
Investigating Computer-Related Crime

2nd Edition

By Peter Stephenson, Keith Gilbert

CRC Press

404 pages | 7 B/W Illus.

Hardback: 9780849319730
pub: 2013-04-19
eBook (VitalSource): 9780429245121
pub: 2013-04-19


Since the last edition of this book was written more than a decade ago, cybercrime has evolved. Motives have not changed, but new means and opportunities have arisen with the advancement of the digital age. Investigating Computer-Related Crime: Second Edition incorporates the results of research and practice in a variety of venues, growth in the field, and new technology to offer a fresh look at the topic of digital investigation.

Following an introduction to cybercrime and its impact on society, this book examines:

  • Malware and the important differences between targeted attacks and general attacks
  • The framework for conducting a digital investigation, how it is conducted, and some of the key issues that arise over the course of an investigation
  • How the computer forensic process fits into an investigation
  • The concept of system glitches vs. cybercrime and the importance of weeding out incidents that don’t need investigating
  • Investigative politics that occur during the course of an investigation, whether to involve law enforcement, and when an investigation should be stopped
  • How to prepare for cybercrime before it happens
  • End-to-end digital investigation
  • Evidence collection, preservation, management, and effective use
  • How to critique your investigation and maximize lessons learned

This edition reflects a heightened focus on cyber stalking and cybercrime scene assessment, updates the tools used by digital forensic examiners, and places increased emphasis on following the cyber trail and the concept of end-to-end digital investigation. Discussion questions at the end of each chapter are designed to stimulate further debate in this fascinating field.

Table of Contents

Cybercrime as We Enter the Twenty-First Century

Background and Some Definitions

What Is Digital Crime?

How Does Today’s Cybercrime Differ from the Hacker Exploits of Yesterday?

Reality of Information Warfare in the Corporate Environment

Industrial Espionage: Hackers for Hire

Public Law Enforcement’s Role in Cybercrime Investigations

The Role of Private Cybercrime Investigators and Security Consultants in Investigations

The Potential Impacts of Cybercrime

Data Thieves

How Data Thieves Avoid Detection during an Attack

How Data Thieves "Clean Up" after an Attack

Techniques for Detecting File Reads and Uploads


Denial of Service

Malware Attacks

A Little Background to Get Us Started

Viruses, Trojan Horses, and Worms

Logic Bombs

Spyware, Adware, and Scareware


Responding to Rogue Code Attacks

Protection of Extended Mission-Critical Computer Systems

Postattack Inspection for Rogue Code

Surgical Strikes and Shotgun Blasts

Denial of Service Attacks

Symptoms of a Surgical Strike


Case Study: The Case of the Cyber Surgeon

Symptoms of Shotgun Blasts

"Up Yours:" Mail Bombs

Flooding Attacks


A Framework for Conducting an Investigation of a Computer Security Incident

Managing Intrusions

Why We Need an Investigative Framework

What Should an Investigative Framework Provide?

One Approach to Investigating Intrusions

Drawbacks for the Corporate Investigator

A Generalized Investigative Framework for Corporate Investigators

Look for the Hidden Flaw

The Human Aspects of Computer Crime and the FBI Adversarial Matrix

Motive, Means, and Opportunity

Evidence and Proof

Look for the Logical Error

Discussion Questions


Analyzing the Remnants of a Computer Security Incident

What We Mean by a Computer Security Incident

We Never Get the Call Soon Enough

Media Forensic Analysis: Computer Crimes at the Host

Processing Forensic Data

Cyber Forensic Analysis: Computer Crimes Involving Networks

Software Forensic Analysis: Who Wrote the Code?

The Limitations of System Logs

The Logs May Tell the Tale—But What If There Are No Logs?

