Free Download Cybercrime Investigators Handbook Graeme Edwards Full Chapter PDF

Cybercrime Investigators Handbook
Graeme Edwards
Visit to download the full and correct content document:
https://ebookmass.com/product/cybercrime-investigators-handbook-graeme-edwards/
Cybercrime
Investigators
Handbook
Cybercrime
Investigators
Handbook
GRAEME EDWARDS,PhD.
Copyright © 2020 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the
1976 United States Copyright Act, without either the prior written permission of the
Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978)
750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to
the Publisher for permission should be addressed to the Permissions Department, John
Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201)
748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used
their best efforts in preparing this book, they make no representations or warranties
with respect to the accuracy or completeness of the contents of this book and
specifically disclaim any implied warranties of merchantability or fitness for a
particular purpose. No warranty may be created or extended by sales representatives
or written sales materials. The advice and strategies contained herein may not be
suitable for your situation. You should consult with a professional where appropriate.
Neither the publisher nor author shall be liable for any loss of profit or any other
commercial damages, including but not limited to special, incidental, consequential, or
other damages.
For general information on our other products and services or for technical support,
please contact our Customer Care Department within the United States at (800)
762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand.
Some material included with standard print versions of this book may not be included
in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that
is not included in the version you purchased, you may download this material at
http://booksupport.wiley.com. For more information about Wiley products, visit www
.wiley.com.
Library of Congress Cataloging-in-Publication Data
Names: Edwards, Graeme (Financial and cybercrime investigator), author.
Title: Cybercrime investigators handbook / Graeme Edwards.
Description: Hoboken, New Jersey : John Wiley & Sons, Inc., [2020] |
Includes index.
Identifiers: LCCN 2019023231 (print) | LCCN 2019023232 (ebook) | ISBN
9781119596288 (cloth) | ISBN 9781119596325 (adobe pdf) | ISBN
9781119596301 (epub)
Subjects: LCSH: Computer crimes—Investigation.
Classification: LCC HV8079.C65 E39 2020 (print) | LCC HV8079.C65 (ebook)
| DDC 363.25/968—dc23
LC record available at https://lccn.loc.gov/2019023231
LC ebook record available at https://lccn.loc.gov/201902323
Cover Design: Wiley
Cover Image: © South_agency/iStock.com
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
To Marie and Bob. Long gone but not forgotten.
To Liz and the girls. Thank you for putting up with the numerous hours
I have spent on work, study, and research for this book and all the support
you have given.
Contents
List of Figures xi
About the Author xiii
Foreword xv
Acknowledgments xvii
Chapter 1: Introduction 1
Chapter 2: Cybercrime Offenses 9

Potential Cybercrime Offenses 11
Cybercrime Case Study 26
Notes 26
Chapter 3: Motivations of the Attacker 29

Common Motivators 30
Cybercrime Case Study I 33
Cybercrime Case Study II 34
Note 35
Chapter 4: Determining That a Cybercrime Is Being

Committed 37
Cyber Incident Alerts 38
Attack Methodologies 41
Notes 45
Chapter 5: Commencing a Cybercrime Investigation 47

Why Investigate a Cybercrime? 47
The Cyber Investigator 48
vii
viii ◾ Contents
Management Support 48
Is There a Responsibility to Try to Get the Data Back? 50
Notes 52
Chapter 6: Legal Considerations When Planning

an Investigation 53
Role of the Law in a Digital Crimes Investigation 54
Protecting Digital Evidence 55
Preservation of the Chain of Custody 56
Protection of Evidence 59
Legal Implications of Digital Evidence Collection 60
Note 63
Chapter 7: Initial Meeting with the Complainant 65

Initial Discussion 65
Complainant Details 68
Event Details 68
Cyber Security History 69
Scene Details 70
Identifying Offenses 71
Identifying Witnesses 71
Identifying Suspects 71
Identifying the Modus Operandi of Attack 72
Evidence: Technical 73
Evidence: Other 74
Chapter 8: Containing and Remediating the Cyber

Security Incident 77
Containing the Cyber Security Incident 77
Eradicating the Cyber Security Incident 80
Note 82
Chapter 9: Challenges in Cyber Security Incident

Investigations 83
Unique Challenges 84
Contents ◾ ix
Chapter 10: Investigating the Cybercrime Scene 93

The Investigation Team 96
Resources Required 101
Availability and Management of Evidence 104
Technical Items 105
Scene Investigation 123
What Could Possibly Go Wrong? 152
Notes 158
Chapter 11: Log File Identiﬁcation, Preservation,

Collection, and Acquisition 159
Log Challenges 160
Logs as Evidence 161
Types of Logs 162
Notes 165
Chapter 12: Identifying, Seizing, and Preserving Evidence

from Cloud-Computing Platforms 167
What Is Cloud Computing? 167
What Is the Relevance to the Investigator? 172
The Attraction of Cloud Computing for the Cybercriminal 173
Where Is Your Digital Evidence Located? 174
Lawful Seizure of Cloud Digital Evidence 175
Preservation of Cloud Digital Evidence 177
Forensic Investigations of Cloud-Computing Servers 178
Remote Forensic Examinations 182
Cloud Barriers to a Successful Investigation 196
Suggested Tips to Assist Your Cloud-Based Investigation 203
Cloud-Computing Investigation Framework 206
Notes 221
Chapter 13: Identifying, Seizing, and Preserving Evidence

from Internet of Things Devices 225
What Is the Internet of Things? 225
What Is the Relevance to Your Investigation? 226
x ◾ Contents
Where Is Your Internet of Things Digital Evidence Located? 228

Lawful Seizure of Internet of Things Evidence 228
Notes 229
Chapter 14: Open Source Evidence 231

The Value of Open Source Evidence 231
Examples of Open Source Evidence 233
Note 236
Chapter 15: The Dark Web 237

Crime and the Dark Web 238
Notes 242
Chapter 16: Interviewing Witnesses and Suspects 243

Suspect Interviews 245
Witness Interviews 246
Preparing for an Interview 247
The Interview Process 250
Closing the Interview 254
Review of the Interview 254
Preparation of Brief for Referral to Police 255
Chapter 17: Review of Evidence 257
Chapter 18: Producing Evidence for Court 265

Digital Evidence and Its Admissibility 267
Preparing for Court 268
Chapter 19: Conclusion 273
Glossary 277
Index 283
List of Figures
Figure 10.1 Hard drive showing serial number as a unique

identifier. 98
Figure 10.2 Computer printer showing serial number as a unique
identifier. 99
Figure 10.3 Example of a scene property schedule. 103
Figure 10.4 External storage devices. 113
Figure 10.5 Printer. 114
Figure 10.6 Rubbish bags containing potential evidence. 115
Figure 10.7 Identifier of hallway office. 135
Figure 10.8 Image of damaged iPhone. 136
Figure 10.9 Network cabling. 142
Figure 10.10 Ethernet cabling. 143
Figure 10.11 Tracing Ethernet cabling 1. 144
Figure 10.12 Tracing Ethernet cabling 2. 145
Figure 11.1 System logs in the Event Viewer. 163
Figure 11.2 Application logs in the Event Viewer. 164
Figure 12.1 Cloud-computing investigation framework. 207
Figure 15.1 Image of Tor browser connections. 238
Figure 15.2 Image of counterfeit currency for sale. 240
Figure 15.3 Image of hacking service. 240
Figure 15.4 Image of a vendor’s user profile with review ratings
and comments from purchasers. 241
Figure 15.5 Image of a criminal market being shut down by law
enforcement. 242
xi
About the Author
Dr. Graeme Edwards is a financial and cybercrime investigator located in

Brisbane, Australia. He has 26 years’ experience in policing, with 17 years as a
detective specializing in the investigation of financial crimes and cybercrimes.
He has successfully completed a doctorate in information technology with
his thesis, “Investigating Cybercrime in a Cloud-Computing Environment.”
He has also successfully completed a master of information technology
(security).
Dr. Edwards is a regular conference presenter, speaking on a wide range
of topics related to financial crimes and cybercrimes; he also conducts train-
ing events for organizations and senior management as well as undertaking
post investigation analysis of cyber events. He was the president of the Brisbane
chapter of the Association of Certified Fraud Examiners from 2016 to 2018.
xiii
Foreword
C
YBERCRIME INVESTIGATION is a discipline relevant to an increasingly
diverse audience. It’s a profession that has evolved with technology
and that is constantly being presented with challenges in determining
the truth behind alleged events. As part of the broader cyber security profession,
investigators in large part are valued for their practical experience, vendor cer-
tifications, and trustworthiness in delivering investigative outcomes—whether
that be to prove or disprove alleged offending.
Graeme Edwards embodies these qualities. He forged a career as one of
Australia’s first true cybercrime detectives with the Queensland Police Service.
Like many in our profession he took it upon himself to continue to self-develop,
through learning about and adapting to new technology environments, and
through advancing his own education. His doctorate furthered his expertise
in cloud investigations and forensics, anticipating the growing need for this
subspecialization.
Cybercrime Investigators Handbook is a life work for Graeme. It provides an
opportunity for readers to directly benefit from his unique expertise and lifelong
learning experiences. Its content steps readers through the investigative process
from a cybercrime perspective, capturing key practical and observational gems
readers can readily apply to their own challenges.
Thanks to authors like Graeme, our profession can continue to evolve and
benefit from the passing on of key lessons and knowledge for the betterment
of practitioners and those looking to move into the exciting field of cybercrime
investigations. It’s a very timely contribution. I trust you’ll benefit from its con-
tent as much as I have. Thank you, Graeme, for advancing our profession in
this very meaningful way.
Professor David Lacey

