FIGURE 4.1 Cyber Investigators Staircase Model.
Investigative problem solving
the investigative information and to identify where there are knowledge gaps. For
a cyber crime investigation this may look as follows:
• Who is the victim?
– Victim details and why this victim?
• What happened?
– Precise details on incident/occurrence
• When did it happen?
– Temporal issues such as relevant times
• Where did it happen?
– Geographic locations, national/international?
• Why did it happen?
– Motivation for crime or terrorism
• How did it happen?
– Precise modus operandi details
This information can then be developed into a useful investigative matrix which will
help identify the gaps in information by setting out all the relevant details in a logical
sequence which is easily understood. The matrix can then be populated as the cyber
investigation develops and used as a source of reference for the basis of applying the
CISM and any associated decision making that is required. The matrix must be a
living document, being regularly updated as the investigation progresses. The matrix
can then be cross-referenced to decisions as and when they are made and will serve
to illustrate just what was known or not known at the time any particular decision was
made. This is a very important point for justifying why a particular course of action
was, or was not, taken by the investigator.
The 5 × WH + H structure can also be useful when being briefed or updated
about an incident or set of circumstances. Investigators can pose questions using the
5 × WH + H headings in order to establish sufficient detail about what may already be
known. The method can be used to ensure clear and concise information is supplied
in a systematic rather than a random approach. To support investigators engaged in
progressing complex cyber cases, the Scanning, Analysis, Response and Assessment
(SARA) model for problem solving, shown in Figure 4.2, provides an effective
process for police officers (Caless et al., 2012).
The SARA analytical methodology offers a staged process for identification,
understanding and resolution of specific problems through scanning, analysis, response,
and assessment. The four-staged process is used by a number of law enforcement
agency practitioners to provide a framework to guide them through the challenges of
finding solutions to complex problems. It is an approach that works well for
problems and challenges arising during cyber crime and cyber terrorism investigations.
Of course, in reality, no theoretical model can cover all potential issues when
attempting to dynamically solve problems during complex cyber investigations with
international dimensions, but the model provides a methodical approach that shall
support and inform key investigative decisions (Staniforth, 2014). It must also be
recognized that stages of the SARA cycle may overlap, repeat themselves and some
can remain undeveloped while others move to completion. This mirrors the pace of
cyber investigations as some strands of a complex investigation can develop rapidly,
while others require more time to progress. It is also acknowledged that when
addressing problems police officers do not go steadily round the four stages of the
SARA cycle, but instead cut across some stages when experience informs them it is
expedient and in the interests of the wider investigation to do so. That being said, the