The Emerging Cyberthreat: Cybercrime Investigations & Digital Evidence

 

Cybercrime is often thought of as activities such as network intrusions, ransomware, and distributed denial of service attacks. However, it also encompasses any criminal activity that is enabled through the use of a computer or that yields digital evidence, such as child exploitation, human trafficking, fraud, identity theft, drug sales, and even terrorism. As the world becomes more interconnected and further tethered through the “Internet of Things,” crimes of this nature are rapidly expanding. Many jurisdictions are reporting that almost all crimes they investigate require some degree of cyber support.1

An example of this phenomenon can be observed in gang-related homicide investigations. “Shot callers” from a distance, such as in prison or in another country, may authorize or order killings in a different area. To substantiate that the orders have been carried out, photos or videos of the crime are transmitted to gang leadership. Furthermore, to “move up” in the gang hierarchy, members must usually perform certain acts to gain status and credibility. For this reason, it is not uncommon to discover that video exists of a homicide with those involved deliberately ensuring that they appear in the video actively involved in the murder. Increasingly, gang-related homicide investigations involve extensive digital evidence, including the seizure and examination of numerous devices, video, social media accounts, and cloud-based storage. In addition to video seized from suspects, often video from the last known location where a victim was seen alive is collected from such places as convenience stores or fast food restaurants. The quality and timing of these files vary, so forensic enhancement or time stamping becomes critical to effectively prosecute cases.

While homicide cases are generally rare in most municipalities, other forms of technology-enabled crimes are skyrocketing, and surveys reflect the growing concerns of community members. Gallup has been surveying U.S. residents for nearly 20 years regarding their fears related to crime. The results of a poll published in November 2017 indicate that the U.S. public is most concerned about cybercrime, far more so than conventional criminal activity. Two-thirds of the respondents indicated that they are worried about having their identities stolen.2

Identity theft refers to a perpetrator stealing an individual’s personal identifying information to open accounts in the victim’s name or assume control of their existing accounts. The FBI’s Internet Crime Complaint Center (IC3) recorded an average of 280,000 complaints per year, from 2000 through 2016. One in four U.S. residents report that they or a member of their household has had personal information stolen by hackers in the last year. Sixteen percent confirmed that they had been a victim of identity theft during the same time period. Individuals who are victims of identity theft may never recover financially and can be impacted in other ways, such as in obtaining employment. Many victims of cybercrime report suffering emotional trauma as a result of being victimized.3 Identity theft affects considerably more victims, and the numbers are increasing every year, but the most prolific financial losses stem from a cybercrime known as Business Email Compromise (BEC).

BEC is a type of fraud targeting businesses or organizations that regularly perform wire transfer payments. This sophisticated cybercrime is carried out by compromising email accounts through social engineering or computer intrusion techniques to prompt the unauthorized transfer of funds. BEC results in the most substantial monetary losses but affects fewer victims due to the specialized nature of the criminal activity. IC3 reported that from October 2013 through December 2016, there were 40,203 reported BEC incidents, resulting in a total monetary loss of 5.3 billion U.S. dollars.4

 

Cyber Investigative Capacity

Fairfax County is a Northern Virginia suburb of Washington, DC, and is home to more than 1 million people. The Washington National Capital Region is an enticing target for those seeking to steal information or cause disruption and physical harm to persons. In July 2017, the Fairfax County Police Department (FCPD) established a Cyber and Forensics Bureau. To help determine the strategic plan for the new bureau, efforts were made to benchmark comparable units in other law enforcement agencies. Requests for information were solicited via a survey sent to the member agencies of the Major City Chiefs Association in October 2017. Responses were received from more than 30 agencies and offered several key insights.

Many agencies are effectively leveraging non-sworn staff to augment their sworn personnel. Duties and roles are primarily dependent on their training and experience as opposed to sworn status. Most agencies acknowledge that recurring expenses related to workforce training and the need to frequently upgrade equipment are key considerations. FCPD conducted an internal analysis of these factors and found that it takes approximately 18 months for a new digital forensic examiner to become completely proficient in the duties of the role and approximately $95,000 to purchase all of the equipment, training, and licenses required for the position.

FCPD’s Cyber and Forensics Bureau was formed primarily from sections that had previously served in investigative support roles. Proactive criminal investigations focused on computer-enabled crimes such as child exploitation, financial fraud, and organized crime are primarily conducted by personnel assigned to the Major Crimes Bureau or the Organized Crime and Intelligence Bureau.

The New Jersey State Police (NJSP) has one of the more progressive models in the United States to address cybercrime. NJSP’s High-Tech Crime Bureau comprises a Cyber Crimes Unit, a Digital Technology Investigations Unit, an Electronic Surveillance Unit, and a Regional Computer Forensics Laboratory. This is one of the more comprehensive approaches to technology crime that can be found in the United States.

Task Force Participation Opportunities

The participation of their officers on multiagency task forces affords agencies valuable liaison relationships and access to resources and training that might otherwise be unavailable. There are numerous opportunities to participate on federal task forces in the United States, including the United States Secret Service’s Electronic Crimes Task Force; the Department of Homeland Security Investigations’ Cyber Division; the DOJ Internet Crimes Against Children; and the FBI’s Cyber Task Force. For smaller and mid-size agencies, the adoption of regional models or task force participation may offer the most practical and cost-effective means to enhance an agency’s cyber investigative capacity.

 


Digital Forensics

During the past 20 years, there has been an exponential increase in the prevalence of digital technology such as smartphones, tablets, laptops, wearable technology, cloud storage, interconnected household devices, external storage, video game consoles, and other devices that can hold evidence. As the amount of digital evidence available increases, the demand for forensic examinations of this evidence also grows. The time required to complete digital forensic examinations is dependent on electronic processes and the number of devices and volume of data to be analyzed. There is no way to “work faster” without sufficient personnel who have the training and tools to complete the analyses.

