About the Authors .... xxi
Acknowledgments .... xxiii

PART I Understanding Cybercrime, Computers and Cybersecurity .... 1 (62 pp.)

Chapter 1 Introduction: The Need for Good Cybercrime Investigators .... 3 (6 pp.)
  (title not recovered) .... 3 (2 pp.)
  1.2 Who Investigates Cybercrime? .... 5 (1 p.)
  1.3 How This Book Is Organized .... 6 (1 p.)
  1.4 Keeping It Fun: Anecdotes, Cases, Diagrams, and Cartoons .... 7 (1 p.)
  (title not recovered) .... 8 (1 p.)

Chapter 2 What Is Cybercrime and Why Is It Committed? .... 9 (17 pp.)
  (title not recovered) .... 9 (1 p.)
  2.2 What Makes a "Cyber" Activity a Crime? A Quick Introduction to Cybercrime Offenses .... 9 (6 pp.)
    2.2.1 Computer and Network Intrusions .... 10 (1 p.)
    2.2.2 Data Breaches, Theft of Data, and Data Trafficking .... 11 (1 p.)
    2.2.3 Transmission and Use of Malware .... 11 (1 p.)
    2.2.4 Tampering with or Damaging a Network or System .... 11 (1 p.)
    2.2.5 Identity Theft and Impersonation .... 12 (1 p.)
    2.2.6 Theft of Funds and Fraud Schemes .... 12 (1 p.)
    2.2.7 Blackmail and Extortion .... 13 (1 p.)
    (title not recovered) .... 13 (1 p.)
    2.2.9 Harassment, Threats, Stalking, and Revenge Porn .... 14 (1 p.)
    2.2.10 Possessing, Selling, or Sharing Child Pornography .... 15 (1 p.)
    2.2.11 Trafficking of Physical Contraband .... 15 (1 p.)
    (title not recovered) .... 15 (1 p.)
  2.3 Cybercrime vs. Traditional Street Crime: The Differences .... 15 (3 pp.)
    2.3.1 Technology, Internet and Networks .... 16 (1 p.)
    2.3.2 Distance: The National and International Nexus .... 16 (1 p.)
    2.3.3 Investigation Rate and Solve Rate .... 17 (1 p.)
    2.3.4 Connection to a Broad Criminal Ecosystem .... 17 (1 p.)
  (title not recovered) .... 18 (2 pp.)
    (title not recovered) .... 18 (1 p.)
    (title not recovered) .... 18 (1 p.)
    2.4.3 Thrill and Bragging Rights .... 18 (1 p.)
    (title not recovered) .... 19 (1 p.)
    2.4.5 Corporate Espionage .... 19 (1 p.)
    2.4.6 Nation-State Objectives .... 19 (1 p.)
    (title not recovered) .... 20 (1 p.)
  2.5 The Cybercrime-For-Profit Economy .... 20 (3 pp.)
    2.5.1 The Connection between Identity Theft and Cybercrime .... 21 (1 p.)
    2.5.2 The Cybercrime Economy Earns Money and Requires Payments .... 22 (1 p.)
  2.6 Digital Evidence: The Backbone of Any Cyber Investigation (and Traditional Investigations, Too) .... 23 (1 p.)
  (title not recovered) .... 24 (2 pp.)

