How Cybercrime Has Changed Criminal Investigations

Since Ian Murphy became the first person to be convicted of a cybercrime after hacking into AT&T in 1981, cybercriminal activity has mushroomed into a major and ever-evolving global threat, forecast to cost the world $6tn annually by 2021.

The number of victims and total reported losses from this relatively new criminal activity have risen significantly every year since 2015, according to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3). So what effect has cybercrime had upon criminal investigations?

The definition of cybercrime is blurred and country-specific. Generally, it covers cyber-dependent crimes like network intrusion, but it can also encompass cyber-enabled crimes or crimes that yield digital evidence. With technology now interwoven into the fabric of our lives, cybercrime is becoming simply ‘crime.’

Besides birthing cybercrime, new technologies allow pre-existing crimes like fraud to be committed in new ways, making criminal investigations more complex across four areas: how crimes are committed, how evidence is gathered, how evidence is presented, and how offences should be prosecuted.

Tech-Enabled Wrongdoing

Where a criminal could traditionally be identified via forensic evidence, witness accounts and, later, DNA evidence, cybercrimes can be perpetrated anonymously, making it harder for criminal investigators to identify those responsible.

“It is difficult to place a suspect behind the keyboard,” Jacob Ruiz, administrative bureau major at Osceola County Sheriff’s Office, Florida, tells Infosecurity.

Alex Guirakhoo, strategy and research analyst at Digital Shadows, adds: “The Tor network allows many cyber-criminals to operate with a base level of anonymity, which can be further enhanced by taking specific behavioral steps online to not expose their identity.”

Pinning cybercrimes to suspects is made even harder by criminals who impersonate the modus operandi of another criminal, threat group or country to provoke misattribution.

The speed at which cybercrimes and cyber-enabled crimes are committed makes it hard to catch criminals red-handed. Thieves can steal $45m from an ATM in a few hours in a cyber-bank heist, while it takes on average just three seconds for executed ransomware to start encrypting files.

However, a bigger headache for investigators of cybercrime is the lack of geographical and geopolitical boundaries.

An INTERPOL spokesperson tells Infosecurity: “National borders do not constrain cybercrime or cyber-criminals, yet police still have to work within these borders.”

When attempting to pursue criminal investigations across state or national borders, law enforcement agencies (LEAs) soon run into legal complications.

“Criminals benefit massively from being able to commit crime across nation states, hiding behind privacy laws of other countries,” the UK’s South Yorkshire Police explains.

Along with disparate laws on privacy and what constitutes a cybercrime, countries can have different policing priorities.

“Some countries do not place a priority on fighting cybercrime, instead choosing to focus on other more traditional crime threats,” says INTERPOL.

A Joint Effort

As geographical boundaries become increasingly irrelevant in the commission of crime, criminal investigations have become more cooperative. Contemporary crime is rarely investigated by a single investigator or even a single force.

Famously, the takedown of dark web marketplace AlphaBay was coordinated between the FBI, Europol and LEAs in Thailand, the Netherlands, Lithuania, Canada, the UK and France.

Such cooperation is not always easy. Simon Newman, head of cyber and business services for Police Crime Prevention Initiatives, says: “Even though we have the Budapest Convention on Cybercrime in place to foster international cooperation for investigations and help harmonize legislations between nations, we still have some way to go to effectively investigate cybercrimes across borders.”

Cybercrimes and cyber-enabled crimes further complicate criminal investigations by occurring in such large numbers that other investigations, and indeed the entire judicial system, can be impacted.

Newman adds: “The biggest threat [posed by cybercrime] in the short-term relates to the volume of cases and their complexity, potentially clogging up the criminal justice system. This includes taking already limited police resources away from focusing on other areas of crime.”

Gathering Evidence

Though technology is neutral, it can appear to favor opportunistic criminals over primarily reactive LEAs.

“When a new technology comes along, some of the first to adopt that technology are those who subvert it to their criminal purposes,” Charles Cohen, vice-president of the National White Collar Crime Center (NW3C), tells Infosecurity.

However, while tech benefits criminals, it also helps LEAs, providing them with investigative tools and digital forensic evidence, vital to convict or exculpate.

“Law enforcement does benefit from new, efficient and faster methods of working, analyzing data and assessing large amounts of digital evidence,” says a spokesperson for South Yorkshire Police.

Since US households today own 11 connected devices on average, processing digital evidence can slow an investigation down, and just a single investigation into one child pornographer can involve millions of files.