The issue of law enforcement agencies not processing digital evidence in a timely manner can result in negative publicity, an erosion of public confidence, and the further victimization of innocent people. For example, in July 2017, a Maryland public middle school instructional assistant was arrested for sexually assaulting multiple students and manufacturing child pornography (he had video recorded the graphic acts). Seven separate victims were identified through the videos. The investigation began when an inappropriate photo was discovered on the suspect’s cellphone. Tragically, during the period that police were waiting for the results from the digital forensic examination, the suspect sexually assaulted eight more children. In total, 42 children from the middle school were found to have been victimized. The case caused great community distress due to the heinous nature of the crimes. Considerable anger and frustration were also directed at law enforcement for the extended period of time that it took to process the digital evidence in the case.5

Emerging Technology Leads to Emerging Challenges

Cellphones often hold key information in many investigations such as photographic or video evidence and data establishing associations between victims and perpetrators, linking co-conspirators, or physically placing suspects at the scene of crimes. As technology evolves, so do the challenges facing those tasked with processing digital evidence. Security features related to Apple’s smartphones had historically been model-specific, but with the release of Apple iOS 11 software, all iPhones newer than model 5 that have the latest software upgrade are considerably more difficult to unlock. Several vendors offer solutions to this issue, but those third-party solutions can be costly and are not guaranteed to work.

Technical challenges are further exacerbated by court rulings like the 2014 case of Virginia v. Baust. The Virginia circuit court ruled that a suspect could not be compelled to provide the passcode to a cellphone as that would be a testimonial act and would violate the suspect’s Fifth Amendment rights.6 It can be anticipated that advances in technology will continue to spawn related legal precedents. Investigators may have to adopt tactics such as operational planning that prioritizes the retrieval of digital evidence in a state that allows it to be preserved for forensic examination.

Establishing a Digital Forensics Lab

FCPD’s Digital Forensics Section works in a purpose-built space specifically designed for the section’s mission. Access to the location is controlled via electronic proxy readers and recorded via a video surveillance system. Design features were configured based on input from the digital forensic examiners. The flooring is composed of specialty tile to reduce the possibility of an electrostatic discharge. The fire control system has been modified to prevent damage to electronics in the event of an activation. The site has a dedicated space for cellphone chip-offs, a server room, an evidence storage room, and a Faraday room. The chip-off room allows detectives to work in a sterile space to deconstruct devices to access phones’ chips. This sophisticated process allows detectives to recover data from phones even if a suspect has deliberately destroyed the device. The Faraday room provides a secure location to store devices pending examination. The design features of the Faraday room block radio frequencies to prevent the remote erasure of data on devices stowed in the room. The space was designed with sufficient workspace to grow and eventually to accommodate more personnel to contend with the rising tide of digital evidence.

Increasing Need for Forensic Video Analytics

Video systems have become more affordable and, subsequently, more prevalent. New systems offering more technical features and data storage require additional time to examine. Furthermore, demands for police transparency and accountability have driven the adoption of systems such as body-worn cameras and in-car video by law enforcement. Simply stated, video is everywhere, but one cannot necessarily trust everything one sees. Increasingly, agencies must prepare, enhance, and redact video, not only for courtroom presentation, but also to respond to negative misinformation on social media and to clarify police actions taken during high-profile incidents.

Internet of Things and the Changing Nature of Crime

Law enforcement needs to prepare for the proliferation of the Internet of Things such as wearable technology, Internet-connected home assistants, and vehicle infotainment systems. The prevalence and complexity of digital evidence are significantly increasing. Investigators need to know what can be recovered from these devices and how to extract the relevant data. While these devices provide an opportunity to gather evidence, they can also present some risks. For example, in Fairfax County, a suspect in custody, who was secured in a locked interview room, used a smartwatch to signal co-conspirators to destroy evidence before police arrived to seize it.

Manufacturers of new devices being offered to consumers prioritize production price, speed of availability in the market, and convenience over security. Cases of suspects using Internet-connected devices to harass and stalk victims are reportedly increasing. “Smart” devices such as locks, speakers, thermostats, lights, and security cameras are increasingly being used by suspects as instruments of harassment, monitoring, revenge, and control. In July 2018, the New York Times reported on numerous cases of domestic abusers using Internet-connected home devices to remotely control items in a victim’s home, to spy on them, or to assert power over them from a distance. It is estimated that the number of home Internet-connected devices is growing by 31 percent each year.7

 

 

Notes:

1 Joshua Philipp, “Nearly Every NYC Crime Involves Cyber, Says Manhattan DA,” The Epoch Times, March 2, 2013.

2 RJ Reinhart, “Cybercrime Tops Americans’ Crime Worries,” Gallup, November 6, 2017.

3 Office for Victims of Crime, Expanding Service to Reach Victims of Identity Theft and Financial Fraud (Washington, DC: Department of Justice, 2010).

4 FBI Internet Crime Complaint Center (IC3), “Business E-Mail Compromise: E-Mail Account Compromise Alert, The 5 Billion Dollar Scam,” public service announcement, May 4, 2017.

5 Amanda Iacone, “Md. Police and Lawmakers Target Digital Evidence in Child Abuse Cases,” WTOP News, February 5, 2018.

6 Virginia v. Baust, No. CR141439 (Va. Cir. Ct. 2014).

7 Nellie Bowles, “Thermostats, Locks and Lights: Digital Tools of Domestic Abuse,” New York Times, June 23, 2018.


Please cite as

Christian Quinn, “The Emerging Cyberthreat: Cybercrime Investigations & Digital Evidence,” Police Chief online, December 19, 2018.