1 INTRODUCTION
  1.1 INTRODUCTION
  1.2 CYBERCRIME AND CYBERSECURITY
    1.2.1 Cybercrime
    1.2.2 Cybercriminals and Threat Actors
    1.2.3 Cybersecurity
    1.2.4 Threat Modeling - Cyber Kill Chain and MITRE ATT&CK
  1.3 CYBER INVESTIGATIONS
    1.3.1 Digital Forensics
    1.3.2 Digital Evidence
    1.3.3 Attribution
    1.3.4 Cyber Threat Intelligence
    1.3.5 Open-Source Intelligence (OSINT)
    1.3.6 Operational Avalanche - A Real-World Example
  1.4 CHALLENGES IN CYBER INVESTIGATIONS
  1.5 FURTHER READING
  1.6 CHAPTER OVERVIEW
  1.7 COMMENTS ON CITATION AND NOTATION
  1.8 EXERCISES

2 CYBER INVESTIGATION PROCESS
  2.1 INTRODUCTION
  2.2 INVESTIGATION AS INFORMATION WORK
  2.3 DEVELOPING AN INTEGRATED FRAMEWORK FOR CYBER INVESTIGATIONS
  2.4 PRINCIPLES FOR THE INTEGRATED CYBER INVESTIGATION PROCESS (ICIP)
    2.4.1 Procedure and policy
    2.4.2 Planning and documentation
    2.4.3 Forming and testing of hypotheses
    2.4.4 The dynamics of ICIP
    2.4.5 Principles for handling digital evidence
    2.4.6 Limitations
  2.5 ICIP'S PROCEDURAL STAGES
    2.5.1 Investigation initiation
    2.5.2 Modeling
    2.5.3 Planning and prioritization
    2.5.4 Impact and risk assessment
    2.5.5 Action and collection
    2.5.6 Analysis and Integration
    2.5.7 Documentation and presentation
    2.5.8 Evaluation
  2.6 COGNITIVE AND HUMAN ERROR IN CYBER INVESTIGATIONS
    2.6.1 Cognitive factors
    2.6.2 Cognitive biases
    2.6.3 Countermeasures
  2.7 SUMMARY
  2.8 EXERCISES

3 CYBER INVESTIGATION LAW
  3.1 CYBER INVESTIGATION IN CONTEXT
  3.2 THE MISSIONS AND SOME IMPLICATIONS TO PRIVACY RIGHTS
    3.2.1 The police, law enforcement agencies, and national security service
    3.2.2 Reasonable ground to open a criminal (cyber) investigation
    3.2.3 The legal framework(s)
    3.2.4 General conditions for privacy-invasive cyber investigation methods
    3.2.5 The private sector cyber investigator
  3.3 THE DIFFERENT MANDATES OF THE LEA, NIS, AND THE POLICE
    3.3.1 Law enforcing agencies and the police
    3.3.2 The national intelligence service (NIS)
  3.4 JURISDICTION AND INTERNATIONAL COOPERATION
    3.4.1 The eNIS and the principle of sovereignty
    3.4.2 The iNIS and the LEA - international cooperation
  3.5 HUMAN RIGHTS IN THE CONTEXT OF CYBER INVESTIGATIONS
    3.5.1 The right to fair trial
    3.5.2 Covert cyber investigation
    3.5.3 Technical investigation methods (technical hacking)
    3.5.4 Methods based on social skills (social hacking)
    3.5.5 Open-source intelligence / investigation
  3.6 THE PRIVATE CYBER INVESTIGATOR
    3.6.1 Cyber reconnaissance targeting a third party
    3.6.2 Data protection and privacy rights
  3.7 THE WAY AHEAD
  3.8 SUMMARY
  3.9 EXERCISES

