c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7

Available online at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Data attack of the cybercriminal: Investigating the digital

currency of cybercrime

Paul Hunton
Hunton Woods Limited, UK

abstract

Keywords: It is increasingly argued that the primary motive of the cybercriminal and the major reason
Cybercrime for the continued growth in cyber attacks is financial gain. In addition to the direct financial
e-Crime impact of cybercrime, it can also be argued that the digital data and the information it
Internet Crime represents that can be communicated through the Internet, can have additional intrinsic
Hi-tech Crime value to the cybercriminal. In response to the perceived value and subsequent demand for
Cybercriminal illicit data, a sophisticated and self-sufficient underground digital economy has emerged.
Police The aim of this paper is to extend the author’s earlier research that first introduced the
Policing concept of the Cybercrime Execution Stack by examining in detail the underlying data
Law enforcement investigation objectives of the cybercriminal. Both technical and non-technical law enforcement
Digital investigation investigators need the ability to contextualise and structure the illicit activities of the
cybercriminal, in order to communicate this understanding amongst the wider law
enforcement community. By identifying the potential value of electronic data to the
cybercriminal, and discussing this data in the context of data collection, data supply and
distribution, and data use, demonstrates the relevance and advantages of utilising an
objective data perspective when investigating cybercrime.
ª 2012 Paul Hunton. Published by Elsevier Ltd. All rights reserved.

1. Introduction and background rights; money laundering; online grooming; cyber-bullying;

As the Internet continues to grow and rapidly transform many
aspects of modern life, the benefits and opportunities afforded
by a globalised digital society are arguably immense.
However, as networked communication technologies
continue to evolve and increasing reliance is placed on the
extensive range of functions and services on offer, individ-
uals, organisations and governments alike are increasingly
exposed to the risks and threats of the cybercriminal. As
a consequence of this vast digital freedom, the Internet also
offers the motivated and organised cybercriminal new and
innovative opportunities to commit a vast range of repeatable
illicit activities against a global community with near
anonymity (Bryant, 2008; Fletcher, 2007; Hoare, 2010). Daily
examples of cyber related crimes are demonstrated by such
offences as: fraud; identity theft; theft of intellectual property
pornography and paedophilia. The concept of cyber security
extends this virtual threat even further when considering
such illicit activities as cyber terrorism and cyber warfare,
industrial espionage and disinformation ranging from infor-
mation warfare to propaganda and political attack. It is now
argued that terrorists and extremists are utilising the content
rich interactivity of the Internet with the same level of tech-
nical sophistication as national governments (Qin et al., 2007).
Already highlighted by the author elsewhere (Hunton,
2009, 2010), are the many common issues and challenges
faced by the global law enforcement community when
investigating the complexity of cybercrime. These challenges
include: under reporting of technology crime; potential for
mass and globally spread victims; the issue of jurisdiction;
evidence acquisition of distributed and volatile technology;
evidence presentation; pace of changing technology; and the

0267-3649/$ e see front matter ª 2012 Paul Hunton. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.clsr.2012.01.007
202 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7
need for investigators to continually develop and maintain
adequate technical skills and knowledge. The evolving state of
technology is a major challenge for law enforcement, as the
dynamics of a specific technology environment become
understood, that environment can again quickly change
(Mitchell et al., 2010). Furthermore, the concept of cyber
criminality is often clouded by the interchangeable, inaccu-
rate and even contradictory terms commonly used to describe
the vast array of illicit activities and behaviours associated
with cybercrime and cyber security (Bryant, 2008; Sommer
and Brown, 2011; Wall, 2007). However, cybercrime is now
considered a very real and serious global issue by many
nations and a problem that has evolved to become a sophis-
ticated transnational threat operating on an industrial scale
(Cabinet Office, 2009; Commonwealth of Australia, 2010;
Cyberspace Policy Review, 2009; e-Crime Congress, 2009;
Finklea, 2009; New Zealand Police, 2009).
Therefore, the aim of this paper is to extend the author’s
earlier research that first introduced the concept of the
Cybercrime Execution Stack (Hunton, 2009) by examining in
detail the underlying data objectives of the cybercriminal
when attempting to execute cyber attacks. By identifying the
intrinsic value of electronic data to the cybercriminal and by
discussing this data in the context of: data collection; data
supply and distribution; and data use, is aimed at demon-
strating the advantages and relevance of utilising an objective
data perspective when investigating cybercrime. The final
outcomes from this discussion are intended to provide addi-
tional insight into how the initial complexity of a cybercrime
investigation can be broken down, the outcomes used to
directly assist understanding and knowledge sharing, and
also influence and support further investigative enquires by
both technical and non-technical investigators.
