This module is a resource for lecturers

Who conducts cybercrime investigations?

First responders in cybercrime investigations are responsible for "securing" digital evidence at the "scene" (the location) of a cybercrime (e.g., this could be the target or targets of the cybercrime and/or the information and communication technology used to commit cyber-dependent and/or cyber-enabled crime). A first responder can be a law enforcement agent, digital forensics expert, military police officer, private investigator, an information technology specialist, or other person (e.g., an employee in the workforce) who is tasked with responding to incidents of cybercrime. This illustrates that the public and private sector, as well as national security agencies, conduct cybercrime investigations (to varying degrees). Irrespective of who the first responder is, search and seizure practices for information and communications technologies (ICT) must be in accordance with national law, and the methods used to obtain digital evidence from ICT must be valid and reliable to ensure its admissibility in a court of law (Maras, 2014; see Cybercrime Module 4 on Introduction to Digital Forensics for further information about the validity and reliability of digital evidence).

Criminal Justice Agencies

Criminal justice agents, such as law enforcement officers, prosecutors, and judges, are responsible for the prevention, mitigation, detection, investigation, prosecution, and adjudication of cybercrime. The specific agencies responsible for cybercrime cases vary by country. In the United Kingdom, for example, more than one agency investigates cybercrime, including regional law enforcement agencies and the National Cyber Crime Unit, which is part of the National Crime Agency (Global Cyber Security Capacity Centre, 2016c). In contrast, only one agency investigates cybercrime in Sierra Leone, the Police Cyber Crime Prevention Unit (Global Cyber Security Capacity Centre, 2016d), in Ecuador, the "Technological Crimes Investigations Unit of the National Directorate of the Judicial and Investigative Police is responsible for investigating cybercrime" (Inter-American Development Bank, 2016, p. 72), and in Iceland, the digital forensics unit in the Reykjavik Metropolitan Police (Global Cyber Security Capacity Centre, 2017c).

What is more, in certain countries, multiple agencies can be involved in the investigation of the same cybercrime. The agencies involved depend on the type of cybercrime being investigated. For example, in Cyprus, online financial fraud is investigated by the Criminal Investigative Department, as well as the Financial Crime Unit at the Cyprus Police Headquarters (Global Cyber Security Capacity Centre, 2017b). Many countries designate official points of contact as a result of the variation that exists in regard to agency responsibility and involvement in cybercrime cases. In Cyprus, for example, the 24/7 point of contact is the Office for Combating Cybercrime (Global Cyber Security Capacity Centre, 2017b).

Criminal justice agents require specialized knowledge (i.e., information relating to a subject matter area needed to perform a task), skills (i.e., expertise in a subject matter area), and abilities (i.e., use of knowledge and skills to perform a task) (collectively known as KSAs; see the "Example of KSAs of Cybercrime Investigator" box below) beyond those required to investigate, prosecute, and/or adjudicate (offline) criminal cases. For example, law enforcement officers should be able to investigate cybercrimes and/or other crimes incidentally involving information and communication technology (e.g., smartphone used to store evidence of the crime) and properly handle ICT during the investigation (i.e., identify, obtain, preserve, and analyse digital evidence in a manner that ensures its admissibility in court) (National Initiative for Cybersecurity Careers and Studies, n.d.). The ability of law enforcement to investigate cybercrime depends on the country and varies between agencies within the country. For example, in the Kyrgyz Republic, law enforcement agencies have limited abilities to investigate cybercrime due to a lack of specialized KSAs, training, and human and financial resources (Global Cyber Security Capacity Centre, 2017a). In Madagascar, a 2017 report revealed that while there was "no specialised cybercrime unit in the law enforcement structure… some dedicated staff members of the National Police and Gendarmerie work[ed] on cybercrime" (Global Cyber Security Capacity Centre, 2017a, p. 33). In contrast, in France, there are several units specially trained to carry out cybercrime investigations (e.g., Les investigateurs en Cybercriminalité (ICC) and N-TECH, part of the National Gendarmerie) (for reports about other countries, see the cybersecurity capacity portal of the Global Cyber Security Capacity Centre).

