Cyber Crime Investigations

Data retrieval

Internet based

If the case is internet based, finding the Internet Protocol (IP) addresses involved is your first step in the investigation. An IP address is a series of numbers and letters that is attached to any data moving through the internet. To retrieve the information behind an IP address from some Internet Service Providers (ISPs), you will need a subpoena, warrant, or court order compelling the company to release it.

What an IP address can reveal:

  • who owns and operates the network address,
  • associated domain name / computer name,
  • geolocation,
  • email addresses, and
  • local service provider identifier.
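As an added example (not part of the original guide), the script below shows the first step described above on a constructed web-server log: it pulls out every IPv4 and IPv6 address, separates those an ISP could attribute to a subscriber from private, loopback and link-local addresses that no ISP can resolve, and records the first and last timestamp each address was seen, since an ISP can only tie an address to a subscriber for a specific date and time. The log lines, field layout and address ranges used are assumptions made for the example; the sample addresses come from the documentation ranges, not from any real case.

```python
import ipaddress

# Constructed sample web-server log (not from any real system). Each line:
# timestamp host method path client_address user_agent
SAMPLE_LOG = """\
2024-03-02T10:15:31Z webserver GET /login 203.0.113.45 "Mozilla/5.0"
2024-03-02T10:15:32Z webserver POST /login 203.0.113.45 "Mozilla/5.0"
2024-03-02T10:16:07Z webserver GET /admin 10.0.0.7 "curl/8.0"
2024-03-02T10:17:44Z webserver GET /login 2001:db8::1a2b "Mozilla/5.0"
2024-03-02T10:18:01Z webserver GET /health 127.0.0.1 "probe"
2024-03-02T10:19:59Z webserver GET /login 198.51.100.9 "Mozilla/5.0"
"""

# Ranges no ISP can attribute to a subscriber: RFC 1918 private space,
# loopback and link-local for IPv4, and their IPv6 counterparts.
NOT_ATTRIBUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_attributable(addr):
    """True if the address lies outside the ranges listed above.

    A production version would also require addr.is_global; this constructed
    sample cannot satisfy that because it uses RFC 5737 / RFC 3849
    documentation ranges as stand-ins for real public addresses."""
    return not any(addr in net for net in NOT_ATTRIBUTABLE)


def classify(address_text):
    """Return 'external' (ask the ISP) or 'internal' (no ISP can resolve it)."""
    return "external" if is_attributable(ipaddress.ip_address(address_text)) else "internal"


def addresses_in_line(line):
    """Yield every whitespace-separated token that parses as an IP address."""
    for token in line.split():
        token = token.strip('"[],;')
        try:
            yield ipaddress.ip_address(token)
        except ValueError:
            continue


def triage_log(text):
    """Group addresses by attributability and record, for each one, the hit
    count and the earliest/latest timestamp seen (ISO timestamps with a 'Z'
    suffix sort correctly as strings)."""
    groups = {"external": {}, "internal": {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp = line.split()[0]
        for addr in addresses_in_line(line):
            bucket = groups[classify(str(addr))]
            entry = bucket.setdefault(
                str(addr), {"count": 0, "first_seen": timestamp, "last_seen": timestamp})
            entry["count"] += 1
            entry["first_seen"] = min(entry["first_seen"], timestamp)
            entry["last_seen"] = max(entry["last_seen"], timestamp)
    return groups


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print("Addresses to take to the ISP (with the time window they need):")
    for addr, info in sorted(result["external"].items()):
        print(f"  {addr:<20} hits={info['count']} {info['first_seen']} .. {info['last_seen']}")
    print("Internal addresses (not attributable by any ISP):", sorted(result["internal"]))
```

The time window in the output is what goes into the preservation request and the later subpoena; an address on its own is not enough for the ISP to identify a subscriber, and the log's timezone should be stated explicitly when the request is written.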

All ISPs operate on a subscription basis, and these companies keep records of everything their subscribers do while on the internet. The length of time an ISP retains subscriber data varies, so the investigation must move quickly. As the investigator, you can send the ISP a formal request asking it to preserve the data in question while a subpoena, warrant, or court order requiring the records is obtained. Even with this letter, ISPs are not legally obligated to preserve the data for law enforcement.

Device based

If possible, place the device in a Faraday bag before turning it on and examining it. If a Faraday bag is not available, put the device into airplane mode; this prevents it from receiving signals or communicating remotely.

A copy of the original data is needed before its contents are investigated; working from a copy prevents contamination of the evidence. Cell phones and other wireless devices should be examined in an isolated environment where they cannot connect to networks, the internet, or other systems.

Data Investigation

To begin investigating the data, you will need to place a write lock on the copy you made. This lock lets you view and work with the data without making permanent changes. Once you have identified the make and model of the device in hand, select the extraction software best suited to analyzing its data, or the one that lets the investigator view as much of the data as possible. (A list of data extraction software is found below.)
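The copy-then-lock workflow described in the two paragraphs above, as an added example that is not part of the original guide: a constructed "device" file is imaged byte for byte, the source and image hashes are compared, every write bit is cleared on the master image, and analysis is done on a second working copy. The example then simulates an accidental modification during analysis and shows that the master still verifies while the working copy no longer does. File names, the sample contents and the chmod-based lock are assumptions made for the example; in the lab the original media sits behind a hardware write blocker or a read-only mount, which file permissions do not replace.

```python
import hashlib
import os
import shutil
import stat
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so large images do not fill memory


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Make a byte-for-byte copy of the source and return (source_hash, image_hash).
    The caller must refuse to proceed unless the two are equal."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK_SIZE)
    return sha256_file(source_path), sha256_file(image_path)


def lock_image(image_path):
    """Clear every write bit on the master image (assumed stand-in for a write
    lock; root bypasses permissions, so this protects against tools, not intent).
    Returns True when no write bit remains."""
    os.chmod(image_path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    mode = os.stat(image_path).st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def make_working_copy(image_path, copy_path):
    """Analysis happens on a second copy, never on the master image."""
    shutil.copyfile(image_path, copy_path)  # copies bytes only, not the read-only mode
    return sha256_file(copy_path)


def run_acquisition(workdir=None):
    """Run the whole workflow on a constructed device file and return an
    evidence record with the outcome of each integrity check."""
    own_dir = workdir is None
    if own_dir:
        workdir = tempfile.mkdtemp()
    try:
        device = os.path.join(workdir, "device.bin")
        master = os.path.join(workdir, "master.dd")
        working = os.path.join(workdir, "working.dd")
        with open(device, "wb") as fh:  # constructed contents, not real evidence
            fh.write(b"CONSTRUCTED SAMPLE DEVICE CONTENTS\n" * 4096)

        source_hash, master_hash = acquire_image(device, master)
        if source_hash != master_hash:
            raise RuntimeError("image does not match source; re-acquire")
        locked = lock_image(master)
        working_hash = make_working_copy(master, working)

        # Simulated analysis step that accidentally alters the working copy.
        with open(working, "r+b") as fh:
            fh.seek(0)
            fh.write(b"x")

        return {
            "source_sha256": source_hash,
            "master_sha256": master_hash,
            "master_locked": locked,
            "working_copy_matched_master": working_hash == master_hash,
            "working_copy_still_matches": sha256_file(working) == master_hash,
            "master_still_matches": sha256_file(master) == master_hash,
        }
    finally:
        if own_dir:
            shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_acquisition().items():
        print(f"{key}: {value}")
```

The hash of the master image is recorded with the evidence at acquisition time; re-hashing the master before and after each analysis session is what later lets you show the copy was never altered.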

When the data has been extracted, the device should be sent to your evidence department, as the device might contain traces of DNA, fingerprints, and/or other evidence.

While the physical device is with the evidence department, the investigator should run the software to see all files on the drive; the software should display any data areas that might otherwise have been hidden or partially deleted. Information on the suspect’s participation in internet chat rooms, instant messages, emails, websites, apps and networks will become available. The software will also assist your investigation by providing information such as:

  • Time stamps,
  • Images,
  • Text documents,
  • GPS locations, and
  • Other encrypted data.
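To show one way extraction software surfaces "hidden or partially deleted" data areas, here is an added example (not from the original guide or any of the tools it refers to) of signature-based file carving over a constructed disk image: it scans the raw bytes for known file headers and footers regardless of whether a directory entry still points at them, recovers complete images, and reports a file whose footer was overwritten as partial rather than silently dropping it. The image layout, the two signatures used and the size cap are assumptions made for the example.

```python
import hashlib

# Header/footer pairs for two common image formats (real magic bytes).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after this many bytes


def build_sample_image():
    """Constructed disk image: a directory area whose entry for the JPEG has
    been removed, an intact JPEG and PNG in unallocated space, and a second
    JPEG whose tail (including the footer) was overwritten by zeros."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(range(1, 120)) + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + bytes(range(16, 80)) + b"IEND\xaeB`\x82"
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + bytes(range(1, 60))
    filler = b"\x00" * 512
    return (b"DIRECTORY ENTRIES (the jpeg's entry has been removed)\n" + filler
            + jpeg + filler + png + filler + truncated_jpeg + filler)


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return carved files sorted by offset. Each hit records the type, the
    byte offset, the size, whether the footer was found, and a SHA-256 of the
    carved bytes so the result can be tied back to the image later."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Footer missing: the file is partially overwritten. Keep what
                # is there (up to the cap) and flag it instead of discarding it.
                data = image[pos:pos + max_size]
                complete = False
                next_pos = pos + len(header)
            else:
                data = image[pos:end + len(footer)]
                complete = True
                next_pos = end + len(footer)
            hits.append({
                "type": kind,
                "offset": pos,
                "size": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            pos = image.find(header, next_pos)
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        state = "complete" if hit["complete"] else "PARTIAL (footer missing)"
        print(f"{hit['type']:<5} offset={hit['offset']:<6} size={hit['size']:<5} {state} {hit['sha256'][:16]}")
```

Carving finds bytes, not metadata: it tells you a picture existed at that offset but not its original name, timestamps or owner, which is why the carved files are hashed and logged by offset so they can be matched against filesystem-level findings from the extraction software.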

Additional Resources

NIJ-Funded Software Tools, Apps and Databases

IACP Conference