Protocol of a systematic approach " Data collection: This phase involves the collection of data through traditional investigative methods

, such as information relating to the suspect, any co-inhabitants, relevant co-workers or other associates and information compiled through conventional monitoring activities of channels of communication, including in relation to fixed-line and mobile telephone usage. " Research for additional information available via Internet-based services: This phase involves requests to obtain information collected and stored in the databases of webbased e-commerce, communications and networking services, such as eBay, PayPal, Google and Facebook, as well as using dedicated search engines such as www.123people. com. Data collected by these services through commonly used Internet “cookies” also provide key information regarding multiple users of a single computer or mobile device.

" The activities in phases (a) and (b) above provide information that may be combined and cross-referenced to build a profile of the individual or group under investigation and made available for analysis during later stages of the investigation. " VoIP server requests: In this phase, law enforcement authorities request information from VoIP service providers relating to the persons under investigation and any known affiliates or users of the same networking devices. The information collected in this phase may also be used as a form of “smart filter” for the purposes of verifying the information obtained in the two prior phases. " Analysis: The large volume of data obtained from VoIP servers and the providers of various Internet services are then analysed to identify information and trends useful for investigative purposes. This analysis may be facilitated by computer programs, which may filter information or provide graphic representations of the digital data collected to highlight, inter alia, trends, chronology, the existence of an organized group or hierarchy, the geolocation of members of such group, or factors common among multiple users, such as a common source of financing. " Identification of subjects of interest: In this phase, following smart analysis of the data, it is common to identify subjects of interest based, for example, on subscriber information linked to a financial, VoIP or e-mail account. " Interception activity: In this phase, law enforcement authorities employ interception tactics similar to those used for traditional communication channels, shifting them to a different platform: digital communication channels. Interception activity may be undertaken in connection with telecommunications services, such as fixed-line broadband, mobile broadband and wireless communications, as well as with regard to services provided by ISPs, such as e-mail, chat and forum communication services. In particular, in recent years experience has revealed vulnerabilities in new communications technologies which may be exploited for investigative or intelligence-gathering purposes. Due care should be taken with respect to ensuring the forensic integrity of the data being gathered and the corroboration, to the extent possible, of any intelligence gathered with objective identifiers such as GPS coordinates, time stamps or video surveillance. Where permitted by domestic law, some law enforcement authorities may also employ digital monitoring techniques facilitated by the installation of computer hardware or applications such as a virus, a “Trojan Horse” or a keystroke logger on the computer of the person under investigation. This may be achieved through direct or remote access to the relevant computer, taking into consideration the technical profile of the hardware to be compromised (such as the presence of antivirus protections or firewalls) and the personal profile of all users of the device, targeting the least sophisticated user profile.
Extracted from: The United Nations Office on Drugs and Crime (2012), The Use of the Internet for Terrorist Purposes, pages 60-61.