Friday, May 07, 2010


Last week we looked at what attributes and skills are required to become a computer forensic investigator. Today I want to outline the similarities between the virtual and real-world detective. It is important to appreciate that a digital detective operates within the same principles that are used by a homicide police detective.

Criminal investigation, be it digital or real-world, has the end product of bringing someone to justice; that is, arresting, prosecuting, and convicting perpetrators of crimes.

An investigator who hunts a cyber-criminal in the netherworld of the internet borrows the fundamental working philosophy from the well-tested norms of the homicide detective.

The first is that no two crimes are alike. Every instance of identity theft, for example, has its own unique characteristics, and these can be found in the way an identity was stolen and what it was used for. The second working philosophy that computer investigators borrow from their real-world colleagues is that most crimes are solved within 48 hours. Though this might not apply strictly in cybercrime, it is vitally important to initiate an immediate response; otherwise tracing becomes difficult.

Another common area is that modus operandi (method of attack) provides clues as to who did it. The methodology of a cyber-criminal usually provides important details that point to the perpetrator and make profiling possible.

Thinking like a “native” rather than like a criminal is another crucial working philosophy. It takes a thief to catch a thief, and this applies to cyber-crime as well: an investigator has to be familiar with the mindset, hacking tools and techniques of the cyber-criminal. It is, however, important to have some familiarity with the criminal underworld without letting it become intimate familiarity.

Another common working philosophy is that you can never receive too much training. Any kind of detective needs as much training as he/she can possibly obtain. This is especially true for a computer investigator, whose work demands keeping abreast of new technology all the time.

Another very critical philosophy shared by both kinds of detective work is that evidence is always present. In whichever context, be it a real murder or a cyber crime like phishing, the perpetrator will always leave traces of his/her presence. This premise is based on Locard’s Principle of Exchange, which states that any person who enters a crime scene leaves something behind and takes something from the scene with them. A computer forensic investigator is therefore grounded in the same working philosophies that are found in real-world detective work.