Example of KSAs of Cybercrime Investigator

The US National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (discussed in Cybercrime Module 8 Cybersecurity and Cybercrime Prevention: Strategies, Policies, and Programmes) includes the KSAs for cybersecurity and cybercrime-related jobs. For instance, NICE's Cybersecurity Workforce Framework lists the following KSAs for a cybercrime investigator (US National Initiative for Cybersecurity Careers and Studies, n.d.):


  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • K0004: Knowledge of cybersecurity and privacy principles.
  • K0005: Knowledge of cyber threats and vulnerabilities.
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses.
  • K0046: Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0107: Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations.
  • K0110: Knowledge of adversarial tactics, techniques, and procedures.
  • K0114: Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, digital scanners, electronic organizers, hard drives, memory cards, modems, network components, networked appliances, networked home control devices, printers, removable storage devices, telephones, copiers, facsimile machines, etc.).
  • K0118: Knowledge of processes for seizing and preserving digital evidence.
  • K0123: Knowledge of legal governance related to admissibility (e.g. Rules of Evidence).
  • K0125: Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
  • K0128: Knowledge of types and collection of persistent data.
  • K0144: Knowledge of social dynamics of computer attackers in a global context.
  • K0155: Knowledge of electronic evidence law.
  • K0156: Knowledge of legal rules of evidence and court procedure.
  • K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • K0209: Knowledge of covert communication techniques.
  • K0231: Knowledge of crisis management protocols, processes, and techniques.
  • K0244: Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity.
  • K0251: Knowledge of the judicial process, including the presentation of facts and evidence.
  • K0351: Knowledge of applicable statutes, laws, regulations and policies governing cyber targeting and exploitation.
  • K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list).


  • S0047: Skill in preserving evidence integrity according to standard operating procedures or national standards.
  • S0068: Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  • S0072: Skill in using scientific rules and methods to solve problems.
  • S0086: Skill in evaluating the trustworthiness of the supplier and/or product.


  • A0174: Ability to find and navigate the dark web using the TOR network to locate markets and forums.
  • A0175: Ability to examine digital media on multiple operating system platforms.

Other criminal justice agents, such as prosecutors and judges, also require specialized knowledge of cybercrime and digital forensics (e.g., a "branch of forensic science that focuses on criminal procedure law and evidence as applied to computers and related devices;" Maras, 2014, p. 29; discussed in Cybercrime Module 4 on Introduction to Digital Forensics and Cybercrime as well as Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics). Like law enforcement agencies, the sufficiency of training of prosecutors and judges varies between and even within countries. For example, the Crown Prosecution Service in the United Kingdom is well equipped to prosecute cybercrimes, whereas, as of 2016, prosecutors at the local level did not have the same training and resources to prosecute cybercrime (Global Cyber Security Capacity Centre, 2016c). In 2017, Sierra Leone revealed that prosecutors and judges did not have the necessary KSAs and resources to prosecute and adjudicate cybercrime (Global Cyber Security Capacity Centre, 2016d). Likewise, in Iceland, prosecutors and judges received only ad hoc training on cybercrime matters on a voluntary basis (Global Cyber Security Capacity Centre, 2017c). Judiciary training is needed on basic cybercrime and digital forensics information, expert testimony on cybercrime matters, and digital evidence admittance in court. As of 2017, Senegal reported that judges do not receive this type of training (Global Cyber Security Capacity Centre, 2016b).

Beyond national criminal justice agencies, regional agencies, such as the European Union Agency for Law Enforcement Cooperation (Europol) (promoting law enforcement cooperation in the European Union) and Eurojust (promoting judicial cooperation in the European Union), and international agencies, such as INTERPOL (i.e., International Criminal Police Organization; promoting international law enforcement cooperation), assist and/or facilitate cross-border cybercrime investigations. For example, Europol's sharing of intelligence and resources with European Union Member States led to the arrest of a criminal, who was known for selling counterfeit EUR 50 banknotes online on illicit dark markets (Europol, 2018c).