2. The digital currency of the cybercriminal
It is increasingly argued that the primary pursuit of the
cybercriminal and likewise, a major factor for the continued
growth in cybercrime is financial gain (Choo and Smith, 2008;
Commonwealth of Australia, 2010; Kapitanskaya, 2010;
Maple and Phillips, 2010; Symantec, 2009). The growing
problem, and the financial motivation behind cybercrime, can
be demonstrated when considering research in the Garlik
(2009) UK cybercrime report that suggests between 2007 and
2008 in the UK alone 40% (86,900) of all identity fraud was
facilitated online. Again, during this period, online UK banking
fraud increased from the previous year by 132%, totalling £52.5
million fraudulently obtained, and card fraud that took place
on the Internet accounted for a further £181.7 million in losses
(Garlik, 2009). The UK government now suggest that the impact
of electronic crime on the economy is running into billions of
pounds annually (Cabinet Office, 2011), and that the wider
global impact is now calculated at $1 trillion per year (HM
Government, 2010). From a UK law enforcement perspective,
cybercrime is considered to be one of the biggest threats to the
country’s economic future well being (Orde, 2011).
Fundamental to all communication and interaction across
the Internet and other networked technology is electronic
data and the information it represents. Therefore, like any
essential commodity, electronic data in addition to the
immediate use and direct financial impact in crime can also be
argued as having a wider intrinsic value to the cybercriminal.
This additional value can be realised based on the opportu-
nities it represents to other criminals. Unlike a single physical
criminal activity that results in monetary gain, online crime
has the potential to be repeated numerous times to commit
such illicit activities as: online-banking transfers; credit card
purchases or accessing secure networks. In response to the
demand and subsequent value placed on illicit data,
a sophisticated and self-sufficient underground digital
economy and marketplace has emerged (Cisco, 2010; DeBolt,
2010; Europol, 2011; Symantec, 2009, 2010b). These digital
criminal markets can be seen to facilitate the direct financial
gain from the: collection; sale; distribution and use of illicit
data and the subsequent information it represents. Examples
can include notorious sites and forums such as Darkweb,
Ghostmarket, Maza and Direct Connection that when exposed
where found to be conducting illicit trade with business like
scale, professionalism and coordination. The underground
trading of illicit data can include sensitive personal identity
details, credit card and online account credentials through to
intellectual property theft covering business data and even
industrial espionage (Symantec, 2008, 2010a). Further exam-
ples of the cybercriminals profiteering from the supply and
demand for illicit data can also include digital copyright
infringement covering the distribution of eBooks, software
applications, music and videos through to the more depraved
and sinister issue of paedophilia and pornography.
Knowledge and skills that can be used in an illicit context
covering technical details such as system weaknesses, pre-
defined attack scripts and purpose built crimeware toolkits
are also data driven and widely available at a cost within the
context of an underground illicit marketplace. In addition, to
support the conversion of digital currency into real-world
profits, other services surrounding money laundering and
the use of ‘money mules’ are also increasingly available
(Cisco, 2010). Symantec (2009) estimate an average value for
the potential opportunity for fraud, based on the many data-
centric goods and services offered for sale by cybercriminals
on the Internet, to be over £3.5 billion. Although many of these
online criminal markets are concealed from public view,
others are just discreetly placed amongst the numerous
legitimate Internet resources and can be found using
a conventional search engine or by following the discussions
and links on social networking sites; online gaming and other
Internet community forums.
3. Data attack of the cybercriminal
A cybercriminal’s ability to use technology and exploit the
Internet to directly access, manipulate and communicate
electronic data is a basic feature in the commission of cyber-
crime and other illicit or criminal behaviours. Internet related
technology can be used to commit crime either entirely within
a technical environment, or to facilitate conventional crime by
using various elements of networked technology. Regardless
of the extent of networked technology used in the commission
of cybercrime, the common technical activities of the
 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7
cybercriminal can be seen to converge on compromising the
legitimate use of electronic data held, communicated or
exchanged by the networked technology that is the global
Internet. Exploitation of the Internet can range from low-level
complex technical attacks through to user deception tech-
niques or as a means to facilitate discrete criminal interaction.