Managing Director, IDCARE
Director, Institute for Cyber Investigations and Forensics, USC
xv
Acknowledgments
I T IS APPROPRIATE to thank those who have supported the writing of

this book.
First, thank you to my family for putting up with the numerous hours
I have spent studying, researching, and working the very antisocial hours a
police officer on shift work dedicates to their profession. Without your support,
this book and years of study and research would not have been achieved.
I also wish to thank Dennis Desmond, a former agent for the FBI National
Computer Crime Squad in Washington, DC, and Professor Lacey, both now
members of the Institute for Cyber Investigations and Forensics in Queensland,
for their peer review of the contents of this book. I would also like to thank
Professor Lacey for his foreword.
xvii
Cybercrime
Investigators
Handbook
1
CHAPTER ONE
Introduction
C
YBER-ATTACKS AGAINST businesses and individuals have been
occurring for decades. Many have been so successful they were never
discovered by the victims and only identified while the data was
being exploited or being sold on criminal markets. Cyber-attacks damage the
finances and reputation of a business and cause significant damage to those
whose data has been stolen and exploited.
From the criminal’s perspective, the current cyber environment effectively
gives them a free pass when it comes to attacking their target. They can do
whatever they like to an individual or business online, cause immense dam-
age of a professional or personal nature, and make large sums of money safe in
the knowledge the complainant will rarely report the matter to police. In fact,
this is a strange anomaly about cybercrime: a company has millions of dollars
of intellectual property (IP) stolen from them, has all the personally identify-
ing information (PII) of the staff and clients stolen, and the action of reporting
it to police or investigating who is behind the attack is rarely considered or
undertaken unless forced by local legislation. Consequently, from the criminal’s
perspective, there is little to no downside to being a cybercriminal. They operate
on a high-financial-return, low-risk model.
Due to the high volume and complexity of cyber-attacks, should a victim
decide to refer a complaint to police they cannot always rely upon them to be
1
Cybercrime Investigators Handbook, First Edition. Graeme Edwards,PhD.
© 2020 John Wiley & Sons, Inc. Published 2020 by John Wiley & Sons, Inc.
2 ◾ Introduction
available to undertake an investigation and locate the offender. Police resources

are stretched and skilled cyber investigators in law enforcement are few and
overworked. This means organizations subject to a cyber-attack that wish to
find information about who is behind the attack will need to hire an experi-
enced cyber investigator (scarce and very expensive) or investigate the matter
themselves. Alternatively, they will not conduct an investigation and instead
focus on increasing security.
The decision by victims to not investigate a cybercrime is made for many
reasons, including the time and money to be expended on an investigation, the
focus of the business being directed on the investigation, the internal disrup-
tion it causes, and the reputational harm caused when the community finds
the company security has been breached and all the data entrusted to them
stolen. Also, directors would not look forward to the day that they stand before
a public annual general meeting and explain to the shareholders that all the
company data was stolen on their watch and that they have made no effort to
recover it or identify who took it.
To the members of an incident response (IR) team or the cyber investigator,
responding to an attack is often an inexact science as the attackers’ motives and
skill levels vary. Whereas an attack against a single desktop computer may be
easily contained and investigated, an attack against a complete distributed cor-
porate network will require significant resources and an experienced response
team to protect the company, their data, and clients. As the attack methodolo-
gies vary, the investigation strategy will not necessarily follow the exact same
path each time.
Investigating a cyber-attack may be a critical part of the continuation of
the business. When the attack is discovered, a mixture of panic, stress, anxiety,
and fear is seen among staff, and those tasked to mitigate and eradicate
the attack may feel the future of the company rests upon their shoulders.
Many employees will be concerned as to their personal future, as they will
be familiar with the many stories of businesses hit by a cyber-attack that
no longer exist six months later. Staff members of the organization being
interviewed as a part of the incident response may also feel that they are
being held responsible and that the interview is a method of laying blame at
their feet.
So why conduct an investigation and gather evidence? Why should a com-
pany start investigating the cybercrime and try to track down the offender?
With the proliferation in the instances of cybercrime, there is an expectation
among the community that those who are entrusted with their PII take their
responsibilities seriously and ensure their data is secure.
Introduction ◾ 3
Shareholders of companies who find that the value of their shares and/or
dividends is affected by a breach may demand efforts by the company to identify
and prosecute the attacker. In the initial aftermath of the attack, there may be
the possibility of locating the suspect and the digital property taken and recov-
ering it before it is exploited. It may be argued that the duties and responsibili-
ties of a director include trying to recover the stolen corporate data before it is
exploited.
Outside of law enforcement and several large businesses, such as the major
accounting companies, there are few options for those who want to have an
investigation into a cyber-attack conducted. The IR team may find evidence
pointing to a suspect, but it is generally not their job to prepare a case for refer-
ral to police or lawyers. A cyber investigator is a very specialized position and
is roughly the equivalent of a police detective conducting a criminal investiga-
tion, as the rules of evidence the court demands are the same whether you are
an experienced detective or a civilian investigator.
The cyber investigator is viewed as the person who is tasked with finding
evidence of the person behind the attack, and in some cases preparing a refer-
ral to police or commencing a civil prosecution. While many attacks originate
from overseas and are hidden behind multiple legal jurisdictions, anonymiz-
ers, bots, or other technology, people have their own motivations to commit
crimes—and these people may include current or former employees residing
within your local jurisdiction.
The role of the cyber investigator is an extension of the digital investigator.
For the benefit of this book, the digital investigator is the person who conducts
a forensic examination of a device or network and produces a report on the
evidence seized and identified.
This book is intended for the person assigned the task of investigating the
cyber event with a view to gaining a full understanding of the event and where
possible recovering the IP/PII before it is exploited. They may also be tasked with
finding evidence to support an action in a tribunal (e.g., employment court) or
a potential prosecution in a civil or criminal court should the attacker be iden-
tified. It will also be of benefit to the manager/executive/lawyer who is tasked to
review an investigation to understand the actions of the investigation team and
why certain decisions were made and to gain an understanding of the evidence
available from a cybercrime scene and the follow-up investigation. This is not a
book that describes how to technically respond to and mitigate a cyber-attack,
as there are many books covering this topic in great detail. There are also many
courses offered by organizations that teach the many aspects of responding to
a cyber-attack from the technical perspective.
4 ◾ Introduction
Although this book makes some references to material from third parties,
it is not intended to be an academic book. This is because much of the mate-
rial is not from academic literature or web sources, but from the experience of
the author as a cybercrime investigator. The major exception to this is Chapter
12, which relies on evidence from the author’s doctoral thesis on cybercrime
investigation in a cloud-computing environment and where academic refer-
ences from a literature review are noted. Where explanations are provided, as
in the glossary, they are largely kept at a low-level technical definition to allow
those new to this field of work to understand the material and its relevance
without having to learn a whole new language called technology.
Due to the dynamic nature of evidence, advances in technology, and the
evolution of legislation/court decisions, this book is not intended to be an exclu-
sive guide in every legal jurisdiction or to cover every potential cyber event.
Where material in this book conflicts in any way with the laws of your juris-
diction, the legal environment(s) you operate in will always take precedence.
The book intends, however, to provoke critical thinking among management,
IR team managers, and investigators facing a complex legal and technical envi-
ronment should a suspect be identified and subsequent evidence need to be
presented to a tribunal or court.
This book contains many of the steps a cybercrime investigator will under-
take, from the initial identification of a cyber event through to considering a
prosecution in court. There are many lists of things the investigator may con-
sider. These are not exhaustive lists and are provided to expand the thinking as
to what to do, where evidence may reside, and how to legally obtain and man-
age it. Use this book as a prompt and not as a definitive step-by-step template,
as each cyber investigation is different and each jurisdiction has its own legal
requirements.
The lists in this book provide a handy point of direction in each stage of the
investigation. As you will discover, at each stage there are many things to be
done and no one can remember them all every time. So, the lists are provided
as a memory prompt of things to consider and apply as the circumstances, legis-
lation in your jurisdiction, and your experience dictate. Not all items in the lists
will be relevant in all instances. The explanations are in plain language and
technical terms are kept to a minimum to assist your understanding of new
concepts.
In Chapter 2 we provide an introduction to the cybercriminal and a series
of offenses an investigator may be called upon to investigate. These will vary
according to the laws of the jurisdiction(s) you are operating in and terms for
the offenses will vary. By gaining an understanding of the cybercriminal and
Introduction ◾ 5
their chosen cybercrimes, we gain an understanding of how the crime was

