be digital forensics, which was the topic of our previous textbook (Årnes, 2018).

As described in Årnes (2018), an investigation is a systematic examination to identify or verify facts. A key objective during an investigation is to determine facts related to a crime or incident. A standard methodology is the 5WH model, which defines the goals of an investigation as Who, Where, What, When, Why, and How (Stelfox, 2013; Tilstone et al., 2013). In this book, we define an investigation as follows:

Definition 1.1: Investigation

A systematic collection, examination, and evaluation of all information relevant to establish the facts about an incident or an alleged crime and identify who may have committed or contributed to it.

1.2 Cybercrime and Cybersecurity

Cybercrime generates around 1.5 trillion USD per year, and global damages are estimated to exceed 6 trillion USD per year by 2021. Almost 700 million people are victims of cybercrime, and businesses take an average of 196 days to detect an attack. The rate and broad impact of successful attacks lead to claims that the system is broken and to calls for new and more intelligent measures (Gault, 2015). In its annual cybercrime report (Europol, 2019), Europol asserts that “Cybercrime is continuing to mature and becoming more and more bold, shifting its focus to larger and more profitable targets as well as new technologies. Data is the key element in cybercrime, both from a crime and an investigative perspective.”

1.2.1 Cybercrime

As society increasingly depends on our digital infrastructure, the potential for digital abuse, criminal activity, and even warfare on the Internet increases. Cybercrime is a frequently used term that refers to both crimes targeting the Internet itself and activities that utilize the Internet to perform a crime. In this book, we use the following simple definition:

Definition 1.2: Cybercrime

“Crime or illegal activity that is done using the Internet.” (Cambridge Dictionary, 2022)

For an additional perspective, cybercrime was defined as either advanced cybercrime or cyber‐enabled crime in a publication by Interpol (2018):

Advanced cybercrime (or high‐tech crime): “sophisticated attacks against computer hardware and software.”

Cyber‐enabled crime: “traditional crimes that have taken a new turn with the advent of the Internet, such as crimes against children, financial crimes, and terrorism.”

1.2.2 Cybercriminals and Threat Actors

To understand cybercrime, one needs to understand the cybercriminals, or threat actors, which is the common term in cybersecurity. A threat actor is an actor in cyberspace that performs malicious or hostile activities. There are many categorizations, and for this book, we will depend on the definitions by the RAND Corporation and the Canadian Centre for Cyber Security as discussed below.

In a testimony presented before the House Financial Services Committee, Subcommittee on Terrorism and Illicit Finance, on March 15, 2018, the RAND Corporation classified the threat actors as follows (Ablon, 2018):

Cyberterrorists

Hacktivists

State‐sponsored Actors

Cybercriminals

In a more extensive list intended for public use, the Canadian Centre for Cyber Security (2018) classifies the threat actors as follows:

Nation States

Cybercriminals

Hacktivists

Terrorist Groups

Thrill Seekers

Insider Threats

Based on the models outlined above, we will adopt a three‐tier cyber threat actor (CTA) model in this book, distinguished through the resources available and level of organization, often referred to as a threat actor pyramid:

National: Nation‐states

Organized: Cybercriminals, hacktivists, and terrorist groups

Individual: Thrill seekers and insider threats

Definition 1.3: Cyber threat actor

“A CTA is a participant (person or group) in an action or process that is characterized by malice or hostile action (intending harm) using computers, devices, systems, or networks.” (Center for Cyber Security (CIS), 2019).

1.2.3 Cybersecurity

To protect our digital infrastructure against cybercrime, we depend on cybersecurity or measures to protect a computer or computer system against unauthorized access or attack. As a result, cybersecurity has become a rapidly growing industry, as society is scrambling to protect our rapidly developing technology against increasingly advanced cybercriminals.

Definition 1.4: Cybersecurity

“Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” (Merriam‐Webster, 2022)

1.2.4 Threat Modeling – Cyber Kill Chain and MITRE ATT&CK

To support cybersecurity efforts against nation‐state threat actors (so‐called APTs – advanced persistent threats), Lockheed Martin developed the Cyber Kill Chain (Hutchins, 2011), which defined the stages of an attack starting with reconnaissance and resulting in actions on objectives. The term “kill chain” refers to a military term describing the structure of an attack. The Cyber Kill Chain defines the following phases of a successful attack:

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command and Control (C2)

Actions on Objectives

While the Cyber Kill Chain provided an increased understanding of the anatomy of cyberattacks, the concept needed to be developed further to perform threat modeling and threat assessments effectively. MITRE ATT&CK™ (MITRE, 2022) is a comprehensive description of cyber attackers' behavior once inside and embedded in a computer network. The model is based on publicly known adversarial behavior and is continuously updated. The highest level of abstraction, referred to as tactics, represents the adversary's tactical goals:

Reconnaissance

Resource development

Initial access

Execution

Persistence

Privilege escalation

Defense evasion

Credential access

Discovery

Lateral movement

Collection

Command and control

Exfiltration

Impact

1.3 Cyber Investigations

The investigation of cybercrime (a criminal event) or a cybersecurity incident (a breach of security) can be referred to as a cyber investigation or a cybercrime investigation. The purpose of a cyber investigation depends on the event or incident at hand, ranging from preparing for a criminal case in court to identifying the root cause and impact of a cyber intrusion in a corporate network. We have adopted a definition based on Definition 1.1 on investigations above, encompassing both law enforcement and other applications.

Definition 1.5: Cyber investigations

A systematic collection, examination, and evaluation of all information relevant to establish the facts about an Internet‐related incident or an alleged cybercrime and identify who may have committed or contributed to it.

1.3.1 Digital Forensics

A key component in any cyber investigation is digital forensics, which is the topic of our previous textbook (Årnes, 2018). In digital forensics, we process digital evidence (see below) according to well‐defined scientific processes to establish facts that can help a court of law to conclude with regard to a criminal case. For the purpose of this book, we have adopted the definition by the National Institute of Standards and Technology (NIST) (2006).

Definition 1.6: Digital forensics

“The application of science to the identification, collection, examination, and analysis, of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.”

As a helpful reference, the Digital Forensics Workshop (DFRWS) proposed the more comprehensive definition in 2001: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

1.3.2 Digital Evidence

The evidence addressed in digital forensics is referred to as digital evidence, “any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime,” as based on the definition originally proposed by Carrier and Spafford (2004).

Definition 1.7: Digital evidence

“Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime.”

In digital forensics, the two principles chain of custody (keeping a record of all actions when processing digital evidence) and evidence integrity (ensuring that evidence is not willfully or accidentally changed during the process) are central, as defined in Årnes (2018).

Definition 1.8: Chain of custody

Chain of Custody refers to the documentation of acquisition, control, analysis, and disposition of physical and electronic evidence.

Definition 1.9: Evidence integrity

Evidence integrity refers to the preservation of evidence in its original form.
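As an added illustration of the two principles just defined (not code from the book or its authors), the following Python example computes a SHA‑256 hash of an exhibit at acquisition, keeps a chain‑of‑custody log whose entries are linked by hashes so that the log itself is tamper‑evident, and verifies both evidence integrity and log integrity afterwards. The exhibit id, actor names, timestamps, and the captured request bytes are constructed sample values.

```python
"""Evidence integrity and chain of custody: an illustrative example."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List

# Constructed sample exhibit: a captured HTTP request (not real case data).
EVIDENCE = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint used to detect any change to the evidence."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str            # acquisition, control, analysis, or disposition
    actor: str             # who handled the evidence
    timestamp: str         # when (ISO 8601, UTC)
    evidence_hash: str     # hash of the evidence at the time of the action
    prev_entry_hash: str   # links to the previous entry (hash chain)
    entry_hash: str = ""   # hash over all fields above

    def compute_hash(self) -> str:
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class ChainOfCustody:
    """Documents every action on an exhibit and allows later verification."""

    def __init__(self, evidence_id: str, acquisition_hash: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = acquisition_hash
        self.entries: List[CustodyEntry] = []

    def _genesis(self) -> str:
        # First entry is anchored to the exhibit identifier.
        return sha256_hex(self.evidence_id.encode())

    def record(self, action: str, actor: str, evidence: bytes,
               timestamp: str = None) -> CustodyEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self._genesis()
        entry = CustodyEntry(action, actor, ts, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means both principles hold."""
        problems = []
        # Evidence integrity: the exhibit must still match its acquisition hash,
        # and no recorded action may have seen a different version of it.
        if sha256_hex(current_evidence) != self.acquisition_hash:
            problems.append("evidence hash differs from acquisition hash")
        for i, e in enumerate(self.entries):
            if e.evidence_hash != self.acquisition_hash:
                problems.append(f"entry {i} ({e.action}) recorded a different evidence hash")
        # Chain of custody: every entry must hash to its stored value and link
        # to its predecessor, so edits or deletions in the log are detected.
        prev = self._genesis()
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev or e.entry_hash != e.compute_hash():
                problems.append(f"custody log broken at entry {i}")
                break
            prev = e.entry_hash
        return problems


def build_log() -> ChainOfCustody:
    coc = ChainOfCustody("EXHIBIT-001", sha256_hex(EVIDENCE))  # constructed id
    coc.record("acquisition", "investigator A", EVIDENCE, "2022-01-10T08:00:00+00:00")
    coc.record("control", "evidence custodian", EVIDENCE, "2022-01-10T09:30:00+00:00")
    coc.record("analysis", "forensic analyst B", EVIDENCE, "2022-01-11T13:15:00+00:00")
    return coc


def check_intact() -> List[str]:
    return build_log().verify(EVIDENCE)


def check_modified_evidence() -> List[str]:
    # Accidental change to the exhibit after acquisition.
    return build_log().verify(EVIDENCE.replace(b"login", b"logout"))


def check_modified_during_analysis() -> List[str]:
    # An analysis step performed on an altered copy gets recorded as such.
    coc = build_log()
    coc.record("analysis", "forensic analyst C", EVIDENCE + b"x", "2022-01-12T10:00:00+00:00")
    return coc.verify(EVIDENCE)


def check_tampered_log() -> List[str]:
    # Editing a log entry without recomputing the chain breaks it.
    coc = build_log()
    coc.entries[1].actor = "someone else"
    return coc.verify(EVIDENCE)


if __name__ == "__main__":
    for name, fn in [("intact", check_intact), ("modified evidence", check_modified_evidence),
                     ("modified during analysis", check_modified_during_analysis),
                     ("tampered log", check_tampered_log)]:
        print(f"{name}: {fn() or 'OK'}")
```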

1.3.3 Attribution

An essential question in cyber investigations is “who did it?”, generally referred to as attribution, which is defined as “determining the identity or location of an attacker or an attacker's intermediary.” The terms “traceback” and “source tracking” are frequently used to address the same question (Larsen, 2003). However, it is generally understood that attribution is as much an art as a science (Buchanan, 2015), and advanced cybercriminals will make efforts to hide their tracks in order to mislead investigators. Therefore, one should be very careful about concluding on an attribution without firm facts.

Definition 1.10: Attribution

“Determining the identity or location of an attacker or an attacker's intermediary.” (Larsen, 2003).

1.3.4 Cyber Threat Intelligence

An important category of intelligence in cybercrime and cybersecurity is Cyber Threat Intelligence, as defined by the Center for Internet Security (2022). Cyber threat intelligence can help an investigator or forensic analyst identify and understand the evidence in a case in the context of information gathered from other sources.

Definition 1.11: Cyber threat intelligence

“Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all‐source information.”

1.3.5 Open‐Source Intelligence (OSINT)

Another important category of intelligence is open‐source intelligence (OSINT). We will adopt a slightly modified definition based on a recent publication by the RAND Corporation (Williams & Blum, 2018). A broad range of OSINT is available on the Internet and on the dark web, including technical information that is essential for attribution.

Definition 1.12: Open‐source intelligence

We define OSINT as publicly available information discovered, determined to be of intelligence value, and disseminated by an intelligence function.

OSINT is further discussed in Section 4.5.

1.3.6 Operation Avalanche – A Real‐World Example

In order to better understand the practical aspects of cyber investigations, this book will provide a variety of examples from known media and court cases. We start with “Operation Avalanche,” a major international law enforcement operation resulting in the dismantling of the criminal infrastructure platform “Avalanche” in 2016 (Europol, 2016).

Example 1.1: Operation Avalanche

On November 30, 2016, after more than four years of investigation by FBI, Europol, Eurojust, several global partners, and prosecutors in the United States and Europe, the cybercrime platform Avalanche (Europol, 2016) was dismantled. Avalanche was used by cybercriminals worldwide for global malware attacks and money mule recruitment campaigns. The total monetary losses are estimated to be in the order of hundreds of millions of Euros.

Criminal groups had used Avalanche since 2009 for malware, phishing, and spam activities. The criminal groups had sent more than 1 million infected emails to unsuspecting victims as part of their phishing campaigns. At any time, more than 500,000 computers were infected and part of the Avalanche network, with victims in more than 180 countries.

As detailed in Europol (2016), the investigation started in Germany in 2012 when encryption ransomware blocked users' access to their computer systems, and millions of computers were infected with malware enabling criminals to collect personal information (e.g., bank and email passwords). Avalanche enabled the criminals to perform bank transfers from victim accounts. A “double fast flux infrastructure” was employed to secure the proceeds and complicated the investigation.

Throughout the investigation, the German Federal Office for Information Security (BSI) and the Fraunhofer Institute (FKIE) collected and analyzed more than 130 TB of captured data to identify the botnet infrastructure successfully. On the day of the Avalanche takedown, a command post at Europol was established, with representatives of the involved countries, Interpol, the Shadowserver Foundation, ICANN, domain registries, and several cybersecurity companies.

Throughout the investigation, prosecutors and investigators from 30 countries were involved, resulting in 5 arrests, more than 30 premises searched, more than 30 servers seized, more than 200 servers taken offline, and more than 800,000 domains seized, “sinkholed,” or blocked.

1.4 Challenges in Cyber Investigations

Cyber investigations remain a challenging and dynamic field of research, and practitioners are always racing to innovate investigative tools and methods in response to new threats, attack tools, and exploited vulnerabilities in an everlasting cat‐and‐mouse game. In the research leading up to this book, the authors have identified several research questions that would benefit from additional research, offered as an inspiration to students with the objective of strengthening investigative capabilities:

Artificial intelligence (AI), machine learning (ML), and automation: The use of AI and ML to automate the processing of large data volumes for investigative purposes for more effective cyber investigations and digital forensics. At the same time, CTAs are using AI and ML to automate cyber‐attacks to improve their capabilities to reach their objectives and decrease the likelihood of successful detection, response, and investigations. How can we leverage AI, ML, and automation to increase the effectiveness of cyber investigations?

Internet of Things (IoT) and 5G: IoT and 5G provide rapidly increasing numbers of connected devices with highly diverse use cases in complex ecosystems. While the technologies provide a new generation of security capabilities, they also represent a challenge for cyber investigations in terms of access to data and acquisition of digital evidence, ability to perform security monitoring and lawful intercept, as well as legal and jurisdiction challenges. What are the challenges of 5G and IoT investigations, and how do we overcome them?

Operational coordination: Cyber investigations are highly time‐sensitive, and we discuss the importance of the golden hour of cyber investigations in Chapter 2. In order to succeed with cyber investigations, we are dependent on establishing efficient and, to a more significant degree, automated operational coordination for law enforcement, public‐private cooperation, and cross‐border data transfer for digital evidence. How can we enable cyber investigations through more efficient and automated operational coordination?

Attribution: As we discuss in Section 1.3.3, attribution is a challenging, sometimes impossible process that requires careful consideration of the available evidence as part of the cyber investigations process, and there is an asymmetry between offensive and defensive capabilities (i.e., the threat actor has an advantage). Attribution, however, remains a critical objective for criminal, national intelligence, and incident investigations. Unfortunately, the uncertainty is often so high that the attribution is not openly disclosed and only stated as a hypothesis. How can we improve the confidence in attributions?

Standardization: Cyber investigations and digital forensics depend on extensive data processing, but there is a lack of common standards for storage and exchange of digital evidence (Flaglien et al., 2011), and we are, to a large degree, dependent on proprietary systems. In order to enable automation and efficient operational coordination, improvements in standardization are required, ranging from forensic readiness standards (Dilijonaite, 2018) throughout the cyber investigation process. How can we adopt common standards for digital forensic readiness and cyber investigations?

Privacy vs. Security: While privacy and security often have a common purpose (i.e., protecting data), there are also inherent conflicting objectives. On one hand, there are potentially privacy‐intrusive technologies such as security monitoring, data loss prevention, and forensic readiness; on the other hand, there are privacy measures that hamper detection and investigation of crimes and incidents, such as encryption (often referred to as “going dark”), locked handsets, and the unavailability of WHOIS registration data. How can we enable cyber investigations while maintaining both privacy and security?

1.5 Further Reading

We recommend that students of this book study supplementary literature to better understand Cyber Investigations. For this purpose, here is a list of relevant textbooks that are recommended by the editor and authors of this book:

Årnes, A. (Ed.) (2018). Digital Forensics. John Wiley & Sons.

Bazzell, M. (2018). Open‐Source Intelligence Techniques: Resources for Searching and Analyzing Online Information. CreateSpace Independent Publishing Platform.

Moore, M. (2016). Cybersecurity Breaches and Issues Surrounding Online Threat Protection. Information Science Reference.

Bollinger, J., Enright, B., & Valites, M. (2015). Crafting the InfoSec Playbook: Security Monitoring and Incident Response Plan. O'Reilly.

Golbeck, J. (2015). Introduction to Social Media Investigation. Syngress.

Shipley, T., Bowker, A., & Selby, N. (2013). Investigating Internet Crimes. Syngress.

Davidoff, S. & Ham, J. (2012). Network Forensics: Tracking Hackers through Cyberspace. Prentice‐Hall.

Clifford, R. D. (2011). Cybercrime: The Investigation, Prosecution, and Defense of a Computer‐Related Crime. Carolina Academic Press.

Stelfox, P. (2009). Criminal Investigation: An Introduction to Principles and Practices, 1st ed. Willan.

Reyes, A., Brittson, R., O'Shea, K., & Steele, J. (2007). Cyber Crime Investigations: Bridging the Gaps Between Security Professionals, Law Enforcement and Prosecutors. Syngress.

Stephenson, P. & Gilbert, K. (2004). Investigating Computer Related Crime, 2nd ed. CRC Press.

We have also provided extensive resources in the Educational Guide (Chapter 8).

1.6 Chapter Overview

This book is divided as follows:

Introduction. Introducing the area of cyber investigations related to cyber security and cybercrime investigations. Clarifying the difference between forensics and investigations, both from a criminal and industry perspective. Introducing central definitions and modes of crime. (Professor André Årnes, Ph.D.)

Cyber Investigations Process. Defining the investigation process step by step, mainly from a criminal investigation perspective. Discussing law enforcement cooperation across jurisdictions and current state‐of‐the‐art research. (Ph.D. student Nina Sunde, MSc)

Cyber Investigation Law. Legal aspects of cybersecurity and cybercrime investigations, following up on the Cybercrime Law chapter in the Digital Forensics book. Focus on the criminal process, evidence exchange, and cooperation between jurisdictions. Applications of data protection and national security law. (Professor Inger Marie Sunde, Ph.D. and LL.M)

Perspectives of Internet and Cryptocurrency Investigations. The fundamentals of tracing and attribution on the Internet, building on the Internet Forensics chapter in the Digital Forensics book. Topics of interest include cloud computing, virtualization, cryptography, cryptocurrency, financial transactions, and open‐source intelligence. (Petter C. Bjelland, MSc)

Anonymization Networks. How do anonymization networks work, and how do they impact investigations? Addressing aspects of tracing, monitoring, evidence acquisition, de‐anonymization, and large investigations. (Associate Professor Lasse Øverlier, Ph.D.)

IoT Investigations. Performing investigations and digital forensics in the context of Internet of Things (IoT) technologies, including aspects of embedded systems, devices, connected systems, data fusion, and state‐of‐the‐art research. (Ph.D. Student Jens‐Petter Sandvik, Cand. Scient.)

Multimedia Forensics. The role of multimedia (video, images, sound) in investigations, including how to leverage similarity matching, content‐based tracing, and media metadata. (Ph.D. Student Jens‐Petter Sandvik, Cand. Scient. and Associate Professor Lasse Øverlier, Ph.D.)

Educational Guide. The Educational Guide includes guidance for teachers and students, with a wealth of references and practical information to be applied as part of research and studies. (Kyle Porter, Ph.D.)

1.7 Comments on Citation and Notation

For the benefit of the reader, the following standards have been adopted in the book:

Citations: Citations to authoritative textbooks, research papers, and online sources are provided throughout. Students are encouraged to research the primary sources to understand the subject matter better.

Grey boxes: Definitions, Examples, Legal Provisions, and Equations are highlighted in separate grey boxes. Examples can be either real‐world case examples or illustrative scenarios.

Figures: All photographs and illustrations are made by the chapter authors unless otherwise specified.

Software: All software and hardware tool references are included as examples only. They do not represent a recommendation or preference regarding tool choices, and they should not be interpreted as guidelines or instructions on tool usage.

Index: Key terms are indexed in the Index. All Definitions are included in the Index.

1.8 Exercises

Define Cyber Investigations and explain the difference between Cyber Investigations and Digital Forensics. Provide examples to illustrate the two concepts.

What is Cybercrime? Explain the two main interpretations of cybercrime.

What is a Cyber Threat Actor? Define the term and detail the simplified three‐tier model used in this book.

What is the Cyber Kill Chain? Explain why it is essential and explain and provide examples of its seven phases.

What is MITRE ATT&CK™? Provide a definition and explain the main elements of the framework. How can MITRE ATT&CK™ be applied in a digital investigation?

What are the two main principles of Digital Forensics, and why are they essential to Cyber Investigations?

What is attribution, and how can it be addressed during an investigation? Explain why attribution is challenging and propose steps to increase the level of confidence in the attribution in an investigation.

Explain how intelligence can support Cyber Investigations and provide examples of Threat Intelligence and Open‐Source Intelligence sources.

Summarize “Operation Avalanche” and outline the most critical challenges law enforcement must address during such a complex and long‐lasting investigation.

Note

* Professor André Årnes is a Partner and Co‐Owner of White Label Consultancy. He served as the Global Chief Security Officer of Telenor Group from 2015 to 2022, and he was a Special Investigator with the Norwegian Criminal Investigation Service (Kripos) from 2003 to 2008. He is a part‐time Professor at the Norwegian University of Science and Technology within cyber security and digital forensics.

2 Cyber Investigation Process

Nina Sunde*

Department for Post Graduate Education and Training, The Norwegian Police University College, Oslo, Norway

Conducting a high‐quality and effective cyber investigation can be a complex task. Different competencies are necessary to uncover and produce relevant and credible evidence about what has happened, by whom, against whom, and with which purpose. At least two processes are involved in investigating cyber‐dependent or cyber‐enabled crimes – the criminal investigation process and the digital forensic process. These processes originate from different scholarly traditions and are often described in isolation. This chapter presents a novel concept that integrates the two processes: the integrated cyber investigation process (ICIP), aimed at facilitating structured and well‐coordinated cyber investigations.

The procedural stages of ICIP dynamically interact with the concept we have named The Cyber Investigation Queries, a model that addresses the different phenomena of cybercrime and guides the systematic development and testing of investigative hypotheses. We emphasize that the human factor is essential for reaching the goal of a high‐quality and fair investigation. At the same time, we recognize the need for awareness and domain‐adequate measures to minimize the risk of human error during cyber investigations.

2.1 Introduction

The Internet was initially created for military and scientific purposes, and nonexperts did not widely use it until the early 1990s (Choi et al., 2020). Expanded bandwidth, increased reliability, reduced surfing fees, and user‐friendly interfaces are factors that have made cyberspace more accessible to the public (Curran, 2016; Greenstein, 2015). However, technological changes can result in new types of crimes, and as people move – crime follows. As Internet access has become more widespread, crime in digital spaces has begun to adversely affect individuals and organizations in new ways.

However, crime associated with technology did not “begin” with the Internet. For example, the factories and railroads in the first industrial revolution enabled train robberies. Along with the electricity and cars from the second industrial revolution, car thefts emerged (Choi et al., 2020). The third industrial revolution is linked to an interconnected society enabled by computers and the Internet, with crimes such as hacking, cyber theft, and malware development and distribution (Choi et al., 2020). The fourth Industrial Revolution is currently being shaped and developed using the Internet and technology such as Internet of things (IoT), cryptocurrency, and artificial intelligence (Schwab, 2016). With these technologies, new forms of crime appeared, such as fraud by using deep fake technology and cryptocurrency ransomware (Choi et al., 2020).

Alongside the technology development and the rise of novel crime phenomena, law enforcement has changed to control and investigate it. Technology has provided new tools and techniques for the police, such as surveillance, analysis of big data, and crime prediction. Forensic science has evolved, with advancements in, e.g., DNA technology. Investigating cyber‐enabled and cyber‐dependent crimes has required the police to develop in‐house technological expertise or hire experts to investigate such crimes. The police must continuously develop and update their knowledge about the crime phenomenon and modus operandi to effectively investigate these novel crime types. Such knowledge is crucial for predicting where relevant evidence may be located and who the typical perpetrators or victims are.

For a long time, a criminal investigation was perceived as a craft learned through experience and by observing more experienced colleagues, or an art – where instincts, intuition, and feelings played an important role (Hald & Rønn, 2013). However, the field has matured and is today a profession with a more research‐based foundation derived from or inspired by other areas than what may be perceived as “pure” policing, such as the scientific methodology, sociology, criminology, psychology, philosophy, and technology (Bjerknes & Fahsing, 2018).

An effective cyber investigation requires many different knowledge components, mainly from criminal investigation methodology, law, and technology (Sunde, 2017). However, merely mixing these components will not necessarily lead to success. High‐quality and effective cyber investigations require that the right people are in the right place, at the right time, and do the right things correctly and for the right reasons. An adequate framework for collaboration and coordination is necessary to achieve this goal.

This chapter presents a novel concept for cyber investigation: the ICIP, which includes the following stages: investigation initiation, modeling, planning and prioritization, impact and risk assessment, action and collection, analysis and integration, documentation and presentation, and evaluation. The procedural stages of ICIP are in dynamic interaction with the model that we have named The Cyber Investigation Queries, where the different phenomenological components of cybercrime are addressed, facilitating the systematic development and testing of investigative hypotheses.

The following section will zoom in on what investigation is, and Section 2.3 presents and discusses the models that have inspired the development of ICIP. The principles on which ICIP is based are explained in Section 2.4, and its procedural stages are presented and exemplified in Section 2.5. Section 2.6 describes cognitive and human factors relevant to a cyber investigation. We elaborate upon how these factors may be sources of bias and appropriate measures to minimize bias.

2.2 Investigation as Information Work

The criminologist Martin Innes states that criminal investigations, in essence, are information work, acted out in a distinct order, with the primary function of reducing uncertainty (see Innes, 2003, 2007). Innes (2003) described three interconnected movements that are present in the order of an investigation:

Identify and acquire

Interpret and understand

Order and represent

A criminal investigation often starts with bits and pieces of uncertain, unverified, and incomplete information. The threshold for when the information can be acted upon depends on the context and purpose. Within a criminal investigation, the systematic work toward reducing uncertainty is closely connected to the legal evidential requirement for conviction, often expressed by the phrase “proven beyond any reasonable doubt.” Within other contexts (military, private industry), the primary function of the investigation order would often be the same. However, the thresholds for probability or certainty before the information is acted upon may be different.

Within an investigation, the traces are converted into several key modes (Maguire, 2003). Data ordered and communicated can be defined as information (Innes, 2003). When the relevance and credibility of the information are established, the information develops a factual status of knowledge. Information of varying provenance that can be used internally by the police organization to plan future actions and lines of inquiry is intelligence. Evidence is information assembled into a format suitable for use in the legal process.

We will now move from the high‐level abstraction model of investigation to a more detailed framework for cyber investigation.

2.3 Developing an Integrated Framework for Cyber Investigations

Conducting a cyber investigation will involve at least two parallel processes: first, the investigation process (or order) (see Fahsing, 2016; Innes, 2003, 2007), concerned with the “tactical” investigation of various evidence types, such as testimonial and tangible evidence, and second, the digital forensic process (Flaglien, 2018), where digital evidence is handled. These processes should be conducted by personnel with specialized competence and experience. To ensure close cooperation between the personnel involved in the two processes, a mutual understanding of the common goal and a well‐defined structure for cooperation are necessary. The following section will describe an integrated framework for cyber investigation, where the investigation process and the digital forensic process are assembled in a joint structure. The framework is named the ICIP. Before describing its procedural stages, the rationale behind ICIP and the principles on which it is built are outlined.

One of the first to move from a narrow focus on the processing of digital evidence to cybercrime investigation was Ciardhuáin (2004) with the “Extended model of cybercrime investigation,” which paid particular attention to the information flow within the investigation. Later, Hunton (2009, 2011a, 2011b