Chapter 3 Introduction to Computers, Networks, and Forensics .... 26 (24 pp.)
  (title not recovered) .... 26 (1 p.)
  (title not recovered) .... 27 (2 pp.)
  3.3 Basic Hardware Parts of Computers .... 29 (5 pp.)
    (title not recovered) .... 29 (1 p.)
    (title not recovered) .... 30 (1 p.)
    (title not recovered) .... 30 (1 p.)
    3.3.4 Memory (Volatile Storage - RAM) .... 31 (1 p.)
    3.3.5 Persistent Storage (HDD/SSD) .... 31 (1 p.)
    3.3.6 Communicating with the User: Interfaces for Input and Output .... 31 (1 p.)
    3.3.7 Communicating with Other Computers (NIC) .... 32 (1 p.)
    (title not recovered) .... 32 (1 p.)
    3.3.9 Putting the Parts Together .... 32 (1 p.)
    3.3.10 External Storage, Servers and More .... 32 (2 pp.)
  3.4 Basic Computer Software Categories .... 34 (1 p.)
    (title not recovered) .... 34 (1 p.)
    (title not recovered) .... 34 (1 p.)
    (title not recovered) .... 35 (1 p.)
  3.5 Basic Networking and Internet Usage .... 35 (6 pp.)
    3.5.1 Networking Hardware .... 35 (1 p.)
      3.5.1.1 NIC and MAC Addresses .... 35 (1 p.)
      3.5.1.2 Cables, Wireless, and Network Switches .... 36 (1 p.)
      (title not recovered) .... 36 (1 p.)
      (title not recovered) .... 36 (1 p.)
    3.5.2 Networking Communication and Internet Protocol (IP) Addresses .... 37 (2 pp.)
    (title not recovered) .... 39 (1 p.)
    3.5.4 Domain Name System (DNS) .... 39 (1 p.)
    (title not recovered) .... 40 (1 p.)
  3.6 Proxies, VPNs, and Tor .... 41 (2 pp.)
  (title not recovered) .... 43 (1 p.)
    3.7.1 Encryption in Transit .... 43 (1 p.)
    (title not recovered) .... 43 (1 p.)
  3.8 Digital Forensics and Evidence Gathering .... 44 (5 pp.)
    3.8.1 Ensuring Integrity of Stored Data: Hashing .... 45 (1 p.)
    3.8.2 Stored Data (Persistent Storage) in Devices: Forensically Obtaining Evidence through Imaging and Analysis .... 46 (1 p.)
      (title not recovered) .... 46 (1 p.)
      (title not recovered) .... 46 (1 p.)
      (title not recovered) .... 47 (1 p.)
    3.8.3 Volatile Memory: Conducting Memory Forensics .... 48 (1 p.)
    3.8.4 Website Evidence: Viewing and Preserving .... 48 (1 p.)
    3.8.5 Emails and Email Headers .... 48 (1 p.)
    3.8.6 Forensic Examination Tools .... 49 (1 p.)
  (title not recovered) .... 49 (1 p.)

Chapter 4 Introduction to Information Security and Cybersecurity .... 50 (13 pp.)
  (title not recovered) .... 50 (1 p.)
  4.2 Basic Information Security and Cybersecurity Principles .... 50 (6 pp.)
    4.2.1 CIA: The Three Information Security Objectives .... 51 (1 p.)
    4.2.2 Controls to Protect Information Systems .... 52 (1 p.)
    4.2.3 Authentication to Guard Access .... 52 (2 pp.)
    4.2.4 Principle of Least Privilege .... 54 (1 p.)
    (title not recovered) .... 55 (1 p.)
  4.3 Information Security Frameworks .... 56 (6 pp.)
    4.3.1 The Four Pillars: Knowledge, Devices, Data, and Networks .... 57 (1 p.)
    4.3.2 CIS Critical Security Controls .... 57 (2 pp.)
    4.3.3 NIST Cybersecurity Framework (CSF) .... 59 (1 p.)
    (title not recovered) .... 59 (1 p.)
    4.3.5 ISO/IEC 27000 Series .... 60 (1 p.)
    (title not recovered) .... 61 (1 p.)
    4.3.7 Other Information Security Frameworks .... 61 (1 p.)
  (title not recovered) .... 62 (1 p.)

PART II Law for the Cybercrime Investigator .... 63 (110 pp.)