committed and why it was committed in the manner it was, as well as gaining
some understanding of the type of identity we are seeking.
Once we understand typical offenses, in Chapter 3 we look at the motiva-
tions of the attacker. In some instances, understanding the attacker’s motives
will provide a strong pointer as to who the offender is, especially in cases of inter-
nal offenses. Motivations will vary across the many forms of cyber-attack you
will investigate. It is worth understanding the reasons why a criminal attacks
a specific target, as this will make great sense to them, even if the motivation
seems unusual to the investigator.
In Chapter 4 we will look at examples of the alerts that may be the first indi-
cators of the cyber event, as well as the offender’s methodologies. These alerts
and methodologies may be evidence in their own right and provide indicators
as to the identity of the offender. While an alert will be generated before the
investigator is brought in, the evidence from the alert will provide direction for
the investigator to use as a platform for their investigation.
In Chapter 5 we will learn the process of commencing a cybercrime inves-
tigation. We will discuss the many reasons why an investigation is commenced
and introduce who a cyber investigator is. While the common response to a
cyber event is to fix the system and prevent an attack from happening again, we
also will ask whether there is a responsibility on the part of the data owner to
identify the attacker and attempt to get the stolen data back before it is exploited.
Once we have an understanding of offenses, offenders’ motivations, initial
alerts, and attack methodology, in Chapter 6 we will learn about the role of the
law in your investigation. Should an attacker be identified and presented before
the court, every aspect of your investigation is subject to critical examination
in court by the defendant’s lawyers, and your actions and their legality may be
as much on trial as the activity of the defendant.
Whether you are conducting a civil or criminal investigation, the com-
plainant will provide direction to the investigation they want from you. They
will have information on which to base your investigation as well as the
authority to provide the resources you require. In Chapter 7 we will cover
the many aspects of your initial meeting with the complainant, including
numerous questions you may find relevant to ask them at this meeting.
Chapter 8 provides a general introduction to the role of the digital investiga-
tor for the cyber investigator. Although the cyber investigator will not necessar-
ily be involved in the technical aspect of the incident response while the attack
is underway, it will be of benefit to them to understand what the IR examiners
are doing and the consequences of their actions involving the digital evidence.
6 ◾ Introduction
The cyber investigator will be involved in preserving evidence and in discussion

with the digital investigator and IR teams as to the seizure of evidence, includ-
ing placing a priority on preserving digital evidence, especially that which is
most volatile.
The cyber environment provides many unique challenges to the investiga-
tor, and a variety of these challenges are introduced in Chapter 9. As you are
operating in a dynamic environment, the challenges you face will vary accord-
ing to the circumstances of your case and the evidence you are seeking.
In Chapter 10 we move into the cybercrime scene investigation and
cover many of the areas of a search you need to be aware of and understand.
Cybercrime investigations involve unique challenges to the investigator and
these are identified and discussed. As you are operating in a physical and
digital environment the challenges faced will differ among investigations,
and the investigator will need to expand their thinking to understand their
changing environment.
Log files are critical to cybercrime investigations: when activated and
secured, they will tell you a lot about the attacker, their methodologies, and
the data they accessed. In Chapter 11 we will introduce many log types, where
they can be found, and what they mean to you as an investigator.
Log files are like video cameras at a crime scene. They can be effective—or,
like a camera, if they are turned off or output not preserved, can be totally unus-
able. Log record activity on a device and network may provide very valuable
evidence as to what happened, how it happened, when the breach occurred,
and in some instances, who was behind it. The investigator may need to work
with the digital investigator to understand what the logs are saying; however,
this form of technical evidence may be crucial to your investigation—to the
point where you may be criticized in court if you did not follow this potential
evidence trail.
Chapter 12 addresses legal and technical issues involved in locating and
lawfully seizing evidence from a cloud-computing platform. As data is now
stored on multiple computer servers in multiple legal jurisdictions, evidence
identification and preservation has become a far more complex procedure
than when the examiner could physically seize a device that was suspected of
being breached. Chapter 12 covers many of the legal and technical issues to
be considered by the investigator, with suggested pathways to advancing your
investigation in the cloud.
Chapter 13 provides a very brief introduction to the Internet of Things
(IoT), which includes the multitude of devices now connected online. Evidence
Introduction ◾ 7
may now be gathered from anywhere there is a device connected to the

Internet, and the digital investigator may use this technology to support their
investigation.
Open source material is material that can be captured from online sources.
There are numerous forms of open source information available online
and many cyber investigators are finding valuable information to support
their investigations by conducting online searches. Chapter 14 introduces a
sample of the many forms of open source information available and how this
information can assist your inquiries.
As cybercrime has become more professional over the past decade, the
criminal community has created specialized markets where they can trade
goods and services with customers. Criminal markets such as Silk Road
and AlphaBay obtained a great deal of publicity through identifying the
manner in which members of the criminal community operate and the level
of support provided to each other in training and other support mechanisms.
In Chapter 15 we will introduce the dark web and discuss its relevance to the
investigator, with a warning not to venture into the criminal markets unless
you as an investigator are well trained and understand the environment in
which you will be operating. In some jurisdictions, it is an offense to access the
dark web.
Interviewing witnesses and suspects is an art that many police officers and
investigators take years to master. It is not a simple process, as each interview is
unique and may be evidence in its own right. Chapter 16 will discuss many of
the considerations to be undertaken when conducting an interview and safe-
guards that may be applied depending on the jurisdiction you are operating
within.
Chapter 17 discusses how to review evidence collected and provide direc-
tion as to how to proceed. Sometimes you will have strong leads to the suspect,
sometimes you may have enough evidence to commence or refer an investiga-
tion, and sometimes you will be facing a dead end with a recommendation to
complete your investigation.
Should you have enough evidence to refer to a tribunal, civil court,
or police, Chapter 18 discusses ideas for how to prepare your evidence for
court. Each jurisdiction has its own rules, and your priority will be to obtain
experienced legal advice to ensure the requirements of the law and court are
met. How you present your evidence is sometimes as valuable as the strength
of your prosecution.
Finally, in Chapter 19 we provide a summary of the contents of the book.
8 ◾ Introduction
A glossary is also provided. It is prepared using nontechnical language, as

readers will come from many backgrounds, many of which are not technical.
Its aim is to provide a very general understanding of the new terminology men-
tioned, so you may continue reading with an understanding of the concept
and the circumstances in which it is referenced. Should you require a more
technical understanding of these concepts, there are many online resources
available to you.
As a prime reason cyber security exists is the cybercriminal, we commence
this book with an examination of the potential criminal offenses that may be
committed in a digital and cyber environment.
Cybercrime Offenses
2
CHAPTER TWO
T
HE POTENTIAL offenses a criminal may commit against an entity
or individual is limited only by the imagination of the attacker. The
cybercriminal may be a long-term trusted employee within the organi-
zation or a person located on the other side of the world. They could also be a
contractor who takes advantage of operating within the corporate network to
install malicious software or access information by installing a server on the
network to intercept and record all traffic without the authority of the system’s
administrator.
This chapter seeks to present to the investigator an understanding of the
many forms of cybercrime they may be required to investigate. While the inves-
tigation techniques presented in this book may be similar across each crime
type, an understanding of the crime goes a long way toward understanding
the criminal. This then provides direction as to where to locate digital evidence
within the physical and digital crime scene as well as to understanding the
criminal’s motivation.
As technology evolves, so do the opportunities for the criminal community
to evolve with it. As new technological products are released into the market-
place, criminals view the product or service with a view as to how it may be
exploited to progress their criminal ventures. For example, when gaming con-
soles provided an internal hard drive to store the games as well as to provide
9
Cybercrime Investigators Handbook, First Edition. Graeme Edwards,PhD.
© 2020 John Wiley & Sons, Inc. Published 2020 by John Wiley & Sons, Inc.
10 ◾ Cybercrime Offenses
Internet connectivity, criminals started storing evidence of their crimes—such

