Evidence no. 5. How to sniff out cybercrimes and build a successful case
More and more companies are being subjected to cyberattacks. To respond effectively to this criminal phenomenon, it is essential to be prepared, which means making sure you have solid evidence to build a criminal case.
The practice of criminal law has demonstrated that many cybercrime cases brought before Romanian criminal investigators are closed in the criminal investigation phase. This is due partly to a lack of expertise in dealing with cybercrimes and partly to improper or insufficient evidence collected in advance by the parties, which is critical for the investigation.
When confronted with a cybersecurity incident, a company must be prepared to have at least five pieces of evidence essential for prosecuting criminals and recovering damages.
Digital evidence is volatile and any improper handling can alter it. Companies therefore need to follow well-established protocols to ensure that such data are not modified during handling.
Based on specific protocols, here is the evidence needed:
- a digital forensic report, aimed at the recovery and proper preservation of cyber data;
- witness testimonies, ideally containing reports from cyber experts inside or outside the organisation;
- national and/or international case law on similar cybersecurity breaches. While it does not qualify as evidence in the proper sense of the term, it consolidates the evidence in the particular case;
- besides digital evidence and favourable case law, other relevant items will constitute evidence, e.g. traditional written evidence that could be notes on passwords or other information about online credentials, telephones, fax machines, printers, routers, etc.; and
- any information related to the potential offenders, if traceable and/or available, ideally within the cyber system which has been hacked.
Be ready to collect cybercrime evidence!
In addition to regular training programmes to prevent cybersecurity incidents and ensure a prompt response in the event of a cyberattack, relevant employees should be trained on how to promptly and effectively contribute to the preservation of evidence that the company can use in a criminal case.
By preparing this evidence in advance, the affected companies will increase the chances of successfully prosecuting and convicting cybercriminals, and maximise their chances of recovering damages.