National Security Agencies

National security agencies may be involved in cybercrime investigations (e.g., in some countries the military might be involved in cybercrime investigations, whereas in other countries these investigations might be run by intelligence agencies or national cyber directorates). However, national security agencies' involvement in cybercrime investigations depends on the cybercrime under investigation, the target(s) of the cybercrime, and/or the perpetrators of the cybercrime. For example, the military could investigate cybercrimes that have some connection to the military - that is, cybercrimes committed against its people, property, and/or information, and/or committed by its people. A case in point is the United States, which has its own military law enforcement personnel who investigate violations of the Uniform Code of Military Justice. In addition to investigating these cybercrimes (or at the very least being involved in some way in the investigations of the cybercrimes), the military and other national security agencies could be responsible for identifying, mitigating, preventing, and responding to cybercrimes targeting the systems, networks, and data of these agencies, and systems containing classified information (see Cybercrime Module 14 on Hacktivism, Terrorism, Espionage, Disinformation Campaigns, and Warfare in Cyberspace for more information).

National security agencies around the world have developed and/or are currently developing their cyberdefensive capabilities (i.e., measures that are designed to detect and prevent cybercrimes, and mitigate the impact of these cybercrimes should they occur; Maras, 2016) and cyberoffensive capabilities (i.e., measures that are "designed to penetrate enemy systems and cause harm or damage" and/or respond to a cyberattack; Maras, 2016, p. 391). It is the recognition of cyberspace as another domain of warfare (the fifth domain, following land, sea, air, and space; a.k.a., domain of operations, see "Did you know?" box below) that led to national security agencies' increased involvement in cyberspace (Smeets, 2018; Kremer, 2014; Kallender and Hughes, 2017). For example, in the United States, this identification of a fifth domain of warfare led to the creation of the United States Cyber Command (USCYBERCOM). Like the United States, other countries, such as the Netherlands, Germany, Spain, the Republic of Korea, and Japan, similarly created equivalent cyber commands and/or centres or units (Smeets, 2018; Kremer, 2014; Kallender and Hughes, 2017; Ingeniería de Sistemas para la Defensa de España, n.d.). The North Atlantic Treaty Organization (NATO) has also recognized cyberspace as the fifth domain of warfare (NATO CCDCE, 2016).

Did you know?

In the Philippines, the preferred term is "domain of operations." According to Section 2 of their Constitution, "The Philippines renounces war as an instrument of national policy, adopts the generally accepted principles of international law as part of the law of the land and adheres to the policy of peace, equality, justice, freedom, cooperation, and amity with all nations."

Private Sector

The private sector plays an essential role in the detection, prevention, mitigation, and investigation of cybercrime because it predominantly owns and manages the critical infrastructure (i.e., considered essential to the functioning of society) in countries and is one of the primary targets of many cyber-dependent (i.e., those cybercrimes that seek to compromise the confidentiality, integrity, and availability of systems, networks, services, and data, such as hacking, malware distribution, and distributed denial of service or DDoS attacks) and cyber-enabled crimes (e.g., online financial fraud, identity-related crime, and theft of data and trade secrets, to name a few) (for further information about these cybercrimes, and other forms of cyber-dependent and cyber-enabled crimes, see Cybercrime Module 2 on General Types of Cybercrime).

According to the United Nations Security Council Resolution 2341 (2017), "each [s]tate determines what constitutes…critical infrastructure" within its own territory. Because this designation is dictated by the state, variation exists between countries with regard to their designation of critical infrastructure. For example, Australia has designated eight sectors as critical infrastructure (i.e., health; energy; transportation; water; communications; food and grocery; banking and finance; and Commonwealth government) (Australian Government, Department of Home Affairs, n.d.), whereas the United States has designated 16 (chemical; commercial facilities; communications; critical manufacturing; dams; defence industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems) (US Department of Homeland Security, n.d.).

Did you know?

The term critical infrastructure is not universally used by countries to describe essential infrastructure (United Nations Security Council Counter-Terrorism Committee Executive Directorate and United Nations Office of Counter-Terrorism, 2018). For example, instead of critical infrastructure, New Zealand uses the term "lifelines" to refer to its vital infrastructure, which includes energy, communications, transportation, and water (New Zealand Lifelines Council, 2017).