as Child Exploitation Material (CEM)—within the hard drive of the console, so
should police conduct a search warrant at their address, they were less likely to
seize a gaming console than a laptop or desktop computer. As criminals develop
these skills, law enforcement reacts to them and develops their evolving field of
investigative knowledge.
Cybercriminals share their knowledge on open source and closed criminal
forums, resulting in a higher standard of criminal who can seek experienced
assistance when their attempted crime meets a hurdle. Cybercriminals also
provide tutorials for those new to the industry, including step-by-step method-
ologies on how to commit cybercrime without leaving behind digital evidence
leading to their identity. Should it be required, some sites provide one-on-one
tutorials and peer review. In essence cybercrime is a profession, with many
resources available to the criminals. These same resources can also be useful
to the investigator in understanding developing methodologies and the ways
criminals conduct their activities.
An advantage of cybercrime to a criminal, when compared to other forms
of crime, is the lack of structural complexity. When compared to a crime such
as illegal drug trafficking, cybercrime lacks the structural managerial complex-
ities that are prevalent in crimes involving physical property. A drug trafficker
may be required to structure the business, distribution, processing, transport-
ing, competition, physical threats, sales network, and money laundering. In
cybercrime, there are fewer of these considerations involved. As opposed to
the illegal drug trade, where parties involved maybe personally known to each
other and build relationships, those involved in partnerships in cybercrime may
not ever physically meet each other, assisting each other based on their areas
of expertise. Also, a valuable consideration is there are no turf wars involved
in cybercrime, as there are in the illegal drugs trade.1
There are many other reasons why cybercrime is attractive to the criminal.
One of these is the financial reward available compared to other forms of crime.
Joseph Schafer and his colleagues found that on average the bank robber may
obtain $2,500, the bank fraudster $25,000, and the cybercriminal $250,000.
They also found that the cost of the theft of technology to an organization is
approximately $1.9 million.2
Alongside the financial rewards, a further attraction of cybercrime to the
criminal is that the actions required are easy to carry out and hard to detect.
The Internet provides anonymity for skilled cybercriminals, who use available
technological resources (such as free web-based email accounts). Schafer and
his colleagues found that the anonymity cybercriminals are operating under
Potential Cybercrime Offenses ◾ 11
online reduces their personal inhibitions, especially since the potential for being
identified and held accountable for their actions is low.2
Of further benefit to the cybercriminal is that the proceeds of their crime
(data) can be virtualized and geographically distributed, creating technical and
jurisdictional challenges for law enforcement and other investigating agencies.
Digital forensic investigations to obtain evidence may not be able to be obtained
in a timely manner, meaning valuable evidence may be not available to inves-
tigators.3
An additional benefit to the cybercriminal is that their crimes can be
committed anywhere. Data can be disseminated very quickly, and the cross-
jurisdictional manner of the crime results in the need for collaboration between
police services at the national and international level.2 To add a further layer
of complexity for an investigating agency, cybercriminals may operate in failed
or failing states that provide a safe haven.4
The specific civil or criminal offense in each instance depends upon the
legal jurisdiction and the wording of the specifics of the offense as defined in
legislation. While there are many forms of civil and criminal offenses involving
technology, this chapter lists examples of offenses where technology is a major
factor in the crime the cyber investigator is required to respond to. Also under-
stand that when you are dealing with a cyber event and the suspect lives in a
foreign legal jurisdiction, even though their action may be a very serious crim-
inal or civil offense in your jurisdiction, the act may not be an offense in their
country. In effect, in their jurisdiction they are doing nothing wrong.
As an investigator, be aware there may be more than one offense occurring
at the same time. While you are responding to a certain form of cybercrime, this
may be merely a distraction to divert the attention of the Incident Response (IR)
security team, as the attacker’s main goal may be elsewhere on the network. For
example, there may be an attack against the company web server, and while the
IR team is focused on mitigating this attack, the criminal can be stealing data
from the email server or corporate database.
The remainder of this chapter provides examples of different forms of cyber-
criminal offending followed by a brief explanation. These are not listed as spe-
cific offenses, as each jurisdiction will have different wording for these activities
and there may be multiple offenses you can identify from a single description.
POTENTIAL CYBERCRIME OFFENSES
Each of the following sections will provide some consideration the investigator
may think about to support their investigation. There will be replication across
the offenses; however, the comments are presented to provide a few thoughts
to advance your investigation.
Industrial Espionage
This offense is also sometimes called corporate espionage. This is a standard
form of cybercrime, with the criminal breaking through the defenses of a com-
pany to locate the Intellectual Property (IP) for sale or their own use. A com-
petitor may itself conduct the attack, or the attack may be random, with the
criminal breaking in to see what they can find and exploit. This offense has well
predated the Internet, with insiders being used to steal IP or documents being
stolen from trash bins after being discarded.
As companies develop new products, competitors may find a strategic
advantage in knowing where their competition is planning on being in
12 months. The theft of strategy and development plans allows the attacker to
develop their countermeasures, saving years of development and expense in
new product design.
Specific IP may be submitted for patent by the developer, ensuring a level
of industry protection against it being copied by competitors. However, should
the IP be stolen prior to the patent being issued and then submitted for patent
by the thief, complicated and expensive court cases or even overall loss of the
developed IP may result.
Along with corporate IP, tender documents, which are due to be
submitted in the following days, are a valuable target. With this infor-
mation the business competitor who initiated or contracted a hacker
to undertake the attack on their behalf may update their documents
to increase their chances of winning the tender against the victim
company.
Investigator Considerations
Industrial or economic espionage is a very serious criminal offense, as the future
of the victim company may be at stake. Companies put very serious money into
the development of IP, and having it stolen by competitors or put up for sale
to the highest bidder will cause very serious stress to the complainants. In the
instance of public companies, disclosure of IP being stolen may have a negative
effect on their share value.
As the investigator at the scene, always respect and understand the stress of
the company executives and owners. Identify who may benefit from the theft of
the IP, such as competitors or new companies seeking to establish themselves.
It may be of benefit to contract with a company that specializes in operating in

the criminal markets to identify whether it comes up for sale.
Do not discount the potential for an internal employee to be the party
taking the IP and seeking to establish them in a rival business in the near
future. If the IP is of significant financial value and not patented, recommend
to the complainant that they still go through this process, as they will have
the product development history to support their claim as to ownership
of the IP.
An investigation such as this may need to be conducted into the future in
a monitoring phase, as the complainant monitors who in the industry devel-
ops a product very similar to their IP or seeks to patent it. This now provides
you with a reverse starting point with a suspect. By this time you will have con-
ducted your initial investigations; when a suspect has been identified, you may
resurrect your investigation with a suspect in mind. This is equally applicable
if the suspect was involved in the initial theft of the IP or purchased it through
the criminal markets.
Theft of Information Such as Identities, Staff Files, and

Accounts
Similar to industrial espionage, this may be a specifically targeted or random
attack. The identities may be sold online, held for later exploitation, or sold back
to the company as a ransom. These attacks may be internal or external to the
network.
Examples of Personally Identifiable Information (PII) stolen include
names, addresses, Social Security numbers, passwords, phone numbers, email
accounts, credit card numbers, next-of-kin details, mother’s maiden name,
and so on. The value of this information to the attacker is that it may be useful
in creating databases on persons of specific interest within the organization;
other data can then be located through open source investigation (such as
social media) to develop a more detailed profile of the individual. The profile
may be used to commit identify theft against the organization or a financial
institution, or sold on the criminal markets as a product.
Although this is a very common crime, with hundreds of millions of identities
and credit card details stolen every year, the consequences to victims are
not lessened. There is a saying in the law that you take your victims as you
find them, and while one victim of identity or credit card fraud may take the
news and move on without concern, another may suffer severe financial and
emotional stress.
As a very general although not exclusive rule, stolen identities are sold on
the criminal markets. Investigating in this environment is the task of a very
skilled and experienced investigator, and if you do not have these skills, seek
them elsewhere, as these cybercriminals employ countersurveillance, which
you need to avoid.
The evidence you will locate may come from the initial investigation of the
digital evidence. Did the cybercriminal proceed straight to this evidence or did
they navigate their pathway through the network before locating this evidence?
Look at the business of the victim company and whether it is a company whose
collection of such information is a byproduct of its core business or actually
the core business itself, such as being a payment gateway. This information will
assist in understanding the attacker’s motivations and the type of cybercrimi-
nal you are seeking.
Chapter 15 will provide more information as to conducting investigations
in this environment and evidence you may locate through criminal vendors.
Computer Hacking to Gain Access to System Resources

Corporations and educational and governmental organizations have access
to large and powerful computer systems with processors and bandwidth. An
attacker may break into a system to host a criminal site (such as a fraudulent
online pharmacy) or to use the bandwidth to launch a Denial of Service
(DoS) attack against another target. Alternatively, they may seek to use these
resources to mine Bitcoin.
This form of attack may be lost in the traffic of normal day-to-day activ-
ity where there is a high volume of activity on internal and external networks;
however, use of the bandwidth resources confers a cost to the victim company.
This is a unique form of investigation, as many victims of this form of cyber-
crime do not make complaints due to the potential for reputational damage. If
you are entrusted to investigate these crimes, look toward who is the benefi-
ciary of the offense, such as the online pharmacy or the Bitcoin miner. Details
about the compromise may also be of interest, as the obvious offense may be the
byproduct of an initial hack seeking IP and student/staff details.
Academic institutes are a haven for valuable IP being developed by
postgraduate and doctoral students, which is highly prized by nation states,
especially in fields such as robotics, artificial intelligence, and nanotechnology.

Look very closely at what else the cybercriminal was doing, especially before
the takeover of the infrastructure, and do not focus exclusively on the most
obvious offending you have been tasked to investigate.
Gaining or Exceeding Authorized Access Levels to Obtain

Highly Restricted Data
Users of a network may seek to increase their level of access to highly confiden-
tial data. Alternatively, a hacker may gain a user’s credentials within the orga-
nization and work on escalating their access to the confidential data through
compromising accounts associated to the user. For example, a hacker may gain
access to the personnel clerk’s internal account, then use this to gain access to
their supervisor’s account, then use this to gain access to the personnel man-
ager’s account, and so on.
This is a major concern for all organizations and government agencies and
their contractors who have been compromised in this manner.
Escalating privileges involves navigating a pathway through a series of users’
accounts from low to higher levels to find where users gain access to confiden-
tial data. You may have to work backwards from the point of identification of
the breach to find whose account was compromised in the first instance and
how this was achieved. This will provide evidence of the attacker entering the
organization and gaining the lowest levels of privilege. You may, for example,
find a link between the attacker’s Internet Protocol address found at the initial
compromise of the junior personnel clerk’s account and the Internet Protocol
address the stolen data was forwarded to.
Understanding pre-offense behaviors, including reconnaissance, testing of
vulnerabilities, and phishing attacks, may provide details about offender behav-
ior and attribution.
Exploiting Information Security Weaknesses through the

