investigation (alphaspirit/

Cybercrime investigation: Where geek meet gumshoe

Agencies that have fallen victim to cybercrimes should take care with their evidence collection. According to a new publication from the Cybercrime Investigation Body of Knowledge, investigations must follow certain standards and procedures if they are to be effective.

CIBOK is designed to give law enforcement organizations and enterprises the knowledge, skills and behaviors required to solve or prevent today’s complex and sophisticated cybercrimes.

Investigations should have several phases, starting with broad-based “triage-based evidence collection.” Artifacts uncovered from one phase should be used to inform the next. 

“It can be helpful to think of this process in terms of a funnel where the top of the funnel represents the easiest data to collect,” the report said. “As the funnel narrows, more effort is required to both collect and analyze the data.”

Automated collection tools can be programed to watch for indications of network intrusion and send alerts when they are found, and alerts-based logging of metadata could prove useful when investigating an attack.

After a cybercrime, investigators must look through anti-virus logs, monitoring logs, the operating system, file system listings and other locations within the network and end points. Enterprise applications, such as EnCase, Access Data and F-Response can be used for this process, CIBOK said.

Once a sweep has identified artifacts that warrant further analysis, investigators should consider using metadata or a content-oriented acquisition method to collect them. Native operating system or third-party tools can facilitate this. Windows and Linux, for example, allow users to search network configurations and connections. And tools like PowerShell gather data in a central location to be analyzed. Third-party tools like nmap, tcpview and WireShark can provide added insight into a user’s network.

Besides describing cybercrime and investigative tools, CIBOK also covers the scope of investigations, sources of evidence, methods of evidence collection and analysis, information sharing and management frameworks.

The 300+ page report “provides legal, judicial, technical and practical organizational development guidance,” for cybercrime investigations, a spokesperson told GCN in an email.  CIBOK describes the needs, background and requirements for security researchers to assist law enforcement, and for corporate risk managers to investigate cybercrimes.

More information is available here.

About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at or follow him on Twitter @Matt_Lnrd.

Click here for previous articles by Leonard.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.