2. Introduction
An investigation is a patient, step-by-step inquiry or observation: a careful
examination, a recording of evidence, or a legal enquiry.
The word investigate is derived from the Latin word vestigare, meaning a
track or trace.
This is easily related to police investigation.
3. Criminal investigation
Criminal investigation, therefore, is a reconstructive process that uses
deductive reasoning to determine how a crime was committed.
OR
It is a multi-layered effort that involves the study of facts presented by a
criminal act or pattern of criminal conduct.
OR
A logical process in which a conclusion follows from specific facts.
These facts are then used to identify, locate, and prove the guilt or innocence
of a person or persons.
Criminal investigation is usually carried out by a law enforcement agency
using all the resources available to the government (local, state, or federal)
to discover, locate, or establish evidence proving and verifying the relevant
facts for presentation to a court or other judicial authority.
4. Criminal investigation
The facts discovered can become evidence and may involve statements from
witnesses; documentary or photographic evidence; physical evidence, which are fruits
of a crime; instrumentalities of a crime; incidental evidence; and logs, data, and
details of analysis that show access to crime scenes.
It is characteristic of any criminal investigation that aspects of the crime may
manifest in a variety of ways.
Therefore, many criminal investigations rely heavily on a logical, organized process,
but there are also aspects of crimes that derive from chaos and the sheer luck of
happenstance.
Such unexpected developments require that criminal investigators be both flexible and
purposeful in their approach.
For example, finding the suspect's watch at the scene of a burglary is one piece of
evidence that supports the premise that the suspect was at the scene.
Investigators need to anticipate what issues might arise and what evidence is needed
to support the prosecutor's case.
5. Criminal investigation
The first determination in a criminal investigation is whether a crime has in
fact been committed.
Does the evidence support a specific crime?
A legal arrest cannot be made for an act that is not defined by statute or
ordinance as a crime.
6. What is a crime?
A crime is an act in violation of penal law and an offense against the state.
A crime is a violation of public law or right.
It is an act or omission forbidden by law and punishable by a fine,
imprisonment, or even death.
7. Elements of a crime
i. First, the human act or conduct (take something from someone, injure
someone, create an atmosphere of danger, or actually cause significant
harm to a person or persons and the society in general)
ii. The individual’s mental state at the time of the act
iii. The connection between the act and the effect
8. Goals of criminal investigation
The goals of criminal investigation are:
Determine whether a crime has been committed
Legally obtain information and evidence to identify the responsible
person/discover who committed the crime
Arrest the suspect
Recover stolen property
Present the best possible case to the prosecutor
9. Goals of criminal investigation
While committing crimes, people may leave some type of evidence.
For example, they may leave trace evidence, or less visible evidence such as
fingerprints, small particles of glass or dirt, body hairs, or clothing fibers.
However, a burglary committed by a person wearing gloves, and whose
footprints are washed away by a hard rain before police arrive, will be more
difficult to solve.
Hence many cases have insufficient evidence, no witnesses, and no
informants to provide leads.
10. Cybercrime Investigation
There are a multitude of stakeholders (i.e., agencies, organizations,
businesses, and individuals) that are involved in the investigation of
cybercrime. The nature and extent of their involvement depends on the type
of cybercrime committed. Stakeholder involvement is also determined by the
geographic location of the stakeholders and by the countries' cybercrime laws.
11. TYPES OF CRIMINAL INVESTIGATIONS
In very general terms, criminal investigations focused on crimes against persons or
violent crimes are broken down into two categories:
i. Reactive investigations are police or law enforcement's response to a criminal
incident. Examples of reactive cases are homicides, robberies, rapes, burglaries,
thefts, and assaults. These crimes are reported directly to the police or other
appropriate jurisdiction by a citizen, a victim, another police officer, or other
interested parties as an event that requires immediate investigation.
ii. Proactive investigations: instead of responding to a particular act of criminal
conduct, the law enforcement agency may conduct an investigation of a person or group
of persons whom the agency has reason to believe are involved in an ongoing criminal
pattern.
E.g., targeting of career criminals who are serial offenders, targeting of a violent street
gang, or targeting of an armed robbery gang whose offenses are characterized by extreme
violence or very high financial losses.
The essential distinction is the fact that the perpetrators are targeted before the
offense is actually committed or the targets’ lives and daily routine are scrutinized in
an attempt to discover facts and evidence proving their involvement in past crimes.
12. TYPES OF CRIMINAL INVESTIGATIONS
In many ways, proactive investigations are attempts by law enforcement to
detect patterns of criminal activity, anticipate behavior and develop evidence
leading to the successful prosecution of a community’s most proficient
criminals.
They rely heavily on intelligence and covert investigative steps, such as
surveillance and undercover operations or the use of deception to trick the
targets into revealing their methods and practices.
E.g., organized criminal enterprises, drug enterprises, terrorist cells, and any
significant major conspiracies.
13. Proactive Investigation Steps
a. Understanding how particular crimes and their elements are proven
b. Constitutional considerations
c. Crime scene analysis
d. Forensic science support for an investigation
e. Establishing an investigative plan
f. Interviews and interrogations
g. The use of confidential sources
h. Tactical considerations
i. Intelligence support and digital data mining
j. Covert investigative operations
These steps are the same as those followed for reactive crime investigations, but there is a
requirement to sort out the information from multiple crimes and find out if there are direct
connections or uniformity in the method of operations or other factors that provide another layer of
proof that the crimes were all associated with the targets.
14. Successful criminal investigation
A successful investigation is one in which:
A logical sequence is followed
All physical evidence is legally obtained
All witnesses are effectively interviewed
All suspects are legally and effectively interrogated
All leads are thoroughly developed
All details of the case are accurately and completely recorded and reported
15. Reporting cybercrime
Before an investigation begins, a cybercrime must be observed and reported.
While this seems like a straightforward first step in a cybercrime
investigation, the reality is that cybercrime is largely underreported
worldwide (UNODC, 2013).
The underreporting of crime can be explained by economist Gary Becker's
(1968) expected utility theory, which holds that people engage in actions
when the expected utility (i.e., gains) from these actions is higher than the
expected utility of engaging in other actions.
Applying this theory to cybercrime, victims of cybercrime will not report
cybercrimes if the expected utility from this reporting is low.
16. Why cybercrimes are under reported
Existing research identifies several reasons why cybercrime is underreported,
including:
the shame and embarrassment associated with being a victim of certain cybercrimes
(e.g., romance scams);
reputational risks associated with publicizing cybercrime (e.g., if the victim of the
cybercrime is a business, loss of consumer confidence);
being unaware that victimization occurred;
low confidence or expectations that law enforcement can assist them;
too much time and effort required to report cybercrime;
and lack of awareness of where to report cybercrime.
17. Who conducts cybercrime investigations?
First responders in cybercrime investigations are responsible for "securing" digital
evidence at the "scene" (the location) of a cybercrime (e.g., this could be the
target or targets of the cybercrime and/or the information and communication
technology used to commit cyber-dependent and/or cyber-enabled crime).
A first responder can be a law enforcement agent, digital forensics expert,
military police officer, private investigator, an information technology specialist,
or other person (e.g., an employee in the workforce) who is tasked with
responding to incidents of cybercrime.
This illustrates that the public and private sector, as well as national security
agencies, conduct cybercrime investigations (to varying degrees). Irrespective of
who the first responder is, search and seizure practices for information and
communications technologies (ICT) must be in accordance with national law, and
the methods used to obtain digital evidence from ICT must be valid and reliable
to ensure its admissibility in a court of law.
18. Criminal Justice Agencies
Criminal justice agents, such as law enforcement officers, prosecutors, and
judges, are responsible for the prevention, mitigation, detection, investigation,
prosecution, and adjudication of cybercrime.
The specific agencies responsible for cybercrime cases vary by country. In the
United Kingdom, for example, more than one agency investigates cybercrime,
including regional law enforcement agencies and the National Cyber Crime Unit,
which is part of the National Crime Agency (Global Cyber Security Capacity
Centre, 2016c). In contrast, only one agency investigates cybercrime in Sierra
Leone, the Police Cyber Crime Prevention Unit (Global Cyber Security Capacity
Centre, 2016d); in Ecuador, the "Technological Crimes Investigations Unit of the
National Directorate of the Judicial and Investigative Police is responsible for
investigating cybercrime" (Inter-American Development Bank, 2016, p. 72); and
in Iceland, the digital forensics unit in the Reykjavik Metropolitan Police (Global
Cyber Security Capacity Centre, 2017c). Find out about Kenya.
19. Criminal Justice Agencies
Beyond national criminal justice agencies, regional agencies, such as the
European Union Agency for Law Enforcement Cooperation (Europol)
(promoting law enforcement cooperation in the European Union)
and Eurojust (promoting judicial cooperation in the European Union), and
international agencies, such as INTERPOL (i.e., the International Criminal Police
Organization, promoting international law enforcement cooperation), assist
and/or facilitate cross-border cybercrime investigations.
For example, Europol's sharing of intelligence and resources with European
Union Member States led to the arrest of a criminal, who was known for
selling counterfeit EUR 50 banknotes online on illicit dark markets (Europol,
2018c).
20. Private Sector
The private sector plays an essential role in the detection, prevention,
mitigation, and investigation of cybercrime because it predominantly owns and
manages the critical infrastructure (i.e., the infrastructure considered essential
to the functioning of society) in countries and is one of the primary targets of
many cyber-dependent crimes (i.e., those cybercrimes that seek to compromise the
confidentiality, integrity, and availability of systems, networks, services, and
data, such as hacking, malware distribution, and distributed denial of service or
DDoS attacks) and cyber-enabled crimes (e.g., online financial fraud,
identity-related crime, and theft of data and trade secrets, to name a few).
21. Basic functions of criminal investigators
Investigators perform the following functions
Provide emergency assistance
Secure the crime scene
Photograph and sketch
Take notes and write reports
Search for, obtain and process physical evidence
Obtain information from witnesses
Identify suspects
Testify in court
22. Obstacles to cybercrime investigations
There are several obstacles that may be encountered during cybercrime
investigations. One such obstacle is created by the anonymity that information and
communication technology affords to users.
Anonymity enables individuals to engage in activities without revealing themselves
and/or their actions to others. There are several anonymization techniques that
cybercriminals use. One such technique is the use of proxy servers.
A proxy server is an intermediary server that is used to connect a client (i.e., a
computer) with a server from which the client is requesting resources. Anonymizers,
or anonymous proxy servers, hide users' identity data by masking their IP address and
substituting it with a different IP address (Chow, 2012).
Cybercriminals can also use anonymity networks to encrypt traffic (i.e., block access
to its content) and hide the Internet Protocol address (or IP address), "a unique
identifier assigned to a computer [or other Internet-connected digital device] by the
Internet service provider when it connects to the Internet", in an effort to conceal
their Internet activities and locations. Well-known examples of anonymity networks
are Tor, Freenet, and the Invisible Internet Project (known as I2P).
23. Attribution
Attribution is another obstacle encountered during cybercrime investigations.
Attribution is the determination of who and/or what is responsible for the
cybercrime. This process seeks to attribute the cybercrime to a particular digital
device, user of the device, and/or others responsible for the cybercrime (e.g., if
the cybercrime is state-sponsored or directed) (Lin, 2016). The use of anonymity-
enhancing tools can make the identification of the devices and/or persons
responsible for the cybercrime difficult.
Attribution is further complicated through the use of malware-infected zombie
computers or digital devices controlled by remote access tools (i.e., malware that
is used to create a backdoor on an infected device to enable the distributor of the
malware to gain access to and control of systems). These devices can be used,
unbeknownst to the user whose device is infected, to commit cybercrimes.
24. Back-tracing (or traceback)
Back-tracing (or traceback) is the process of tracing illicit acts back to the source
(i.e., perpetrator and/or digital device) of the cybercrime. Traceback occurs
after a cybercrime has occurred or when it is detected (Pihelgas, 2013).
A preliminary investigation is conducted to reveal information about the
cybercrime through an examination of log files (i.e., event logs, which are files
systems produce of activity), which can reveal information about the cybercrime
(i.e., how it occurred). For instance, event logs "automatically record… events
that occur within a computer to provide an audit trail that can be used to
monitor, understand, and diagnose activities and problems within the system"
(Maras, 2014, p. 382).
Examples of these logs are application logs, which record "events that are logged
by programs and applications," and security logs that "record all login attempts
(both valid and invalid) and the creation, opening or deletion of files,
programmes or other objects by a computer user" (Maras, 2014, p. 207). These
event logs may reveal the IP address used in the cybercrime.
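The two obstacles above come together in practice: the back-trace starts from security logs that record valid and invalid login attempts, and the IP addresses they reveal may themselves belong to anonymizing proxies. The following is an added example (not part of the original slides or of any cited source) that parses a few constructed sshd-style security-log lines, builds a per-source-address audit summary, flags sources that repeatedly failed and then succeeded, and marks addresses that appear in a constructed list of suspected proxies so the investigator knows the address may not be the true origin. The log format, the addresses, and the proxy list are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample security-log lines in sshd syslog style; addresses are from
# documentation ranges and do not refer to any real system.
SAMPLE_LOG = """\
Mar 12 08:01:12 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 12 08:01:15 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 12 08:01:19 host1 sshd[2212]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 12 08:02:40 host1 sshd[2230]: Accepted password for alice from 192.0.2.10 port 40211 ssh2
Mar 12 08:05:02 host1 sshd[2244]: Failed password for bob from 203.0.113.7 port 33410 ssh2
Mar 12 08:05:09 host1 sshd[2244]: Accepted password for bob from 203.0.113.7 port 33410 ssh2
Mar 12 08:09:55 host1 sshd[2261]: Accepted publickey for deploy from 198.51.100.23 port 51100 ssh2
"""

# Constructed (hypothetical) list of addresses believed to be anonymizing proxies.
# An address on this list tells the investigator the real origin is still hidden.
KNOWN_PROXIES = {"198.51.100.23"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return the fields of one login event, or None if the line is not a login event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def summarise(log_text, known_proxies=KNOWN_PROXIES):
    """Build a per-source-IP audit trail: valid/invalid counts, users tried, time span."""
    per_ip = defaultdict(lambda: {"valid": 0, "invalid": 0, "users": set(),
                                  "first_seen": None, "last_seen": None,
                                  "known_proxy": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not a login event; other log types would need their own parser
        rec = per_ip[ev["ip"]]
        rec["valid" if ev["result"] == "Accepted" else "invalid"] += 1
        rec["users"].add(ev["user"])
        rec["first_seen"] = rec["first_seen"] or ev["ts"]
        rec["last_seen"] = ev["ts"]
        rec["known_proxy"] = ev["ip"] in known_proxies
    return dict(per_ip)


def suspicious_sources(summary, min_failures=3):
    """Sources that failed at least min_failures times and then succeeded at least once."""
    return sorted(ip for ip, rec in summary.items()
                  if rec["invalid"] >= min_failures and rec["valid"] > 0)


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for ip, rec in sorted(report.items()):
        origin = "suspected proxy, true origin unknown" if rec["known_proxy"] else "direct"
        print(f"{ip:15} valid={rec['valid']} invalid={rec['invalid']} "
              f"users={sorted(rec['users'])} {rec['first_seen']}..{rec['last_seen']} [{origin}]")
    print("follow-up candidates:", suspicious_sources(report))
```

The summary is the audit trail the slide describes: who tried which accounts from where, and when. The proxy flag is the caveat from slide 22; an address on that list is a lead to the proxy operator's own records, not an identification of the perpetrator.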
25. Lack of harmonized national cybercrime laws
The lack of harmonized national cybercrime laws, of international standardization of
evidentiary requirements (both in terms of admissibility in a court of law and in
terms of international state responsibility), of mutual legal assistance on cybercrime
matters, and of timely collection, preservation, and sharing of digital evidence
between countries also serve as obstacles to cybercrime investigations.
In regard to certain types of cybercrime, especially cybercrimes that are
politically motivated, a general lack of will among countries to cooperate in these
cases has been observed.
26. Technical challenges
Cybercrime investigators also face technical challenges. For example,
numerous digital devices have proprietary operating systems and software
that require the use of specialized tools to identify, collect, and preserve
digital evidence. What is more, investigators may not have the necessary
equipment and digital forensics tools needed to adequately conduct
cybercrime investigations involving digital devices.
Other obstacles to cybercrime investigations include the existing limited
abilities of law enforcement agencies to conduct these investigations. In
countries where national specialized units exist, they only investigate a
limited number of cybercrime cases. The prevalence of information and
communication technology in criminal investigations makes such a practice
ineffective.
27. Cyber Crime Investigation Techniques
Activities that a computer crime investigator performs include recovering file systems
of hacked computers, acquiring data that can be used as evidence to prosecute
crimes, writing reports for use in legal proceedings, and testifying in court
hearings. Cyber crime investigation techniques include:
Performing background checks: Establishing the when, where, and who of a crime sets the
stage for an investigation. This technique uses public and private records and databases to
find out the backgrounds of individuals potentially involved in a crime.
Gathering information: This technique is one of the most critical in cyber crime
investigations. Here, investigators ask questions such as: What evidence can be found? What
level of access to sources do we have to gather the evidence? The answers to these and other
questions provide the foundation for a successful investigation.
Running digital forensics: Cyber crime investigators use their digital and technology skills to
conduct forensics, which involves the use of technology and scientific methods to collect,
preserve, and analyze evidence throughout an investigation. Forensic data can be used to
support evidence or confirm a suspect’s involvement in a crime.
Tracking the authors of a cyber crime: With information about a crime in hand, cyber crime
investigators work with internet service providers and telecommunications and network
companies to see which websites and protocols were used in the crime. This technique is also
useful for monitoring future activities through digital surveillance. Investigators must seek
permission to conduct these types of activities through court orders.
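Slide 17 requires that the methods used to obtain digital evidence be valid and reliable so the evidence is admissible, and the "running digital forensics" technique above depends on preserving what was collected. The following is an added example (not part of the original slides or of any cited source) of the simplest preservation control an investigator applies at acquisition: a cryptographic hash of the acquired data is recorded in a custody manifest, and every later examination recomputes the hash to show the evidence is unchanged. The manifest layout, the file name, and the file contents are assumptions constructed for the example; the demo writes a small constructed file into a temporary directory so it runs offline.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def compute_sha256(path, chunk_size=1 << 20):
    """Hash a file in chunks so disk images larger than memory can be processed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(path, collected_by, case_id):
    """Record the evidence item in a custody manifest at the moment of acquisition."""
    return {
        "case_id": case_id,                      # hypothetical case identifier
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": compute_sha256(path),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(path, manifest):
    """Recompute the hash and compare with the manifest; True means unchanged."""
    return (os.path.getsize(path) == manifest["size_bytes"]
            and compute_sha256(path) == manifest["sha256"])


def demo():
    """Acquire a constructed evidence file, verify it, tamper with it, verify again.

    Returns (verified_before_tamper, verified_after_tamper, manifest).
    """
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "acquired_image.bin")
        with open(evidence, "wb") as fh:
            fh.write(b"constructed sample evidence data " * 64)   # not a real image
        manifest = acquire(evidence, collected_by="examiner-01", case_id="CASE-EXAMPLE-001")
        manifest_path = os.path.join(workdir, "custody_manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)
        with open(manifest_path) as fh:
            stored = json.load(fh)
        before = verify(evidence, stored)
        # Simulate an alteration after acquisition: flip a single byte.
        with open(evidence, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        after = verify(evidence, stored)
        return before, after, stored


if __name__ == "__main__":
    ok_before, ok_after, record = demo()
    print(json.dumps(record, indent=2))
    print("intact at acquisition:", ok_before)
    print("intact after one-byte change:", ok_after)
```

The check is deliberately binary: any difference, even a single byte, fails verification, which is what a court needs to hear. The manifest itself must be stored separately from the evidence and signed or witnessed under the agency's own procedure; the hash proves integrity, not who handled the item.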
28. Questions
i. Which national security agencies are involved in cybercrime investigations
in Kenya?
ii. What role (or roles) does the agency (or do the agencies) have in
cybercrime investigations?
iii. List and discuss various cybercrime investigation and forensic tools