Supply Chain, Including Third-Party Contractors
Third-party contractors often fail to provide the level of security their client is
capable of providing. For example, independent contractors in Hollywood may
have been the ones hacked when movies are taken and held for extortion prior
to release to the public. The criminals have determined it is easier to hack into
the computer of a contractor rather than a major Hollywood studio, which has
more resources to defend itself.
Look closely at what was taken and who may benefit from the attack. In the
example given of a Hollywood contractor, look to see whether the offender went
directly to the IP or whether the IP was only located as a byproduct of examining
the system.
While we may think cybercriminals are very structured, motivated, and
skilled types of people, sometimes they are lucky and stumble across very valu-
able IP without initially understanding the target they are hacking. In effect,
they got lucky.
Stealing Credit Card Data for Selling Online,

or Card-Not-Present Fraud
These attacks deliberately target credit card information for exploitation or for
selling online through the criminal trading markets. This information includes
names, addresses, credit card numbers, dates of birth, next of kin, phone num-
bers, and so on.
The card numbers are used to purchase goods from online retailers
using Internet services, with the cybercriminal having the goods delivered
to a predetermined address. This may be an unknowing colleague’s address,
work address, rental property, or a pickup point that specializes in receiving
parcels for clients, as some postal services operate. This is known to retailers as
“card-not-present” fraud and carries a significant financial cost for the retailer,
as the credit card company reverses the charge to the retailer.
As an alternative, a cybercriminal may sell information from the cards to
clients as a bulk item, charging per unit or at a volume discount. Should the
information be from cards of particular value, such as an American Express
Platinum card, it may be sold individually at a negotiated price.
These tend to be large-volume crimes, with hundreds of millions of credit cards
available for sale online in the criminal markets. As mentioned previously, do
not even consider going onto the criminal markets unless you are very skilled
in online tradecraft, or even better, have brought in cyber investigator who is
experienced in this field.
Another random document with
no related content on Scribd:
Sec. 3. In the prosecution of slaves for crimes of higher grade than
petit larceny, the legislature shall have no power to deprive them of
an impartial trial by a petit jury.
Sec. 4. Any person who shall maliciously dismember, or deprive a
slave of life, shall suffer such punishment as would be inflicted in
case the like offence had been committed on a free white person, and
on the like proof, except in case of insurrection of such slave.
Free Negroes.
Bill of Rights, Sec. 23. Free negroes shall not be allowed to live in
this state under any circumstances.
Article VIII.—Elections and Rights of Suffrage.
Sec. 1. Every male citizen of the United States, above the age of
twenty-one years, having resided in this state one year, and in the
county, city, or town in which he may offer to vote, three months
next preceding any election, shall have the qualifications of an
elector, and be entitled to vote at all elections. And every male citizen
of the United States, above the age aforesaid, who may be a resident
of the state at the time this constitution shall be adopted, shall have
the right of voting as aforesaid; but no such citizen or inhabitant
shall be entitled to vote except in the county in which he shall
actually reside at the time of the election.
The Topeka Constitution.
The following are the political features of the Topeka constitution:
Slavery.
Bill of Rights, Sec. 6. There shall be no slavery in this state, nor

involuntary servitude, unless for the punishment of crime.
Amendments to the Constitution.
Sec. 1. All propositions for amendments to the constitution shall

be made by the General Assembly.
Sec. 2. A concurrence of two-thirds of the members elected to each
house shall be necessary, after which such proposed amendments
shall be again referred to the legislature elected next succeeding said
publication. If passed by the second legislature by a majority of two-
thirds of the members elected to each house, such amendments shall
be republished as aforesaid, for at least six months prior to the next
general election, at which election such proposed amendments shall
be submitted to the people for their approval or rejection; and if a
majority of the electors voting at such election shall adopt such
amendments, the same shall become a part of the constitution.
Sec. 3. When more than one amendment is submitted at the same
time, they shall be so submitted as to enable the electors to vote upon
each amendment separately. No convention for the formation of a
new constitution shall be called, and no amendment to the
constitution shall be, by the general assembly, made before the year
1865, nor more than once in five years thereafter.
Submission of Constitution to the People.
Schedule, Sec. 2. That this constitution shall be submitted to the

people of Kansas for ratification on the 15th day of December next.
That each qualified elector shall express his assent or dissent to the
constitution by voting a written or printed ticket, labelled
“Constitution,” or “No Constitution;” which election shall be held by
the same judges, and conducted under the same regulations and
restrictions as is hereinafter provided for the election of members of
the general assembly.
The Douglas Amendment.
The following is the Douglas amendment, which really formed the

basis of the bill for admission:
“It being the true intent and meaning of this act not to legislate
slavery into any state or territory, nor to exclude it therefrom, but to
leave the people thereof perfectly free to form and regulate their
domestic institutions in their own way, subject only to the
Constitution of the United States.”
The bill which passed on the 4th of May was known as the English
bill, and it met the approval of Buchanan. To the measure was
attached “a fundamental condition precedent,” which arose from the
fact that the ordinance of the convention accompanying the
constitution claimed for the new State a cession of the public lands
six times greater than had been granted to other States, amounting
in all to 23,500,000 acres. In lieu of this Congress proposed to
submit to a vote of the people a proposition specifying the number of
acres and the purposes for which the money arising from their sale
were to be used, and the acceptance of this was to be followed by a
proclamation that “thereafter, and without further proceedings from
Congress the admission of the State of Kansas, into the Union, upon
an equal footing with the original States in all respects whatever,
shall be complete and absolute.” The condition was never fulfilled,
for the people at the election on the 2d of August, 1858, rejected it by
a majority of 9,513, and Kansas was not admitted under the
Lecompton constitution.
Finally, and after continued agitation, more peaceful, however,
than that which characterized the earlier stages of the struggle, the
territorial legislature of Kansas called an election for delegates to
meet and form a constitution. They assembled in convention at
Wyandot, in July, 1859, and reported a constitution prohibiting
slavery. This was adopted by a majority exceeding 4000, and under it
Kansas was admitted to the Union on the 29th of January, 1861.
The comparative quiet between the rejection of the English
proposition and the adoption of the Wyandot constitution, was at
one time violently disturbed by a raid made by John Brown at
Harper’s Ferry, with a view to excite the slaves to insurrection. This
failed, but not before Gov. Wise, of Virginia, had mustered his
militia, and called for the aid of United States troops. The more
radical anti-slavery men of the North were at first shocked by the
audacity of an offense which many looked upon as an act of treason,
but the anxiety oi Virginia to hang Brown and all his followers who
had been captured alive, changed a feeling of conservatism in the
North to one of sympathy for Brown and deeper hatred of slavery. It
is but fair to say that it engendered hostility to the Union in the
South. The right and wrong of slavery was thereafter more generally
discussed than ever. The talent of the South favored it; while, with at
least a large measure of truth it can be said that the talent of the
North opposed it. So bitter grew the feeling that soon the churches of
the sections began to divide, no other political question having ever
before disturbed the Union.
We have not pretended to give a complete history of the Kansas
trouble either in that State or in Congress, nor yet a full history of the
many issues raised on questions which were but subsidiary to the
main one of slavery. Our object is to show the relation of the political
parties throughout that struggle, for we are dealing with the history
of parties from a national view, and not with battles and the minor
questions or details of parliamentary struggles. The contest had
cemented the Democrats of the South as it had the Republicans of
the North; it divided both the Democrats of the North and the
Americans in all sections. John Bell, of Tennessee, and Sam Houston
of Texas, recognized leaders of the Americans, had shown their
sympathy with the new stand taken by Douglas, as early as 1854.
Bell, however, was less decided than Houston, and took his position
with many qualifications. Houston opposed even the repeal of the
Missouri Compromise, and made the last speech against it in the
Senate. He closed with these words:
“In the discharge of my duty I have acted fearlessly. The events of
the future are left in the hands of a wise Providence, and, in my
opinion, on the decision which we make upon this question must
depend union or disunion.”
These sentiments were shared by many Americans, and the great
majority of them drifted into the Republican party. The Abolitionists
from the beginning of the struggle, allied themselves with the
Republicans, a few of their leaders proclaiming, however, that this
party was not sufficiently advanced in its views.
The Charleston Convention.
Such was the condition of the parties when the Democratic

