
Monday, September 23, 2019 10:00 AM

Breach to Prosecution - An Investigator's Story


From 2014 to 2017 I was working as an investigator in the Queensland Police Cyber Crime Unit.

Much of my day to day work during that time involved speaking to people who had been adversely affected by cyber-crime type offences, including several 'complete' cyber-crime investigations that ran the full gauntlet, from investigation through to prosecution.

This is the story of one of those investigations.

The Offence

A Brisbane business was contacted via e-mail by the offenders, who advised the business that the third-party systems managing their data had been breached. This was the beginning of correspondence between the business and the offenders.

Once the data breach had been confirmed, the affected business attempted to negotiate with the offenders, which resulted in a payment being made to the offenders using Bitcoin.

Once the offenders received this payment, which had been negotiated to be a one-time payment only, the offenders then sought further payment and began escalating the threats and language used into more aggressive tactics, including threatening the business with DoS (denial-of-service) attacks.

The affected business, which had been attempting to manage the incident by themselves for three days, had worked themselves to a point of exhaustion.

It was at this point that they sought assistance through AusCERT, who suggested that the QPS (Qld Police Service) should get involved. I had only just commenced work in the Cyber Crime Unit, and this was my first incident response. Once the QPS became involved, we provided assistance to the business members involved, and got the incident to the point where the escalation and demands from the offender ceased, and the business recovered.

A year goes by

I was sitting in my office when I took a call from the manager of the affected business. He indicated that he had received a call from a male claiming to be part of a UK-based cyber team, and that the caller had information relating to the breach.

I made some further enquiries using the AFP (Australian Federal Police) to confirm the identities of the callers, and the nature of their parallel investigation running in the UK. Once positions were established and unit introductions were made, approval was sought and granted that allowed information to be shared between the QPS Cyber Crime Unit and the UK-based cyber-crime teams.

Overview of the UK investigation

The UK cyber crime team had been investigating an older case where a local institution had been hacked. As part of that older investigation a UK-based offender had been identified, with search warrants executed and equipment seized.

Once the UK investigators forensically examined the seized equipment, they identified chat logs that led to SMS evidence of multiple UK-based offenders, and also identified multiple offences across three countries over an extended period of time.

The UK investigation team then commenced a larger operation and started to work with local law enforcement agencies to identify victims and see what further evidence could be obtained.

Collecting Evidence

To ensure that charges were laid against the UK offender for the Brisbane offences (this single offender was subsequently identified in a second breach to a Queensland organisation, which will have to be a story for another day!), the QPS had to demonstrate to the UK Crown Prosecutors that we had victims who would offer formal court statements, that we could produce evidence that would prove the offence, and that this evidence had been collected in a forensically sound manner.

I then proceeded to collect lengthy statements from Brisbane-based witnesses detailing the offences and introducing evidence, which included correspondence from the offender, consisting of multiple email messages from numerous accounts, Skype voice messages and Bitcoin payments.

By the end of the UK-based operation a total of five victims in three countries had been identified, with local law enforcement agencies collecting statements and evidence of each of the offences.

As a result of this international joint investigation multiple offenders were charged with blackmail, computer hacking, fraud, and money laundering offences.

The offenders pleaded guilty, with one juvenile offender sentenced to four years incarceration in a juvenile detention facility.

It's not just the dollars, or the ones and zeros

While the business itself recovered from the original breach, the affected business manager had a much longer road to travel.

He had initially corresponded with the offenders using his work email account, which meant that they had his name.

Well after the initial incident he was personally subjected to threats, misuse (abuse) of images linked to his personal social media accounts, and threats of SWAT hoaxing his home address (making false reports to police that result in a raid by SWAT, or SERT, on the subject's home).

At the sentencing hearing for one of these offences, the presiding judge even made mention that the length and severity of this continual harassment had a lasting effect on the individual and his family.

Quick segue - a brief history of DNA

In 1985 Sir Alec Jeffreys developed DNA profiling in the UK, which was used to identify and convict Colin Pitchfork for the rape and murder of two girls. Prior to 1985, police were not even aware that DNA was one day going to change policing.

However, what police were already doing, before they knew anything about DNA, was examining and collecting evidence in a forensically sound manner.

This allowed for cold cases that were previously deemed unsolvable, to be re-opened and offenders identified and convicted, solely because of the evidence they had collected.

What future changes in technology may occur, which will lead to previously unsolvable cyber-crimes becoming solvable?

We simply do not know. However, unlike traditional policing, which was already collecting forensic evidence before DNA profiling existed, we are not collecting electronic evidence, which means criminals who might have been identified using as-yet undiscovered methods will never face justice.

Lessons learned

If your house is broken into or if you are assaulted, police will attend and collect details of the offence, and secure forensic evidence.

However, the sheer volume of cyber-crime means this just will not happen.

Often, many businesses will commence their own 'investigation' into cyber-styled offences (including the big one, insider attacks). Some common errors with internal investigations that I have seen include:

  • Chain of custody - Who found what, and where did they store it? "I think that it was Steve who found that USB, not sure, he's in London now..."
  • Not securing evidence - Why would you keep a single copy of a log file, and then view, save and modify the date? Please don't do this!
  • Forming an opinion too early - "The old IT guy left angry, so he must have done it..."
  • Valuing certain evidence - Don't place a value on evidence, collect it all: "I found the log file with suspect IPs, we can stop looking now..."
  • Overstepping expertise - calling in a mate who is 'good with computers'...
  • Don't conduct your own forensic examination - calling in the same mate who, as it turns out, is NOT that 'good with computers'...

I have personally reviewed dozens of criminal complaints where the affected business conducted their own investigation. Most of the 'evidence' collected by those within the business is actually compromised, and therefore can best be treated as 'intel' for future police enquiries, but it often cannot be used as evidence in any (potential) future criminal prosecution.
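To make the "chain of custody" and "not securing evidence" points above concrete, here is an added example (not code from the original post or from the author) of a minimal evidence-intake routine an IT team could run before police are involved: it leaves the original file untouched, takes a read-only copy, hashes it, appends a custody record (who, when, from where, what hash) to a log, and can later re-verify that nothing stored has been altered. The collector name, file contents and paths are all constructed for the demonstration; a real procedure would also cover the log itself (for example by signing or write-once storage), which this snippet does not attempt.

```python
"""Added example: forensically minded evidence intake with a custody log.
Not part of the original post; all names, paths and sample content are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large logs/images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ingest(original_path, evidence_dir, collector, note=""):
    """Copy the original into the evidence store, make the copy read-only,
    and append a custody entry. The original is never opened for writing."""
    os.makedirs(evidence_dir, exist_ok=True)
    src_hash = sha256_of(original_path)
    stat = os.stat(original_path)  # record the original timestamps before anyone touches them
    dest = os.path.join(evidence_dir, f"{src_hash}_{os.path.basename(original_path)}")
    shutil.copy2(original_path, dest)  # copy2 preserves the source mtime on the copy
    os.chmod(dest, 0o444)  # working copy is read-only: analysis happens on further copies
    if sha256_of(dest) != src_hash:
        raise RuntimeError("stored copy does not match the original")
    entry = {
        "event": "collected",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,  # who found it
        "source_path": os.path.abspath(original_path),  # where it was found
        "source_mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
        "source_size": stat.st_size,
        "sha256": src_hash,
        "stored_as": dest,  # where it is kept now
        "note": note,
    }
    with open(os.path.join(evidence_dir, "custody.log"), "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify(evidence_dir):
    """Re-hash every collected item against the custody log.
    Returns a list of (stored_path, still_matches) pairs."""
    results = []
    with open(os.path.join(evidence_dir, "custody.log")) as log:
        for line in log:
            e = json.loads(line)
            if e["event"] != "collected":
                continue
            ok = os.path.exists(e["stored_as"]) and sha256_of(e["stored_as"]) == e["sha256"]
            results.append((e["stored_as"], ok))
    return results


def demo():
    """Constructed scenario: collect a log file, then show that a later 'tidy-up'
    of the stored copy is detected by verification."""
    work = tempfile.mkdtemp()
    log_path = os.path.join(work, "auth.log")
    with open(log_path, "w") as f:  # constructed sample log line
        f.write("2019-09-23T09:58:11Z sshd: Accepted password for svc from 203.0.113.9\n")
    store = os.path.join(work, "evidence")
    entry = ingest(log_path, store, collector="J. Citizen (IT)", note="web server auth log")
    before = verify(store)
    # Someone makes the copy writable again and edits it: the hash no longer matches.
    os.chmod(entry["stored_as"], 0o644)
    with open(entry["stored_as"], "a") as f:
        f.write("edited\n")
    after = verify(store)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The value of the custody log is that each line answers the questions in the list above (who, when, where from, where to, what hash) at collection time rather than from memory a year later, and the stored hash lets a later examiner show the copy they received is the one that was collected.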

What's my point?

Considering the sheer volume of cyber-crime, and the massive costs associated with it to businesses and the community, are we identifying / storing / collecting evidence of these offences in a forensically sound manner? Identifying the criminal is only one part of the puzzle.

To prove offences in a court of law we need willing victims and forensically sound evidence.

All businesses should consider building 'Chain of Custody' procedures into their Incident Response plan. Ensure you have a threshold built into the plan, so the business knows when and how to start collecting evidence, and then, you never know, in two or three years police from the other side of the world may call you and say "we have an offender in custody".

What will be your response?

About the Author

Michael Leboydre has served with the Queensland Police Service, culminating in his time as a Detective with the QPS Cyber Squad. During more than two years with the Cyber Squad, Michael conducted investigations and liaised with other state, national and international agencies on many cases involving fraud, identity theft and other cyber crimes, including many originating in Queensland and heading interstate or overseas, and coming back the other way.

As a result of witnessing first hand the impact these crimes have on unsuspecting members of the general public, through investigations and victim statements, Michael has since devoted his time to educate all who will listen on how they can reduce their risk and exposure to these serious crimes and their devastating consequences.

Like to know more about how WyldLynx can help your organisation? Contact us today!