4 PERSPECTIVES OF INTERNET AND CRYPTOCURRENCY INVESTIGATIONS
  4.1 INTRODUCTION
  4.2 CASE EXAMPLES
    4.2.1 The proxy seller
    4.2.2 The scammer
    4.2.3 The disgruntled employee
  4.3 NETWORKING ESSENTIALS
  4.4 NETWORKS AND APPLICATIONS
    4.4.1 Operational security
    4.4.2 Open sources
    4.4.3 Closed sources
    4.4.4 Networks
    4.4.5 Peer-to-peer
    4.4.6 Applications
  4.5 OPEN-SOURCE INTELLIGENCE (OSINT)
    4.5.1 Methodology
    4.5.2 Types of open-source data
    4.5.3 Techniques for gathering open-source data
  4.6 INTERNET BROWSERS
    4.6.1 HTTP, HTML, JavaScript and cache
    4.6.2 Uniform Resource Locators (URLs)
    4.6.3 Cookies and local storage
    4.6.4 Developer tools
    4.6.5 Forensic tools
  4.7 CRYPTOCURRENCIES
    4.7.1 Addresses and transactions
    4.7.2 Privacy
    4.7.3 Heuristics
    4.7.4 Exploring transactions
  4.8 PREPARATION FOR ANALYSIS
    4.8.2 Visualization and analysis
  4.9 SUMMARY
  4.10 EXERCISES

5 ANONYMITY AND FORENSICS
  5.1 INTRODUCTION
    5.1.1 Anonymity
    5.1.2 Anonymous communication technologies
  5.2 ANONYMITY INVESTIGATIONS
    5.2.1 Digital forensics and anonymous communication
  5.3 SUMMARY
  5.4 EXERCISES

6 INTERNET OF THINGS INVESTIGATIONS
  6.1 INTRODUCTION
  6.2 WHAT IS IOT?
    6.2.1 A (very) short and incomplete history
    6.2.2 Application areas
    6.2.3 Models and concepts
    6.2.4 Protocols
  6.3 IOT INVESTIGATIONS
    6.3.1 Types of events leading to investigations
    6.3.2 Identifying an IoT investigation
  6.4 IOT FORENSICS
    6.4.1 IoT and existing forensic areas
    6.4.2 Models
    6.4.3 New forensic challenges
  6.5 SUMMARY
  6.6 EXERCISES

7 MULTIMEDIA FORENSICS
  7.1 METADATA
  7.2 IMAGE FORENSICS
    7.2.1 Image trustworthiness
    7.2.2 Types of examinations
    7.2.3 Photography process flow
    7.2.4 Acquisition fingerprints
    7.2.5 Image coding fingerprints
    7.2.6 Editing fingerprints
    7.2.7 Deepfake creation and detection
  7.3 VIDEO FORENSICS
    7.3.1 Video process flow
    7.3.2 Reproduction detection
    7.3.3 Source device identification
  7.4 AUDIO FORENSICS
    7.4.1 Audio fundamentals
    7.4.2 Digital audio recording process
    7.4.3 Authenticity analysis
    7.4.4 Container analysis
    7.4.5 Content-based analysis
    7.4.6 Electric network frequency
    7.4.7 Audio enhancements
    7.4.8 Other audio forensic methods
  7.5 SUMMARY
  7.6 EXERCISES

8 EDUCATIONAL GUIDE
  8.1 ACADEMIC RESOURCES
  8.2 PROFESSIONAL AND TRAINING ORGANIZATIONS
  8.3 NON-ACADEMIC ONLINE RESOURCES
  8.4 TOOLS
    8.4.1 Disk Analysis Tools
    8.4.2 Memory Analysis Tools
    8.4.3 Network Analysis Tools
    8.4.4 Open-Source Intelligence Tools
    8.4.5 Machine Learning
  8.5 CORPORA AND DATA SETS
  8.6 SUMMARY

9 AUTHORS
10 WORKS CITED
11 INDEX

André Årnes is an experienced cyber security leader with extensive experience from industry, law enforcement, and academia. He joined White Label Consultancy, a lean and fast-growing international cyber security and data protection consultancy, as a Co-owner & Partner for Cyber Security in January 2022. He served as the Global Chief Security Officer of Telenor Group from 2015 to 2021, leading Telenor's global cyber security transformation. He also has extensive experience with cyber investigations and digital forensics from the Norwegian Criminal Investigation Service (Kripos). He is a part-time Professor at the Norwegian University of Science and Technology (NTNU) and the Editor of the successful text, Digital Forensics, published by Wiley in 2017.