A global study published in the Norton Cybercrime Report
(Norton, 2010) suggested that 65% of adults using the Internet
have fell victim to cybercrime, and over 50% had been sub-
jected to a computer virus and malware attack. Marx (2007),
comments on the engineering of social control and the global
impact caused by distributed technology, and suggests that by
manipulating an individual based on their technical environ-
ment can minimise the opportunity for alternative activity and
result in an intended action being performed. Cybercriminals
are also becoming increasingly sophisticated in their attempts
to make victims disclose personal data, utilising social engi-
neering based deception attacks often linked to trusted
Internet activities such as banking and social networking.
Research by Symantec (2010a) found that during 2009 74% of all
phishing attacks targeted the financial sector, whereas spam
emails were increasingly related to pharmaceuticals (Security
Labs, 2010). The issue of cyber attack is also a major concern on
a global scale for many organisations. Further research by
Symantec (2010b) also found that 42% of the organisations
studied perceived a cyber attack to be the most significant
security risk. This risk is further highlighted when considering
that nearly 90% of all inbound email to organisations repre-
sents spam attacks (Security Labs, 2010). Government tech-
nology networks are also the direct target of cybercriminals
with UK government networks receiving more that twenty
thousand malicious emails every month (Lobban, 2010).
Cybercrime has rapidly evolved from the idea of the lone
teenager hacking into remote computer systems for personal
gain and kudos, to that of organised criminal networks mir-
roring structured business like models that would be more
commonly associated with the activities of legitimate e-
commerce. It is now suggested that the Internet not only
provides organised criminals with the ability to commit crime
online, but is also facilitating the wider access to other crim-
inal markets and therefore, further enables other types of
organised crime to be committed (Johnson and Rt Hon, 2009).
Cybercriminals are becoming increasingly more structured
and it is now suggested that 90% of all cyber attacks are as
a direct result of organised crime (Norton, 2010). Regardless of
the exploitation tactics and attack vectors used, the Internet
now provides motivated and organised cybercriminals with
a global platform for electronic data attack by exposing the
means and opportunity to compromise, steal, change or
totally destroy the information it holds (Cyberspace Policy
Review, 2009).
4. The need for a data driven investigation
perspective
The many challenges and difficulties of cybercrime investi-
gation are commonly highlighted throughout the literature
(Brenner, 2007; Bryant, 2008; Gallagher, 2009; Hibbert and
Robinson, 2009; McMurdie, 2010; Metcalfe, 2007; Schmalleger
203
and Pittaro, 2009; Wall, 2007; Yar, 2006). However, the
complexity surrounding cybercrime investigation is further
hindered when considering the ability of the cybercriminal to
quickly evolve and react to the changing opportunities pre-
sented by the Internet. An example of the evolving illicit
activities of the cybercriminal can be demonstrated by the
rapid growth in Smartphone sales and the resulting increase
in attacks towards such devices (Cisco, 2010). It is now
commonplace for cybercriminals to utilise a distributed
approach in the commission of cybercrime when attempting
to conceal their activities across a global landscape that can
span several jurisdictions. Such distributed attacks can also
include the use of multiple attack vectors and various aspects
of networked technology covering: infrastructure; access
devices; and a range of other online resources.
Already discussed in this paper is the fundamental
importance to the cybercriminal of electronic data and the
digital information it represents. Also highlighted is the
potential value and opportunity for financial gain from such
illicit data, and the key role this data plays in the growing
underground digital economy. From a law enforcement
perspective, the need to react and keep pace with the rapidly
changing threats of the cybercriminal is essential (ACPO,
2009). A key feature of successful law enforcement investi-
gation is the effective and efficient knowledge sharing
between all parties involved (Fahsing et al., 2008). Likewise, all
investigators need to learn from their experiences, with an
investigative focus capable of considering a range of potential
hypotheses to include the broader implications of what
offences have occurred, how were they committed and by
which suspects (Carson, 2009). This raises the further chal-
lenge for law enforcement surrounding the process of
knowledge management as cybercrime investigations like
physical investigations are information-rich and knowledge-
intensive and require the means of sharing, distributing,
creating, capturing and understanding knowledge (Gottschalk
and Dean, 2010). Therefore, when considering the motivating
factors specific to financial gain and the underlying relevance
of data driven attacks, it becomes vital for global law
enforcement to have the capability to rapidly gaining
a detailed insight and common understanding of the illicit
data attacks of the cybercriminal.