Chapter 5 Fundamental Principles of Criminal and Civil Law .... 65 (25 pp.)
  (title not recovered) .... 65 (1 p.)
  5.2 Criminal Law and Procedure .... 65 (7 pp.)
    (title not recovered) .... 66 (1 p.)
    5.2.2 The Criminal Justice Process .... 66 (2 pp.)
    5.2.3 Criminal Justice Protections .... 68 (1 p.)
    5.2.4 How Investigations and Prosecutions are Started .... 69 (1 p.)
    5.2.5 Categories of Criminal Charges .... 70 (1 p.)
    5.2.6 Charging the Defendant and Judicial Review: Complaints, Indictments, Grand Jury, Preliminary Hearings .... 71 (1 p.)
    5.2.7 The Investigative Role of the Grand Jury .... 72 (1 p.)
  5.3 Who Investigates and Prosecutes Crimes? .... 72 (2 pp.)
    5.3.1 State/Local Enforcement and Federal Enforcement .... 72 (1 p.)
    5.3.2 Jurisdiction and Venue .... 73 (1 p.)
    5.3.3 Resources, Expertise, and Collaboration .... 74 (1 p.)
  5.4 What Constitutes a Crime and Its Elements .... 74 (3 pp.)
    5.4.1 Act or Omission (actus reus) .... 75 (1 p.)
    5.4.2 Culpable Mental States (mens rea) .... 75 (1 p.)
    5.4.3 Anticipatory Offenses (Such as Attempt and Conspiracy) .... 76 (1 p.)
  5.5 Defenses (Such as Self-defense and Entrapment) .... 77 (1 p.)
  5.6 The Fourth Amendment: Constitutional Rules for Search and Seizure .... 77 (5 pp.)
    5.6.1 Expectation of Privacy .... 78 (1 p.)
    (title not recovered) .... 79 (1 p.)
    5.6.3 The Search Warrant Requirement .... 80 (1 p.)
    5.6.4 Exceptions to the Search Warrant Requirement .... 80 (1 p.)
    5.6.5 Workplace Searches and Monitoring .... 81 (1 p.)
    5.6.6 Private Searches versus Public Searches .... 81 (1 p.)
  5.7 The Exclusionary Rule: Protections and Consequences for Improper Investigative Action .... 82 (2 pp.)
    (title not recovered) .... 82 (1 p.)
    5.7.2 Other Forms of Evidence: Unlawful Arrests, Statements, and Witness Identifications .... 82 (1 p.)
    5.7.3 Fruit of the Poisonous Tree Doctrine .... 83 (1 p.)
  5.8 Civil Law and Procedure .... 84 (4 pp.)
    5.8.1 The Civil Litigation Process .... 84 (1 p.)
    (title not recovered) .... 85 (1 p.)
      5.8.2.1 Intentional Torts .... 85 (1 p.)
      (title not recovered) .... 86 (1 p.)
      5.8.2.3 Breach of Contract .... 87 (1 p.)
      5.8.2.4 Cybercrime-Specific Causes of Action .... 87 (1 p.)
      5.8.2.5 Regulatory Actions .... 88 (1 p.)
  5.9 Licensing and Regulatory Law .... 88 (1 p.)
  (title not recovered) .... 89 (1 p.)

Chapter 6 Cybercrime Defined: The Criminal Statutes Outlawing Criminal Conduct Online .... 90 (20 pp.)
  (title not recovered) .... 90 (1 p.)
  6.2 Federal and State Law .... 90 (1 p.)
  6.3 Federal Cybercrime Law .... 91 (4 pp.)
    6.3.1 The Computer Fraud and Abuse Act (CFAA) .... 91 (1 p.)
    (title not recovered) .... 92 (2 pp.)
    6.3.3 Unlawful Access to Stored Communications .... 94 (1 p.)
    6.3.4 The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) .... 94 (1 p.)
    6.3.5 Communication Interference .... 95 (1 p.)
  (title not recovered) .... 95 (1 p.)
  6.5 "Traditional" Federal and State Laws that Apply to Cybercrime .... 96 (12 pp.)
    (title not recovered) .... 97 (1 p.)
    6.5.2 Possession/Receiving of Stolen Property .... 98 (1 p.)
      6.5.2.1 Property: A Changing Concept in the Cyber Age .... 98 (1 p.)
    (title not recovered) .... 99 (1 p.)
    (title not recovered) .... 100 (1 p.)
    6.5.5 Credit/Debit Card Fraud .... 101 (1 p.)
    (title not recovered) .... 102 (1 p.)
    (title not recovered) .... 102 (1 p.)
    (title not recovered) .... 102 (1 p.)
    (title not recovered) .... 103 (2 pp.)
    6.5.10 Harassment, Stalking, and Sextortion .... 105 (1 p.)
      6.5.10.1 First Amendment Considerations .... 105 (1 p.)
    6.5.11 Child Exploitation and Pornography .... 106 (1 p.)
    (title not recovered) .... 106 (1 p.)
    (title not recovered) .... 107 (1 p.)
    6.5.14 Attempt and Conspiracy .... 107 (1 p.)
  (title not recovered) .... 108 (2 pp.)

