WHAT IS THE PROCESS FOR CYBER INTELLIGENCE?
Just like an investigation, Cyber Intelligence should start with a plan. The biggest users of intelligence are the government, military and police. They use intelligence to monitor people or groups for criminal behaviour, terrorism, and threats. For ongoing intelligence, the Intelligence Cycle is commonly used. In the private sector, intelligence is usually requested as a one-time service, such as a background check. Regardless of the purpose, certain steps should always be taken:
- Requirement Gathering: In the first stage, the CIP needs to understand why intelligence is being requested, what information the client would like to find, the scope or boundaries of the search, and if there are any deadlines.
- Information Gathering: The CIP will gather as much information as possible about the subject. Sometimes the smallest, most mundane or seemingly unimportant details can yield the most results.
- Planning: The CIP will use the above details to create a plan on how they will approach the search to yield the fastest results, and to avoid missing useful search strings or running in circles. Any sites, databases, and tools they plan to use should be noted.
- Set Up: A dedicated laptop should be set up and scanned beforehand. Any tools needed should be downloaded or updated, and any sock puppet accounts should be checked or created. More details on privacy and security concerns follow in the next topic.
- Collection: Intelligence gathering can now commence. The CIP will proceed with their Intelligence plan. As new information appears, the plan may be extended. Collection usually ends in two ways: The client has a deadline, or the CIP feels there are no other paths they can take to garner more information.
- Analysis: Depending on the purpose of the investigation, analysis may be required. The findings should be analyzed and sorted based on their trustworthiness and relevance. Charts, matrices, and other visual boards can then be used to make the information more understandable.
- Reporting: A detailed report should be written based on the client's requirements. The report should be easy for any potential readers to understand, and recommendations for action should be included.
WHAT SHOULD BE CONSIDERED WHEN CONDUCTING CYBER INTELLIGENCE?
Through research and experience, I believe there are three big domains that should be considered when conducting Cyber Intelligence: security, laws, and evidence.
I put security first because it is very common for people to quickly look up a person’s name on social media without thinking about the risks. During a CPIO (Certified Private Investigators of Ontario) event, one retired officer shared a story of how he casually looked up a suspect’s name during a case, and that same night, the suspect called the officer on his cell phone and threatened him. That experience changed his life and he started taking online security very seriously.
What makes the digital world so frightening is that every single thing you do on a digital device is recorded in some way. Devices have logs of every program and file you open, browsers keep track of your search and site history, and your service provider keeps track of how every byte of data is spent as well.
Every device has a unique MAC (Media Access Control) number and every time you connect to the internet, your device is also given a unique IP (Internet Protocol) address via your ISP (Internet Service Provider). When you connect to a site, there is a record of what MAC and IP is connecting to what MAC and IP, and that information can be found and traced by others. Adding on, you also have websites that share the information you provide, and install cookies to track everything else you do on your browser.
As internet users become more aware of how often their personal information is being recorded and shared by third parties, tools like VPNs (Virtual Private Networks), browsers like TOR (The Onion Router, also used to access the deep web), and search engines like DuckDuckGo are growing in popularity.
When conducting Cyber Intelligence, tools like these are highly recommended, as intelligence should be done covertly and cautiously, for your own protection and for your client(s).
A dedicated laptop is also recommended regardless of the kind of case, for if it were hacked, traced, or bugged in any way, you wouldn’t want your personal information to be accessed, stolen, shared, or used for blackmail.
The next big consideration is the laws surrounding privacy and digital information. Although there are a lot of grey areas when it comes to collecting someone’s information from the web, a CIP should be well aware of any laws or acts that may affect their ability to collect intelligence. Under the Criminal Code in Canada, hacking, phishing, or installing spyware is a federal offense and should not even be considered. There’s also the Personal Information and Protection and Digital Evidence Act (PIPEDA) to be aware of as it covers how private businesses can collect and share a person’s private information.
Another aspect to consider during Cyber Intelligence is the “Terms of Use/Service” for social media websites. In many cases, creating a fake account is a breach of the contract. Although you can easily get away with it, you should still put some consideration into those accounts to avoid them being reported or deleted. A blank profile with no friends will look sketchy to anyone who is informed that your fake account is viewing their profile. It can therefore be tempting to use a random person’s photo(s) for your sock puppet account, but you risk that person finding out you are impersonating them, and the subject easily finding out you aren’t who you say you are.
The last big hurdle is evidence. It was near impossible for me to find any information on collecting evidence from the internet since digital forensics usually refers to collecting evidence off a computer or hard drive that is in custody. But with social media evidence being used more and more in court, this is vital information.
If you ask the general public “how would you save a social media picture for court?” the consensus would suggest saving the photo, a screenshot, and the URL of the post. Sadly, but understandably, courts will analyze and question every piece of evidence before it is accepted. If the judge or the opposing party asked how you found the evidence, you wouldn’t have a record. If asked how you can prove the photo wasn’t edited, you couldn’t prove it. When you ask them to open the link so they can see it themselves, they get a 404 ‘page not found’ message, because the opposing party deleted it before that day.
Many cases that could have been won were lost due to negligent collection of evidence. Avoid the headache and embarrassment by documenting your search, ensuring you can prove its authenticity and integrity, and maintaining a Chain of Custody.
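The three things the paragraph above asks for (a record of how and when the item was found, a way to prove it was not altered afterwards, and a Chain of Custody) can be captured in a small manifest kept beside each saved artifact. The following is an added example, not code from the original article: it hashes the saved bytes with SHA-256, records URL, UTC time and collector, and keeps a custody log in which each event is hashed together with the previous one, so that a later edit to any entry is detectable. The URL, collector names and artifact bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifact: stands in for the bytes of a saved post,
# screenshot or page snapshot. It is not real evidence.
SAMPLE_ARTIFACT = b"<html><body>constructed sample of a captured post</body></html>"
SAMPLE_URL = "https://social.example/post/12345"  # placeholder, not a real post


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _now_utc() -> str:
    return datetime.now(timezone.utc).isoformat()


def _event_hash(prev_hash: str, event: str, actor: str, at: str) -> str:
    """Hash one custody event together with the hash of the event before it,
    so editing or dropping an earlier entry breaks every later one."""
    payload = f"{prev_hash}|{event}|{actor}|{at}".encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def make_evidence_record(url: str, data: bytes, collector: str, note: str = "") -> dict:
    """Create the collection record for one artifact.

    Captures what was saved (URL, size, SHA-256), when (UTC) and by whom, and
    opens the custody log with a 'collected' event chained to the artifact hash.
    """
    record = {
        "url": url,
        "collector": collector,
        "captured_at": _now_utc(),
        "sha256": sha256_hex(data),
        "size_bytes": len(data),
        "note": note,
        "custody": [],
    }
    add_custody_event(record, "collected", collector)
    return record


def add_custody_event(record: dict, event: str, actor: str) -> dict:
    """Append a custody event (e.g. 'transferred', 'reviewed') to the log."""
    prev = record["custody"][-1]["hash"] if record["custody"] else record["sha256"]
    at = _now_utc()
    record["custody"].append({
        "event": event,
        "by": actor,
        "at": at,
        "prev": prev,
        "hash": _event_hash(prev, event, actor, at),
    })
    return record


def verify_artifact(record: dict, data: bytes) -> bool:
    """True if the bytes on hand are exactly what was hashed at collection."""
    return len(data) == record["size_bytes"] and sha256_hex(data) == record["sha256"]


def verify_custody_chain(record: dict) -> bool:
    """True if every custody event still hashes correctly and links to the
    one before it (the first event links to the artifact hash)."""
    prev = record["sha256"]
    for ev in record["custody"]:
        if ev["prev"] != prev:
            return False
        if _event_hash(prev, ev["event"], ev["by"], ev["at"]) != ev["hash"]:
            return False
        prev = ev["hash"]
    return True


def to_manifest(record: dict) -> str:
    """Serialize the record as JSON for filing alongside the artifact."""
    return json.dumps(record, indent=2, sort_keys=True)


def from_manifest(text: str) -> dict:
    """Load a previously filed manifest."""
    return json.loads(text)


if __name__ == "__main__":
    rec = make_evidence_record(SAMPLE_URL, SAMPLE_ARTIFACT, "investigator-A", "constructed demo")
    add_custody_event(rec, "transferred", "counsel-B")
    print(to_manifest(rec))
    print("artifact intact:", verify_artifact(rec, SAMPLE_ARTIFACT))
    print("custody chain intact:", verify_custody_chain(rec))
```

The manifest answers the questions a court would ask: how the item was found (URL, time, collector and the search notes you add), whether it was edited (re-hashing the file must reproduce the recorded SHA-256), and who handled it since (the custody log). Keeping a copy of the manifest with a trusted third party at collection time strengthens the timestamp, since the script on its own only records the local clock.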
More information on electronic evidence and its admissibility into court here.