4.1. Examining the attack of the cybercriminal
One such model aimed at providing law enforcement and
researchers alike with a framework for contextualising each
stage of the illicit activities surrounding a cyber attack, is the
Cybercrime Execution Stack shown in Fig. 1. The research first
introduced in Hunton (2009) and extended in Hunton (2011),
highlights the relevance and benefit of modelling the logical
execution of cybercrime as a means of gaining a greater
understanding of a cyber attack.
The model in Fig. 1 provides a structured logical approach
to identifying the wider technical and criminal characteristics
of cybercrime by following the progressive stages of an
abstract cyber attack lifecycle. The Cybercrime Execution
Stack demonstrates the key entities of cybercrime based upon
the data objectives of an attack, the exploitation tactics and
subsequent attack methods used, and finally the technical
204 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7
Criminal or Illicit Intent
Data
Objectives
Exploitation
Tactics
Globalised Evasion and
Environment Concealment
Attack
Methods
Networked
Technology
Fig. 1 e The Cybercrime Execution Stack.
implementation of an attack. The model also considers the
primary compounding factors covering the criminal or illicit
intent, the issues of a globalised environment, and the
implications of digital evasion and concealment by the
attacking cybercriminal.
4.2. The illicit objectives of data driven attacks
When considering the primary data attack objectives of
cybercrime highlighted in this paper, a further layer of
cybercrime investigation that considers the data driven
motives of the cybercriminal can be identified. The data
objectives layer of the Cybercrime Execution Stack logically
defines the primary aims of a data attack as data collection,
data supply and distribution, and data use (see Fig. 2). The
Cybercrime Execution Stack accepts that just as cybercrimi-
nals will likely use multiple attack vectors to commit cyber-
crime, there will also be multiple data objectives underlying
the various stages of a cyber attack.
By utilising a data driven perspective based around the
primary data objectives used in the commission of cybercrime
will provide law enforcement with an additional level of
logical abstraction. This approach is aimed at assisting law
enforcement when establishing the deliberate data attack
strategies used in the commission of cybercrime. In turn this
will support investigators to identify the many obscured and
evasive activities of the cybercriminal.
The further intention of this approach is aimed at assisting
in the formulation of hypotheses of the likely criminal or illicit
Criminal or Illicit
Data Objectives
Data
Collection
Fig. 2 e Cybercrime data objectives.
intent of an attack. In turn, this will allow cybercrime inves-
tigators to consider the exploitation tactics and subsequent
attack methods used. As law enforcement response moves
towards low-level digital investigation, utilising a data objec-
tive approach will also provide a logical structure to assist in
examining, describing and communicating the various tech-
nical processes, methods and activities of the technology used
in the commission of an attack. Furthermore, by identifying
the cybercriminals data attack strategies will also assist
investigators to consider the potential scale and subsequent
harm caused by an attack, and the likelihood of a repeat or
continuation of an attack.
4.2.1. Data collection
The value of electronic data and the information it represents
makes data collection a lucrative activity for the cybercrimi-
nal. This illicit financial gain can be generated from both the
direct use of the data obtained, or based on the potential value
to others within an illicit underground digital market. Tar-
geted data attacks can include attempts to retrieve a wide
range of information and, as already identified in this paper
can include personal identity, banking and credit card details,
and online account credentials. Data collection may also form
part of an accepted common purpose for an organised online
community, such as illegal file sharing or gathering attack
scripts and malware applications for further resale or distri-
bution. One example of imposed data collection is commonly
implemented by private peer-to-peer networks where
members must comply to a defined ratio of shared or new data
in order to remain a member.
Large-scale data harvesting attacks such as spam emails
and phishing websites that utilise sophisticated social engi-
neering techniques aimed at deceiving the victim into
disclosing personal data are common methods used by the
cybercriminal. The specific use of email is continued to be
seen as a major attack vector increasingly used against both
organisations and individuals alike (McAfee, 2010; Security
Labs, 2010; Symantec, 2010b). Alternatively, a direct
computer based attack can result from the deployment of
malware such as trojans to form part of a Botnet and allow
cybercriminals to covertly monitor and track user activity
from afar in an attempt to capture useful data. Symantec
(2010a) suggest that during 2009, 6.7 million computers were
infected globally with an average of over 46.5 thousand
compromised devices being active each day.
