In cybercrime investigations, finding the internet protocol (IP) address of the suspect is the first step.
An IP address is a string of numbers and letters attached to every piece of data moving across the internet.
To obtain the subscriber details behind an IP address from an Internet Service Provider (ISP), the cyber investigator has to serve the company with a subpoena, warrant, or court order.
Retention Of Subscribers’ Data
Most people, including cybercriminals and law enforcement officials, are not aware that Internet Service Providers keep records of their subscribers’ online activity.
One disadvantage for a cyber investigator is the limited period of time that ISPs retain their subscribers’ data. How long ISPs retain the data of their subscribers depends on the company’s policies.
Larger Internet Service Providers frequently retain their data for as long as 30 days. Nevertheless, that can’t be taken for granted. Keep in mind that data storage costs are significant for ISPs, and some reduce their expenses by discarding the data very quickly. Thus, it is a good idea for the investigation to move swiftly.
As a cyber investigator, you are permitted to send the ISP a formal request, in the form of a preservation letter, asking the company to preserve the data concerned before a subpoena, warrant, or court order is obtained demanding that the ISP turn over its records.
Remember that many companies will cooperate with a data preservation request. However, Internet Service Providers are not legally obligated to preserve or hand over any data to the cyber investigators of a law enforcement agency on the strength of such a letter. Hence, a preservation letter has its limitations.
Once the investigators obtain the records from the ISP, they may be able to trace the IP address back to the suspect’s precise physical address.
The suspect had to provide personal information, such as a physical address, to the Internet Service Provider when subscribing to the service. The adversary could have used false information to sign up, but even false information may prove useful.
Collaboration Is Key To Combating Cybercrime
When investigators have the suspect’s name and physical address, the investigation will probably also involve another agency from another province or state. The good news is that other agencies will often cooperate. Nonetheless, the further the investigation reaches beyond the investigator’s own jurisdiction, the greater the uncertainty about whether an agency located elsewhere will cooperate.
Seizure Of Electronic Devices
When all the paperwork is done, the suspect’s electronic devices including their computers and hard drives are seized.
This is the point at which specialized digital forensic examiners come in to examine the seized devices. Individuals specializing in digital forensics exist both within law enforcement agencies and in private companies.
The key to being an excellent digital forensics examiner is understanding what you are attempting to look for and understanding how to find it.
Once the computers are in the custody of law enforcement, a digital forensics professional will generate a valid forensic image.
Digital forensic specialists know that the source media should never be modified in any way.
Proper forensic imaging is necessary because the digital evidence will be presented in legal proceedings.
Forensic imaging produces a precise bit-for-bit copy of the source hard drive, solid state drive, USB drive, or other media. Furthermore, forensic imaging produces a unique digital fingerprint used to confirm the image’s integrity.
Suppose that a digital forensics professional merely made a standard copy of the hard drive using a backup program or by dragging and dropping files from the drive. This copy alone would be inadequate in a cyber investigation, since it would fail to include essential information such as deleted files, temporary files, and other kinds of data that may be important to the investigation.
When forensic imaging is done, widely used imaging tools produce a digital fingerprint of the seized media. This is also called a hash value.
Once a valid forensic image has been generated, forensic analysis can begin: the source media is considered preserved with assurance, and the examiner can proceed knowing that proper measures have been taken to ensure appropriate preservation.
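The following is an added illustration, not code from the original article, of why a bit-for-bit image differs from a file-level copy and how a hash value verifies the image. It uses a constructed toy disk of six 16-byte sectors with a made-up allocation table; the file names, sector contents and the SHA-256 choice are assumptions for the example, not details of any real forensic tool.

```python
import hashlib

# Constructed toy "disk": a sequence of fixed-size sectors. An allocation table
# records which sectors belong to live files. A deleted file keeps its bytes on
# the medium but loses its table entry, which is exactly what a file-level copy
# misses and a bit-for-bit image preserves. All values here are constructed.
SECTOR = 16


def build_sample_disk():
    """Return (raw_bytes, allocation_table) for the constructed six-sector disk."""
    sectors = [
        b"BOOT-RECORD-----",  # 0: boot sector, not part of any file
        b"report.txt-data-",  # 1: live file
        b"secret-deleted!!",  # 2: deleted file, bytes still present
        b"tmp-scratch-data",  # 3: temporary file, still allocated
        b"\x00" * SECTOR,     # 4: never written
        b"old-fragment-xyz",  # 5: leftover fragment of another deleted file
    ]
    raw = b"".join(sectors)
    table = {"report.txt": [1], "scratch.tmp": [3]}  # only sectors 1 and 3 are allocated
    return raw, table


def logical_copy(raw, table):
    """Backup-program or drag-and-drop style copy: only allocated file contents survive."""
    return {
        name: b"".join(raw[s * SECTOR:(s + 1) * SECTOR] for s in sectors)
        for name, sectors in table.items()
    }


def forensic_image(raw):
    """Bit-for-bit copy of the whole medium, hashing every chunk as it is copied."""
    image = bytearray()
    digest = hashlib.sha256()
    for offset in range(0, len(raw), SECTOR):
        chunk = raw[offset:offset + SECTOR]
        image += chunk
        digest.update(chunk)
    return bytes(image), digest.hexdigest()


def verify_image(source, image, recorded_hash):
    """Re-hash source and image independently; all three values must agree."""
    src_hash = hashlib.sha256(source).hexdigest()
    img_hash = hashlib.sha256(image).hexdigest()
    return src_hash == img_hash == recorded_hash


def unallocated_sectors(image, table):
    """Non-empty sectors no file claims: where deleted data survives in a full image."""
    allocated = {s for sectors in table.values() for s in sectors}
    found = {}
    for i in range(len(image) // SECTOR):
        chunk = image[i * SECTOR:(i + 1) * SECTOR]
        if i not in allocated and chunk.strip(b"\x00"):
            found[i] = chunk
    return found


if __name__ == "__main__":
    raw, table = build_sample_disk()
    logical = logical_copy(raw, table)
    image, recorded = forensic_image(raw)
    print("logical copy holds deleted data:", any(b"secret-deleted!!" in v for v in logical.values()))
    print("forensic image holds deleted data:", b"secret-deleted!!" in image)
    print("recorded hash:", recorded)
    print("image verifies:", verify_image(raw, image, recorded))
    print("recovered unallocated sectors:", sorted(unallocated_sectors(image, table)))
    # A single altered byte breaks verification, which is what the hash is for.
    tampered = image[:-1] + b"X"
    print("tampered image verifies:", verify_image(raw, tampered, recorded))
```

The hash is computed once over the source and once over the image; both must match the value recorded at acquisition time, and any later change to either, even one byte, makes verification fail. The `unallocated_sectors` helper shows the second point: the deleted file and the stray fragment are recoverable from the image but absent from the logical copy.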
Obviously, if the cybercriminals are highly skilled and familiar with the many tactics used to avoid identification, catching them becomes exceedingly difficult and, in many cases, impossible.
Nevertheless, cases where an adversary can easily remain unidentified are uncommon. Not many individuals are technically sophisticated enough to know how to conceal themselves properly.