The most difficult challenge for law enforcement in many cybercrime cases is “putting a suspect at the keyboard”. Recent news stories have highlighted law enforcement’s frustration with the lack of focus on the human elements of cybercrime. Too often cybercrime is framed as a purely technical challenge. The fact that real human criminals are behind these schemes can be forgotten. A specific individual must be identified to make an arrest and charge a crime.
“Attribution” is the task of identifying a specific cybercriminal. This process often begins by using digital forensics to examine the patterns and tools used in an attack. This is a scientific and complex process. During my time as a prosecutor, I worked with many digital forensic examiners on cases. The forensic examiner was always the most important witness at trial. The examiner is the witness who literally examines the “crime scene” and can provide the evidence that proves that the suspect was the person behind a cyber attack.
Some cybercriminals follow known patterns, and this may be a way to identify them. In one case that I prosecuted, the forensic examiner reviewed evidence seized from a suspect, but there was no way to directly connect the suspect to the crime. However, the examiner was able to identify non-criminal evidence on the computer that was clearly linked to the suspect. This circumstantial evidence provided a strong degree of proof that the suspect used the computer and was at the terminal close in time to the period during which the crimes occurred. This critical evidence, provided by the forensic examiner, resulted in the successful prosecution of the cybercriminal.
I teach a law school class on cybercrime and at the beginning of the first class I always remind students that cybercrimes are crimes committed by real persons abusing technology. It’s important to remember that technology is not bad. Unfortunately, sometimes people do bad things with technology.