From a cybercrime investigation perspective, by estab-
lishing the data collection objectives alongside the potential
Intent
Data Supply Data
& Distribution Use
Exploitation
Tactics
 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7
scale of an attack and the likely type and combination of
attack methods used, will further assist in establishing the
wider technology implications. For example, if a single indi-
vidual has been targeted in contrast to a mass data harvesting
attack, the exploitation tactics and technology used may be
significantly different. Again, in the scenario of peer-to-peer
networking then in a distributed decentralised technical
environment some form of additional Internet resources may
also be used. Such resources can act as a collective repository
to index the metadata about the data being gathered, or to
facilitate access and communication for ongoing data collec-
tion and distribution amongst an online community.
However, by establishing what initial data is being collected in
the commission of cybercrime, can provide law enforcement
with a better understanding of the illicit cyber activities and
motives of the cybercriminals.
4.2.2. Data supply and distribution
The Internet can be used by cybercriminals to facilitate illicit
interaction for many reasons, covering direct communication
through to large-scale attacks. For this reason, the complexity
and variation in the technology exploited can be considerable.
To further assist cybercrime investigators in gaining an
understanding of illicit digital data exchange, a subtle
distinction can be made between data supply and data
distribution. Data supply can be considered as the intentional
interactions between specific networked resources and
endpoints, such as illicit data exchange using individual
email, file transfer or website interaction. Whereas data
distribution is the exchange of data on a larger distributed
scale that can potentially involve a vast number of online
devices, resources and managed by organised online
communities and criminal networks.
The issue of large-scale decentralised data distribution can
be further highlighted when considering Botnets were cited as
being responsible for distributing 85% of all spam messages
during 2009 (Symantec, 2010a). The use of Botnets is further
demonstrated in the research by Microsoft (2010) that showed
in the first six months of 2010 there were more than 2.2 million
affected computers in the US alone. These infected computers
are commonly used to distribute malicious data through such
attack methods as spam and phishing emails or to launch
data flood attacks. Alternatively, peer-to-peer networks can be
used in a range of criminal activities to supply and distribute
copyright material, indecent images, crimeware applications
and other illicit data on a global scale by individuals, criminal
gangs and even terrorist groups (Taylor et al., 2010).
4.2.3. Data use
When considering the need for investigators to quickly gain
an understanding of the vast array of uses electronic data can
be applied during the commission of cybercrime and other
illicit online activity, specifically highlights the relevance of
this approach. This can range from the fraudulent use of
stolen credit card and banking details, through to complex
identity theft offences and low-level technology attacks.
Alternatively, the use of data by the cybercriminal may be to
facilitate evasion and concealment, and might include the use
of such data as IP block lists identifying the known IP
addresses used by law enforcement or remote proxy network
205
credentials. Alternatively, the intended data use might be to
make financial gain from resale within an online illicit
marketplace where the data in question might never even be
used in the commission of crime. However, by identifying the
intended data use can support cybercrime investigators to
consider the likely attack vectors used and begin to identify
the technology exploited.
5. Example scenarios
The relevance of using a formal objective data driven
approach within a practical cybercrime investigation can be
demonstrated by a number of scenarios. Scenario one
considers a simple example of a cybercrime where stolen
credit card details are used over the Internet. In this scenario,
a data driven perspective can formally support cybercrime
investigators to consider the initial high-level data attack
objectives alongside traditional investigation processes and
practices. Furthermore, this provides a starting point for
investigators, when investigating the technical elements of
the cyber offence. Example questions to consider can include:
how were the credit card details obtained (data collection);
were the credit card details supplied by other cybercriminals
or distributed through a wider organised criminal network
(data supply and distribution); and how were the credit card
details actually used to commit the offence. As each data
objective is examined, and further information and additional
lines of technical enquiry are identified, the process of
considering the data attack objectives can be repeated again,
each time moving towards the low-level technical activities of
the cybercriminal.