Multiple Log Analysis

Launching the Investigation

Launching the Investigation

Analyzing the Incident

Analyzing the Evidence and Preparing Your Presentation

Securing the Virtual Crime Scene

Collecting and Preserving Evidence

Interrogating Suspects and Interviewing Witnesses

Investigating Alternative Explanations

You May Never Catch the Culprit

Damage Control and Containment

Determining If a Crime Has Taken Place

Statistically, You Probably Don’t Have a Crime

Believe Your Indications

Using Tools to Verify That a Crime Has Occurred

Investigating Noncrime Abuses of Corporate Policy

Case Study: The Case of the CAD/CAM Cad

Case Study: The Case of the Client/Server Tickle

Cover-Ups Are Common

Case Study: The Case of the Innocent Intruder

The Importance of Well-Documented Evidence

Maintaining a Chain of Custody

Politically Incorrect: Understanding Why People Cover Up for a Cyber Crook

When Cover-Ups Appear Legitimate

Involving the Authorities

When to Involve Law Enforcement

Who Has Jurisdiction?

What Happens When You Involve Law Enforcement Agencies?

Making the Decision

When an Investigation Cannot Continue

When and Why Should You Stop an Investigation?

Legal Liability and Fiduciary Duty

Political Issues

Civil versus Criminal Actions

Privacy Issues

Salvaging Some Benefit


Building a Corporate Cyber "SWAT Team"

Why Do Organizations Need a Cyber SWAT Team?

What Does a Cyber SWAT Team Do?

Standard Practice Example

Who Belongs on a Cyber SWAT Team?

Stopping the Bleeding: IIRTs

Training Investigative Teams

Privacy and Computer Crime

The Importance of Formal Policies

Who Owns the E-Mail?

The Disk Belongs to the Organization, But What about the Data?

The "Privacy Act(s)"

Fourth Amendment to the U.S. Constitution

Introduction to End-to-End Digital Investigation

The Notion of End-to-End Digital Forensics

The Mechanics of an Attack

The End-to-End Concept

The Need for Formalization

Defining the Playing Field

Defining a High Level Process

Collecting and Analyzing Evidence of a Computer Crime

What Do We Mean by Evidence?

Collecting Evidence

Managing Evidence

Evidence Analysis

The Analysis Process

Preliminary Correlation

Normalization and Deconfliction


The Normalization Process

Event Deconfliction

Data Analysis: First Steps

The Eventual Objective

Sorting the Evidence

Using Evidence Effectively

What We Have and What We Need

Developing a Timeline and Chain of Evidence

Issues in Backtracing Events

Tools and Techniques

Manual Link Analysis and Traceback

Discussion Questions

Conducting Incident Postmortems

Digital Forensics and the Digital Investigative Process

The Incident Postmortem Process

Postmortem Quality

Using a Formalized Approach to Digital Investigation

Why (and When) We Need a Formalized Approach to Process

Top-Level Mapping of the DFRWS Framework in DIPL

Using DIPL in Real Investigations

Applying DIPL to an Incident Postmortem

About the Authors

Peter Stephenson, PhD, is a cyber criminologist, digital investigator, and digital forensic scientist at Norwich University (Vermont). He is a writer, researcher, and lecturer on information assurance, digital investigation, and forensics on large-scale computer networks. He has lectured extensively on digital investigation and security, and has written, edited, or contributed to 16 books and several hundred articles in major national and international trade, technical, and scientific publications.

Dr. Stephenson is a Fellow of the Institute for Communications, Arbitration, and Forensics in the United Kingdom, an associate member of the American Academy of Forensic Sciences, a member of the Vidocq Society, and on the board of Vermont InfraGard. He holds the CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), and FICAF (Fellow of the Institute for Communications Arbitration and Forensics) designations, and his research is focused on cybercrime assessment and profiling compromised networks.

Keith Gilbert is a senior information security specialist on the Verizon RISK Team. He obtained both his BS and MS in information assurance from Norwich University and is an experienced digital forensic analyst. Gilbert has worked in both the public and private sectors at organizations ranging from 50 to 200,000 employees. He holds the Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GCFA) and GIAC Certified Incident Handler (GCIH) certifications and is an associate of the International Information Systems Security Certification Consortium ((ISC)²).

Subject Categories

BISAC Subject Codes/Headings:
LAW / Forensic Science
SOCIAL SCIENCE / Criminology