national convention met at Charleston, S. C., on the 23d of April,
1860, it being then the custom of the Democratic party, as it is of all
majority parties, to call its convention first. It was composed of
delegates from all the thirty-three States of the Union, the whole
number of votes being 303. After the example of former Democratic
conventions it adopted the two-third rule, and 202 votes were
required to make nominations for President and Vice-President.
Caleb Cushing, of Mass., presided. From the first a radical difference
of opinion was exhibited among the members on the question of
slavery in the Territories. Almost the entire Southern and a minority
of the Northern portion believed in the Dred Scott decision, and held
that slave property was as valid under the constitution as any other
class of property. The Douglas delegates stood firmly by the theory of
popular sovereignty, and avowed their indifference to the fact
whether it would lead to the protection of slave property in the
territories or not. On the second day a committee on resolutions
consisting of one member from each State, selected by the State
delegates, was named, and then a resolution was resolved
unanimously “that this convention will not proceed to ballot for a
candidate for the Presidency until the platform shall have been
adopted.” On the fifth day the committee on resolutions presented
majority and minority reports.
After a long discussion on the respective merits of the two reports,
they were both, on motion of Mr. Bigler, of Pennsylvania,
recommitted to the Committee on Resolutions, with a view, if
possible, to promote harmony; but this proved to be impracticable.
On the sixth day of the Convention (Saturday, April 28th,) at an
evening session, Mr. Avery, of North Carolina, and Mr. Samuels, of
Iowa, from the majority and minority of the committee, again made
opposite and conflicting report on the question of slavery in the
Territories. On this question the committee had divided from the
beginning, the one portion embracing the fifteen members from the
slaveholding States, with those from California and Oregon, and the
other consisting of the members from all the free States east of the
Rocky Mountains. On all other questions both reports substantially
agreed.
The following is the report of the majority made on this subject by
Mr. Avery, of North Carolina, the chairman of the committee:
“Resolved, That the platform adopted by the Democratic party at
Cincinnati be affirmed with the following explanatory resolutions:
1st. That the Government of a Territory, organized by an act of
Congress, is provisional and temporary, and during its existence all
citizens of the United States have an equal right to settle with their
property in the Territory, without their rights, either of person or
property, being destroyed or impaired by Congressional or
Territorial legislation. 2d. That it is the duty of the Federal
Government, in all its departments, to protect, when necessary, the
rights of persons and property in the Territories, and wherever else
its constitutional authority extends. 3d. That when the settlers in a
Territory having an adequate population form a State Constitution,
the right of sovereignty commences, and being consummated by
admission into the Union, they stand on an equal footing with the
people of other States, and the State thus organized ought to be
admitted into the Federal Union whether its constitution prohibits or
recognizes the institution of slavery.”
The following is the report of the minority, made by Mr. Samuels,
of Iowa. After reaffirming the Cincinnati platform by the first
resolution, it proceeds: “Inasmuch as differences of opinion exist in
the Democratic party, as to the nature and extent of the powers of a
Territorial Legislature, and as to the powers and duties of Congress,
under the Constitution of the United States, over the institution of
slavery within the Territories, Resolved, That the Democratic party
will abide by the decisions of the Supreme Court of the United States
upon questions of constitutional law.”
After some preliminary remarks, Mr. Samuels moved the adoption
of the minority report as a substitute for that of the majority. This
gave rise to an earnest and excited debate. The difference between
the parties was radical and irreconcilable. The South insisted that the
Cincinnati platform, whose true construction in regard to slavery in
the Territories had always been denied by a portion of the
Democratic party, should be explained and settled by an express
recognition of the principles decided by the Supreme Court. The
North, on the other hand, refused to recognize this decision, and still
maintained the power to be inherent in the people of a Territory to
deal with the question of slavery according to their own discretion.
The vote was then taken, and the minority report was substituted for
that of the majority by a vote of one hundred and sixty-five to one
hundred and thirty-eight. The delegates from the six New England
States, as well as from New York, Ohio, Indiana, Illinois, Michigan,
Wisconsin, Iowa, and Minnesota, fourteen free States, cast their
entire vote in favor of the minority report. New Jersey and
Pennsylvania alone among the free States east of the Rocky
Mountains, refused to vote as States, but their delegates voted as
individuals.
The means employed to attain this end were skillfully devised by
the minority of the Pennsylvania delegation in favor of nominating
Mr. Douglas. The entire delegation had, strangely enough, placed
this power in their hands, by selecting two of their number, Messrs.
Cessna and Wright, to represent the whole on the two most
important committees of the Convention—that of organization and
that of resolutions. These gentlemen, by adroitness and
parliamentary tact, succeeded in abrogating the former practice of
casting the vote of the State as a unit. In this manner, whilst New
York indorsed with her entire thirty-five votes the peculiar views of
Mr. Douglas, notwithstanding there was in her delegation a majority
of only five votes in their favor on the question of Territorial
sovereignty, the effective strength of Pennsylvania recognizing the
judgment of the Supreme Court, was reduced to three votes, this
being the majority of fifteen on the one side over twelve on the other.
The question next in order before the Convention was upon the
adoption of the second resolution of the minority of the committee,
which had been substituted for the report of the majority. On this
question Georgia, Louisiana, Alabama, Arkansas, Texas, Florida, and
Mississippi refused to vote. Indeed, it soon appeared that on the
question of the final adoption of this second resolution, which in fact
amounted to nothing, it had scarcely any friends of either party in
the Convention. The Douglas party, without explanation or addition,
voted against it. On the other hand, the old Democracy could not
vote for it without admitting that the Supreme Court had not already
placed the right over slave property in the Territories on the same
footing with all other property, and therefore they also voted against
it. In consequence the resolution was negatived by a vote of only
twenty-one in its favor to two hundred and thirty-eight. Had the
seven Southern States just mentioned voted, the negatives would
have amounted to two hundred and eighty-two, or more than
thirteen to one. Thus both the majority and the minority resolutions
on the Territorial question were rejected, and nothing remained
before the Convention except the Cincinnati platform.
At this stage of the proceedings (April 30th), the States of
Louisiana, Alabama, South Carolina, Mississippi, Florida, Texas, and
Arkansas, having assigned their reasons for the act, withdrew in
succession from the Convention. After these seven States had retired,
the delegation from Virginia made an effort to restore harmony. Mr.
Russell, their chairman, addressed the Convention and portrayed the
alarming nature of the crisis. He expressed his fears that we were on
the eve of a revolution, and if this Convention should prove a failure
it would be the last National Convention of any party which would
ever assemble in the United States. “Virginia,” said he, “stands in the
midst of her sister States, in garments red with the blood of her
children slain in the first outbreak of the ‘irrepressible conflict.’ But,
sir, not when her children fell at midnight beneath the weapon of the
assassin, was her heart penetrated with so profound a grief as that
which will wring it when she is obliged to choose between a separate
destiny with the South, and her common destiny with the entire
Republic.”
Mr. Russell was not then prepared to answer, in behalf of his
delegation, whether the events of the day (the defeat of the majority
report, and the withdrawal of the seven States) were sufficient to
justify her in taking the irrevocable step in question. In order,
therefore, that they might have time to deliberate, and if they
thought proper make an effort to restore harmony in the Convention,
he expressed a desire that it might adjourn and afford them an
opportunity for consultation. The Convention accordingly adjourned
until the next day, Tuesday, May 1st; and immediately after its
reassembling the delegation from Georgia, making the eighth State,
also withdrew.
In the mean time the Virginia delegation had consulted among
themselves, and had conferred with the delegation of the other
Southern States which still remained in the Convention, as to the
best mode of restoring harmony. In consequence Mr. Howard, of
Tennessee, stated to the Convention that “he had a proposition to
present in behalf of the delegation from Tennessee, whenever, under
parliamentary rules, it would be proper to present it.” In this
Tennessee was joined by Kentucky and Virginia. He should propose
the following resolution whenever it would be in order: ‘Resolved,
That the citizens of the United States have an equal right to settle
with their property in the Territories of the United States; and that,
under the decision of the Supreme Court of the United States, which
we recognize as the correct exposition of the Constitution of the
United States, neither the rights of person nor property can be
destroyed or impaired by Congressional or Territorial legislation.’
On a subsequent day (May 3d), Mr. Russell informed the
Convention that this resolution had, “he believed, received the
approbation of all the delegations from the Southern States which
remained in the Convention, and also received the approbation of the
delegation from New York. He was informed there was strength
enough to pass it when in order.”
Mr. Howard, however, in vain attempted to obtain a vote on his
resolution. When he moved to take it up on the evening of the day it
had been offered, he was met by cries of “Not in order,” “Not in
order.” The manifest purpose was to postpone its consideration until
the hour should arrive which had been fixed by a previous order of
the Convention, in opposition to its first order on the same subject,
for the balloting to commence for a Presidential candidate, when it
would be too late. This the friends of Mr. Douglas accomplished, and
no vote was ever taken upon it either at Charleston or Baltimore.
Before the balloting commenced Mr. Howard succeeded, in the
face of strong opposition, with the aid of the thirty-five votes from
New York, in obtaining a vote of the Convention in re-affirmance of
the two-thirds rule. On his motion they resolved, by 141, to 112 votes,
“that the President of the Convention be and he is hereby directed
not to declare any person nominated for the office of President or
Vice-President, unless he shall have received a number of votes equal
to two-thirds of the votes of all the electoral colleges.” It was well
known at the time that this resolution rendered the regular
nomination of Mr. Douglas impossible.
The balloting then commenced (Tuesday evening, May 1st), on the
eighth day of the session. Necessary to a nomination, under the two-
thirds rule, 202 votes. On the first ballot Mr. Douglas received 145½
votes; Mr. Hunter, of Virginia, 42; Mr. Guthrie, of Kentucky, 35½;
Mr. Johnson, of Tennessee, 12; Mr. Dickinson, of New York, 7; Mr.
Lane, of Oregon, 6; Mr. Toucey, of Connecticut, 2½; Mr. Davis, of
Mississippi, 1½; and Mr. Pearce, of Maryland, 1 vote.
The voting continued until May 3d, during which there were fifty-
four additional ballotings. Mr. Douglas never rose to more than
152½, and ended in 151½ votes, 202 votes being necessary to a
nomination.
Until 1824 nominations had been made by Congressional caucus.
In these none participated except Senators and Democratic States,
and Representatives from Democratic Congressional districts. The
simple majority rule governed in these caucuses, because it was
morally certain that, composed as they were, no candidate could be
selected against the will of the Democratic States on whom his
election depended. But when a change was made to National
Conventions, it was at once perceived that if a mere majority could
nominate, then the delegates from Anti-Democratic States might be
mainly instrumental in nominating a candidate for whom they could
not give a single electoral vote. Whilst it would have been harsh and
inexpedient to exclude these States from the Convention altogether,
it would have been unjust to confer on them a controlling power over
the nomination. To compromise this difficulty, the two-thirds rule
was adopted. Under its operation it would be almost impossible that
a candidate could be selected, without the votes of a simple majority
of delegates from the Democratic States. This was the argument of its
friends.
It had now become manifest that it was impossible to make a
nomination at Charleston. The friends of Mr. Douglas adhered to
him and would vote for him and him alone, whilst his opponents,
apprehending the effect of his principles should he be elected
President, were equally determined to vote against his nomination.
In the hope that some compromise might yet be effected, the
Convention, on the motion of Mr. Russell, of Virginia, resolved to
adjourn to meet at Baltimore on Monday, the 18th June; and it was
“respectfully recommended to the Democratic party of the several
States, to make provision for supplying all vacancies in their
respective delegations to this Convention when it shall reassemble.”
The Convention reassembled at Baltimore on the 18th June, 1860,
according to its adjournment, and Mr. Cushing, the President, took
the chair.
Immediately after the reorganization of the Convention, Mr.
Howard, of Tennessee, offered a resolution, “that the President of
this Convention direct the sergeant-at-arms to issue tickets of
admission to the delegates of the Convention, as originally
constituted and organized at Charleston.” Thus the vitally important
question was distinctly presented. It soon, however, became manifest
that no such resolution could prevail. In the absence of the delegates
who had withdrawn at Charleston, the friends of Mr. Douglas
constituted a controlling majority. At the threshold they resisted the
admission of the original delegates, and contended that by
withdrawing they had irrevocably resigned their seats. In support of
this position, they relied upon the language of the resolution
adjourning the Convention to Baltimore, which, as we have seen,
“recommended to the Democratic party of the several States to make
provision for supplying all vacancies in their respective delegations
to this Convention, when it shall reassemble.” On the other hand, the
advocates of their readmission contended that a simple withdrawal
of the delegates was not a final renunciation of their seats, but they
were still entitled to reoccupy them, whenever, in their judgment,