Scenario two presents the abstract circumstances of an
attack that is increasingly more complex than the previous
scenario. This scenario is not intended to demonstrate an
entire cybercrime investigation process, but highlight the
specific benefits of including an objective data driven
perspective. In this scenario, an email spam attack is consid-
ered, aimed at deceiving a victim into accepting a malware
Trojan to be installed onto an access device such as a personal
computer. The Trojan is then used to remotely deploy software
that monitors activity in an attempt to capture personal details
and Internet banking credentials. The data captured is then
offered for sale through an illicit underground website where it
is bought, and an attack against a bank account is made in the
form of establishing a reoccurring low value standing order for
the purchase of goods. Upon first reflection, this scenario is
a complex and technically distributed form of cyber attack that
can make law enforcement investigation appear a daunting
task. However, by applying a data driven perspective, based on
the primary attack objectives described in this paper, can
assist investigators to break down the complexity of an attack,
and establish further lines of investigation. The initial exami-
nation of what information is initially known about the attack
may include the online activities of the individual whose bank
details have been obtained; any digital evidence relating to the
malware attack on the initial victim’s computer; the business
where the goods have been obtained from and any informa-
tion in relation to the banking transaction. Again by applying
an objective data driven approach at each logical point of
206 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7
attack, will provide investigators with a means to formally
consider the actions of the cybercriminal, communicate what
is found and finally assist in directing progressive lines of
research and investigation.
The above two scenarios are intended to demonstrate how
the data objectives layer can be used within a cybercrime
investigation. The scenarios highlight how the underlying
data activities can be contextualised across the entire attack
or at specific points in an attack. This approach is also
intended to be applied iteratively as further information is
identified and also to support the formulation of likely
hypotheses of the cybercriminals motives and intended
actions or outcomes from the attack.
6. Discussion/conclusions
With the potential for a single cybercrime to exploit a vast
array of technology whilst spanning a globally distributed
crime scene that can cross several legislative boundaries,
makes cybercrime investigation a challenging and often
difficult task. As with all investigations, law enforcement
must quickly gather and evaluate what initial information is
known about the illicit actions of the cybercriminal in order to
establish the necessity and proportionality of any response.
Cybercrime investigation is further compounded by the
virtual yet highly technical online environment of the
Internet. Again, common to law enforcement investigations
and also a primary feature of cybercrime, will be the need to
establish any criminal or illicit intent. However, more specific
to the distributed technical nature of the Internet are the
additional characteristics of a globalised environment and the
added opportunity for evasion and concealment available to
the cybercriminal. These three characteristics are primary
considerations at each stage of the Cybercrime Execution
Stack (see Fig. 1), and as such, equally apply at the data
objectives layer.
Both technical and non-technical law enforcement inves-
tigators need the ability to contextualise and structure the
illicit activities of the cybercriminal, and further interpret and
communicate this understanding amongst the wider law
enforcement community. As a starting point in the abstract
lifecycle of a cybercrime attack, the data objectives layer is
placed at the top of the Cybercrime Execution Stack. Typically
a cybercrime attack will have multiple data objectives as an
investigation unfolds. By considering the data objectives layer
described in this paper against what is initially known about
a given cybercrime, will allow law enforcement investigators
and technology examiners to formalise likely hypotheses
relating to the initial data attack strategies of the cybercri-
minal. By formalising the initial data objectives, will also
provide cybercrime investigators with the opportunity to
break down the attack in greater detail and move from
a conceptual strategic data perspective towards the activities
necessary in a low-level technical investigation. As an integral
part of the Cybercrime Execution Stack, this element is
intended to form part of an iterative approach, and will run
alongside conventional law enforcement activities aimed at
establishing new information and additional lines of enquiries
as an investigation progresses. When placed inside a broader
investigation framework, such as the model proposed by the
author elsewhere (Hunton, 2010), understanding the illicit
data motives of the cybercriminal becomes a vital and
intrinsic part of a structured cybercrime investigation.
Finally, when considering the intrinsic value of electronic
data amongst an online organised and underground criminal
community, and the likely data attack objectives identified in
this paper, the inclusion of a data driven investigation
perspective becomes a fundamental feature in gaining
a detailed understanding of the illicit motives and activities of
the cybercriminal.
Paul Hunton (Paul.Hunton@huntonwoods.co.uk) Hunton Woods
Ltd.