Chapter 7 The Law Enforcement Legal Toolkit for Investigating Cybercrime: Laws for Gathering Criminal Cyber Evidence .... 110 (26 pp.)
  (title not recovered) .... 110 (1 p.)
  7.2 Privacy and Consent: Applying These Principles to Communications .... 111 (2 pp.)
    7.2.1 Communications and Privacy .... 111 (1 p.)
    7.2.2 Communications and Consent .... 112 (1 p.)
    7.2.3 Reasonable Expectation of Privacy in the Workplace .... 113 (1 p.)
  7.3 The Nine Tools for Gathering Evidence .... 113 (1 p.)
    7.3.1 Open-Source Investigation .... 114 (5 pp.)
    (title not recovered) .... 114 (1 p.)
    7.3.3 Subpoena Duces Tecum .... 114 (1 p.)
    7.3.4 Section 2703(d) Order .... 115 (1 p.)
    (title not recovered) .... 116 (1 p.)
    7.3.6 Pen Register and Trap-and-Trace Device .... 117 (1 p.)
    (title not recovered) .... 118 (1 p.)
    7.3.8 Letter of Preservation .... 118 (1 p.)
    7.3.9 Non-Disclosure Request and Order .... 119 (1 p.)
  7.4 The Electronic Communications Privacy Act (ECPA): Applying the Tools to Online Communications .... 119 (9 pp.)
    7.4.1 The Stored Communications Act: Records of Past Communications .... 120 (1 p.)
      7.4.1.1 The Role of Third-Party Providers .... 121 (1 p.)
      7.4.1.2 Services Covered by the SCA (ECS and RCS) .... 121 (2 pp.)
      7.4.1.3 "Content" vs. "Non-Content" Information .... 123 (1 p.)
      7.4.1.4 Subscriber and Session Information .... 123 (1 p.)
      7.4.1.5 Sensitive Non-Content Information .... 123 (1 p.)
      7.4.1.6 Location Information .... 124 (1 p.)
      7.4.1.7 Content Information .... 124 (2 pp.)
      7.4.1.8 SCA Rules for Letters of Preservation, Non-Disclosure, and Delayed Disclosure Orders .... 126 (1 p.)
    7.4.2 The Pen/Trap Statute: Live Monitoring of Non-Content Information .... 127 (1 p.)
    7.4.3 The Wiretap Act: Live Monitoring of Content Information .... 127 (1 p.)
  7.5 Obtaining Evidence Located in Another State .... 128 (3 pp.)
    7.5.1 Federal Investigations .... 129 (1 p.)
    7.5.2 State and Local Investigations .... 129 (1 p.)
    7.5.3 Search Warrant Considerations for Out-of-State Devices and Physical Premises .... 130 (1 p.)
  7.6 Obtaining Evidence Stored Overseas by U.S. Entities: The CLOUD Act .... 131 (1 p.)
  7.7 Obtaining Evidence Located in Another Country .... 132 (3 pp.)
    7.7.1 Presence of Evidence or Its Custodian Corporation in the United States .... 133 (1 p.)
    7.7.2 Mutual Legal Assistance Treaties (MLATs) .... 133 (1 p.)
    (title not recovered) .... 133 (1 p.)
    7.7.4 Informal Assistance .... 134 (1 p.)
    (title not recovered) .... 134 (1 p.)
    7.7.6 Suspects Located in Other States and Foreign Countries (Preview) .... 134 (1 p.)
  (title not recovered) .... 135 (1 p.)

Chapter 8 Cyber Investigations Linked to Nation-States or Terrorists .... 136 (17 pp.)
  (title not recovered) .... 136 (1 p.)
  8.2 Laws and Measures Relating to Nation-State and Terrorist Activity .... 137 (6 pp.)
    (title not recovered) .... 138 (1 p.)
    8.2.2 Civil Laws and the Foreign Sovereign Immunities Act (FSIA) .... 138 (1 p.)
    8.2.3 International Treaties, Agreements, and Judicial Processes .... 139 (1 p.)
    8.2.4 Laws and Principles of Sovereignty and Waging War .... 140 (1 p.)
    8.2.5 Terrorism-Related Measures .... 141 (1 p.)
    8.2.6 Espionage, Clandestine and Covert Operations, and Propaganda .... 142 (1 p.)
  8.3 The Motives and Actions of Nation-States .... 143 (7 pp.)
    (title not recovered) .... 143 (2 pp.)
    8.3.2 Nation-State Commercial Espionage .... 145 (1 p.)
    8.3.3 Attacks on Infrastructure .... 146 (1 p.)
    8.3.4 Attacks to Advance Strategic Interests .... 147 (3 pp.)
  8.4 Terrorist Funding, Recruiting, Vandalism, and Attacks .... 150 (2 pp.)
    (title not recovered) .... 150 (1 p.)
    (title not recovered) .... 151 (1 p.)
    8.4.3 Cyber Vandalism and Hacktivism .... 151 (1 p.)
    8.4.4 Inciting Local Attacks .... 151 (1 p.)
  8.5 What to Do if the Investigation Leads to a Nation-State or Terrorist .... 152 (1 p.)
  (title not recovered) .... 152 (1 p.)