this course would be best calculated to restore the harmony and
promote the success of the Democratic party; that the Convention
had no right to interpose between them and the Democracy of their
respective States; that being directly responsible to this Democracy,
it alone could accept their resignation; that no such resignation had
ever been made, and their authority therefore continued in full force,
and this, too, with the approbation of their constituents.
In the mean time, after the adjournment from Charleston to
Baltimore, the friends of Mr. Douglas, in several of these States, had
proceeded to elect delegates to take the place of those who had
withdrawn from the Convention. Indeed, it was manifest at the time,
and has since been clearly proved by the event, that these delegates
represented but a small minority of the party in their respective
States. These new delegates, nevertheless, appeared and demanded
seats.[7]
After a long and ardent debate, the Convention adopted a
resolution, offered by Mr. Church, of New York, and modified on
motion of Mr. Gilmore, of Pennsylvania, as a substitute for that of
Mr. Howard, to refer “the credentials of all persons claiming seats in
this Convention, made vacant by the secession of delegates at
Charleston, to the Committee on Credentials.” They thus prejudged
the question, by deciding that the seats of these delegates had been
made and were still vacant. The Committee on Credentials had been
originally composed of one delegate from each of the thirty-three
States, but the number was now reduced to twenty-five, in
consequence of the exclusion of eight of its members from the States
of Georgia, Alabama, Mississippi, South Carolina, Texas, Louisiana,
Arkansas, and Florida. The committee, therefore, now stood 16 to 9
in favor of the nomination of Mr. Douglas, instead of 17 to 16 against
it, according to its original organization.
The committee, through their chairman, Mr. Krum, of Missouri,
made their report on the 21st June, and Governor Stevens, of
Oregon, at the same time presented a minority report, signed by
himself and eight other members.
It is unnecessary to give in detail these conflicting reports. It is
sufficient to state that whilst the report of the majority maintained
that the delegates, by withdrawing at Charleston, had resigned their
seats, and these were still vacant; that of the minority, on the
contrary, asserted the right of these delegates to resume their seats in
the Convention, by virtue of their original appointment.
On the next day (June 22), the important decision was made
between the conflicting reports. Mr. Stevens moved to substitute the
minority report for that of the majority, and his motion was rejected
by a vote of 100½ to 150. Of course no vote was given from any of
the excluded States, except one-half vote from each of the parties in
Arkansas.
The resolutions of the majority were then adopted in succession.
Among other motions of similar character, a motion had been made
by a delegate in the majority to reconsider the vote by which the
Convention had adopted the minority report, as a substitute for that
of the majority, and to lay his own motion on the table. This is a
common mode resorted to, according to parliamentary tactics, of
defeating every hope of a reconsideration of the pending question,
and rendering the first decision final.
Mr. Cessna with this view called for a vote on laying the motion to
reconsider on the table. Should this be negatived, then the question
of reconsideration would be open. The President stated the question
to be first “on laying on the table the motion to reconsider the vote by
which the Convention refused to amend the majority report of the
Committee on Credentials by substituting the report of the
minority.” On this question New York, for the first time since the
meeting at Baltimore, voted with the minority and changed it into a
majority. “When New York was called,” says the report of the
proceedings, “and responded thirty-five votes” (in the negative) “the
response was greeted with loud cheers and applause.” The result of
the vote was 113½ to 138½—“so the Convention refused to lay on
the table the motion to reconsider the minority report.” The
Convention then adjourned until evening, on motion of Mr.
Cochrane, of New York, amidst great excitement and confusion.
This vote of New York, appearing to indicate a purpose to
harmonize the party by admitting the original delegates from the
eight absent States, was not altogether unexpected. Although voting
as a unit, it was known that her delegation were greatly divided
among themselves. The exact strength of the minority was
afterwards stated by Mr. Bartlett, one of its members, in the
Breckinridge Convention. He said: “Upon all questions and
especially upon the adoption of the majority report on credentials, in
which we had a long contest, the line was strictly drawn, and there
were thirty on one side and forty on the other.”
The position of New York casting an undivided vote of thirty-five,
with Dean Richmond at their head, had been a controlling power
from the commencement.
Strong expectations were, therefore, now entertained that after the
New York delegation had recorded their vote against a motion which
would have killed the minority report beyond hope of revival, they
would now follow this up by taking the next step in advance and
voting for its reconsideration and adoption. On the evening of the
very same day, however, they reversed their course and voted against
its reconsideration. They were then cheered by the opposite party
from that which had cheered them in the morning. Thus the action of
the Convention in favor of the majority report became final and
conclusive.
Mr. Cessna, of Pennsylvania, at once moved “that the Convention
do now proceed to nominate candidates for President and Vice-
President of the United States.”
Mr. Russell rose and stated, “It has become my duty now, by
direction of a large majority of the delegation from Virginia,
respectfully to inform you and this body, that it is not consistent with
their convictions of duty to participate longer in its deliberations.”
Mr. Lander next stated “that it became his duty, as one of the
delegates from North Carolina, to say that a very large majority of the
delegation from that State were compelled to retire permanently
from this Convention, on account, as he conceived, of the unjust
course that had been pursued toward some of their fellow-citizens of
the South. The South had heretofore relied upon the Northern
Democracy to give them the rights which were justly due them; but
the vote to-day had satisfied the majority of the North Carolina
delegation that these rights were now refused them, and, this being
the case, they could no longer remain in the Convention.”
Then followed in succession the withdrawal of the delegations
from Tennessee, Kentucky, Maryland, California, Oregon, and
Arkansas. The Convention now adjourned at half-past-ten o’clock
until the next morning at ten.
Soon after the assembling of the Convention, the President, Mr.
Cushing, whilst tendering his thanks to its members for their candid
and honorable support in the performance of his duties, stated that
notwithstanding the retirement of the delegations of several of the
States at Charleston, in his solicitude to maintain the harmony and
union of the Democratic party, he had continued in his post of labor.
“To that end and in that sense,” said he, “I had the honor to meet
you, gentlemen, here at Baltimore. But circumstances have since
transpired which compel me to pause. The delegations of a majority
of the States have, either in whole or in part, in one form or another,
ceased to participate in the deliberations of the Convention. * * * In
the present circumstances, I deem it a duty of self-respect, and I
deem it still more a duty to this Convention, as at present
organized, * * * to resign my seat as President of this Convention, in
order to take my place on the floor as a member of the delegation
from Massachusetts. * * * I deem this above all a duty which I owe to
the members of this Convention, as to whom no longer would my
action represent the will of a majority of the Convention.”
Governor Tod, of Ohio, one of the Vice-Presidents, then took the
vacant chair, and was greeted with hearty and long-continued cheers
and applause from members of the Convention.
Mr. Butler, of Massachusetts, now announced that a portion of the
Massachusetts delegation desired to retire, but was interrupted by
cries of “No,” “No,” “Call the roll.” Mr. Cessna called for the original
question, to wit, that the Convention now proceed to a nomination
for President and Vice-President.
The President here ordered the Secretary to call the States. Maine,
New Hampshire, and Vermont were called, and they gave an
unbroken vote for Stephen A. Douglas. When Massachusetts was
called, Mr. Butler rose and said he had a respectful paper in his hand
which he would desire the President to have read. A scene of great
confusion thereupon ensued, cries of “I object” being heard upon all
sides. Mr. Butler, not to be baffled, contended for his right at this
stage to make remarks pertinent to the matter, and cited in his
support the practice of the Conventions at Baltimore in 1848 and
1852, and at Cincinnati in 1856. He finally prevailed, and was
permitted to proceed. He then said he “would now withdraw from
the Convention, upon the ground that there had been a withdrawal,
in whole or in part, of a majority of the States; and further, which
was a matter more personal to himself, he could not sit in a
convention where the African slave trade, which was piracy
according to the laws of his country, was openly advocated.”
Mr. Butler then retired, followed by General Cushing and four
others of the Massachusetts delegation. All of these had voted with
the South and against Douglas.
The balloting now proceeded. Mr. Douglas received 173½ votes;
Mr. Guthrie 9; Mr. Breckinridge 6½; Mr. Bocock and Mr. Seymour
each 1; and Mr. Dickerson and Mr. Wise each half a vote. On the next
and last ballot Mr. Douglas received 181½ votes, eight of those in the
minority having changed their votes in his favor.
To account for this number, it is proper to state that a few
delegates from five of the eight States which had withdrawn still
remained in the Convention. On the last ballot Mr. Douglas received
all of their votes, to wit: 3 of the 15 votes of Virginia, 1 of the 10 votes
of North Carolina, 1½ of the 3 votes of Arkansas, 3 of the 12 votes of
Tennessee, 3 of the 12 votes of Kentucky, and 2½ of the 8 votes of
Maryland, making in the aggregate 14 votes. To this number may be
added the 9 votes of the new delegates from Alabama and the 6 from
Louisiana, which had been admitted to the exclusion of the original
delegates.
Mr. Douglas was accordingly declared to be the regular nominee of
the Democratic party of the Union, upon the motion of Mr. Church,
of New York, when, according to the report of the proceedings, “The
whole body rose to its feet, hats were waved in the air, and many
tossed aloft; shouts, screams, and yells, and every boisterous mode of
expressing approbation and unanimity, were resorted to.”
Senator Fitzpatrick, of Alabama, was then unanimously nominated
as the candidate for Vice-President; and the Convention adjourned
sine die on the 23d June, the sixth and last day of its session. On the
same day, but after the adjournment, Mr. Fitzpatrick declined the
nomination, and it was immediately conferred on Mr. Herschel V.
Johnson, of Georgia, by the Executive Committee. Thus ended the
Douglas Convention.
But another Convention assembled at Baltimore on the same 23d
June, styling itself the “National Democratic Convention.” It was
composed chiefly of the delegates who had just withdrawn from the
Douglas Convention, and the original delegates from Alabama and
Louisiana. One of their first acts was to abrogate the two-third rule,
as had been done by the Douglas Convention. Both acted under the
same necessity, because the preservation of this rule would have
prevented a nomination by either.
Mr. Cushing was elected and took the chair as President. In his
opening address he said: “Gentlemen of the Convention, we
assemble here, delegates to the National Democratic Convention,
duly accredited thereto from more than twenty States of the Union,
for the purpose of nominating candidates of the Democratic party for
the offices of President and Vice-President of the United States, for
the purpose of announcing the principles of the party, and for the
purpose of continuing and re-establishing that party upon the firm
foundations of the Constitution, the Union, and the co-equal rights
of the several States.”
Mr. Avery, of North Carolina, who had reported the majority
resolutions at Charleston, now reported the same from the
committee of this body, and they “were adopted unanimously, amid
great applause.”
The Convention then proceeded to select their candidates. Mr.
Loring, on behalf of the delegates from Massachusetts, who with Mr.
Butler had retired from the Douglas Convention, nominated John C.
Breckinridge, of Kentucky, which Mr. Dent, representing the
Pennsylvania delegation present, “most heartily seconded.” Mr.
Ward, from the Alabama delegation, nominated R. M. T. Hunter, of
Virginia; Mr. Ewing, from that of Tennessee, nominated Mr.
Dickinson, of New York; and Mr. Stevens, from Oregon, nominated
General Joseph Lane. Eventually all these names were withdrawn
except that of Mr. Breckinridge, and he received the nomination by a
unanimous vote. The whole number of votes cast in his favor from
twenty States was 103½.
General Lane was unanimously nominated as the candidate for
Vice-President. Thus terminated the Breckinridge Convention.
The Chicago Republican Convention.
The Republicans had named May 16th, 1860, as the date and
Chicago as the place for holding their second National Convention.
They had been greatly encouraged by the vote for Fremont and
Dayton, and, what had now become apparent as an irreconcilable
division of the Democracy, encouraged them in the belief that they
could elect their candidates. Those of the great West were especially
enthusiastic, and had contributed freely to the erection of an
immense “Wigwam,” capable of holding ten thousand people, at
Chicago. All the Northern States were fully represented, and there
were besides partial delegations from Delaware, Maryland,
Kentucky, Missouri and Virginia, with occasional delegates from
other Slave States, there being none, however, from the Gulf States.
David Wilmot, of Penna., author of the Wilmot proviso, was made
temporary chairman, and George Ashmun, of Mass., permanent
President. No differences were excited by the report of the committee
on platform, and the proceedings throughout were characterized by
great harmony, though there was a somewhat sharp contest for the
Presidential nomination. The prominent candidates were Wm. H.
Seward, of New York; Abraham Lincoln, of Illinois; Salmon P. Chase,
of Ohio; Simon Cameron, of Pennsylvania, and Edward Bates, of
Missouri. There were three ballots, Mr. Lincoln receiving in the last
354 out of 446 votes. Mr. Seward led the vote at the beginning, but
he was strongly opposed by gentlemen in his own State as prominent
as Horace Greeley and Thurlow Weed, and his nomination was
thought to be inexpedient. Lincoln’s successful debate with Douglas
was still fresh in the minds of the delegates, and every addition to his
vote so heightened the enthusiasm that the convention was finally
carried “off its feet,” the delegations rapidly changing on the last
ballot. Lincoln had been a known candidate but a month or two
before, while Seward’s name had been everywhere canvassed, and
where opposed in the Eastern and Middle States, it was mainly