Paul Hunton is an independent cyber-crime and security consul-
tant, and specialist online Internet investigator with over 20 years
policing experience. For the majority of his police career, Dr. Hunton
focused on the examination of data integration systems and net-
worked computer technologies. His expertise includes both technical
criminal investigation and the development of data integration and
analysis systems to support business and criminal intelligence. Dr.
Hunton has a D.Prof in Business Intelligence Systems and Data
Integration and Analysis Technologies, an MSc in e-Business Tech-
nologies, a BSc in Business Computing, and has publications in
cybercrime investigation and distributed data integration. Dr. Hun-
ton provides specialist technical support for complex digital inves-
tigations, along with expert evidence reports and court testimony.
references
ACPO. The Association of Chief Police Officers of England, Wales
and Northern Ireland, e-crime strategy. Available on the 17th
October 2009 at: http://www.acpo.police.uk/asp/policies/Data/
Ecrime%20Strategy%20Website%20Version.pdf; 2009.
Brenner SW. Privateepublic sector cooperation in combating
cybercrime: in search of a model. Journal of International Law
and Technology 2007;2(2).
Bryant R. Investigating digital crime. Wiley; 2008.
Cabinet Office. Cyber security strategy of the United Kingdom.
The Stationary Office; 2009.
Cabinet Office. The cost of cyber crime. A Detica report in
partnership with the Office of Cyber Security and Information
Assurance in the Cabinet Office. Available on the 20th
February 2011 at:, http://www.cabinetoffice.gov.uk/resource-
library/cost-of-cyber-crime; 2011.
Carson D. Detecting, developing and disseminating detectives’
‘creative’ skills. Policing and Society September 2009;19(3):
216e25.
Choo KR, Smith RG. Criminal exploitation of online systems by
organised crime groups. Asian Criminology 2008;3:37e59.
Cisco. Cisco 2010 annual security report. Available on the 21st
January 2010 at: http://www.cisco.com/en/US/prod/collateral/
vpndevc/security_annual_report_2010.pdf; 2010.
Commonwealth of Australia. Hackers, fraudsters and botnets:
tackling the problem of cyber crime. The Report of the Inquiry
into Cyber Crime, Standing Committee on Communications.
The Parliament of the Commonwealth of Australia; 2010.
Cyberspace Policy Review. Assuring a trusted and resilient
information and communications infrastructure. Available on
 c o m p u t e r l a w & s e c u r i t y r e v i e w 2 8 ( 2 0 1 2 ) 2 0 1 e2 0 7
the 1st June 2010 at: http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf; 2009.
DeBolt D. State of the Internet 2010: a report on the ever-changing
threat landscape. CA Technologies Internet Security
Intelligence Report. Available on the 19th January 2011 at:,
http://www.ca.com/w/media/Files/SecurityAdvisorNews/
h12010threatreport_244199.pdf; 2010.
e-Crime Congress. e-crime survey 2009. The 7th Annual e-Crime
Congress. Available on the 16th October 2010 at:, http://www.
e-crimecongress.org/ecrime2009/documents/e-
CrimeSurvey2009_AKJ_KPMG(1).pdf; 2009.
Europol. Internet facilitated organised crime threat assessment.
Available on the 18th January 2011 at: http://www.europol.
europa.eu/publications/Serious_Crime_Overviews/Internet%
20Facilitated%20Organised%20Crime%20iOCTA.pdf; 2011.
Fahsing IA, Glomseth R, Gottschalk P. Characteristics of effective
SIOs: a content analysis for management in police
investigations. International Journal of Management and
Enterprise Development 2008;5(6):708e22.
Finklea KM. Organised crime in the United States: trends and
issues for Congress. Congressional Research Service; 2009.
Fletcher N. Challenges for regulating financial fraud in
cyberspace. Journal of Financial Crime 2007;14(2).
Gallagher F. The future of fighting crime. Police Professional;
September 10, 2009.
Garlik. UK cybercrime report 2009. Available on the 1st October
2010 at: http://www.garlik.com/cybercrime_report.php; 2009.
Gottschalk P, Dean G. Stages of knowledge management systems
in policing financial crime. International Journal of Law, Crime
and Justice 2010;38:94e108.
Hibbert K, Robinson A. Combating e-Crime. Police Professional;
June 18, 2009. Issue 166.
HM Government. A strong Britain in an age of uncertainty: the
National Security Strategy. The Stationary Office Limited;
2010.
Hoare P. SOCA emphasises value of collaboration in fight against
cyber crime. Police Professional; March 25, 2010.