Chapter 9 Civil and Regulatory Implications of Cybercrime: Cyberlaw in the Civil and Regulatory Sectors .... 153 (20 pp.)
  (title not recovered) .... 153 (1 p.)
  9.2 Attorney-Client Privilege .... 153 (1 p.)
  9.3 Civil Lawsuits against Cybercriminals: Actions for Intentional Torts .... 154 (1 p.)
  9.4 "Hacking Back": Intentional Acts by Cybercrime Victims that Could Incur Liability .... 155 (1 p.)
  9.5 Cybercrime Statutory Causes of Action .... 156 (1 p.)
  9.6 Negligent Cyber Torts: The Reasonable Person and the Standard of Care .... 157 (3 pp.)
    9.6.1 Negligence that Directly Causes the Harm .... 157 (1 p.)
    9.6.2 Negligence that Allows the Commission of a Crime by a Third Party .... 158 (1 p.)
      9.6.2.1 Theft of Automobile .... 159 (1 p.)
      9.6.2.2 Premises Liability .... 159 (1 p.)
      9.6.2.3 Cybercrime Liability .... 159 (1 p.)
  9.7 Actions under Contract Law .... 160 (2 pp.)
    9.7.1 Cyber Insurance Policies .... 162 (1 p.)
  9.8 Civil Actions for Asset Forfeiture by the Government .... 162 (2 pp.)
    9.8.1 Federal and State Laws .... 162 (1 p.)
    9.8.2 Temporary Restraining Orders (TROs) .... 163 (1 p.)
    (title not recovered) .... 163 (1 p.)
  9.9 General Civil Laws and Regulations Regarding Cybersecurity and Privacy .... 164 (4 pp.)
    9.9.1 Data Disposal Laws and Rules .... 165 (1 p.)
    9.9.2 Information Security Laws .... 165 (1 p.)
    9.9.3 Data Breach Notification Laws .... 166 (1 p.)
    9.9.4 Privacy Laws and Who Enforces Them .... 166 (1 p.)
      9.9.4.1 FTC and State Attorneys General .... 167 (1 p.)
      (title not recovered) .... 167 (1 p.)
      9.9.4.3 California Consumer Privacy Act .... 168 (1 p.)
      9.9.4.4 Colorado Protections for Consumer Data Privacy Act (PCDPA) .... 168 (1 p.)
  9.10 Civil Laws and Regulations for Specific Sectors .... 168 (2 pp.)
    (title not recovered) .... 169 (1 p.)
      9.10.1.1 GLBA: Gramm-Leach-Bliley Act .... 169 (1 p.)
      9.10.1.2 FFIEC and SEC Requirements .... 169 (1 p.)
      9.10.1.3 New York Information Security Requirements for the Financial Sector .... 170 (1 p.)
    9.10.2 Health Sector Regulations: HIPAA and HITECH .... 170 (1 p.)
  (title not recovered) .... 170 (3 pp.)

PART III The Cybercrime Investigation .... (page not recovered)

Chapter 10 Embarking on a Cybercrime Investigation: The Three Perspectives and Key Areas of Focus .... 173 (6 pp.)
  (title not recovered) .... 173 (1 p.)
  10.2 Cybercrime Investigation from Three Perspectives: Private Sector, Law Enforcement, and Regulatory .... 173 (3 pp.)
    (title not recovered) .... 174 (1 p.)
    (title not recovered) .... 175 (1 p.)
    (title not recovered) .... 175 (1 p.)
  10.3 Key Investigative Topics .... 176 (1 p.)
  10.4 Ending the Investigation: Success or Exhaustion of Leads or Resources .... 176 (2 pp.)
    10.4.1 The End of Law Enforcement's Investigation .... 176 (1 p.)
    10.4.2 The End of the Private Sector Investigation .... 177 (1 p.)
    10.4.3 The End of the Regulatory Investigation .... 177 (1 p.)
  (title not recovered) .... 178 (1 p.)

