So in this lesson, we'll talk about investigation methods, cybercrime investigation methods specifically. But what you'll see is that most investigation methods for traditional investigation also apply to cybercrime investigation. There's just usually a little bit more of a technical component, obviously, to cybercrime investigation. So first off, cybercrime investigation is very much like traditional investigation. The same skills and the same knowledge are necessary for both types, and the same methods apply.

Normal investigation methods for both cybercrime and traditional investigations would be things like interview and interrogation. Knowing how to do proper interviews and interrogations of witnesses, suspects, victims, basically anyone involved, is extremely necessary whenever you're doing investigations. Having some people skills, or the ability to get people to tell you what you need to know and to understand whether they're lying or not, at least to some extent, is extremely important for basically any type of investigation, but especially for cybercrime investigation. Basically, we can't trust all the different types of interviewees, so how can we find the best-quality information?

Next is surveillance and intelligence gathering. Doing surveillance on suspects or victims or organizations, or whatever it may be, or finding information, intelligence, helps us to be able to do the investigation because we know more context. What about this person makes them likely to be a suspect? Do they go to work every day, and so have to do all their crime at night? But we find out that all the crimes were done during the day. It gives us some more information whenever we do either surveillance or intelligence gathering on suspects or victims or organizations, or whatever it may be, before we actually do the investigation.

Forensics. This is reconstruction. We'll talk more about forensics in the second half of the course, but I'll cover it a little bit today.
And of course undercover investigation is commonly used offline and is starting to be used more in online investigations as well.

So interview and interrogation, like I've already talked about a little bit, is the ability to ask questions in a way that maximizes the amount of true information the investigator knows. So whenever you're doing an interrogation or an interview, even with a victim, they might not always be able to tell you the complete truth. They may exaggerate some of the details of the investigation. So we need to be able to ask questions in a way that leads us to the truth, even if the people we're talking to don't necessarily know what they're talking about, or don't want to tell us, or don't know how to explain what they know, basically. This is not easy. Anytime we're dealing with people in investigations, it is not easy to work with them. I said that, for actually committing cybercrime, people are the easiest access point to get access to networks and things like that. But whenever we're dealing with investigations, dealing with people is always difficult. And there are a number of reasons for that which we can't really go into. But just think about it: whenever we involve people, the investigation usually becomes much more complicated.

We might have a willing witness, and willing witnesses are somewhat easier to work with. Obviously, if the person is willing to help us, things become easier. But even witnesses, people who are willing to work with us, may not remember things correctly. They may lie or exaggerate things. They may not know exactly what they saw. They might make things up. They may not want to seem stupid, or whatever, so they just start to say things that they don't actually know. And they might not understand that those kinds of things actually hurt the investigation, but they do mean well. So even whenever people are willing to help us, we can't necessarily take them at their word.
We still have to have good interrogation techniques to be able to find the truth, or, in this case, to figure out if they're lying. Unwilling witnesses, of course, are going to be very, very difficult. They're very likely to lie. They're very likely not to cooperate. So especially if somebody is a suspect, they will be very defensive, and it's very difficult to work with them and get true information out of them.

Different investigation methods: surveillance, or intelligence gathering, is a necessary part of most investigations. If it's done well, it greatly improves the investigation process because we have a lot more context. We know why things have been done. We know the different people and places that may be involved, which could be witnesses or could be suspects, so now we know where our investigation can go. It's the process of collecting more information or context; normally we just have witness statements before intelligence gathering. Most cases, at least for law enforcement, start whenever a victim or some witness comes in and reports the case. We've interviewed the witness or victim, and they've told us a story. That story may be completely true. It may be partially true. We don't know yet, so we actually have to do the investigation to investigate that story. In the intelligence gathering phase, we find out more information about all of the people or organizations that may be involved and find the context. Where does this story fit in the context of this whole thing?

Available methods depend on the charge and what is already known about the case. So intelligence gathering, especially something like surveillance, is in most countries very difficult for law enforcement to do. They have to get permission, usually from a judge or prosecutor, to do any type of invasive surveillance.
So if the charge is something like terrorism, and they can show any type of evidence that it looks like terrorism is actually the case, they're more likely to get permission to be able to do some type of surveillance. So the greater the charge, if evidence is likely, the greater the invasiveness of surveillance that is possible, usually. That doesn't mean that law enforcement always do surveillance if they can. It just means that if there's some proof that seems like it's likely that extreme charges are possible, then it's more likely for them to do some sort of surveillance.

Open source and closed source intelligence. Whenever we're doing intelligence, we're looking for more information about users, about places, about activities that might have taken place. And there are two different sources, basically: open sources, which are available to the public, and closed sources, which are available only on a restricted basis, either only to an organization or to the police or military intelligence, whatever. Open source intelligence is publicly available, and there's no special authority required. So anything that you publish on Facebook, for example, if you do not restrict it and anyone can access that information, then it's considered publicly available, and law enforcement or anyone else can access it and use that information basically however they want. Closed source intelligence comes from non-public sources, like I said, like past case data from law enforcement, police operations, military and intelligence sources, private organizations, and a lot of other places that have information that's not necessarily available to the public, basically. So the difference is publicly available versus not publicly available. Usually closed sources are higher quality and more trustworthy. Open sources are usually lower quality, and we don't necessarily know if we can trust them.

Next, forensics or reconstruction.
We use traditional and digital forensic science in our investigations. For example, fingerprint analysis on a keyboard and the data on the computer. We'll talk more about that later. We attempt to reconstruct events. So whenever we're doing forensics, we're trying to look into the past and reconstruct what happened with incomplete information. We want to find out the who, what, when, where, and why of the situation. Can we answer all of those questions about this case or this computer or this device or knife or whatever it is? Traditional forensic analysis looks at things like fingerprints, blood analysis, hair analysis, DNA, handwriting analysis, currency investigation. There's a huge list of forensic sciences that are looking at all sorts of different sources to analyze. And digital forensic analysis is reconstruction of digital events, reconstructing what happened on digital devices. And that's a whole area by itself, which we'll talk about in the second part of the course.

Undercover investigations usually relate to a planned operation. Short-term and long-term options are available. Somebody might go undercover for some sort of quick sting. Or they might have a long operation where they actually have an agent in with the criminals for an extended period of time. The same is true for cyber investigations. I do undercover investigations where I may go into a chat room for one day and try to find suspects that are sharing illegal information or illegal images or videos or whatever. Or I may attempt to build up the persona of a very extreme hacker on forums and work those forums for a very long period of time and collect intelligence from those forums while I become a respected member. I may have to do or post things that look like they're semi-illegal. Usually law enforcement are doing this with some permission from judges or whatever. But the point is trying to gain the trust, essentially, of the user group.
There are traditional and digital versions. Traditional: the investigator pretends to be, for example, a money mule carrying money. The money was potentially stolen online, but we have to take that money that's online or in a bank account and actually turn it into cash. Otherwise, how do we get the money? A traditional form could be that I'm pretending to be a money mule working with the suspect to transfer the money to them. In this case, the suspect steals the money online, I take the money out of an ATM and physically give it to the suspect. In that case, I may be able to arrest the suspect in the real world. Digital: the investigator may pretend to be a hacker selling malicious code to try to gain notoriety in a community. That way they can gain more information about other people or other services on that forum.

Required skills for investigations. These are for all investigations, not only cybercrime. First off, observation skills: the ability to pick out details in a scene or in the way that people are acting, or just to be able to observe your surroundings, essentially. Investigators must be observant of small details and be able to use those details in their investigation. Critical thinking: after observation, investigators must be able to piece together what their observations most likely mean. If I see somebody who is supposed to be a witness and they are very nervous in their interrogation, why are they nervous? Maybe they're lying, maybe they're part of the crime, or something like that. What can the observation of them being nervous tell me about the investigation or where I should look next? Critical thinking is really evidence-based reasoning: not assuming anything, and understanding that whatever you observe, there are certain probable causes for that thing. We need to find evidence that supports or denies whatever hypothesis we're making about what we've observed. Next is perseverance.
To solve a case, you really have to have patience. Dealing with people, asking the right questions without getting emotional or upset, is very difficult. Looking for people online, many leads that you try will not result in any useful information. So you keep failing, and then after you fail enough times, you're successful in one thing, and that leads you to the suspect. So you really have to persevere whenever you're doing investigations, because it's very rare that you will just immediately solve the case.

And you have to be good with people. Even for cybercrime investigations, you really need to be good with people, because people have the information, whether they can get the information or they can lead you to the information that you need. If you're not good with people, you won't be able to make requests to other investigators to interrogate other potential witnesses. You maybe won't be able to interact with the suspect very well, so they will be more defensive against you. You really need people skills even for cybercrime investigations.

And then, just very, very quickly, some investigation techniques, again ones that work for traditional crime and digital investigations. The first is relational analysis, and this is an extremely, extremely useful technique, especially for cybercrime investigations that involve a lot of different entities. So for example, you have many different servers in several countries. You have a lot of credit cards, you have a lot of cell phones, you have a lot of email addresses, and you have several people, and you want to find all of the people. Relational analysis is a very powerful way to show the connections between all of these people. It's just attempting to relate objects, people, and events to each other in a very easy-to-understand way. And I will post an example of what that is. And we can use something called link analysis to find patterns in all of these links. We want to, for example, associate two suspects together.
So we can make links through them, maybe via a cell phone or an email that they've had. That's the way that we link these people together. And again, I'll post an image of some relational analyses. Even for relatively small cases, doing a relational analysis for cybercrime investigation is very useful, so you don't forget all of the different links that a person has to accounts and devices, or access to other people, things like that.

Next is timeline analysis. So we use the times of reconstructed events to find when events took place. We can also compare multiple timelines to reveal patterns of possible or impossible events. So you see this a lot whenever people are interrogating somebody. They say, "Where were you last night after 10 p.m.?" And they say, "Oh, well, I was at the movies with my friend." But the police, or whoever is doing the investigation, already have a timeline that says that the murder was committed at 9:30 p.m., something like that. So they're essentially doing timeline analysis. They're putting all of these events on the timeline to say, OK, the murder happened 30 minutes before you went to the movie, so you could have done this. Now you just need to place the person there. With digital investigations or cybercrime investigations, we have a lot more log information. We have a lot more timestamps in digital devices, so we can make very specific timelines. Of course, times can sometimes be manipulated, but we can make relatively specific timelines of events that have happened on the digital devices. And it's a very powerful way to do investigations of digital devices and what activities took place at specific times.

And then there's also functional analysis, basically analyzing how a particular thing works. And the best example of this is malware analysis, like we talked about. We want to analyze how a piece of malware is working. What is it doing to the system? What are its functions?
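As an added example of the relational and link analysis described above (this is not code from the lecture), the following Python script builds an entity graph from a list of constructed observations, finds the shortest chain of shared phones, accounts, emails and servers joining two people, lists what two entities have in common, and ranks the most-connected entities. The observation list, the "type:value" labelling of entities and all names and numbers are assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample observations (not real case data): each pair records
# that two entities were seen together, e.g. a person used a phone, a phone
# number was registered on an account, a card was used on a server. The
# "type:value" labelling is an assumption of this example, not a standard.
OBSERVATIONS = [
    ("person:suspect_a", "phone:+1-555-0100"),
    ("person:suspect_a", "email:alpha@example.test"),
    ("phone:+1-555-0100", "account:shop-7731"),
    ("email:alpha@example.test", "server:203.0.113.10"),
    ("person:suspect_b", "account:shop-7731"),
    ("person:suspect_b", "card:pan-ending-1111"),
    ("person:suspect_b", "phone:+1-555-0199"),
    ("card:pan-ending-1111", "server:203.0.113.10"),
    ("person:witness_c", "phone:+1-555-0199"),
]


def build_graph(observations):
    """Undirected adjacency sets: every observation links both entities."""
    graph = defaultdict(set)
    for a, b in observations:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def shortest_link(graph, start, goal):
    """Breadth-first search for the shortest chain of entities joining
    start to goal; returns the chain as a list, or None if unrelated."""
    if start not in graph or goal not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain = []
            while node is not None:
                chain.append(node)
                node = prev[node]
            return chain[::-1]
        for nxt in sorted(graph[node]):   # sorted so the result is deterministic
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def shared_entities(graph, a, b):
    """Entities linked directly to both a and b, e.g. a phone both have used."""
    return sorted(graph.get(a, set()) & graph.get(b, set()))


def degree_ranking(graph):
    """Entities ordered by number of links; the hubs are where to look next."""
    return sorted(((len(n), e) for e, n in graph.items()), reverse=True)


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    print(" -> ".join(shortest_link(g, "person:suspect_a", "person:suspect_b")))
    print("shared:", shared_entities(g, "person:witness_c", "person:suspect_b"))
    print("hubs:", degree_ranking(g)[:3])
```

The two suspects share nothing directly, but the search still joins them in three hops through a phone and a shop account, which is exactly the kind of indirect link that is easy to lose without a drawn or computed relational analysis.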
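The timeline analysis described above, as an added Python example that is not code from the lecture: it merges constructed log rows from several sources, each with its own timestamp format and time zone, into one UTC-ordered timeline, checks a claimed alibi window against events from independent sources, and flags a source whose records run backwards in time, which is one concrete form of the "times can be manipulated" caveat. All log rows, the actor name, the time zone and the timestamp formats are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs). Each source keeps its own
# timestamp format and zone, as multi-source evidence usually does.
# Row layout: (raw timestamp, actor, description).
SOURCES = {
    "web_server": [  # Apache-style clock, UTC
        ("21/Mar/2023:21:12:04 +0000", "mallory", "login from 203.0.113.10"),
        ("21/Mar/2023:21:14:30 +0000", "mallory", "downloaded customers.csv"),
    ],
    "badge_system": [  # ISO 8601, local zone UTC-5
        ("2023-03-21T16:10:00-05:00", "mallory", "badge opened server-room door"),
        ("2023-03-21T16:20:00-05:00", "mallory", "badge opened lobby exit"),
    ],
    "atm_log": [  # file order; the second record is earlier than the first
        ("2023-03-21T17:05:00-05:00", "mallory", "cash withdrawal 400"),
        ("2023-03-21T16:58:00-05:00", "mallory", "balance enquiry"),
    ],
    "statement": [  # the interview itself, taken the next morning
        ("2023-03-22T09:00:00-05:00", "mallory", "claims: at the cinema 15:30-18:00 on 21 Mar"),
    ],
}


def parse_ts(raw):
    """Normalise the formats used above to a timezone-aware UTC datetime."""
    for fmt in ("%d/%b/%Y:%H:%M:%S %z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(raw, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def build_timeline(sources):
    """Merge every source into one list of (utc_time, source, actor, description)
    sorted by time, so events from different devices can be compared."""
    events = [(parse_ts(raw), src, actor, desc)
              for src, rows in sources.items() for raw, actor, desc in rows]
    return sorted(events, key=lambda e: e[0])


def check_alibi(timeline, actor, start, end, claim_source="statement"):
    """Events from sources other than the claim itself that place the actor
    somewhere during the window they claim to have been elsewhere. A non-empty
    result contradicts the claim (or a clock is wrong, which is checked next)."""
    return [e for e in timeline
            if e[2] == actor and e[1] != claim_source and start <= e[0] <= end]


def order_anomalies(sources):
    """Sources whose records are not in chronological order. Append-only logs
    should be monotonic; a step backwards points at clock changes or editing."""
    bad = []
    for src, rows in sources.items():
        times = [parse_ts(raw) for raw, _, _ in rows]
        if any(later < earlier for earlier, later in zip(times, times[1:])):
            bad.append(src)
    return bad


if __name__ == "__main__":
    local = timezone(timedelta(hours=-5))
    tl = build_timeline(SOURCES)
    for t, src, actor, desc in tl:
        print(f"{t:%Y-%m-%d %H:%M:%S}Z  {src:<12} {actor:<8} {desc}")
    window = (datetime(2023, 3, 21, 15, 30, tzinfo=local),
              datetime(2023, 3, 21, 18, 0, tzinfo=local))
    print("events contradicting the alibi:", len(check_alibi(tl, "mallory", *window)))
    print("sources with ordering anomalies:", order_anomalies(SOURCES))
```

Converting everything to UTC before comparing is the step that makes the alibi check meaningful: the badge and web server clocks are five hours apart as written, yet in UTC they describe one continuous ten-minute visit inside the claimed cinema window. The ordering check is a cheap first test of whether a source's clock can be relied on before its timestamps are used against anyone's account.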
Once we understand its functions, we can understand what it's actually trying to do. And that function can potentially lead us to other servers or other devices, using, potentially, relational analysis. We can connect them, and they can potentially lead us back to suspects just based on what the functions of this particular piece of malware, software, whatever, are. Right. So that's pretty much it for investigation methods. Next I'll talk a little bit more about cybercrime investigation and the processes that we use. Thank you.