Free Download Cybercrime Investigators Handbook Graeme Edwards Full Chapter PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Free Download Cybercrime Investigators Handbook Graeme Edwards Full Chapter PDF

Uploaded by

Copyright:

Available Formats

Cybercrime Investigators Handbook

About the Author xiii

Chapter 2: Cybercrime Offenses 9

Chapter 3: Motivations of the Attacker 29

Chapter 4: Determining That a Cybercrime Is Being

Chapter 5: Commencing a Cybercrime Investigation 47

Chapter 6: Legal Considerations When Planning

Chapter 7: Initial Meeting with the Complainant 65

Chapter 8: Containing and Remediating the Cyber

Chapter 9: Challenges in Cyber Security Incident

Chapter 10: Investigating the Cybercrime Scene 93

Chapter 11: Log File Identiﬁcation, Preservation,

Chapter 12: Identifying, Seizing, and Preserving Evidence

Chapter 13: Identifying, Seizing, and Preserving Evidence

Where Is Your Internet of Things Digital Evidence Located? 228

Chapter 14: Open Source Evidence 231

Chapter 15: The Dark Web 237

Chapter 16: Interviewing Witnesses and Suspects 243

Chapter 17: Review of Evidence 257

Chapter 18: Producing Evidence for Court 265

Chapter 19: Conclusion 273

Figure 10.1 Hard drive showing serial number as a unique

Dr. Graeme Edwards is a financial and cybercrime investigator located in

Professor David Lacey

I T IS APPROPRIATE to thank those who have supported the writing of

available to undertake an investigation and locate the offender. Police resources

their chosen cybercrimes, we gain an understanding of how the crime was

The cyber investigator will be involved in preserving evidence and in discussion

may now be gathered from anywhere there is a device connected to the

A glossary is also provided. It is prepared using nontechnical language, as

Internet connectivity, criminals started storing evidence of their crimes—such

POTENTIAL CYBERCRIME OFFENSES

It may be of benefit to contract with a company that specializes in operating in

Theft of Information Such as Identities, Staff Files, and

Computer Hacking to Gain Access to System Resources

especially in fields such as robotics, artificial intelligence, and nanotechnology.

Gaining or Exceeding Authorized Access Levels to Obtain

Exploiting Information Security Weaknesses through the

Stealing Credit Card Data for Selling Online,

Article VIII.—Elections and Rights of Suffrage.

The following are the political features of the Topeka constitution:

Bill of Rights, Sec. 6. There shall be no slavery in this state, nor

Amendments to the Constitution.

Sec. 1. All propositions for amendments to the constitution shall

Schedule, Sec. 2. That this constitution shall be submitted to the

The following is the Douglas amendment, which really formed the

Such was the condition of the parties when the Democratic

You might also like