Chapter 11 General Investigation Methods: Organization, Open Source, Records, and Email .... 179 (22 pp.)
  (title not recovered) .... 179 (1 p.)
  11.2 Cybercrime Investigation: The Cyclical Process of Building Evidence .... 179 (2 pp.)
  11.3 Managing Cybercrime Evidence: Readily Available vs. Proprietary Investigation Tools .... 181 (3 pp.)
    (title not recovered) .... 181 (1 p.)
    11.3.2 Readily Available Tools .... 182 (2 pp.)
  11.4 Evidence Admissibility in Litigation .... 184 (1 p.)
  11.5 Writing for Cybercrime Investigations .... 184 (3 pp.)
    11.5.1 The Dangers of Automatic Hyperlinking .... 185 (2 pp.)
  11.6 Open Source Investigation .... 187 (4 pp.)
    11.6.1 Open Source Investigation Resources .... 187 (1 p.)
    11.6.2 Viewing and Preserving Open Source Clues .... 188 (2 pp.)
    11.6.3 Practical Tips to Maximize the Admissibility of Open Source Data .... 190 (1 p.)
  (title not recovered) .... 191 (5 pp.)
    11.7.1 The Workflow for Records Evidence .... 192 (1 p.)
    11.7.2 Tracking Records Requests .... 193 (1 p.)
    11.7.3 Organizing the Records .... 194 (1 p.)
    11.7.4 Analyzing the Information in Records .... 194 (1 p.)
    11.7.5 Admissibility of Records Evidence in Litigation .... 195 (1 p.)
  (title not recovered) .... 196 (2 pp.)
    11.8.1 Reading Email Headers .... 196 (1 p.)
    11.8.2 Analyzing Large Sets of Emails .... 197 (1 p.)
  11.9 The Importance of Cybercrime Intelligence .... 198 (1 p.)
  (title not recovered) .... 199 (2 pp.)

Chapter 12 Private Entity's Cybercrime Investigation .... 201 (19 pp.)
  (title not recovered) .... 201 (1 p.)
  12.2 Incident Response (and Prevention) .... 201 (1 p.)
  12.3 Discovery of Cybercrime Incidents by Private Parties .... 202 (3 pp.)
    12.3.1 Is This a Crime the Private Entity Can and Should Investigate? .... 203 (2 pp.)
  12.4 Determining Investigation Goals and Scope .... 205 (2 pp.)
  12.5 Activating Necessary Personnel: In-House and External .... 207 (2 pp.)
    12.5.1 External Services to Consider .... 208 (1 p.)
  12.6 Reporting and Notifications to Law Enforcement, Regulatory Agencies, and Other Parties .... 209 (3 pp.)
    12.6.1 Reporting to Law Enforcement .... 209 (2 pp.)
    12.6.2 Reporting to Regulators and Agencies Enforcing Similar Laws .... 211 (1 p.)
  12.7 Identifying Potential Witnesses and Evidence: Internal and External .... 212 (1 p.)
  12.8 Collecting Evidence Available Internally .... 212 (3 pp.)
    12.8.1 Interviewing Internal Personnel .... 213 (1 p.)
    12.8.2 Internal Records and Data .... 213 (1 p.)
    12.8.3 Forensics on Internal Devices and Networks .... 214 (1 p.)
  12.9 Collecting Evidence from External Sources .... 215 (4 pp.)
    12.9.1 Open-Source Research Revisited .... 215 (1 p.)
    12.9.2 Requesting Data and Information from Third Parties .... 215 (1 p.)
    12.9.3 Civil Legal Process to Compel External Parties to Produce Evidence: John Doe Lawsuits and Subpoenas .... 216 (2 pp.)
    12.9.4 Respecting the Rights of Third Parties .... 218 (1 p.)
  (title not recovered) .... 219 (1 p.)