Hunton P. The growing phenomenon of crime and the Internet:
a cybercrime execution and analysis model. Computer Law &
Security Review November 2009;25(6):528e35.
Hunton P. Cyber crime and security: a new model of law
enforcement investigation. Policing: A Journal of Policy and
Practice December 2010;4(4):385e95.
Hunton P. A rigorous approach to formalising the technical
investigation stages of cyber crime and criminality within
a UK law enforcement environment. Digital Investigation
April 2011;7(3e4):105e13.
Johnson A, Rt Hon MP. Home Secretary, Extending our reach:
a comprehensive approach to tackling serious organised
crime. The Stationary Office; 2009.
Kapitanskaya A. Cybercrime and the risk of proliferation finance,
centre for the study of threat convergence. Occasional
Research Series; August 2010.
Lobban I. UK infrastructure faces cyber threat, says GCHQ chief.
BBC News story. Available on the 13th of October 2010 at:,
http://www.bbc.co.uk/news/uk-11528371; 2010.
Maple C, Phillips A. UK security breach investigations report, an
analysis of data cases. Available on the 16th July 2010 at:
http://www.7safe.com/breach_report; 2010.
207
Marx GT. The engineering of social control: policing and
technology. Policing: a Journal of Policy and Practice 2007;1(1):
46e56.
McAfee. 2010 threat predictions. Available on the 17th January
2011 at: http://www.mcafee.com/us/resources/reports/rp-
threat-predictions-2010.pdf; 2010.
McMurdie C. Cyber skills a top challenge, says police cyber crime
unit. Available on the 12th November 2010 at: http://www.
computerweekly.com/Articles/2010/11/11/243902/Cyber-
skills-a-top-challenge-says-UK-police-cyber-crime.htm;
2010.
Metcalfe C. Policing operation ore. Criminal Justice Matters 2007;
68(1):8e9.
Microsoft. Battling botnets for control of computers; 2010.
Microsoft Security Intelligence Report, Volume 9 January
through June 2010.
Mitchell KJ, Finkelhor D, Jones LM, Wolak J. Use of social
networking sites in online sex crime against minors: an
examination of national incidence and means of utilization.
Journal of Adolescent Health 2010;47:183e90.
New Zealand Police. Electronic crime strategy, to 2010 policing
with confidence; 2009.
Norton. Norton cybercrime report: the human impact. Available
on the 20th September 2010 at: http://www.symantec.com/
content/en/us/home_homeoffice/media/pdf/cybercrime_
report/Norton_UK-Human%20Impact-A4_Aug4.pdf; 2010.
Orde H. Police left behind by cyber criminals; January 26th 2011.
Daily Telegraph newspaper article.
Qin J, Zhou Y, Reid E, Lai G, Chen H. Analyzing terror campaigns
on the Internet: technical sophistication, content richness,
and Web interactivity. International Journal of Human-
Computer Studies 2007;65:71e84.
Schmalleger F, Pittaro M. Crimes of the Internet. Prentice Hall;
2009.
Security Labs. Security Labs report JanuaryeJune 2010 recap.
Available on 21st November 2010 at: http://www.m86security.
com/documents/pdfs/security_labs/m86_security_labs_
report_1H2010.pdf; 2010.
Sommer P, Brown I. Reducing systemic cybersecurity risk. The
Organisation for Economic Co-operation and Development
(OECD). Available on the 18th January 2001 at: http://www.
oecd.org/dataoecd/3/42/46894657.pdf; 2011.
Symantec. Symantec report on the underground economy July
07eJune 08. Symantec Corporation; 2008. Published November
2008.
Symantec. Symantec global Internet security threat report, trends
for 2008, vol. XIV. Symantec Corporation; 2009. Published April
2009.
Symantec. Symantec Internet security threat report, trends for
2009, vol. XV. Symantec Corporation; 2010a. Published April
2010.
Symantec. State of enterprise security 2010. Symantec
Corporation; 2010b.
Taylor M, Haggerty J, Gresty D, Fergus P. Forensic investigation of
peer-to-peer networks. Journal of Network Security 2010;
2010(9):12e5.
Wall D. Cybercrime: the transformation of crime in the
information age. Polity Press; 2007.
Yar M. Cybercrime and society. Sage Publishing Ltd; 2006.