With the widespread adoption of the internet globally, we have seen increasing threats in the cyber sphere to public safety, economic and national security. In the United States, the Department of Justice plays a key role in detecting, deterring and disrupting cyber threats. This involves a number of different methods of gathering evidence, making use of key prosecution tools available, as well as other means of disrupting cyber threats.
How does the Department of Justice gather evidence about cyber threats?
Evidence Collection During Incident Response
Once a victim has alerted law enforcement to a cyber incident, evidence is collected as part of the response. To gain insight into the criminal’s activities, investigators may obtain digital copies of affected devices, firewalls and log servers. If the incident has occurred in a business context, investigators may also interview employees and management.
Online Data Review
After reviewing the evidence collected during the incident response, investigators will often review online data, much of it open source, to determine their next steps. One resource commonly used is the WHOIS database, a directory of the registration records behind domain names and IP address allocations on the internet.
Searching Records from Online Providers
Successful online data reviews often result in the identification of e-mail providers, social media companies, registrars, and web hosting and computer hosting companies that may control additional evidence about a suspect. Investigators may obtain a search warrant allowing them to obtain evidence from these providers.
Online Undercover Operations
Investigators may establish covert online personas or assume the accounts and identities of victims or co-operators, to communicate online with the targets of the investigation and gather evidence.
Investigators may also intercept communications. This type of activity includes ‘tapping’ phones, and intercepting email or social media communications.
Cyber actors will often use The Onion Router (Tor) to hide their true IP address. Investigators can use Network Investigative Techniques (NITs), whereby computer code is sent covertly to a device that is hidden behind proxies. Once installed, a NIT can send law enforcement particular information, often including the device’s true IP address, which can help to identify the user of the device.
Tracing Financial Transactions
In targeting proceeds of crime, the Department works with the relevant authorities to confiscate assets and seize bank accounts linked to criminals. Criminals increasingly use virtual currencies such as bitcoin, which have inherent anonymising characteristics, to facilitate their activities. Seizing virtual currency linked to criminal activity presents further challenges for law enforcement.
Traditional and Forensic Searches Involving Storage Media
Once a criminal is identified and arrested, investigators will seek electronic evidence from personal storage media, such as laptops and phones.
Cooperation with Foreign Governments
Cyber crimes are typically transnational by nature, and cooperation between governments is essential for a successful investigation.
International extradition treaties and mutual legal assistance treaties (MLATs) support U.S. investigations and prosecutions of cybercriminals by returning fugitives to the United States to face trial, and by obtaining the evidence located overseas that is needed to build a case against them.
These instruments also facilitate the extradition of fugitives located in the United States to their home country, and the transfer of evidence to foreign partners to support criminal investigations.
Joint or Parallel Investigations
Law enforcement agencies from separate countries may choose to work together in the investigation of crimes that are relevant to both countries, through joint or parallel investigations. These investigations may be especially useful in the absence of a treaty.
Key Prosecution Tools
Once investigators have gathered evidence of cyber threat activity, the Department’s prosecuting attorneys then determine whether that evidence is sufficient to bring charges under U.S. federal law. Cyber threat activity is a U.S. federal crime if it violates one or more of the following statutes, amongst others:
- Computer Fraud and Abuse Act: 18 U.S.C. § 1030
- Wire Fraud: 18 U.S.C. § 1343
- Identity Theft: 18 U.S.C. §§ 1028(a)(7) and 1028A
- Economic Espionage and Theft of Trade Secrets: 18 U.S.C. §§ 1831–1832
- Criminal Copyright: 17 U.S.C. § 506
- Access Device Fraud: 18 U.S.C. § 1029
- Racketeer Influenced and Corrupt Organizations (RICO) Act: 18 U.S.C. §§ 1961–1968
- Wiretap Act: 18 U.S.C. § 2511
- Money Laundering: 18 U.S.C. §§ 1956, 1957
- Controlling the Assault of Non-Solicited Pornography and Marketing Act: 18 U.S.C. § 1037
- National Security Statutes (various)
Other Means of Combatting Cyber Threats
In addition to investigating and prosecuting cyber offences, the Department of Justice works to prevent cyber incidents from occurring in the first place. This involves working together with international partners and members of the private sector to disrupt key infrastructure and tools used by cyber actors, preventing them from accessing victims and criminal proceeds.
Disrupting and Disabling International Botnets
An example of such activity is seizing the domains a botnet uses to communicate with its command-and-control servers, which shuts down the botnet’s capacity to commit fraud.
Dark Web Disruptions
Criminal operations on the dark web can be disrupted through effective cybercrime investigations: users engaging in illegal activity are identified, their websites, domains, servers and proceeds of crime are seized, and they are criminally prosecuted.
Sanctions and Designations
The Department of Justice works together with other government agencies and regulatory bodies to identify and impose sanctions on malicious cyber actors.
The United States Department of Justice plays a key role in protecting the U.S. against cyber threats. This involves investigating and prosecuting cyber offences and criminals, as well as working with international partners to shut down cyber crime operations and prevent cyber offences from being committed.