Irrespective of the legal form of powers, law enforcement respondents to the Study questionnaire indicated that a range of investigative measures – from search and seizure, to expedited preservation of data – are widely used in practice. Almost all countries, for example, reported using search and seizure for the physical appropriation of computer equipment and the capture of computer data. Responses from law enforcement officers also suggested that more than 90 per cent of countries made use of orders for obtaining stored computer data. Around 80 per cent of respondents reported making use of expedited preservation of data.110 Corresponding with the low proportion of countries reporting relevant legal powers, less than 40 per cent of countries reported making use of remote forensic tools or ‘trans-border’ access.111 While these responses fit broadly with the reported existence of legal powers, expedited preservation was reported to be used in practice somewhat more frequently than responses on the existence of legal powers suggested.112 This
110 Study cybercrime questionnaire. Q87-96.
111 Study cybercrime questionnaire. Q87-96.
112 See above, Section 5.2 Investigative powers overview.
KEY RESULTS:
Irrespective of the legal form of investigative powers, all responding countries use search and seizure for the physical appropriation of computer equipment and the capture of computer data
The majority of countries also use orders for obtaining computer data from internet service providers, real-time collection of data, and expedited preservation of data
Law enforcement authorities encounter a range of challenges in practice, including perpetrator techniques for hiding or deletion of computer data related to an offence
[Figure 5.14: Use of investigative measures by law enforcement. Bars show "Measure used" and "Measure not used" on a 0% to 100% scale for: Search/seizure (n=56); Order for stored data (n=59); Real-time collection of data (n=58); Expedited preservation (n=58); Remote forensic tools or trans-border access (n=56). Source: Study cybercrime questionnaire. Q87-97. (n= 56, 59, 58)]
[Figure 5.15: Most commonly used investigative measures. Categories, in the order listed: Order for identity or subscriber information; Seizure of computer hardware or data; Search for computer hardware or data; Order for stored content data; Order for stored traffic data; Real-time collection of traffic data; Use of remote forensic software. Values, in the order listed: 35%, 32%, 23%, 16%, 6%, 3%, 3%. Source: Study cybercrime questionnaire. Q98. (n=31, r=37)]
CHAPTER FIVE: LAW ENFORCEMENT AND INVESTIGATIONS
may be indicative of expedited preservation of data in practice through informal working relationships between law enforcement and service providers.
Country responses regarding the most commonly used investigative powers also highlighted the importance of search and seizure, as well as the use of orders to obtain subscriber data from service providers. As more and more devices become connected to the internet, computer data that may previously have been stored only on a local computer device is increasingly processed by private sector service providers, including in cloud services. The importance for law enforcement officers of obtaining electronic evidence from service providers is reflected in the fact that orders for subscriber information are reported to be the most commonly used investigative measure. The section below on investigations and the private sector examines law enforcement and service provider interactions in detail.
Investigative challenges and good practice
Responding countries identified a number of challenges and good practices related to the use of investigative measures and cybercrime investigations in general. Good practices reported by countries frequently highlighted the importance of careful organization and ordering of investigations. One country, for example, reported that ‘Preservation of data, and seizure of stored data and computer data in a forensically sound manner is a baseline for successful cybercrime investigations.’113 Another stated that ‘All actions should be recorded and leave an auditable trail. Each action, URL, e-mail address, etc., should be timed and dated, information sources and contacts recorded.’114 In addition, a number of countries noted that the starting point for successful investigations is frequently information such as an IP address. As a result, it was considered good practice to focus on ensuring the capability for timely obtaining of subscriber information.115
With respect to investigative challenges encountered, many responding countries opened their remarks on law enforcement cybercrime investigations by highlighting an increasing level of criminal sophistication, and the need for law enforcement investigations to ‘keep up’ with cybercrime perpetrators. One country from Europe, for example, noted that ‘attacks are becoming more and more advanced, more and more difficult to detect, and at the same time the techniques quickly find their way to a broader audience… we’ve also seen that digital components (as means, crime scene or target) become of more and more importance in basically every crime.’116 Another country emphasized that ‘increases in the incidence of cybercrime offences are being driven by the advancement of technical and programmatic tools available to attackers underpinned by an illicit market for the commercialization of tools for committing cybercrime.’117
Increasing levels of sophistication bring increased challenges in areas such as locating electronic evidence; use of obfuscation techniques by perpetrators; challenges with large volumes of data for analysis; and challenges with obtaining data from service providers. At a basic investigative level, for example, digital storage and connectivity are increasingly integrated into common household and personal items, such as pens, cameras, watches with flash storage and USB jewellery flash drives. In addition, wireless storage devices may be hidden in wall cavities, ceilings and floor spaces. As noted by one country, such physical (and electronic) ‘ease of concealment’ of computer data can present difficulties for investigations.118 Countries also highlighted problems of ‘deletion of data storage devices.’ Where perpetrators use online communication services, such as VOIP, computer data
113 Study cybercrime questionnaire. Q99.
114 Ibid.
115 Ibid.
116 Study cybercrime questionnaire. Q85.
117 Study cybercrime questionnaire. Q84.
118 Study cybercrime questionnaire. Q87-96.
may flow directly from user to user (and not through service provider servers),119 meaning that only local copies of certain data are available – and vulnerable to subsequent deletion. In addition, perpetrators may make use of ‘dead-dropping’ of messages in draft folders of webmail accounts (allowing communication without a ‘sent’ email), combined with use of free public Wifi access points, or pre-paid mobile and credit cards. One country, for example, highlighted challenges in ‘pinpointing location’ due to ‘availability of numerous free access points.’120 Many countries also reported the use of encryption and obfuscation techniques by perpetrators. This area is addressed in detail in Chapter Six (Electronic evidence and criminal justice).
Finally, many countries noted that significant challenges were faced in obtaining information from service providers. One country in the Americas, for example, reported that the supply of subscriber information by internet service providers on a voluntary basis led to inconsistent practice across the country.121 Other countries reported that service providers did not store computer data for ‘long enough’, and that it ‘takes too much time for the subscriber to provide the data to the police.’122 A country in Asia further reported the challenge of ‘inaccurate registration details’ stored by service providers.123 The interactions – both formal and informal – between law enforcement and service providers are examined in the next section of this Chapter.