Chapter 13 Law Enforcement's Cybercrime Investigation .... 220 (25 pp.)
  (title not recovered) .... 220 (1 p.)
  13.2 How Cybercrime Comes to Law Enforcement's Attention .... 220 (1 p.)
  (title not recovered) .... 221 (1 p.)
  13.4 Is This a Crime that Law Enforcement Can and Should Investigate? .... 222 (3 pp.)
    13.4.1 Nature and Extent of the Harm .... 222 (1 p.)
    13.4.2 Nature of Initially Available Evidence .... 222 (1 p.)
    13.4.3 Jurisdictional Analysis .... 223 (1 p.)
    13.4.4 Resources and Personnel Needed .... 223 (1 p.)
    13.4.5 Likelihood of Apprehending Suspects .... 223 (1 p.)
    13.4.6 Related Civil Implications .... 224 (1 p.)
    13.4.7 Impact on Society and Deterrence .... 224 (1 p.)
    13.4.8 Advising the Victim .... 224 (1 p.)
  (title not recovered) .... 225 (1 p.)
  13.6 Assessment of Initial Evidence: What Do We Have, What Do We Need? .... 226 (1 p.)
  13.7 Getting Ready to Investigate: A Recap of the Tools .... 226 (6 pp.)
    13.7.1 Open-Source Investigation .... 227 (1 p.)
    (title not recovered) .... 227 (1 p.)
    13.7.3 Letter of Preservation (If Additional Process Is Contemplated) .... 228 (1 p.)
    13.7.4 Non-Disclosure Order and Request .... 228 (1 p.)
    (title not recovered) .... 228 (1 p.)
    (title not recovered) .... 229 (1 p.)
    (title not recovered) .... 230 (1 p.)
    13.7.8 Pen Register and Trap/Trace Device (Including with Location Data) .... 230 (1 p.)
    (title not recovered) .... 231 (1 p.)
  13.8 SIMPLE: The Six-Step Initial Mini-Plan for Law Enforcement .... 232 (1 p.)
  13.9 The Records Phase: Digging for Clues and Connections .... 233 (2 pp.)
  13.10 The Data Search Phase: Zeroing in on Internet Accounts and the Criminals Using Them .... 235 (2 pp.)
  13.11 The Physical World Phase: Searching Spaces and Devices .... 237 (3 pp.)
  13.12 The Wiretap Phase: Special Cases Using Live Monitoring of Targets' Communications .... 240 (1 p.)
  13.13 Traditional Shoe Leather Techniques .... 241 (1 p.)
  13.14 Writing for Law Enforcement Investigations .... 241 (1 p.)
  13.15 Working with the Private Sector .... 242 (1 p.)
  13.16 Cybercrime Intelligence and Law Enforcement Investigations .... 243 (1 p.)
  (title not recovered) .... 243 (2 pp.)

Chapter 14 The Regulator's Investigation .... 245 (7 pp.)
  (title not recovered) .... 245 (1 p.)
  14.2 Regulatory Recap: Regulated Industries and Regulatory-Type Laws .... 245 (2 pp.)
  14.3 A Cybercrime Occurs: Reviewing the Report of the Affected Business .... 247 (1 p.)
  14.4 Investigating the Cybercrime: Sufficiency of Cybersecurity Measures and Accuracy of the Report .... 247 (2 pp.)
  14.5 Balancing the Roles of Compliance and Enforcement .... 249 (1 p.)
  14.6 Confidentiality and Information Sharing .... 250 (1 p.)
  (title not recovered) .... 251 (1 p.)

Chapter 15 Financial Investigation: Following the Cybercrime Money .... 252 (13 pp.)
  (title not recovered) .... 252 (1 p.)
  15.2 Money Laundering 101 .... 252 (3 pp.)
  15.3 Traditional Currency and Value .... 255 (1 p.)
  15.4 Virtual Currency and Cryptocurrency .... 255 (4 pp.)
    15.4.1 History of Virtual Currency and Its Evolving Terminology .... 256 (3 pp.)
  15.5 Getting Started on the Money Trail: How Financial Details Can Prove Crimes and the Criminal's Identity .... 259 (1 p.)
  15.6 Finding and Following the Money .... 260 (4 pp.)
    15.6.1 Where to Find Evidence of Financial Activity .... 261 (1 p.)
    15.6.2 Investigating Virtual Currency Transactions: Specific Tools and Resources .... 262 (1 p.)
    15.6.3 Cryptocurrency Transaction Records .... 263 (1 p.)
  (title not recovered) .... 264 (1 p.)

Chapter 16 Identification of the Suspect: Attributing Cyber Conduct to a Person .... 265 (20 pp.)
  (title not recovered) .... 265 (1 p.)
  16.2 Doing Illicit Business Online: Cyber Nicknames and Pseudonyms .... 265 (1 p.)
  16.3 The Attribution Process and Developing a Suspect: Mapping Criminal Conduct to Cyber Pedigree and Physical Pedigree Information .... 266 (15 pp.)
    16.3.1 Two Kinds of Pedigree Information: Physical and Cyber .... 267 (1 p.)
    16.3.2 The ID-PLUS Attribution Process: Six Steps to Link Criminal Conduct to Cyber Pedigree and Physical Pedigree .... 268 (7 pp.)
    16.3.3 Example: Using ID-PLUS to Build an Identification .... 275 (2 pp.)
    16.3.4 Example: A Sample Attribution Summary (Working from the Crime to a Suspect) .... 277 (2 pp.)
    16.3.5 The Attribution Process from Another Lens: Types of Evidence that Can Identify Cybercriminals .... 279 (2 pp.)
  16.4 Writing and Articulation Revisited: Clear and Effective Cyber Identification .... 281 (1 p.)
  16.5 Examining Issues of Proof .... 282 (1 p.)
  16.6 Apprehension: Confirming Pedigree through Statements and Forensics .... 282 (2 pp.)
  (title not recovered) .... 284 (1 p.)

