This module is a resource for lecturers

Obstacles to cybercrime investigations

There are several obstacles that may be encountered during cybercrime investigations. One such obstacle is created by the anonymity that information and communication technology affords to users. Anonymity enables individuals to engage in activities without revealing themselves and/or their actions to others (Maras, 2016; see Cybercrime Module 10 on Privacy and Data Protection for more information about anonymity). There are several anonymization techniques that cybercriminals use (see "Note" box below). One such technique is the use of proxy servers. A proxy server is an intermediary server that is used to connect a client (i.e., a computer) with a server that the client is requesting resources from (Maras, 2014, p. 294). Anonymizers, or anonymous proxy servers, hide users' identity data by masking their IP address and substituting it with a different IP address (Chow, 2012).


Anonymization techniques are used for legal and illegal reasons. There are legitimate reasons for wanting to remain anonymous online and maintaining the protection of anonymity online (see Cybercrime Module 10 on Privacy and Data Protection). For example, anonymity facilitates the free flow of information and communications without fear of repercussions for expressing undesirable or unpopular thoughts (Maras, 2016) (as long as there are no overriding legal reasons to restrict this expression, see Cybercrime Module 3, Legal Frameworks and Human Rights, for legal and legitimate restrictions of the freedom of expression).

Cybercriminals can also use anonymity networks to encrypt traffic (i.e., block access to it) and hide the Internet Protocol address (or IP address), "a unique identifier assigned to a computer [or other Internet-connected digital device] by the Internet service provider when it connects to the Internet" (Maras, 2014, p. 385), in an effort to conceal their Internet activities and locations. Well-known examples of anonymity networks are Tor, Freenet, and the Invisible Internet Project (known as I2P).

Did you know?

The Onion Router (or Tor), which enables anonymous access, communication, and information sharing online, was originally developed by the United States Naval Research Laboratory to protect intelligence (Maras, 2014a; Maras, 2016; Finklea, 2017). Since the release of Tor to the public, it has been used by individuals to protect themselves against private and government surveillance of their online activities. Nonetheless, Tor and other anonymizing networks have also been utilized by cybercriminals to commit and/or share information and/or tools to commit cyber-dependent and cyber-enabled crimes (Europol, 2018).

These anonymity networks not only "mask users' identities, but also host their websites via…[their] 'hidden services' capabilities, which mean[s] [that these] sites can only be accessed by people on" these anonymizing networks (Dredge, 2013). These anonymity networks are thus used to access darknet (or Dark Web) sites (see box).

World Wide Web: The Basics

The most common visualization of the World Wide Web is as an iceberg in the ocean. The part of the iceberg above the surface is known as the Surface Web (or Visible Web or clearnet). This part of the Web includes indexed sites that are accessible and available to the public, and can be searched using traditional search engines, such as Google or Bing (Maras, 2014b). The Deep Web is the part of the iceberg that is below the surface. It includes sites that are not indexed by search engines and are not easily accessible and/or available to the public, such as password-protected sites (Maras, 2016). These sites can be accessed directly if the Uniform Resource Locator (URL; i.e., website address) is known and/or user credentials (i.e., usernames, passwords, passphrases, etc.) are provided to gain access to password-protected websites and online forums. The Dark Web requires the use of specialized software to access its sites because of its use of anonymity-enhancing tools to obscure access and hide sites (Finklea, 2017).

Attribution is another obstacle encountered during cybercrime investigations. Attribution is the determination of who and/or what is responsible for the cybercrime. This process seeks to attribute the cybercrime to a particular digital device, user of the device, and/or others responsible for the cybercrime (e.g., if the cybercrime is state-sponsored or directed) (Lin, 2016). The use of anonymity-enhancing tools can make the identification of the devices and/or persons responsible for the cybercrime difficult.

Did you know?

The Electronic Privacy Information Center includes information about and links to "anonymity-enhancing tools" on its website (Lin, 2016).

Attribution is further complicated through the use of malware-infected zombie computers (or botnets; discussed in Cybercrime Module 2 on General Types of Cybercrime) or digital devices controlled by remote access tools (i.e., malware that is used to create a backdoor on an infected device to enable the distributor of the malware to gain access to and control of systems). These devices can be used, unbeknownst to the user whose device is infected, to commit cybercrimes.

Did you know?

The establishment of an international organization for cyber attribution has been discussed in academic literature.

Want to learn more?

Davis II, John S., Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase. (2017). Stateless Attribution: Toward International Accountability in Cyberspace. RAND.

Back-tracing (or traceback) is the process of tracing illicit acts back to the source (i.e., perpetrator and/or digital device) of the cybercrime. Traceback occurs after a cybercrime has occurred or when it is detected (Pihelgas, 2013). A preliminary investigation is conducted to reveal information about the cybercrime (i.e., how it occurred) through an examination of log files (i.e., event logs, which are files that systems produce to record activity). For instance, event logs "automatically record… events that occur within a computer to provide an audit trail that can be used to monitor, understand, and diagnose activities and problems within the system" (Maras, 2014, p. 382). Examples of these logs are application logs, which record "events that are logged by programs and applications," and security logs that "record all login attempts (both valid and invalid) and the creation, opening or deletion of files, programmes or other objects by a computer user" (Maras, 2014, p. 207). These event logs may reveal the IP address used in the cybercrime.

Traceback can be time-consuming. The time it takes to complete this process depends on the knowledge, skills, and abilities of the perpetrators and the measures they have taken to conceal their identities and activities. Depending on the tactics used by cybercriminals to perpetrate the illicit acts, tracing may not lead to a single identifiable source (Pihelgas, 2013; Lin, 2016). For example, this can be observed in cases where malware-infected zombie computers are utilized to commit cybercrime or when multiple perpetrators simultaneously conduct a distributed denial of service attack (i.e., DDoS attack) against a system or website (for more information about these cybercrimes, see Cybercrime Module 2 on General Types of Cybercrime).
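The preliminary log review described above can be sketched as follows. This is an added example, not part of the original module: the sshd-like log format, the sample lines, the 0.8 threshold and the function names are all assumptions made for illustration. It extracts source addresses from login events and reports whether the failures point to one dominant source or are spread across several.

```python
import ipaddress
import re
from collections import Counter

# Constructed security-log lines (sshd-like format). Addresses come from the
# RFC 5737 documentation ranges and stand in for public addresses.
SAMPLE_LOG = """\
Mar  1 02:14:07 host sshd[811]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  1 02:14:09 host sshd[811]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar  1 02:14:12 host sshd[811]: Failed password for invalid user admin from 203.0.113.77 port 41810 ssh2
Mar  1 02:14:15 host sshd[811]: Failed password for root from 192.0.2.140 port 33012 ssh2
Mar  1 02:15:40 host sshd[811]: Failed password for backup from 10.0.4.18 port 60211 ssh2
Mar  1 02:16:02 host sshd[811]: Accepted password for root from 198.51.100.23 port 50130 ssh2
"""

EVENT = re.compile(r"(Failed|Accepted) password for (?:invalid user )?\S+ from (\S+) port \d+")
# Ranges that never identify an outside party and have no registry record to query.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def login_sources(log_text):
    """Return (failed, accepted) Counters keyed by source address."""
    failed, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:  # malformed address field: skip rather than guess
            continue
        (failed if m.group(1) == "Failed" else accepted)[ip] += 1
    return failed, accepted

def traceback_leads(log_text, dominant_share=0.8):
    """Summarise which sources a registry lookup could follow up on."""
    failed, accepted = login_sources(log_text)
    external = {ip: n for ip, n in failed.items() if not any(ip in net for net in INTERNAL)}
    total = sum(external.values())
    ranked = sorted(external.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return {
        "external": [(str(ip), n) for ip, n in ranked],
        "internal": sorted(str(ip) for ip in failed if ip not in external),
        # One address producing most failures suggests a single origin; a flat
        # spread (botnet, DDoS) means tracing will not end at one source.
        "single_source": bool(ranked) and ranked[0][1] / total >= dominant_share,
        "failed_then_accepted": sorted(str(ip) for ip in accepted if ip in failed),
    }
```

An address in the result identifies only the last device the traffic passed through, which may be a proxy or an infected machine rather than the perpetrator.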

The Internet Corporation for Assigned Names and Numbers' (ICANN) Internet Assigned Numbers Authority (IANA) manages the allocation of IP addresses, among other things, to Regional Internet Registries (RIRs), which are responsible for overseeing the registration of IP addresses in their regions (Maras, 2014, p. 288-289). Five RIRs exist: the African Network Information Centre (AFRINIC); Asia Pacific Network Information Centre (APNIC); American Registry for Internet Numbers (ARIN); Latin American and Caribbean Network Information Centre (LACNIC); and the Réseaux IP Européens Network Coordination Centre (RIPE NCC). RIRs provide information about IP addresses, organizations associated with the IP addresses, and contact information of these organizations (e.g., addresses, emails, and phone numbers).

To identify the Internet service provider (ISP) associated with the IP address, the cybercrime investigator can use ICANN's WHOIS query tool. RIRs provide access to WHOIS services via their websites. WHOIS data is the registration information that has been provided by individuals, corporations, organizations, and governments when registering domain names, which includes names and contact information (e.g., phone numbers, addresses, and emails) (ICANN WHOIS, n.d.). The WHOIS query tool can be used to identify the contact information and location of the organization associated with a domain name (Maras, 2014, p. 290). The WHOIS query tool can also be used to identify the contact information and location of the organization associated with an IP address (Maras, 2014, p. 289). However, publicly available WHOIS data (particularly data that is considered personal data under the GDPR) was impacted by the European Union (EU) General Data Protection Regulation (GDPR), a single data protection law that came into force on 25 May 2018. The GDPR governs data processing, storage, use, and exchange of data in EU Member States and other countries, agencies, and private organizations outside of the EU that provide goods and services to the EU and process data of EU residents (see Cybercrime Module 10 on Privacy and Data Protection for more information about the GDPR; for more information about its impact on WHOIS data, see TrendMicro, 2018; and ICANN, n.d.).
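The lookup described above runs over the WHOIS protocol (RFC 3912): the client sends the query followed by CRLF to TCP port 43 and reads the reply until the server closes the connection. The following is an added example, not part of the original module, that shows this exchange and parses the reply into the fields an investigator needs. The sample replies, the server name `whois.rir.example`, the organization and the field names are constructed assumptions; real field names differ between registries.

```python
import socket

# Constructed replies (documentation address range, invented organisation).
IANA_REPLY = """% constructed IANA-style referral
refer:        whois.rir.example
inetnum:      192.0.2.0 - 192.0.2.255
"""
RIR_REPLY = """% constructed RIR-style record
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-ISP-NET
country:        ZZ
org-name:       Example ISP Ltd
person:         REDACTED FOR PRIVACY
abuse-mailbox:  abuse@isp.example
"""

FIELDS = ("refer", "netname", "org-name", "country", "person", "abuse-mailbox")

def whois_query(server, query, timeout=10.0):
    """One RFC 3912 exchange: query + CRLF on TCP port 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Collect 'key: value' lines, skipping comments; repeated keys keep all values."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def summarize(text):
    """Map each field of interest to its first value, or None if absent or withheld."""
    record = parse_whois(text)
    out = {}
    for key in FIELDS:
        values = record.get(key, [])
        withheld = not values or "redacted" in values[0].lower()
        out[key] = None if withheld else values[0]
    return out
```

A `refer` value names the registry server to query next; a field returned as `None` is one where the record is silent or redacted, which is where a legal order to the ISP becomes the remaining route to subscriber data.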

Once an ISP has been identified, cybercrime investigators may contact the ISP associated with the IP address to retrieve the information about the subscriber using that IP address (Lin, 2016); however, ISPs cannot always be compelled to provide personal information without appropriate legal documents, and in some cases pre-existing privacy laws/protections may prohibit these orders (Mayeda, 2015). The legal order (i.e., subpoena, search warrant or court order) used to retrieve this information varies by country (see Cybercrime Modules 6 and 7 for further information about legal orders in cybercrime investigations).

Did you know?

WHOIS is not an acronym; "it is a system that asks the question, who is responsible for a domain name or an IP address?" (ICANN WHOIS, n.d.).

The lack of harmonized national cybercrime laws, international standardization of evidentiary requirements (both in terms of admissibility in a court of law, and in terms of international state responsibility), mutual legal assistance on cybercrime matters, and timely collection, preservation, and sharing of digital evidence between countries, also serve as obstacles to cybercrime investigations (see Cybercrime Module 3 on Legal Frameworks and Human Rights, and Cybercrime Module 7 on International Cooperation against Cybercrime). In regard to certain types of cybercrime, especially cybercrimes that are politically motivated, a general lack of will of countries to cooperate in these cases has been observed (see Cybercrime Module 14 on Hacktivism, Terrorism, Espionage, Disinformation Campaigns, and Warfare in Cyberspace for more information about these cybercrimes).

Cybercrime investigators also face technical challenges. For example, numerous digital devices have proprietary operating systems and software that require the use of specialized tools to identify, collect, and preserve digital evidence (see Cybercrime Module 4 on Introduction to Digital Forensics for further information about digital evidence, digital devices, and digital forensics tools). What is more, investigators may not have the necessary equipment and digital forensics tools needed to adequately conduct cybercrime investigations involving digital devices (see Cybercrime Module 7 on International Cooperation against Cybercrime).

Other obstacles to cybercrime investigations include the existing limited abilities of law enforcement agencies to conduct these investigations (Leppanen and Kankaanranta, 2017). In countries where national specialized units exist, they only investigate a limited number of cybercrime cases. The prevalence of information and communication technology in criminal investigations makes such a practice ineffective (Hinduja, 2004; Köksal, 2009; UNODC, 2013; Leppanen and Kankaanranta, 2017). The training of national law enforcement officers in non-specialized areas of policing and non-technical specialized units (e.g., drug crime, organized crime, crimes against children) on cybercrime, ICT-related investigations, and digital forensics is one way to strengthen national capacity (UNODC, 2013; the importance of enhancing national capacity in cybercrime investigations, and the ways in which to deal with the current deficits in national capacity to investigate cybercrimes, are further explored in Cybercrime Module 7 on International Cooperation against Cybercrime). Moreover, these limited law enforcement abilities are further compounded by the short lifespan of the expertise of cybercrime investigators (Harkin, Whelan, and Chang, 2018, p. 530). Specifically, information and communication technology is continuously evolving. Because of this, cybercrime investigators must be "lifelong learners," continuously training to remain current on technologies, cybercriminals, and their motives, targets, tactics, and methods of operation (M.O.). Furthermore, government and national security agencies are experiencing what is known as a "brain drain," whereby highly trained and skilled cybercrime investigators are leaving these agencies to join the private sector, which provides better financial compensation for their knowledge, skills, and abilities (Harkin, Whelan, and Chang, 2018, p. 530). 
These capacity and staffing issues need to be considered by countries as they serve as significant obstacles to cybercrime investigations (Sucio, 2015; PBS, 2018).