The "command and control networks and systems that are designed to support industrial processes" of critical infrastructure are known as industrial control systems (ICS) (ENISA, n.d.). According to the European Union Agency for Network and Information Security,

ICS have passed through a significant transformation from proprietary, isolated systems to open architectures and standard technologies highly interconnected with other corporate networks and the Internet. Today ICS products are mostly based on standard embedded systems platforms, applied in various devices, such as routers or cable modems, and they often use commercial off-the shelf software. All this has resulted in reduction of costs, ease of use and enabled the remote control and monitoring from various locations. However, an important drawback derived from the connection to intranets and communication networks, is the increased vulnerability to computer network-based attacks (ENISA, n.d.).

It is these vulnerabilities, as well as those resulting from inadequate physical and personnel security measures (e.g., the ability of an individual to bring an infected flash drive into a critical infrastructure (CI) and physically connect it to CI systems; see Cybercrime Module 9 on Cybersecurity and Cybercrime Prevention: Practical Applications and Measures for more information about practical cybersecurity measures), that make cybercrime targeting CI possible.

Because the private sector predominantly owns and manages critical infrastructure and is one of the primary targets of cybercriminals, it is best placed to deploy security measures designed to proactively identify cybercrimes and cybercriminals in an effort to prevent or at the very least mitigate cybercrimes, as well as to respond to the cybercrimes that are occurring or have occurred (for further information about the measures implemented to prevent, mitigate and respond to cybercrime, see Cybercrime Module 9 on Cybersecurity and Cybercrime Prevention: Practical Applications and Measures). The degree to which the private sector deploys these measures depends on the organization, business or type of entity and its human, financial, and technical resources and capabilities.

The private sector also conducts private investigations of cybercrime. The private sector is vulnerable to both internal threats (e.g. cybercrimes committed by employees or executives of the business or organization) and external threats (e.g., cybercrimes committed by those with some connection to the business or organization - for example, a vendor or customer - or those with no association to the business or organization) (Maras, 2014, p. 253). When a cybercrime occurs, businesses and organizations often do not contact law enforcement authorities. This, however, depends on the cybercrime, the human, technical, and financial resources of the private sector entity, and the impact of the cybercrime on the entity vis-à-vis the impact of the reporting of the cybercrime on the entity (e.g., potential harm to reputation and/or loss of consumer confidence) (Maras, 2014; Maras, 2016).

Yahoo Inc.'s Failure to Report a Data Breach

Yahoo Inc. (now known as Altaba) reported one (of several) data breaches they experienced two years after the breach. As a result of this disclosure, "Yahoo's stock price fell by 3 percent, amounting to a loss of nearly $1.3 billion in market capitalization. Moreover, the company, which [at the time] was in negotiations to sell its operating businesses to Verizon, was forced to accept a 7.25 percent discount on the purchase price, amounting to a decrease of $350 million" (Dicke and Caloza, 2018). Because of Yahoo's failure to report the data breach in a timely manner, the company was also fined $35 million by the US Securities and Exchange Commission (US Securities and Exchange Commission, 2018).

Like law enforcement agencies, private companies and organizations conduct investigations in response to a detected or reported cybercrime. The purpose of this investigation is to obtain information about the incident and build a case against the perpetrator (or perpetrators) of the cybercrime (or cybercrimes). Depending on the size and resources of the private companies and organizations, the investigation may be conducted by investigators on staff or investigators hired from external businesses (Maras, 2014). Individuals involved in cybercrime investigations include private companies, industry bodies, trade organizations, and companies providing security, investigative, and digital forensics services (Hunton, 2012). At times, information technology professionals and digital forensics experts, who are all non-governmental sector stakeholders, have been used by private companies and organizations to collect and preserve digital evidence. However, these professionals may not have the necessary KSAs to conduct cybercrime investigations and to appropriately handle digital evidence of a cybercrime to ensure its admissibility in courts of law (Maras, 2014).

