Foundations of Cybercriminalistics: From General Process Models to Case-Specific Concretizations in Cybercrime Investigations

Despite spectacular stories of successful cyber operations by law enforcement agencies, we continue to be extremely inefficient in fighting cybercrime. The research community has contributed many abstract models to guide digital forensic analyses, but these are usually too abstract to be helpful in concrete cybercrime investigations since they do not give an immediate and straightforward translation of a confronted (digital) crime scene into viable yet promising criminalistic actions. We propose a method to systematically bridge the gap between high-level process models and the demands of actual in- vestigations. The idea is to encode phenomenon-specific knowledge of cybercrime into node-link rep- resentations, thereby literally mapping the digital crime scene in well-founded visual representations e so-called cognitive maps. These can be used to derive a prioritized plan of action for targeted acquisition and analysis of case-relevant artifacts. To illustrate our approach, we present a cognitive map for the category of botnet crime and evaluate it with the help of domain experts and by applying it to two real- world cases.