Chapter 17 Apprehending the Suspect and the Investigation that Follows .... 285 (8 pp.)
  (title not recovered) .... 285 (1 p.)
  (title not recovered) .... 285 (2 pp.)
    17.2.1 Methods for Charging a Suspect .... 286 (1 p.)
    17.2.2 "Sealing" Charges versus Publicizing Them .... 287 (1 p.)
  17.3 Interstate Procedures for Arresting and Extraditing Defendants .... 287 (2 pp.)
  17.4 International Procedures for Arresting and Extraditing Defendants .... 289 (1 p.)
  17.5 Arrest Strategies and the Hunt for Evidence .... 290 (1 p.)
  17.6 A Successful Arrest Does Not Mean "Case Closed" .... 291 (1 p.)
  (title not recovered) .... 292 (1 p.)

(part title not recovered) .... 293 (33 pp.)

Chapter 18 Criminal Litigation .... 295 (20 pp.)
  (title not recovered) .... 295 (1 p.)
  18.2 Goals of the Litigation .... 295 (1 p.)
  18.3 Litigation Begins: Filing of an Accusatory Instrument .... 296 (1 p.)
  18.4 The Defendant Enters the Litigation: Apprehension, Extradition, and Arraignment .... 297 (1 p.)
  18.5 Guilty Pleas: Plea Position and Negotiation .... 298 (1 p.)
  18.6 Discovery: Sharing the Investigation with the Defense .... 299 (2 pp.)
  18.7 Motion Practice, Hearings, and Pre-Trial Decisions: Testing the Investigation and Prosecution .... 301 (1 p.)
  18.8 Trial: The Investigation Laid Bare .... 302 (12 pp.)
    (title not recovered) .... 303 (1 p.)
    18.8.2 Opening Statements .... 303 (1 p.)
    18.8.3 Presenting the Evidence: Legal Admissibility and Jury Comprehension .... 304 (1 p.)
    18.8.4 The "Baby Step Exhibit" Technique .... 305 (1 p.)
      18.8.4.1 The "Baby Step" Technique and the Laptop Computer .... 305 (3 pp.)
      18.8.4.2 The "Baby Step" Technique and Financial Records .... 308 (2 pp.)
    18.8.5 The Defense: Cross-Examination and Counterattacking with Evidence .... 310 (2 pp.)
    (title not recovered) .... 312 (1 p.)
    (title not recovered) .... 312 (1 p.)
    18.8.8 Jury Deliberations and Verdict .... 313 (1 p.)
    (title not recovered) .... 313 (1 p.)
  18.9 Appeals and Post-Conviction Litigation .... 314 (1 p.)
  (title not recovered) .... 314 (1 p.)

Chapter 19 Civil Litigation .... 315 (9 pp.)
  (title not recovered) .... 315 (1 p.)
  19.2 Potential Litigation Scenarios Following a Cybercrime Investigation .... 315 (3 pp.)
    19.2.1 Civil Action to Further the Investigation or Stop Cybercrime Activity .... 316 (1 p.)
    19.2.2 Civil Action against Cybercriminal for Intentional Tort .... 316 (1 p.)
    19.2.3 Civil Action against Cybercriminal under a Cybercrime Statutory Cause of Action .... 316 (1 p.)
    19.2.4 Civil Action against Another Victim for Negligent Cybersecurity .... 317 (1 p.)
    19.2.5 Civil Action for Breach of Contract .... 317 (1 p.)
    19.2.6 Civil or Regulatory Action by Government for Inadequate Cybersecurity .... 318 (1 p.)
    19.2.7 Civil Action by Criminal Prosecutor to Freeze and Seize Assets .... 318 (1 p.)
  19.3 Goals and Expectations .... 318 (1 p.)
    19.3.1 Government Agencies .... 319 (1 p.)
    (title not recovered) .... 319 (1 p.)
  (title not recovered) .... 319 (1 p.)
  19.5 Settlement Negotiations .... 320 (1 p.)
  19.6 The Civil Lawsuit and the Role of the Investigation .... 320 (2 pp.)
  (title not recovered) .... 322 (1 p.)

(title not recovered) .... 323 (1 p.)
(title not recovered) .... 324 (2 pp.)

Index .... 326