Public-Private Partnerships and Task Forces

The private sector has the human, financial, and technical resources to conduct cybercrime investigations, and can assist national security agencies, law enforcement authorities, and other government agencies on cybercrime matters. In light of this, internationally, numerous public-private partnerships have been developed to enhance countries' capabilities to investigate cybercrime (Shore, Du, and Zeadally, 2011). A case in point is INTERPOL's Cyber Fusion Centre, which includes both law enforcement and industry cyber experts, who work together to provide actionable intelligence and share this intelligence with relevant stakeholders (INTERPOL, n.d.). TrendMicro (a cybersecurity and defence company), Kaspersky (cybersecurity and anti-virus provider), and other private companies that either work on cybercrime or cybersecurity related matters, and/or are Internet service and content providers or other Internet companies, work closely with INTERPOL (INTERPOL, n.d.). The North Atlantic Treaty Organization (NATO) also cooperates with allies, in general, and the European Union and the private industry, in particular, through its Technical Arrangement on Cyber Defence and NATO Industry Cyber Partnership.

Nationally, public-private partnerships (PPPs) have also been developed. In the United States, the National Cyber Forensics and Training Alliance brings together cybercrime subject matter experts from government, academia and the private sector to detect, mitigate, and counter cybercrime (NCFTA, n.d.). In Japan, a similar PPP to NCFTA was created - the Cybercrime Control Center (JC3, 2014). In Europe, the 2Centre partnership includes law enforcement agencies, academia, and the private sector. This PPP began with national centres in Ireland and France and expanded to include national centres in other countries; as of 2017, Greece, Spain, Belgium, Estonia, Lithuania, Bulgaria, and England have centres (Cybercrime Centres of Excellence Network for Training, Research and Education, n.d.).

In addition to PPPs, national task forces have been created to assist in cybercrime investigations. These task forces enable law enforcement agencies of differing jurisdictions within countries (be it local, state, or federal/national) to work together on cybercrime cases. These task forces, depending on the country and/or region, can also include members of academia and private companies and organizations. A case in point is the US Federal Bureau of Investigation's National Cyber Investigative Joint Task Force (NCIJTF), which

is comprised of…partnering agencies from across law enforcement, the intelligence community, and the Department of Defense, with representatives who are co-located and work jointly to accomplish the organization's mission from a whole-of-government perspective. As a unique multi-agency cyber center, the NCIJTF has the primary responsibility to coordinate, integrate, and share information to support cyber threat investigations, supply and support intelligence analysis for community decision-makers, and provide value to other ongoing efforts in the fight against the cyber threat to the nation (FBI, n.d.).

Other task forces have been created that deal with specific cybercrimes. For example, the Electronic Crimes Task Force (ECTF), a US Secret Service task force, is responsible for the prevention, mitigation, detection, and investigation of cybercrimes, including those committed against financial payment systems and critical infrastructure (US Secret Service, n.d.). Pursuant to the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001, the US Secret Service created a network of Electronic Crimes Task Forces (ECTFs) across the United States. These task forces work with local, state, and federal law enforcement agencies, as well as other criminal justice agents (i.e., prosecutors), academia, and the private sector (US Secret Service, n.d.). A European Electronic Crime Task Force (EECTF) was created in 2009. The EECTF collects, analyses, and disseminates information about best practices.

Although criminal justice agencies, national security agencies, the private sector, PPPs and task forces are the major actors in conducting cybercrime investigations, independent investigations of cybercrime may also be conducted by civil society institutions, journalists, and the public. A case in point is Citizen Lab, whose published research includes "investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities" (Citizen Lab, n.d.). In addition, members of the public may offer unsolicited assistance to law enforcement by conducting their own independent investigations online; this was observed in the aftermath of the 2013 Boston bombings (Nhan, Huey, and Broll, 2017). Moreover, certain elements of a cybercrime investigation can be and have been outsourced (e.g., the identification of illicit material online) to the public through an open call (this process is known as crowdsourcing). For example, "Europol launched a crowdsourcing initiative to expand the search for the origin of child sexual abuse images to the general public. Since the start of the project, on 1 June 2017, more than 22 000 tips have been sent to Europol which has already resulted in eight children identified and one offender arrested thanks to the help from ordinary citizens" (Europol, 2018a).