“It is already possible to ‘drown’ in digital data from a fairly straightforward investigation involving a couple of smart phones, laptop, tablet and vehicle,” South Yorkshire Police explains.

Cybercrime has complicated criminal investigations by creating data access issues that expose outdated legislation and test the relationship between LEAs and private companies.

South Yorkshire Police says: “Existing legislation has not kept pace with developments, and we are faced with trying to use an out-of-date legislative framework. Examples include the use of – and access to – cloud data, restrictions on using internet-capable devices and the use of virtual machines which may leave no trace/records.”

The US Communications Assistance for Law Enforcement Act (CALEA) requires electronic communication providers to allow properly authorized law enforcement to engage in lawful interception (wiretap). However, CALEA’s outdated definition of an electronic communication provider no longer applies to many of today’s companies.

Technology has now outpaced the law to the extent that the ability of LEAs to pursue criminal investigations is compromised.

“It is now possible for a search warrant to be issued by the Chief Justice of the United States Supreme Court with which no law enforcement officer can comply simply because there is no way to recover evidence from some encrypted cell phones,” Cohen points out.

LEAs understand the difficulties faced by companies tasked simultaneously with protecting user privacy and assisting criminal investigations.

“Sometimes we get more data from the forensic process than we do from the company,” Brendan Hooke, first lieutenant of Fairfax County Government’s Cyber and Forensics Bureau, tells Infosecurity. “Some people wonder ‘are they just not cooperating?’ but I get it. I can’t imagine how many warrants they get in a day – it’s got to be in the thousands.

“Companies have really improved; they have portals and they offer guidance. Where we do see challenges are with companies that are cloud providers, like Google and Facebook. I don’t think they want to become ‘a law enforcement company’ providing cloud data all day, rather than doing their business.”

Presenting Evidence

Cybercrime has made criminal investigations more complex by continuously generating sophisticated new forms of evidence that require specialist training, software and hardware to detect, decipher, interpret and present to LEAs, prosecutors and a jury. As a result, LEAs continuously require new training and resources, driving up the cost of criminal investigations.

Research conducted by the Fairfax County Police Department in 2017 found that it takes approximately 18 months and $95,000 to train a new digital forensic examiner to proficiency and supply them with the necessary equipment and licenses.

Finally, cybercrime has created prosecutorial and sentencing problems for criminal investigations that go beyond outdated legislation; offenders can be anywhere and any age. A 2017 report by the UK’s National Crime Agency found that 61% of hackers began hacking before the age of 16 and the average age of those arrested for malicious hacking was 17.

“There have been calls by experts in the field to revise and reform the current 1990 Computer Misuse Act, seeking to improve the way we investigate and prosecute cases of cybercrime. Specifically, around dealing with offenders who are minors and providing better guidance for prosecutors and sentencing courts,” says Newman.

On the Horizon

As cybercrimes grow in ubiquity, the stigma of reporting them will decrease, causing the number of reported cybercrimes to rise. Evidence of the growing threat will trigger legislative changes.

“Reporting cybercrime drives policy making at Governmental level, which will ultimately help law enforcement agencies and companies deal with the threat cybercrime poses,” argues Newman, who cites the EU’s recently passed Cyber Security Act as an example.

New laws equivalent to existing anti-money laundering legislation may require companies to keep electronic logs and to retain data for a specific time period. They could further require that data-sharing methods between companies and LEAs are standardized, that companies supply evidence to LEAs in non-proprietary formats and could ban companies from charging fees to produce evidence.

Future cybercrime investigations will likely feature more collaboration between different LEAs and between countries, organizations, private companies and members of the public in receipt of a growing number of cyber-attacks.

INTERPOL, which plans to establish a secure collaboration platform for law enforcement to share operational information, says: “Public-private partnerships are key to investigating cybercrime.”

LEAs will increasingly adopt new technology like AI, cloud analyzer tools, facial recognition technology, big data and machine learning, and cyber-training that was unheard of five years ago will probably be absorbed into regular training.

Further into the future, new technology could unlock hidden secrets in contemporary digital forensic evidence to solve tomorrow’s cold cases, providing that evidence is preserved.

“It’s like back in the day when they knew DNA was coming, so they’d collect things that might have it, but they couldn’t do anything with it right then and there,” explains Lieutenant Hooke.

“The value of the data is not always readily apparent, but if we don’t have all this data in a way that is legacy-proof and easily accessible in 20 or 30 years, we are really doing a disservice to cold case investigators in the future. I think that both private industry and law enforcement are moving towards that.”
