Course Report: Investigating Cybercrime

Status message

Active context: context_uid_blog
08 November 2012

The CEPOL Course on Cybercrime was organized and delivered under the cooperation of the Cepol Italian National Unit and Arma dei Carabinieri. It was held in Velletri (Rome) at the Istituto Superiore Tecniche Investigative (the Italian Institute of Superior Invetigation Techniques of Arma dei Carabinieri).

25 experts coming from 17 Countries including Switzerland and Turkey shared their experiences, compared their national laws on this matter and deepened their knowledge on the European rules in this field.

During the Course, a special attention was given to the respective national experiences as well as to the cases studies which have been presented with enthusiasm and a lot of data by all the participants, in particular by the experts from private companies such as eBay-PayPal Google which contributed in carrying out this event.

The contribution given by Raggruppamento Operativo Speciale (R.O.S.) Arma dei Carabinieri is to be pointed out Mar. Ca. Giorgio Ruggieri, the lecturer from R.O.S. Carabinieri, focused his presentation on the following aspects: if in one hand the commission of crimes is a social behaviour of the human being on the other hand, nowadays, the digital communication channels is a very silently pervasive reality. Therefore “Cybercrime“ isn’t anymore a proper definition of the criminal reality: would be more specific the definition “Crimes committed through the use of digital communication channels”.

Assuming that the LEA have the ambition of delivering investigation on criminal organization, the first step to be done consists in providing the police officers with the awareness of the digital communication channels and trends of the Criminal Organizations.

There is a vast range of data and services available via the Internet which may be employed in an investigation to counter criminal use of the Internet, the lecturer from R.O.S. Carabinieri analysed and explained two of those : WiFi communication Channels and Skype investigation. While the first part of both the sessions provided the attendees with the explication of these two realities, the second part was related to the activities to be done to gather pieces of data useful for the ongoing investigation (site survey, profiling the wifi clients, capturing a VoIP call and analysing the content as well as reproducing the voices, geolocating a Skype user to identify a criminal or to identify the members of an organized crime…).

During the second part of these sessions the attendees were also provided with some practical case studies, to focus the specific use of these solution in real cases, and paramount significance was given also to the importance of assigning a well defined identity to the data acquired to avoid a possible reject during the prosecution. Some example on how to assign a non repudiable identity to the acquired pieces of data was shown providing the acquired data with: GPS coordinates, timestamps, hardware signatures captured from the communication originated uniquely by the criminal’s device. Paramount importance was given also, within the mentioned lectures, to the “chain of custody” of the acquired evidences. In other words the attendees faced the technical knowledge applied to real investigation to retrieve evidences. The R.O.S. lecturer provided also the attendees with the opportunity to test the skills learned during the course with a scenario. In the given scenario all the police officers were asked to contribute as investigators to retrieve evidences in a kidnapping test live case created.

A proactive approach to investigative strategies and supporting specialist tools, which capitalize on evolving Internet resources, promotes the efficient identification of data and services likely to yield the maximum benefit to an investigation and this was the reason why R.O.S. of Arma dei Carabinieri developed the following guidelines, which have been disseminated through the UCD Masters programme in Cybercrime Investigation and Forensic Computing, and implemented by domestic enforcement authorities of many member States of Interpol and Europol:

Protocol of a Systematic Approach

(a) Data Collection: This phase involves the collection of data through traditional investigative methods, such as information relating to the suspect, any co-inhabitants, relevant co-workers or other associates, or information compiled through conventional monitoring activities of channels of communication, including in relation to fixed-line and mobile telephone usage.

(b) Research for Additional Information Available via Internet-Based Services: This phase involves requests to obtain information collected and stored in the data bases of web-based e-commerce, communications and networking services, such as eBay, PayPal, Google, Facebook, as well as using dedicated search engines such as Data collected by these services through commonly used Internet “cookies” also provides key information regarding multiple users of a single computer or mobile device.

The activities in phases (a) and (b) above provide information that may be combined and cross-referenced to build a profile of the individual or group under investigation and made available for analysis during later stages of the investigation.

(c) VoIP Server Requests: In this phase, law enforcement authorities request information from VoIP service providers relating to the persons under investigation and any known affiliates or users of the same networking devices. This information collected in this phase may also be used as a form of “smart filter,” for the purposes of verifying the information obtained in the two prior phases.

(d) Analysis: The large volume of data obtained from VoIP servers and the providers of various Internet services are then analyzed to identify information and trends useful for investigative purposes. This analysis may be facilitated by computer programs which may filter information or provide graphic representations of the digital data collected to highlight, inter alia, trends, chronology, the existence of an organized group or hierarchy, the geolocation of members of such group, or common factors between multiple users, such as a common source of financing.

(e) Identification of Subjects of Interest: In this phase, following smart analysis of the data, it is common to identify subjects of interest based, for example, on subscriber information linked to a financial, VoIP or email account.

(f) Interception Activity: In this phase, law enforcement authorities employ similar interception tactics used for traditional communication channels, shifting them to a different platform: digital communication channels. Interception activity may be undertaken in connection with telecommunications services, such as fixed-line broadband, mobile broadband and wireless communications, as well as with regard to services provided by ISPs, such as e-mail, chat and forum communication services. In particular, in recent years, experience has revealed vulnerabilities in new communications technologies which may be exploited for investigative or intelligence gathering purposes. Due care should be placed on ensuring the forensic integrity of the data being gathered and the corroboration, to the extent possible, of any intelligence gathered with objective identifiers such as GPS coordinates, time stamps or video surveillance.

Where permitted by domestic law, some law enforcement authorities may also employ digital monitoring techniques facilitated by the installation computer hardware or applications such as a virus, “trojan horse” or keystroke logger on the computer of the person under investigation. This may be achieved through direct or remote access to the relevant computer, taking into consideration the technical profile of the hardware to be compromised (such as the presence of antivirus protections or firewalls) and the personal profile of all users of the device, targeting the least sophisticated user profile.

The mentioned Protocol of Systematic Approach (P.S.A.) presented in its details by the Commander of Reparto Indagini Tecniche of R.O.S. Col. Mario Conio, aroused high interest among the attendees as investigators for the simplicity of the steps suggested to identify and monitor the sensitive communication channels with investigative purposes. The mentioned Protocol will be part of the UNODC document “The use of Internet for terrorist purposes” that will be officially published on the 22th of October in Vienna.

In this framework, all the experts who took part in this meeting held in Rome expressed their intention to keep in contact with each other and to exchange examples of good practices. The Italian CEPOL Unit ensured its availability in supporting them in this activity, according to the “leading principles” of CEPOL.


05 February 2016

Training law enforcement officers in detecting false documents is key to tackle terrorism, which is currently one of the main threats to the security of the European Union and its citizens.

This was the topic of the CEPOL course 87/2015 “Detecting false documents - new trends and...

12 January 2016

The Portuguese Guarda Nacional Republicana organised from 9 to 20 November 2015 the CEPOL course 52/2015 on EU CSDP police command and planning. This two-week activity took...

17 November 2015

From 19 to 23 October 2015, CEPOL organised the course 46/2015 “Schengen evaluation” in close collaboration with the Security Academy under the Austrian Federal Ministry of the Interior. Experts from 21 EU Member States with broad...



Office address

European Union Agency for Law Enforcement Training
1066 Budapest
Ó utca 27

Correspondence address

European Union Agency for Law Enforcement Training
1903 Budapest

Email address

Telephone: +36 1 803 8030/8031

Fax: +36 1 803 8032