So this week we're talking about the basics of cybercrime investigation, specifically what investigators actually do whenever they're trying to figure out how a cybercrime was committed. So the first thing I want to stress when we talk about cybercrime investigation is that traditional methods of investigation are really the most important part of a cybercrime investigation. Many people think that cybercrime happens completely online, and that's not necessarily true. There are a lot of aspects of cybercrime that also happen offline, and a lot of skills that investigators need relate to traditional or criminal investigations, and we have to use them for cybercrime investigations as well. So computer crime investigation is very much the same as traditional investigation, and a lot of people don't really think that, because we're dealing with a computer system, and a computer system, they think, is very different from, for example, a crime scene that is a house, where you might have different pieces of evidence lying around the house. They don't really understand that a house that is a crime scene is very much the same as a computer that's a crime scene. They both contain potential pieces of evidence. We have to go in and look at those pieces of evidence and make sense of them in the context of our investigation, or in the context of what happened. So what I really want to stress is that to be a good cybercrime investigator you have to have traditional police investigation knowledge, or understand how traditional investigations actually take place, and apply those methods and techniques to cybercrime investigations, both online and in the computer or phone systems we're analyzing. In week seven we'll talk a little bit more about the processes that investigators actually go through whenever they're looking at computer systems. This week we're focusing more on cybercrime online.
How do we investigate online traces and trace back to criminals, or trace back to events that have happened online and that may not even necessarily be in our country? So whenever we're investigating traditional crime and cybercrime, we're using the same investigation procedures and techniques. We're using the same methods, and in the next lecture we'll talk about what those methods actually are: how we can present evidence in a very easy-to-understand way, not only to ourselves but for court. And I also want you to realize that computer crime rarely happens only online. There are some types of crimes that only happen online, where we don't really have a lot of offline or physical traces that we can investigate. But most types of cybercrime that we come across have some sort of traditional component or offline component. Even whenever we're dealing with, for example, bank accounts. We can do bank transfers, but normally criminals want to take the money out of the bank eventually. So in that case they're taking what may have been a completely online crime and converting it into the physical world, let's say. And at that stage we can start to do a traditional or physical investigation. So traditional investigation methods are really important to cybercrime investigation as well. They're not separate things. Although most people think that you have to kind of separate them out a little bit, really you need traditional investigation skills and technical knowledge, and that's what we'll talk about today. So computer crime is rarely only online. For example, bank accounts are probably one of the most important sources that we normally come across, because so much online fraud is done all over the world. A lot of the online fraud that takes place involves online bank transfers. Well, the criminals or the suspects want to eventually get access to that money, and really the only way that they can get access to it is by withdrawing it somehow.
And once they withdraw that money, then it becomes an offline crime. So we don't have only online traces, although most of our traces may be online. Witnesses and victim statements: you can't really, I guess, even start a case until you have some sort of victim that says that something has happened, or a witness that says that something has happened. And this is normally a person coming into the police station saying, my money was stolen online. In that case their statement is kind of a physical statement. It's not online. You can't research it, you can't investigate it online. It has to be done through traditional investigation methods and knowing how to actually interview witnesses and interrogate suspects to get the information that you need to do better online investigations. So I mean, without witnesses and victims it's very difficult to even really start a case in some cases, unless we're doing some sort of operation. Taking cash from an ATM, which I talked about, is one of the most obvious ways that criminals go from kind of an online crime to an offline crime. There has to be some connection between the criminals in the physical world, these people who are doing this crime, and the crime that they've committed online, potentially all over the world. And we're looking for what that connection is to actually find out who they are and how they work. So for beginning cybercrime investigators, I would say it really requires some basic computer knowledge and skills that put you ahead of the average computer user. Now think about what the average computer user is in your country. Most people have knowledge of how to use a computer. They can surf the internet. They can do basic things. But the average computer user doesn't really know much beyond internet surfing, really. So even if you know a little bit more, for example how files are stored in a computer, then that will already give you a bit of an edge on potential criminals that are committing fraud or whatever online.
You'll be able to investigate them at least a little bit. So for most investigators, whenever you're starting out, even if you don't really have a strong background in technology, as long as you can study enough to get a little bit ahead of the average, then you'll be at a very good starting point. And that's what I hope this course teaches you; again, in the second half we'll get much more into the technology side of things. And we must be able to apply traditional policing skills and procedures to the case. Now, this one's very important. There are basically two kinds of people who come into cybercrime investigations or digital forensic investigations. Either people who were trained as investigators, traditional investigators: they know how to interrogate suspects, they know how to do criminal investigation processes, and that's what their training is in. But they may have little or no experience with computers. They can still do computer investigations because they know the investigation process. It might take them much longer because they don't know the technology behind it. But they still know how to, let's say, associate information with their case and potentially extract evidence. Now, the other type of people that normally do investigations are the technological people, the people who really know technology. But what we normally see is that people who maybe are excellent programmers, or who know everything about an operating system, don't necessarily know how to do investigations. Any question you give these people, they may be able to answer you, but they might not be able to actually make a whole case, or be able to support the case with evidence, because they don't know how to do proper investigations. So there needs to be kind of a mix: learning investigation procedures, how to actually conduct investigations, and learning the technology. How does the technology work? Where can I find potential sources of evidence? And you need both of those, and it really needs to be balanced.
If you have too much of one, it doesn't really help you to solve cases or put together a strong case. If you have too much technology, let's say, you might be able to find things but not make a strong case for the court, so you might lose cases. That's not good. If you don't know the technology, you might not know where to look for the evidence. So then you might also be missing evidence, and somebody who's actually guilty may get off because you couldn't make a strong case against them. So cybercrime investigations really take both areas of this knowledge. And if you're good at technology, I really strongly recommend that you look into investigation procedures: how police actually do things, how to be an expert witness, how to do interrogations. Some of those things are a little bit beyond the scope of this course, but we will talk to you a little bit about the investigation process and the technology behind that. And if you're already trained in how to do investigations, you already know how to put a case together, you know how to ask, let's say, people about the case and get the information you need to make a strong case, you need to also be studying the technology, because every type of case now, almost every type of case, is going to involve some sort of technology. So for example, even murder cases, basically ever since everyone started carrying cell phones or there have been CCTV cameras around, murder investigations rely quite heavily on technology now. They're not an online crime at all, but we still have to know how to access the data on a cell phone, for example, to find evidence about how the murderer planned their operation or how they're working, basically. So really it takes a balance. You need to study both the legal processes, investigation processes, interviews, things like that, and also the technology side of things.
So I know some people prefer one or the other, but if you don't have a balance, it's very, very difficult to get in depth into cybercrime investigation. So that's really what you need to be an investigator, and we'll talk more about each of those areas, or some of those areas, in this course, specifically on how to do investigations, or the investigation process, this week. But what I wanna talk about now is: how do we actually find people online? If somebody commits a crime, or we suspect somebody has committed a crime, how do we track them down? How do we find out who they are and what they were doing? And this comes back down to how computers, or how devices online, communicate with each other. So to communicate, two computers need to be connected in some way. We have a physical network that could be, for example, wireless, or it could be a cable, and that cable basically connects back to your service provider, your internet service provider. The internet itself, everyone that's connected across all of these different countries, uses a protocol called TCP/IP to make connections between them. It's kind of like a language that all devices on the internet can speak that lets them talk to each other. If they don't speak a common language, they can't talk to each other, so they can't exchange information. So the language we currently use is TCP/IP, and each computer must have its own unique IP address. So any computer that's speaking online has to have its own unique IP address. Think of this like your friend's cell phone number. If you wanna call your friend, your friend has a specific cell phone number and no one else can have that number. If somebody else had that cell phone number and you tried to call it, then the phone company wouldn't know which phone you're actually trying to contact. So in this case, one cell phone number for one person means that I can contact them directly. IP addresses are basically the same.
We have one IP address for a computer online, and whenever I look for that IP address, then the service provider knows where I want to contact. So then those two computers can talk to each other. Now, using that, we have essentially an identifier. So a unique identifier online that traces or tracks back to a specific computer. IP addresses: if you look at the notes, I talk about what IP addresses look like. We're currently using IP version four addresses, and basically they have kind of four numbers with periods in between; that's how you normally see them. We'll talk more about IP addresses and what they can do actually in the assignment. Each number, or each octet, in an IP version four address can have a value up to 255, and we'll talk about why that's important. But the very important thing about IP version four addresses is that it's a quite old standard. It was created a long time ago, and we're actually running out of IP addresses. Remember, every computer that wants to talk on the internet has to have a unique IP address, and we actually have only four billion IP version four addresses, but we have more than four billion devices in the world. So all of those devices want to talk online, but it's like they can't get a cell phone number because we don't have enough numbers. So we're coming up with, or came up with, another standard called IP version six. And IP version six is the new standard that some countries have already switched to, but other countries are really falling behind on. IP version six, first off, lets us have a lot more number space, so we can give a lot more devices IP addresses, but it also has some additional security features and other advanced features that IP version four doesn't have. So we're moving to IP version six in most countries, and these IP addresses are just ways that we can contact other computers on this global network, right? So why is that interesting to us? Why are we interested in IP addresses?
Well, the main reason that an investigator would be interested in an IP address is that we can figure out where communication is coming from. So every computer has its own unique IP address, and those IP addresses are regulated by a specific body called the Internet Assigned Numbers Authority, or IANA. And IANA basically says which IP address blocks are assigned to which region or which countries, right? So we know this IP address block is assigned to a specific country, and in those countries the IP addresses are assigned to organizations, or usually internet service providers. So an internet service provider in a specific country gets a certain block of IP addresses. So already we can tell from the IP address basically the country and the internet service provider that it's been assigned to. Then, whenever I'm making a connection to my internet service provider, they give me one of these IP addresses for a short period of time. They let me borrow it for a little bit. Then I can access the internet and do whatever I want with that IP address. Whenever I'm done, I kind of give the IP address back. So if I borrow an IP address from a service provider and then I try to hack a bank in another country, that bank, or anyone watching that connection, can already see which region the IP address is coming from and which ISP the IP address is coming from. And then if we ask the internet service provider who had this IP address at this specific time, depending on the country, they may be able to tell us, depending on the legislation and how we work together. We'll talk a little bit more about international cooperation. I believe it's next week. And the kind of challenges that come up whenever we're trying to request information from other countries. But you can potentially get information about what subscriber had a particular IP address at a certain time.
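To make the two points above concrete (the dotted-quad format with octets of at most 255, the roughly four billion addresses, and mapping an address to an assigned block and its ISP), here is an added example that is not part of the lecture or its notes. The allocation table is constructed with hypothetical documentation-range blocks standing in for real IANA and regional registry data, and the lookup only tells you the block, region and ISP, never the subscriber, who still has to be asked of the ISP together with the exact time.

```python
import ipaddress

# Constructed, hypothetical allocation table: CIDR block -> (region, ISP).
# Real investigations resolve blocks against IANA / regional registry (RIR) data.
ASSUMED_BLOCKS = {
    "198.51.100.0/24": ("Country A", "ExampleNet ISP"),
    "198.51.100.128/25": ("Country A", "ExampleNet ISP - North region"),
    "203.0.113.0/24": ("Country B", "Sample Telecom"),
    "2001:db8::/32": ("Country A", "ExampleNet ISP (IPv6)"),
}

# Private, loopback and link-local ranges are never lent to a single subscriber
# on the public internet, so such an address in a log cannot be traced to an ISP customer.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]


def parse_ipv4(text):
    """Validate a dotted-quad IPv4 string and return its four octets (each 0-255)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    octets = []
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"octet must be a number in 0-255: {part!r}")
        octets.append(int(part))
    return octets


def address_space(version):
    """Total addresses available: 2**32 for IPv4 (about four billion), 2**128 for IPv6."""
    return 2 ** {4: 32, 6: 128}[version]


def lookup(ip_text, blocks=ASSUMED_BLOCKS):
    """Map an address to its most specific assigned block and the region/ISP on record."""
    ip = ipaddress.ip_address(ip_text)
    result = {"ip": str(ip), "routable": True, "block": None, "region": None, "isp": None}
    if any(ip in net for net in NON_ROUTABLE):
        result["routable"] = False
        return result
    best = None
    for cidr, (region, isp) in blocks.items():
        net = ipaddress.ip_network(cidr)
        # Longest prefix wins: a /25 sub-allocation is more specific than its parent /24.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region, isp)
    if best is not None:
        result.update(block=str(best[0]), region=best[1], isp=best[2])
    return result
```

The same address may be lent to different subscribers at different times, so a block lookup is only the starting point; the time of the connection has to accompany any request to the ISP.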
So IP addresses immediately tell us basically the region and potentially the ISP that they're assigned to. Now, there are a lot of tricks, and I'll give you some links that provide some information about how suspects, or how IP addresses, can be kind of abused, or made to look like they're coming from another country or another region. There are a lot of different tricks to try to fool anyone looking at the data about which region the traffic is coming from. So for example, if I'm hacking into a bank, I don't want to let them know where I'm coming from, right? So we'll talk about some tricks that people use to try to get around being tracked. But the IP address is one of the best places for cybercrime investigators to start, because it gives us at least a connection. Once we have that connection, we can start to investigate all of the different connections that have been made, and usually trace it back through several different countries. And once we do that tracing, or that investigation, we can potentially find the source, the source of the traffic that was, let's say, hacking our bank. Once we have that, then we can potentially locate where they were located. Once we know where somebody is located, then we can potentially work with police in that country, or in our country, to find the people that are actually at that place. Now, an IP address just gives us information about a computer or some device that's online. It doesn't necessarily tell us who is behind that device. So attaching, for example, somebody's name to an IP address doesn't necessarily tell us anything. Now, sometimes it does, but in most cases it's very difficult to associate a real person with some sort of ID that we see online. There are a couple of different methods that countries are trying to implement to fix this problem, but none of them have really worked very well so far, because, I mean, it's a global network. Regional solutions don't really work in a global network.
So it's difficult to associate IP addresses with a real person, and that is where traditional investigations come in. So once I've located, for example, a place where I know a suspect is likely to be, I still have to prove that the people at that place were the ones who did it. And that's where traditional investigation comes in. Cybercrime investigation will rarely tell you that kind of thing. We might get lucky, for example, and track somebody's computer back to a certain location, and then their cell phone has evidence that they were the one who actually did it, but that doesn't necessarily tell us it was definitely them. And we'll talk more about trying to associate a user with actions later; we normally do that with digital forensic investigations. Right, so for this week, really what I wanna go through is: how do cybercrime investigators start investigations? What do we normally look for? What types of information do we normally have whenever we're starting the investigation? Potentially from a victim, potentially from a witness. Maybe, for example, we only have an email, or we only have a single IP address. How do we go from that single IP address to finding actual suspects behind whatever this crime is? So that'll be basically the topic of the next lecture, as well as all the assignments this week. Thank you.