
The investigation of cybercrimes

Cyber Investigation Course // PRO
// cyber investigation course — professional edition

MASTER THE ART OF
CYBER INVESTIGATION

A comprehensive, hands-on training program for IT and Security Professionals. Covering intelligence gathering, forensics, threat hunting, and legal frameworks.

14 Modules
70+ Tools
13 Quizzes
PRO Level
01 🔍 OSINT & Digital Footprinting
02 🌐 Network Forensics
03 🕶️ Dark Web Investigations
04 📱 Social Media Investigation
05 🦠 Malware Analysis
06 ⚖️ Legal & Ethical Frameworks
07 Cryptocurrency Tracing
08 🎯 Incident Response
09 🔀 Pivoting Techniques
10 📜 Cybercrime Legislation
11 🔬 Digital Forensics Fundamentals
12 🥷 Advanced Investigation & Undercover
13 💸 Fraud & Attack Investigation
14 📚 Bibliography & References
// MODULE 01 — INTELLIGENCE GATHERING

OSINT & DIGITAL FOOTPRINTING

Open-Source Intelligence is the backbone of any cyber investigation. Learn to systematically collect, analyze, and correlate publicly available data to profile targets and uncover hidden connections.

ADVANCED · PASSIVE RECON · THREAT INTEL
Core Concepts
🌍
PASSIVE RECON
Collecting intelligence without directly interacting with the target. Uses public records, search engines, cached data, and third-party sources.
🔗
LINK ANALYSIS
Mapping relationships between entities — people, organizations, IPs, domains — to identify hidden patterns and networks.
🕰️
TEMPORAL ANALYSIS
Analyzing data across time to track behavioral patterns, infrastructure changes, and chronological activity of a target.
📡
PIVOT POINTS
Unique identifiers (email, username, phone, IP) that allow you to jump across data sources and expand your investigation graph.
OSINT Framework & Methodology
Define Objectives & Scope
Clearly define what intelligence is needed. What are you investigating — a person, organization, IP, domain, or incident? Set boundaries to avoid legal issues.
Identify Pivot Points
Seed data points: full name, known usernames, email addresses, phone numbers, domain names, IP addresses, employer, and physical location.
Expand via Data Sources
Cross-reference across search engines, WHOIS, Shodan, social media, data breach databases, GitHub, LinkedIn, and archived web data.
Correlate & Validate
Cross-validate findings from multiple independent sources. Never rely on a single data point. Build a confidence level for each claim.
Document & Report
Maintain a documented chain of evidence. Screenshot with timestamps, archive URLs, and record your methodology for reproducibility.
Key Tools
Maltego
Visual link analysis & data mining
Shodan
IoT/device search engine
theHarvester
Email, domain & IP enumeration
SpiderFoot
Automated OSINT collection
Recon-ng
Modular recon framework
Google Dorks
Advanced search operators
WHOIS / ARIN
Domain & IP registration data
Wayback Machine
Archived web snapshots
Hunter.io
Corporate email discovery
IntelTechniques
OSINT search aggregator
Google Dorking Cheatsheet
// GOOGLE ADVANCED OPERATORS
# Find login panels for a target domain
dork:// site:target.com inurl:admin OR inurl:login OR inurl:portal

# Exposed sensitive files
dork:// site:target.com filetype:pdf OR filetype:xlsx OR filetype:docx

# Config/environment file exposure
dork:// site:target.com filetype:env OR filetype:conf OR filetype:bak

# Find email addresses linked to a domain
dork:// "@target.com" -site:target.com

# Subdomain enumeration via cert logs
cmd:// curl -s "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value'

// Always document queries + timestamps as part of chain of custody
⚠️
OPERATIONAL SECURITY
Always conduct OSINT from isolated VMs or dedicated investigation machines. Never search target information from your personal or corporate IP. Use separate browser profiles or Tor for anonymity.
KNOWLEDGE CHECK — MODULE 01
Which OSINT technique involves analyzing relationships between data points to reveal hidden network connections?
A Passive fingerprinting
B DNS enumeration
C Link analysis
D Hash correlation
// MODULE 02 — PACKET ANALYSIS & TRAFFIC FORENSICS

NETWORK FORENSICS

Network forensics involves capturing, recording, and analyzing network traffic to detect intrusions, reconstruct attacks, and collect evidence. Every packet tells a story.

PACKET ANALYSIS · IDS/IPS · PCAP
Key Analysis Areas
📦
PACKET CAPTURE
Full-packet capture (FPC) stores every byte of every packet. Enables complete reconstruction of sessions, file transfers, and communications.
🌊
FLOW ANALYSIS
NetFlow/IPFIX records metadata (src/dst IP, port, bytes) without storing payload. Scalable for high-volume networks.
🕵️
PROTOCOL ANALYSIS
Dissecting application layer protocols — HTTP, DNS, SMB, FTP — to identify anomalies, exfiltration, and C2 communication.
📊
BASELINE DEVIATION
Establishing normal traffic patterns and alerting on statistical deviations — a core technique for detecting lateral movement.
Wireshark Analysis — Quick Reference
// WIRESHARK DISPLAY FILTERS
# Filter suspicious DNS (long queries = possible DNS tunneling)
filter: dns && frame.len > 512

# Detect possible beaconing (repeated initial SYNs to the same external IP or range)
filter: ip.dst == 185.220.101.0/24 && tcp.flags.syn == 1 && tcp.flags.ack == 0

# HTTP POST requests (possible data exfiltration)
filter: http.request.method == "POST"

# SMB traffic (lateral movement indicator)
filter: smb || smb2

# TLS ClientHello without SNI (unusual for normal browsing, worth a closer look)
filter: tls.handshake.type == 1 && !(tls.handshake.extensions_server_name)

# Extract files from pcap (tshark)
cmd: tshark -r capture.pcap --export-objects http,./extracted/
Attack Pattern Recognition
Pattern | Indicator | Tool to Detect
Port Scan | Sequential SYN packets to multiple ports | nmap, Zeek, Suricata
DNS Tunneling | Long subdomains, high query frequency | dnstop, Zeek DNS logs
C2 Beaconing | Regular interval connections to external IP | Zeek, RITA, Elastic SIEM
Data Exfiltration | Large outbound transfers off-hours | NetFlow, Wireshark stats
Lateral Movement | SMB/WMI/RDP between internal hosts | Zeek, Windows Event Logs
ARP Poisoning | Duplicate ARP replies, MAC conflicts | Wireshark ARP filter
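The beaconing row above and the Module 02 quiz both rest on one measurable property: the gaps between connections are nearly constant. This added example (not course material) scores connection records by interval regularity, the same idea RITA applies to Zeek conn logs. It assumes records as (epoch_seconds, src_ip, dst_ip, dst_port) tuples; the sample data is constructed.

```python
"""Flag C2-style beaconing in connection records by interval regularity.

Added example for this page, not part of the course. Input is a constructed
list of (epoch_seconds, src_ip, dst_ip, dst_port) tuples of the kind a Zeek
conn.log or NetFlow export would give you after minimal parsing.
"""
from collections import defaultdict
from statistics import mean, pstdev


def group_connections(records):
    """Group timestamps by (src, dst, port) so each pair is scored on its own."""
    buckets = defaultdict(list)
    for ts, src, dst, port in records:
        buckets[(src, dst, port)].append(ts)
    return {key: sorted(ts_list) for key, ts_list in buckets.items()}


def interval_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation) for a sorted series.

    Returns None when there are too few gaps to say anything (fewer than
    two intervals) or when all connections share one timestamp.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(records, min_connections=6, max_cv=0.15):
    """Return pairs whose inter-connection gaps are suspiciously regular.

    A low coefficient of variation (stdev / mean) means a near-fixed period,
    the signature of a sleep-timer beacon. Human browsing and most legitimate
    services produce bursty, high-CV gaps. Thresholds are assumptions to tune
    against your own baseline.
    """
    findings = []
    for (src, dst, port), ts in group_connections(records).items():
        if len(ts) < min_connections:
            continue
        stats = interval_stats(ts)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(ts), "period_s": round(period, 1),
                             "cv": round(cv, 3)})
    return findings


# Constructed sample: 10.0.0.5 contacts 203.0.113.10:443 every 300 s with a
# few seconds of jitter; 10.0.0.7 browses 198.51.100.20 in irregular bursts.
BEACON_TS = [1700000000 + 300 * i + jitter
             for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0])]
BROWSE_TS = [1700000000 + t for t in [0, 4, 5, 90, 91, 600, 1800, 1803, 5000]]
SAMPLE_RECORDS = ([(t, "10.0.0.5", "203.0.113.10", 443) for t in BEACON_TS]
                  + [(t, "10.0.0.7", "198.51.100.20", 443) for t in BROWSE_TS])

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_RECORDS):
        print(finding)
```

On the sample data only the 10.0.0.5 pair is reported, with a 300 s period and a CV under 0.01.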
Tools
Wireshark
Packet capture & analysis GUI
tshark
CLI Wireshark for scripting
Zeek (Bro)
Network security monitor
Suricata
High-performance IDS/IPS
RITA
Beaconing detection via Zeek
NetworkMiner
Passive file/credential extraction
ntopng
Real-time flow visualization
Arkime (Moloch)
Full-packet indexing at scale
KNOWLEDGE CHECK — MODULE 02
An analyst notices a host making periodic outbound TCP connections every 300 seconds to the same external IP. What attack technique does this most likely indicate?
A Port scanning
B C2 beaconing
C ARP poisoning
D DNS zone transfer
// MODULE 03 — TOR, DARKNETS & UNDERGROUND MARKETS

DARK WEB INVESTIGATIONS

Understand the architecture of darknets, safely navigate anonymous networks, and conduct intelligence operations targeting underground markets, forums, and threat actor infrastructure.

TOR · I2P · THREAT INTEL
Darknet Architecture
🧅
TOR NETWORK
The Onion Router — traffic encrypted in multiple layers through 3 volunteer relays. .onion domains only resolvable inside Tor. Most widely used darknet.
🌿
I2P
Invisible Internet Project — garlic routing for anonymous communication. Primarily used for internal darknet services (eepsites). More resistant to traffic analysis than Tor.
🔒
FREENET
Distributed, censorship-resistant network for file sharing and publishing. Stores encrypted data across participant nodes.
📂
PASTE SITES
PrivateBin, Riseup Paste, and dark web paste services frequently used for data dumps, credential leaks, and threat actor communication.
Safe Investigation Environment
🚨
CRITICAL SECURITY REQUIREMENT
Never access dark web resources from your corporate or personal machine. Always use an air-gapped VM, preferably running Tails OS or a hardened Whonix setup. Assume all .onion sites may serve malicious content.
Setup Isolated VM
Deploy Whonix Gateway + Workstation, or use Tails OS booted from live USB. Disable clipboard sharing and shared folders with host OS.
Establish Cover Identity
Create compartmentalized persona — unique username, ProtonMail address, and Monero wallet. Never reuse identifiers from your real identity.
Monitor & Collect
Use Tor Browser to enumerate forums, markets, and chat channels. Screenshot and hash evidence. Document .onion addresses and timestamps.
Deanonymize Infrastructure
Cross-reference .onion hosting patterns, SSL certificate fingerprints, server timestamps, and clearnet leakage to identify real server locations.
Deanonymization Techniques
// .ONION FINGERPRINTING
# Extract SSL cert from onion service (may reveal real cert info)
cmd: torsocks openssl s_client -connect [onion].onion:443 2>/dev/null | openssl x509 -text

# Check if onion service has clearnet presence (cert transparency)
cmd: curl "https://crt.sh/?q=<cert_fingerprint>&output=json"

# Analyze HTTP headers for server fingerprinting
cmd: torsocks curl -I http://[onion].onion/ 2>/dev/null

# Passive: monitor Tor exit nodes for clearnet callbacks
// Correlation attacks: match timing of Tor entry/exit traffic
// Hostname leaks: PHP errors, error pages revealing real IPs
Intelligence Gathering Targets
Ransomware Leak Sites · Credential Markets · 0day Forums · Malware Repositories · RaaS Panels · Hacker Forums · Data Dump Archives · Criminal Chat (Matrix/XMPP)
KNOWLEDGE CHECK — MODULE 03
A threat actor's .onion site returns a PHP error message displaying a server path. What type of vulnerability does this represent for their anonymity?
A Tor circuit weakness
B I2P correlation attack
C Information leakage / clearnet hostname disclosure
D SSL certificate pinning failure
// MODULE 04 — SOCMINT & DIGITAL PERSONA ANALYSIS

SOCIAL MEDIA INVESTIGATION

Social Media Intelligence (SOCMINT) enables investigators to profile individuals, track behavior over time, geolocate activity, and uncover connections between online personas and real identities.

SOCMINT · GEOLOCATION · PERSONA ANALYSIS
Investigation Pillars
👤
PERSONA MAPPING
Linking multiple accounts to the same real individual through username patterns, writing style, profile photos, and cross-platform activity.
📍
GEOLOCATION
Extracting location from photo EXIF data, background landmarks, shadows, language patterns, and check-in history.
🕐
ACTIVITY PATTERNS
Analyzing posting times, response rates, and activity windows to determine time zone, daily routine, and behavioral fingerprint.
🔗
NETWORK MAPPING
Visualizing followers, mutual connections, and interaction graphs to identify associates, organizations, and influence networks.
Username Hunting Techniques
// CROSS-PLATFORM USERNAME HUNT
# Sherlock — username across 300+ platforms
cmd: python3 sherlock.py target_username --output results.txt

# WhatsMyName — OSINT username enumeration
cmd: python3 whatsmyname.py -u target_username

# Holehe — check email registration across services
cmd: holehe [email] --only-used

# Extract metadata from profile photo
cmd: exiftool profile_photo.jpg | grep -E "GPS|Location|Date"

// Pattern: same username with slight variations (e.g. h4cker → h4cker_, xh4ckerx)
Image Geolocation Workflow
Extract EXIF Metadata
Use ExifTool to pull GPS coordinates, device make/model, and timestamp from images. Many platforms strip EXIF — check if the image was uploaded elsewhere first.
Analyze Visual Landmarks
Signs, storefronts, license plates, building architecture, vegetation, sky conditions, and street layout can narrow location to a city or district.
Shadow Analysis
Shadow angle and length reveal sun position, allowing calculation of approximate time and geographic latitude when combined with timestamp data.
Reverse Image Search
Use Google Images, TinEye, and Yandex (most powerful for facial recognition) to find where else the image or similar images appear online.
Tools
Sherlock
Username OSINT across platforms
Holehe
Email-to-platform correlation
Twint
Twitter/X scraping without API
Instaloader
Instagram profile/metadata dump
ExifTool
Photo/file metadata extraction
GeoSpy
AI-powered image geolocation
Gephi
Social network graph visualization
Wayback CDX API
Historical social media snapshots
KNOWLEDGE CHECK — MODULE 04
An investigator wants to determine whether a suspect's email address was used to register on various online platforms. Which tool is most appropriate?
A Sherlock
B Holehe
C Twint
D ExifTool
// MODULE 05 — STATIC, DYNAMIC & BEHAVIORAL ANALYSIS

MALWARE ANALYSIS

Malware analysis enables investigators to understand attacker tools, extract indicators of compromise, attribute attacks, and develop detection signatures. From triage to full reverse engineering.

REVERSE ENGINEERING · IOC EXTRACTION · BEHAVIORAL ANALYSIS
Analysis Tiers
T1 TRIAGE
T2 STATIC
T3 DYNAMIC
T4 REVERSE ENG.
T5 ATTRIBUTION
Static Analysis
// STATIC TRIAGE WORKFLOW
# Get file hashes (MD5/SHA1/SHA256 for VT lookup)
cmd: sha256sum sample.exe && md5sum sample.exe

# Extract readable strings
cmd: strings -a sample.exe | grep -E "(http|\.exe|cmd|powershell|base64)"

# Identify packer/obfuscation
cmd: diec sample.exe # Detect-It-Easy (console build)
cmd: PEiD sample.exe

# PE header analysis
cmd: pecheck sample.exe # imports, sections, entropy

// High entropy sections (>7.0) = encrypted/packed payload
// Check imports: CreateRemoteThread, VirtualAlloc = injection
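The entropy rule of thumb above (and the Module 05 quiz value of 7.8) is easy to compute yourself. This added example, not course code, walks the PE section table with only the Python standard library and reports Shannon entropy per section, flagging anything above 7.0 bits/byte. It assumes a well-formed PE32/PE32+ header; the two-section sample binary is constructed in the block, not a real malware sample.

```python
"""Per-section Shannon entropy for static PE triage (added example)."""
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; the page's ">7.0 = packed/encrypted" rule


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section header in a PE image.

    Offsets follow the PE/COFF spec: e_lfanew at 0x3C, NumberOfSections at
    PE+6, SizeOfOptionalHeader at PE+20, section table right after the
    optional header, 40 bytes per entry with SizeOfRawData at +16 and
    PointerToRawData at +20.
    """
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size
    for i in range(num_sections):
        off = sec_table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def triage_sections(blob: bytes):
    """Return [(section_name, entropy, flagged_as_packed)] for every section."""
    results = []
    for name, data in pe_sections(blob):
        h = round(shannon_entropy(data), 2)
        results.append((name, h, h > PACKED_THRESHOLD))
    return results


def build_sample_pe() -> bytes:
    """Constructed two-section PE for the demo; headers are minimal, not loadable."""
    rng = random.Random(7)
    text = b"\x90" * 2048 + b"\xc3" * 512                       # repetitive "code"
    packed = bytes(rng.getrandbits(8) for _ in range(4096))    # looks encrypted
    e_lfanew = 0x40
    opt_hdr = b"\0" * 0xE0                                     # PE32 optional header size
    data_off = e_lfanew + 24 + len(opt_hdr) + 40 * 2
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt_hdr), 0x102)

    def section(name, raw, ptr):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    headers = section(b".text", text, data_off) + section(b"UPX1", packed, data_off + len(text))
    return bytes(dos) + b"PE\0\0" + coff + opt_hdr + headers + text + packed


if __name__ == "__main__":
    for name, entropy, flagged in triage_sections(build_sample_pe()):
        print(f"{name:8s} entropy={entropy:.2f} {'PACKED?' if flagged else 'ok'}")
```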
Dynamic Analysis Environment
ℹ️
SANDBOXING REQUIREMENT
Always execute malware in an isolated, snapshotted VM with network monitoring. Use FlareVM (Windows) or REMnux (Linux). Disable internet access or use INetSim to simulate network services. Take VM snapshots before execution.
🖥️
PROCESS MONITORING
Track process creation, injection, and spawning. Key tool: Process Monitor (ProcMon), Process Hacker. Look for unusual parent-child relationships.
📋
REGISTRY MONITORING
Track persistence mechanisms: Run keys, scheduled tasks, service creation. ProcMon with registry filter reveals all changes.
🌐
NETWORK MONITORING
Capture all outbound connections with Wireshark. Look for C2 beaconing, DNS queries, and data exfiltration attempts.
📁
FILE SYSTEM CHANGES
Track file creation, modification, and deletion. Ransomware leaves clear patterns: mass file modifications with new extensions.
IOC Extraction Reference
IOC Type | Where to Find | Example
File Hashes | Static analysis | SHA256: a3f4b2...
C2 Domains/IPs | Dynamic / strings | 185.220.101.45
Mutex Names | Dynamic (API monitor) | Global\MutexXYZ
Registry Keys | ProcMon dynamic | HKCU\Run\svchost32
User-Agent Strings | Network capture | Mozilla/4.0 (compatible; MSIE 6.0)
File Paths | ProcMon / strings | %APPDATA%\svcupdate.exe
Encryption Keys | Memory dump / debugger | AES key extracted from heap
KNOWLEDGE CHECK — MODULE 05
During static analysis, a PE section shows entropy of 7.8. What does this most likely indicate?
A Corrupt file structure
B Normal code section
C Packed or encrypted payload
D Debug symbols present
// MODULE 06 — LEGAL BOUNDARIES & PROFESSIONAL ETHICS

LEGAL & ETHICAL FRAMEWORKS

Cyber investigations operate within strict legal boundaries. Understanding jurisdiction, authorization, evidence handling, and ethical obligations is critical to successful prosecution and professional integrity.

LEGAL COMPLIANCE · EVIDENCE HANDLING · GDPR / CFAA
Core Legal Frameworks
🇺🇸
CFAA (US)
Computer Fraud and Abuse Act — governs unauthorized access. "Exceeding authorized access" is broadly interpreted. Critical for red team & investigation scope definitions.
🇪🇺
GDPR (EU)
Governs collection and processing of personal data. Investigators must minimize data collection, document lawful basis, and respect data subjects' rights.
🌍
MLAT
Mutual Legal Assistance Treaties — formal process for cross-border evidence collection. Required when gathering evidence from foreign jurisdictions.
📜
ECPA (US)
Electronic Communications Privacy Act — governs interception of electronic communications and access to stored records. Defines when court orders are required.
Chain of Custody Requirements
WHY IT MATTERS

Evidence without a documented chain of custody is inadmissible in court. Every action performed on evidence must be recorded, including who accessed it, when, what tools were used, and any changes made. Hash verification before and after is mandatory.

Identify & Preserve
Immediately hash evidence (MD5 + SHA256). Write-block physical media. Document the acquisition date, time, location, and the person who collected it.
Document Every Action
Log all investigative steps with timestamps. Note tool versions, command parameters, and output. Assume everything will be reviewed in court.
Verify Integrity
Re-hash evidence after analysis. Hashes must match original values. Any discrepancy invalidates the evidence.
Secure Storage
Store in tamper-evident packaging with access logs. Digital evidence on encrypted, write-protected media with restricted access.
Ethical Boundaries in Cyber Investigation
PERMITTED ACTIONS
Passive OSINT on public data · Authorized penetration testing · Honeypot monitoring · Analyzing legally obtained evidence · Coordinating with law enforcement
PROHIBITED ACTIONS
Unauthorized system access ("hacking back") · Deploying offensive tools without written authorization · Collecting data beyond investigation scope · Entrapment or evidence fabrication · Sharing suspect data without legal basis
Authorization Matrix
Activity | Requirement | Jurisdiction
OSINT (public data) | None (ethical guidelines apply) | Universal
Network traffic capture (own network) | Written authorization | Local policy
Penetration testing | Signed scope document | CFAA / local law
Email content access | Court order / warrant | ECPA / GDPR
Cross-border data request | MLAT process | International
Dark web monitoring | Depends on platform interaction level | Varies
KNOWLEDGE CHECK — MODULE 06
An investigator is asked to conduct active reconnaissance on a competitor's systems to gather threat intelligence. This would most likely violate which law?
A GDPR Article 17
B Computer Fraud and Abuse Act (CFAA)
C MLAT requirements
D HIPAA security rule
// MODULE 07 — BLOCKCHAIN FORENSICS & FINANCIAL INVESTIGATION

CRYPTOCURRENCY TRACING

Blockchain's immutable ledger is a goldmine for investigators. Learn to trace transactions, deanonymize wallets, follow illicit fund flows, and link on-chain activity to real-world identities.

BLOCKCHAIN FORENSICS · AML · ATTRIBUTION
Blockchain Investigation Concepts
🔗
UTXO ANALYSIS
Bitcoin's Unspent Transaction Output model allows tracing exact coin movement. Inputs consumed = outputs created. Follow the UTXO graph to trace funds.
🏷️
WALLET CLUSTERING
Common Input Ownership Heuristic — inputs in same transaction likely controlled by same entity. Multi-input transactions expose wallet clusters.
🔄
MIXING/TUMBLING
Mixing services pool transactions to obscure origin. Look for timing attacks, output amount patterns, and peel chains to break through mixers.
🏦
EXCHANGE ATTRIBUTION
When funds hit a KYC exchange (Binance, Coinbase), investigators can subpoena records to link wallet to real identity.
Tracing Workflow
// BITCOIN TRANSACTION TRACING
# Query transaction details (BlockCypher API)
cmd: curl https://api.blockcypher.com/v1/btc/main/txs/[TX_HASH]

# Trace wallet balance and transaction history
cmd: curl https://blockchain.info/rawaddr/[WALLET_ADDRESS]

# Python: build transaction graph using networkx
python: import networkx as nx
G = nx.DiGraph()
# spends = [(input_addr, output_addr, btc_value), ...] parsed from the API JSON above
for input_addr, output_addr, btc_value in spends:
    G.add_edge(input_addr, output_addr, amount=btc_value)

// Blockchain explorers: Blockchair, OXT.me, Breadcrumbs, GraphSense
// Commercial tools: Chainalysis Reactor, Elliptic, CipherTrace
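The Common Input Ownership Heuristic described under Wallet Clustering is a union operation over the inputs of each transaction. This added example (not course code, and independent of the networkx snippet above) implements it with a small union-find, then walks the UTXO graph forward from one address to see which clusters its funds reach. Transaction records are constructed dicts in the shape {"txid", "inputs": [addr...], "outputs": [(addr, btc)...]}, the fields you would pull from the API responses queried above.

```python
"""Wallet clustering by the Common Input Ownership Heuristic (added example).

Heuristic: every input address of one transaction is assumed to be controlled
by the same entity, so the inputs are merged into one cluster. Coinbase
transactions (no inputs) and single-input transactions merge nothing. The
heuristic is known to misfire on CoinJoin-style mixing, which is exactly
where the page's "mixing/tumbling" caveat applies.
"""


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(transactions):
    """Return {root_address: sorted member addresses} after applying CIOH."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)                 # register lone inputs as singletons
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)     # all inputs share an owner
    clusters = {}
    for addr in uf.parent:
        clusters.setdefault(uf.find(addr), []).append(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def cluster_of(clusters, addr):
    """Members of the cluster containing addr; an address never seen as an
    input (only as an output) is its own singleton."""
    for members in clusters.values():
        if addr in members:
            return members
    return [addr]


def trace_to_clusters(transactions, start_addr):
    """Follow spends forward from start_addr and return the sorted set of
    clusters (as tuples) the funds reach, i.e. a UTXO-graph walk at cluster
    granularity rather than address granularity."""
    clusters = cluster_by_common_input(transactions)
    reached, frontier = set(), {start_addr}
    while frontier:
        addr = frontier.pop()
        for tx in transactions:
            if addr not in tx["inputs"]:
                continue
            for out_addr, _btc in tx["outputs"]:
                key = tuple(cluster_of(clusters, out_addr))
                if key not in reached:
                    reached.add(key)
                    frontier.add(out_addr)
    return sorted(reached)


# Constructed sample ledger (addresses are labels, not real Bitcoin addresses).
SAMPLE_TXS = [
    {"txid": "cb", "inputs": [], "outputs": [("A1", 6.25)]},                       # coinbase
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [("B1", 0.5), ("A3", 0.2)]},
    {"txid": "tx2", "inputs": ["A3", "A4"], "outputs": [("C1", 0.3)]},
    {"txid": "tx3", "inputs": ["C1"], "outputs": [("D1", 0.1), ("D2", 0.19)]},
    {"txid": "tx4", "inputs": ["B1", "X9"], "outputs": [("E1", 1.0)]},
]

if __name__ == "__main__":
    clusters = cluster_by_common_input(SAMPLE_TXS)
    for root, members in clusters.items():
        print(root, "->", members)
    print("funds from A1 reach:", trace_to_clusters(SAMPLE_TXS, "A1"))
```

Note that A3 is only an output of tx1, so CIOH alone does not join it to the A1/A2 cluster; linking it would need the separate change-address heuristic the quiz contrasts with.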
Privacy Coins Challenge
⚠️
MONERO & PRIVACY COINS
Monero (XMR) uses ring signatures, stealth addresses, and RingCT to obscure sender, receiver, and amount. Tracing is significantly harder. Focus on on/off-ramp analysis — where funds enter and exit the Monero ecosystem via exchanges.
💫
RING SIGNATURES
Each Monero transaction mixes real inputs with decoys, making it impossible to determine the actual sender with certainty.
🔭
ON-RAMP ANALYSIS
Trace BTC → XMR conversion events at exchanges. Timing correlation between fiat withdrawal and XMR acquisition can identify actors.
Tools
Chainalysis Reactor
Enterprise blockchain analytics
Breadcrumbs
Free visual crypto tracing
OXT.me
Bitcoin UTXO visual explorer
Blockchair
Multi-chain block explorer
Elliptic Navigator
Risk scoring for wallets
GraphSense
Open-source graph analytics
KNOWLEDGE CHECK — MODULE 07
When multiple Bitcoin inputs are combined in a single transaction, what investigative heuristic can be applied?
A Change address detection
B Peel chain analysis
C Common Input Ownership Heuristic
D Zero-value transaction filter
// MODULE 08 — IR LIFECYCLE & THREAT CONTAINMENT

INCIDENT RESPONSE

Structured incident response minimizes damage, enables forensic evidence preservation, and drives systemic improvement. This module covers the full IR lifecycle from detection to lessons learned.

DFIR · TRIAGE · CONTAINMENT
IR Lifecycle (NIST SP 800-61)
PREPARE
DETECT
CONTAIN
ERADICATE
RECOVER
LESSONS
Initial Triage — First 60 Minutes
// LIVE TRIAGE COMMANDS (WINDOWS)
# List active network connections
cmd: netstat -anob | findstr ESTABLISHED

# List running processes with parent PIDs
cmd: wmic process get name,processid,parentprocessid,commandline

# Recently modified files (last 24h)
PS: Get-ChildItem C:\ -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)}

# Scheduled tasks (common persistence)
cmd: schtasks /query /fo LIST /v | findstr "Task Name\|Status\|Run"

# Export event logs (Security, System, PowerShell)
PS: wevtutil epl Security C:\ir\security.evtx
// Always capture volatile data FIRST: RAM > Processes > Network > Disk
Evidence Collection Order (Volatility Principle)
Memory (RAM)
Most volatile. Contains running processes, network connections, encryption keys, and in-memory malware. Capture with WinPmem or Magnet RAM Capture immediately.
Process & Network State
Running processes, network connections, ARP cache, routing table. Changes within seconds of system reboot.
Log Files
Windows Event Logs, Sysmon, EDR logs, application logs. May be cleared by attacker — export immediately.
Disk Image
Full forensic image using FTK Imager or dd. Hash before and after. Analyze on copy — never work on original evidence.
Tools
Volatility 3
Memory forensics framework
FTK Imager
Disk & memory acquisition
Autopsy
Open-source DFIR platform
Velociraptor
Enterprise DFIR at scale
TheHive
IR case management platform
Cortex
Automated IOC analysis
MISP
Threat intel sharing platform
KAPE
Rapid artifact collection
KNOWLEDGE CHECK — MODULE 08
According to the Volatility Principle, what data source should be captured FIRST during incident response?
A Disk image
B Log files
C RAM (memory dump)
D Network packet capture
// MODULE 09 — LATERAL MOVEMENT & INVESTIGATIVE PIVOTING

PIVOTING TECHNIQUES

Pivoting is the art of using a discovered data point — an IP, domain, email, hash, or account — to jump to new, connected intelligence. The core skill that separates good investigators from great ones.

INVESTIGATIVE PIVOTING · INFRASTRUCTURE MAPPING · THREAT HUNTING
Pivot Types
🌐
IP → DOMAIN PIVOT
From a known malicious IP, find all domains hosted on that IP — historically and currently. Passive DNS databases reveal attacker infrastructure patterns.
📧
EMAIL → INFRA PIVOT
WHOIS registrant email links domains together. Even when private WHOIS is used, historical records and SSL certificates reveal connections.
🔏
SSL CERT PIVOT
Same SSL certificate deployed across multiple C2 servers. Certificate fingerprints tracked via Shodan and Censys reveal full attacker infrastructure.
🖥️
PORT/BANNER PIVOT
Unique port combinations, HTTP response headers, and JA3 fingerprints identify the same threat actor's servers even when IP addresses change.
Infrastructure Pivoting Workflow
// ATTACKER INFRASTRUCTURE MAPPING
# From known C2 IP: find all domains hosted historically
api: https://api.passivetotal.org/v2/dns/passive?query=185.220.x.x

# Find all IPs using same SSL certificate (pivot on cert fingerprint)
shodan: ssl.cert.fingerprint:"aa:bb:cc:dd..."

# Find servers with identical Cobalt Strike configs
shodan: product:"Cobalt Strike" port:443,80,50050

# JA3 fingerprint pivot (same malware TLS fingerprint)
cmd: ja3 -j capture.pcap | grep "bd0bf25947d4a37404f0424edf4db9ad"

# Domain registration pattern (same WHOIS data)
cmd: whois attacker.domain | grep "Registrant Email"
api: https://api.domaintools.com/v1/reverse-whois/?terms=[email]

// Build graph: IP → Cert → Domains → Registrant → More Domains → More IPs
Pivot Matrix
Starting Point | Pivot To | Tool / Source
IP Address | Hosted domains, ASN, geo, history | Shodan, PassiveTotal, Censys
Domain Name | IP history, WHOIS registrant, subdomains | DomainTools, crt.sh, SecurityTrails
SSL Certificate | All IPs/domains using that cert | Shodan, Censys, crt.sh
Email Address | Registered domains, personas, breaches | DomainTools reverse-WHOIS, HaveIBeenPwned
File Hash | Related malware family, C2, campaigns | VirusTotal, MalwareBazaar, ANY.RUN
Username | Cross-platform accounts, email, real ID | Sherlock, WhatsMyName, Maltego
Bitcoin Address | Transaction history, linked wallets, exchanges | Chainalysis, OXT.me, Breadcrumbs
JA3 Fingerprint | All hosts with same TLS fingerprint | Shodan, ja3er.com
Threat Actor Infrastructure Graph

A real investigation starts with one indicator and expands outward. Example: A single phishing domain → passive DNS reveals 12 IPs → Shodan reveals 3 share the same SSL cert → cert search reveals 40 more domains → WHOIS reveals a registrant email → reverse-WHOIS reveals 200+ domains → pattern analysis reveals the campaign.

1 Domain → 12 IPs → 1 SSL Cert → 40 Domains → Registrant Email → 200+ Domains → Full Campaign Map
Tools
Shodan
Internet-wide port/banner scanning
Censys
Certificate & host intelligence
PassiveTotal (RiskIQ)
Passive DNS & WHOIS history
DomainTools
WHOIS history & reverse-WHOIS
SecurityTrails
DNS & subdomain history
VirusTotal Graph
IOC relationship visualization
Maltego
Visual link analysis
crt.sh
Certificate transparency logs
KNOWLEDGE CHECK — MODULE 09
A threat actor reuses the same SSL certificate across multiple C2 servers. As an investigator, which action best leverages this as a pivot point?
A Block the certificate at the firewall
B Submit the hash to VirusTotal
C Search Shodan/Censys for all hosts using that certificate fingerprint
D Revoke the certificate via a CA request
⚡ CORE MODULES COMPLETE
Continue to the Extended Curriculum for legislation, forensics fundamentals, fraud investigation, and bibliography.
// MODULE 10 — LEGAL LANDSCAPE & INTERNATIONAL FRAMEWORKS

CYBERCRIME LEGISLATION

Cyber investigators must navigate a complex web of national and international laws. This module covers key statutes that define what constitutes a crime, how evidence must be handled, and how cross-border cooperation works.

BRAZILIAN LAW · INTERNATIONAL · GDPR / LGPD
Brazilian Legal Framework
👩‍⚖️
Lei Carolina Dieckmann (12.737/2012)
Brazil's first dedicated cybercrime law. Criminalizes unauthorized access to computer devices, interception of digital communications, and adulteration of identification data. Penalties: 3 months–1 year imprisonment, increasing if data is sold or published. Named after the actress who had private photos leaked. Practical impact: this law covers most account takeovers, phishing attacks, and unauthorized data access in Brazil.
🌐
Marco Civil da Internet (12.965/2014)
Brazil's "Internet Bill of Rights." Establishes net neutrality, privacy of communications, and data retention obligations. ISPs must retain connection logs for 1 year and application providers for 6 months. Law enforcement can request these logs only via court order. Critical for investigators: defines when and how ISPs must disclose subscriber data.
🔐
LGPD — Lei Geral de Proteção de Dados (13.709/2018)
Brazil's equivalent of GDPR. Governs processing of personal data. Investigators must have lawful basis to collect and process personal data (e.g., legitimate interest, legal obligation). Data minimization applies — collect only what is necessary for the investigation. Enforced by ANPD (Autoridade Nacional de Proteção de Dados).
🏛️
Lei 14.155/2021 — Fraud Enhancement
Significantly increased penalties for cybercrimes in Brazil. Fraud via digital device: 4–8 years + fine. Bank fraud via electronics: 4–8 years. Invasion of device with intent to obtain data: up to 4 years. This law responded to explosive growth in online banking fraud (Pix scams, boleto fraud, SIM swap attacks).
International Legal Instruments
🌍
Budapest Convention (2001)
The Council of Europe Convention on Cybercrime — the primary international treaty on cybercrime. Standardizes definitions of offenses (illegal access, data interference, fraud), mandates procedural tools (expedited data preservation, real-time interception), and enables cross-border cooperation between 68+ signatory nations. Brazil acceded in 2021, becoming the first non-CoE nation to ratify in the Americas.
🇺🇸
CLOUD Act (2018)
US Clarifying Lawful Overseas Use of Data Act. Allows US law enforcement to compel US-based tech companies (Google, Microsoft, Meta) to produce data stored abroad. Executive agreements with partner countries allow bilateral access. Critical for investigators working cross-border cases involving US platforms.
🇪🇺
GDPR (EU) — Enforcement Extraterritoriality
Applies to any organization processing EU residents' data, regardless of location. Investigators processing data of EU persons must comply even if based in Brazil. Right to erasure, access, and portability. Data transfers outside EU require adequacy decisions or Standard Contractual Clauses.
Practical Application: Legal Framework Matrix
Scenario | Applicable Law(s) | Required Action
Unauthorized access to corporate email system | Lei 12.737/2012, Art. 154-A CP | File police report (boletim de ocorrência), preserve logs
Request for subscriber data from Brazilian ISP | Marco Civil da Internet, Art. 22 | Court order required — judicial request (ofício judicial)
Bank fraud via Pix/boleto | Lei 14.155/2021, Art. 171 §2-A CP | Report to BACEN, law enforcement; preserve transaction logs
Data breach exposing Brazilian personal data | LGPD Art. 48 | Notify ANPD within 72h, notify affected subjects
Evidence needed from US-based platform | MLAT Brazil-US / Budapest Convention | Request via MJ (Ministério da Justiça) international channel
Sextortion involving minor | ECA (8.069/90), CP Art. 241-A | Priority prosecution, CiberLab / NCMEC reporting
Practical Example — Lei Carolina Dieckmann Case
REAL-WORLD CASE SCENARIO

Scenario: A corporate employee's Gmail account is accessed by an unauthorized third party who copies confidential documents and sends them to a competitor.

Identify the Offense
Art. 154-A CP (Lei 12.737): invasão de dispositivo informático. The unauthorized access + data extraction constitutes the base offense. If data is published: penalty increases to 2 years.
Preserve Evidence
Export Gmail account activity log (last sign-in, IP addresses, session data). Hash all exported data. Request Google records via legal process (MLAT if US-based, or via Brazilian court order through Marco Civil).
Identify the Actor
IP from Google login logs → request subscriber data from ISP via judicial order → correlate with suspect's known devices and accounts via OSINT.
Report & Prosecution
File criminal complaint at Delegacia de Crimes Cibernéticos (DEIC/DRCI). Provide technical report + chain of custody documentation.
KNOWLEDGE CHECK — MODULE 10
Under Brazil's Marco Civil da Internet, for how long must ISPs retain connection logs, and what is required to access them?
A 6 months — no authorization needed
B 1 year — court order required
C 5 years — police request sufficient
D 3 months — administrative request
// MODULE 11 — FORENSIC METHODOLOGY & EVIDENCE HANDLING

DIGITAL FORENSICS FUNDAMENTALS

Digital forensics is the science of collecting, preserving, analyzing, and presenting digital evidence in a legally defensible manner. Every step — from seizure to court — must be documented and reproducible.

CHAIN OF CUSTODY · EMAIL HEADERS · FORENSIC METHODOLOGY
Digital Evidence Categories
💾
STORED DATA
Hard drives, SSDs, USB devices, optical media, memory cards. Non-volatile — persists without power. Includes deleted files recoverable via carving, unallocated space analysis, and file system artifacts.
📡
TRANSMITTED DATA
Network traffic, emails, chat messages, VoIP recordings. Captured in transit via taps, mirrors, or provider records. Time-sensitive — requires monitoring authority.
🧠
VOLATILE DATA
RAM, CPU registers, process tables, open network connections, running services. Disappears when power is removed. Must be captured before any shutdown. Gold mine for malware investigators.
☁️
CLOUD DATA
Data stored in third-party cloud services (Google Drive, iCloud, OneDrive, Dropbox). Requires legal process to obtain from providers. Metadata often more valuable than content.
Chain of Custody — Detailed Procedure
ℹ️
DEFINITION
Chain of custody (cadeia de custódia in Brazil, formalized under Art. 158-A to 158-F of the Brazilian Code of Criminal Procedure — Lei 13.964/2019 "Pacote Anticrime") is the chronological documentation of evidence from seizure to court presentation, proving it was not altered or contaminated.
Recognition (Reconhecimento)
Identify potential digital evidence at the scene. Do not power on devices. Photograph in situ — device state, screen, connected cables, environment. Note serial numbers, make, and model.
Isolation (Isolamento)
Prevent remote wiping: enable airplane mode or use Faraday bag for mobile devices. Do not allow suspect access. Preserve volatile data if device is on — only authorized examiner should operate.
Collection (Coleta)
Use write-blockers for physical acquisition. Create a bit-for-bit forensic image and compute cryptographic hashes of both the source and the image (SHA-256 as the reference value; MD5 only alongside it for legacy forms, since MD5 collisions are practical and a court may challenge it on its own). The two hashes must match before the original is sealed. Document acquisition tool, version, and operator.
Packaging & Sealing (Acondicionamento)
Place in anti-static, tamper-evident bags. Label with: case number, date/time, examiner name, description, hash values. Store in access-controlled evidence room.
Transfer & Verification (Transferência)
Every transfer must be logged — from/to whom, date, reason. Verify hashes upon transfer. Any discrepancy must be flagged immediately. Courts will scrutinize every link in the chain.
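The log below is an added example, not part of the course material: it records the acquisition hash of an image, re-hashes the item on every hand-off and flags any mismatch instead of silently accepting it. The case identifier, holder names and tool name are assumed placeholders, and the "image" is a constructed file written to a temporary directory so the script runs offline.

```python
"""Chain-of-custody log with hash verification (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-GB images never have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Chronological record of every hand-off of one evidence item.

    The SHA-256 computed at acquisition is the reference value; MD5 is kept
    alongside only because older tooling and some court forms still ask for it.
    """

    def __init__(self, case_id: str, item_id: str, path: str, examiner: str, tool: str):
        self.case_id = case_id
        self.item_id = item_id
        self.path = path
        self.reference_sha256 = hash_file(path, "sha256")
        self.reference_md5 = hash_file(path, "md5")
        self.entries = []
        self._append("acquisition", examiner, examiner, f"imaged with {tool}",
                     verified=True, observed=self.reference_sha256)

    def _append(self, action, holder_from, holder_to, reason, verified, observed):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "from": holder_from,
            "to": holder_to,
            "reason": reason,
            "sha256_observed": observed,
            "verified": verified,
        })

    def transfer(self, holder_from: str, holder_to: str, reason: str) -> bool:
        """Re-hash on every hand-off; a mismatch is logged, never silently accepted."""
        observed = hash_file(self.path, "sha256")
        verified = observed == self.reference_sha256
        self._append("transfer", holder_from, holder_to, reason, verified, observed)
        return verified

    def to_json(self) -> str:
        return json.dumps({
            "case_id": self.case_id,
            "item_id": self.item_id,
            "reference_sha256": self.reference_sha256,
            "reference_md5": self.reference_md5,
            "entries": self.entries,
        }, indent=2)


def demo() -> dict:
    """Acquire a constructed image, transfer it cleanly, then detect a one-byte alteration."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "item-001.dd")
        with open(image, "wb") as handle:  # constructed sample, not real evidence
            handle.write(b"\x00" * 4096 + b"constructed sample image")
        log = CustodyLog("CASE-2024-0001", "item-001", image, "examiner A", "dd (assumed tool)")
        clean = log.transfer("examiner A", "evidence room", "storage after acquisition")
        with open(image, "r+b") as handle:  # simulate tampering while in storage
            handle.seek(10)
            handle.write(b"X")
        tampered = log.transfer("evidence room", "examiner B", "checkout for analysis")
        return {"clean": clean, "tampered": tampered, "entries": len(log.entries),
                "log": log.to_json()}


if __name__ == "__main__":
    print(demo()["log"])
```

The second transfer in demo() returns False and the JSON entry carries "verified": false, which is exactly the discrepancy the procedure above says must be flagged immediately; in practice the log would be written to append-only storage rather than kept in memory.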
Email Header Analysis — Practical Guide

Email headers are a critical forensic artifact. They contain the full routing path, originating IP, mail server identifiers, and authentication results. Learning to read them reveals the true origin of phishing, fraud, and threat emails.

// EMAIL HEADER ANALYSIS
# Key fields to analyze in a suspicious email header:

Received: from mail.attacker.ru [185.220.101.45]
→ Read the Received: chain bottom-up: each hop prepends its own line, so the lowest one is where the message entered the mail system
→ The hostname after "from" is claimed by the sender; the bracketed IP is what the receiving server actually saw. Look it up in Shodan, AbuseIPDB, VirusTotal

From: "PayPal Support" <support@paypa1.com>
→ Display-name plus lookalike-domain spoofing: 'paypa1' (digit one) vs 'paypal'

Reply-To: harvester@tempmail.xyz
→ Reply-To domain differs from From: replies are routed to the attacker. Credential or invoice harvesting indicator

Authentication-Results: spf=fail; dkim=none; dmarc=fail
→ Trust this header only when the authserv-id (the name before the first ';') is your own receiving server; an upstream copy can be forged by the sender
→ spf=fail alone can be a forwarding artifact; spf=fail + dkim=none + dmarc=fail together indicate a spoofed sender domain

X-Originating-IP: 177.39.45.102
→ Client IP recorded by a webmail front end. Only present when the provider adds it and trivially forged by a sending MTA, so cross-check against the bottom Received: hop before geolocating

# Tools: MXToolbox Header Analyzer, Google Admin Toolbox, emlAnalyzer
cmd: python3 emlAnalyzer.py -i suspect_email.eml --headers --links --extract
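As an added example (not the course's own tooling and not emlAnalyzer), the script below implements the checks listed above with the Python standard library: it walks the Received: chain origin-first, extracts the observed IPs, trusts Authentication-Results only when the authserv-id is our own MTA, compares the From and Reply-To domains, and flags digit-for-letter lookalikes of a protected brand. The message is constructed (documentation IPs, .example domains), and OUR_MTA and PROTECTED_BRANDS are assumed configuration.

```python
"""Email header triage (added example, constructed message)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample: a lookalike-domain phish as received by the victim's own MTA.
SAMPLE_EML = """\
Received: from mx.victim-corp.example (mx.victim-corp.example [198.51.100.10])
    by inbox.victim-corp.example with ESMTP; Mon, 15 Jan 2024 10:00:05 +0000
Received: from mail.attacker.example (HELO paypal.example) ([203.0.113.45])
    by mx.victim-corp.example with SMTP; Mon, 15 Jan 2024 10:00:03 +0000
Authentication-Results: mx.victim-corp.example; spf=fail smtp.mailfrom=paypa1.example;
    dkim=none; dmarc=fail header.from=paypa1.example
From: "PayPal Support" <support@paypa1.example>
Reply-To: harvester@tempmail.example
To: victim@victim-corp.example
Subject: Your account has been limited

Please verify your account to restore access.
"""

OUR_MTA = "mx.victim-corp.example"     # assumed: authserv-id of our own receiving server
PROTECTED_BRANDS = ("paypal",)          # assumed: brands we want lookalike alerts for
_LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def domain_of(header_value: str) -> str:
    address = parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Flag a label that turns into a protected brand once digit-for-letter swaps are undone."""
    label = domain.split(".")[0]
    normalized = label.translate(_LOOKALIKE_MAP)
    for brand in PROTECTED_BRANDS:
        if normalized == brand and label != brand:
            return brand
    return None


def analyze_headers(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    # Each hop prepends its Received: line, so the bottom one is the entry point.
    received = [str(h) for h in (msg.get_all("Received") or [])]
    hops = []
    for value in reversed(received):            # reversed = origin first
        found = _IP_IN_BRACKETS.search(value)
        hops.append(found.group(1) if found else None)
    auth_header = str(msg["Authentication-Results"] or "")
    authserv_id = auth_header.split(";")[0].strip()
    auth = dict(_AUTH_RESULT.findall(auth_header))
    from_domain = domain_of(str(msg["From"] or ""))
    reply_domain = domain_of(str(msg["Reply-To"] or ""))
    return {
        "origin_ip": hops[0] if hops else None,
        "hop_ips": hops,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "auth": auth,
        "auth_trusted": authserv_id == OUR_MTA,   # only our own stamp is evidence
        "sender_spoofed": (auth.get("spf") == "fail" and auth.get("dkim") != "pass"
                           and auth.get("dmarc") == "fail"),
        "lookalike_of": lookalike_of(from_domain),
    }


if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_EML).items():
        print(f"{key:18} {value}")
```

The origin IP (203.0.113.45 in the sample) is the value to pivot on; the HELO name "paypal.example" on the same line is attacker-controlled and is recorded only to show why the claimed hostname must never be trusted over the observed IP.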
Digital Trace Types (Vestígios Digitais)
Trace Type | Location | Forensic Value
Browser History | %APPDATA%\...\History (Chromium-based browsers keep the History SQLite database under %LOCALAPPDATA% instead) | Timeline of web activity, searches, downloads
Prefetch Files | C:\Windows\Prefetch\ | Proof of program execution: 128 entries on Windows 7, 1024 from Windows 8 on, with the last 8 run times per file
LNK Files | %APPDATA%\Microsoft\Windows\Recent\ | Recently accessed files; the shortcut persists after the target is deleted and records the target path, size, timestamps and volume serial
Registry Hives | NTUSER.DAT, SAM, SYSTEM, SOFTWARE | USB device history (USBSTOR key in SYSTEM), installed software (SOFTWARE), RecentDocs and typed paths (NTUSER.DAT), local accounts (SAM)
Event Logs | C:\Windows\System32\winevt\Logs\ | Logon events (Security 4624), process creation (4688, only if process auditing is enabled), service installation (System 7045)
Swap / Pagefile | C:\pagefile.sys (and C:\hiberfil.sys) | Fragments of RAM: can contain passwords, keys, decrypted content
Shellbags | Registry: USRCLASS.DAT and NTUSER.DAT | Folders browsed in Explorer, including on removable or network drives no longer attached
EXIF Metadata | Image files (JPEG, HEIC, TIFF; PNG only rarely carries EXIF) | GPS location, camera make/model, timestamp of photo; most social platforms strip it on upload
Practical Example — Mobile Device Forensics

Scenario: A suspect's iPhone is seized at a crime scene. It is locked with Face ID and a 6-digit PIN. The device has mobile data enabled.

Immediate Action: Faraday Isolation
Place immediately in a Faraday bag to prevent remote wipe (MDM command or iCloud "Erase iPhone") and keep it charged, ideally on a power bank inside the bag, because a phone hunting for signal drains its battery quickly. Do NOT attempt to unlock: repeated failed Face ID attempts force passcode entry, and a power-off or reboot drops the device from AFU (after first unlock) to BFU (before first unlock) state, which sharply reduces what any extraction tool can recover. Do not power it off for the same reason.
Acquisition Options
If unlocked: logical or full-file-system acquisition via Cellebrite UFED or Oxygen Forensic. If locked: GrayKey or UFED Premium (availability and legality are jurisdiction-dependent; results depend on iOS version and on AFU vs BFU state). iCloud backup extraction via court order to Apple (MLAT/US legal process).
Key Artifacts
SMS/iMessage (even deleted), call logs, location history (Significant Locations, GPS tracks), installed apps, WiFi connection history, browser history, photos with EXIF, keychain (encrypted passwords).
Tools
Autopsy: open-source disk forensics
FTK Imager: forensic image acquisition
Cellebrite UFED: mobile device extraction
Volatility 3: memory forensics
Registry Explorer: Windows registry analysis
MXToolbox: email header analysis
ExifTool: file metadata extraction
Hindsight: Chrome browser forensics
KNOWLEDGE CHECK — MODULE 11
During email header analysis, you find: "Authentication-Results: spf=fail; dkim=none; dmarc=fail". What does this indicate about the email?
A The email was encrypted end-to-end
B The sender domain was spoofed — all authentication checks failed
C The email was delayed in transit
D The recipient's mail server is misconfigured
// MODULE 12 — ADVANCED TECHNIQUES & COVERT OPERATIONS

ADVANCED INVESTIGATION & UNDERCOVER

Advanced cyber investigations require going beyond passive OSINT — into covert persona operations, deep web navigation, and active infrastructure monitoring. This module covers high-risk, high-reward investigative techniques used by law enforcement and corporate threat intelligence teams.

UNDERCOVER OPS · DEEP WEB · ACTIVE RECON
Deep Web vs. Dark Web — Clarification
🌊
SURFACE WEB
Indexed by search engines. Commonly estimated at only a small fraction of all web content (the often-quoted ~5% figure is an estimate, not a measurement). Public websites, news, social media. Fully accessible and searchable.
🌑
DEEP WEB
Not indexed — behind authentication, paywalls, or private databases. Examples: webmail, banking portals, medical records, university databases, private forums. Legal, but requires credentials.
💀
DARK WEB
Overlay networks requiring special software (Tor, I2P). .onion domains. Contains both legitimate privacy tools AND criminal marketplaces. Not illegal to access, but much content is.
🔑
INVESTIGATOR FOCUS
Most actionable intelligence comes from the Dark Web (criminal activity) and Deep Web (breached databases, private forums, paste sites with leaked data).
Tor Network Investigation Architecture
// TOR CIRCUIT & HIDDEN SERVICE ANALYSIS
# Tor circuit: Client → Guard → Middle → Exit → Destination
# Hidden services (.onion): Client → Guard → Middle → Rendezvous → HS
#   Client and service each build their own three-hop circuit to the rendezvous point;
#   no exit node is involved, so exit-node monitoring tells you nothing about .onion traffic

# Query a dark web search index over Tor. The address below is Ahmia's retired v2 onion:
# v2 services are unreachable since Tor 0.4.6 (2021), so use the v3 address published on ahmia.fi
cmd: torsocks curl -s http://msydqstlz2kzerdg.onion/ 2>/dev/null

# Check whether a source IP in your own logs is a current Tor exit (bulk list of exit IPs)
api: https://check.torproject.org/torbulkexitlist

# Look for hidden-service misconfiguration leaks in response headers
# (redirects to a clearnet hostname, server banners, framework versions)
cmd: torsocks curl -v http://target.onion 2>&1 | grep -E "(Location|Server|X-Powered)"

# OPSEC: confirm your traffic is actually leaving through Tor before operating
cmd: torsocks curl https://check.torproject.org/api/ip

// HS v3 addresses (56 chars: ed25519 public key + checksum + version, base32) replaced v2 (16 chars, truncated SHA-1 of an RSA key); v3 descriptors use blinded keys, so addresses cannot be harvested from HSDir nodes the way v2 addresses could
// Use Ahmia.fi and Torch as dark web search indexes
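An added example (not from the course) for the v3 address format just described: a validator that decodes a 56-character onion label, checks the version byte and recomputes the two-byte SHA3-256 checksum from the Tor rend-spec-v3 formula, so that addresses harvested from a forum post can be separated from typos, truncations and fabricated ones before anyone spends time on them. The sample post is constructed, and the "good" address is derived from a dummy public key rather than any real service.

```python
"""Validate v3 onion addresses harvested from text (added example)."""
import base64
import hashlib
import re
from typing import List, Tuple

ONION_V3_VERSION = b"\x03"
# Candidate extractor: 56-char v3 or 16-char v2 labels in the base32 alphabet.
_ONION_CANDIDATE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Derive the address from a 32-byte ed25519 public key (used here to build test data)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion(address: str) -> Tuple[bool, str]:
    label = address.strip().lower().removesuffix(".onion")
    if len(label) == 16:
        return False, "v2 address: retired in 2021, no longer reachable"
    if len(label) != 56:
        return False, f"unexpected length {len(label)}"
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:
        return False, "not valid base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False, "version byte is not 0x03"
    if checksum != _checksum(pubkey):
        return False, "checksum mismatch: typo, truncation or fabricated address"
    return True, "well-formed v3 address"


def triage_text(text: str) -> List[Tuple[str, bool, str]]:
    """Extract every .onion candidate from a post and validate it."""
    results = []
    for match in _ONION_CANDIDATE.finditer(text):
        address = match.group(0).lower()
        ok, reason = validate_onion(address)
        results.append((address, ok, reason))
    return results


# Constructed forum post: an address derived from a dummy key, a corrupted copy, and a v2-style one.
_GOOD = make_onion_v3(bytes(range(32)))
_BAD = _GOOD[:5] + ("a" if _GOOD[5] != "a" else "b") + _GOOD[6:]
SAMPLE_POST = (f"fresh dump at http://{_GOOD}/dump , mirror {_BAD} , "
               "old market abcdefghijklmnop.onion")

if __name__ == "__main__":
    for address, ok, reason in triage_text(SAMPLE_POST):
        print("OK " if ok else "BAD", address, "-", reason)
```

A well-formed address is not proof that the service exists or is the one claimed; it only means the string was produced from a real key. Reachability still has to be confirmed over Tor, and the checksum will not catch a fully valid address that an adversary generated for a decoy service.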
Undercover Digital Operations
⚠️
LEGAL AUTHORITY REQUIRED
In Brazil, undercover operations (infiltração de agentes) in digital environments are authorized under Lei 12.850/2013 (Organized Crime Law), Art. 10-A. Requires prior judicial authorization. Evidence obtained without authorization may be inadmissible and expose the investigator to criminal liability.
🎭
PERSONA CREATION
Build a credible cover identity: aged social media accounts, backstory, activity history. Use dedicated devices. Never reuse real-world identifiers. Persona must be believable to threat actors who vet new members.
🕸️
FORUM INFILTRATION
Join criminal forums with low-value initial posts to build reputation. Never initiate illegal activity. Observe and document. Log all interactions with timestamps. Do not entrap.
📸
EVIDENCE COLLECTION
Screenshot with metadata preservation. Use tools like Hunchly for automatic web evidence logging with hash verification. Timestamp all captures with external time authority.
🔓
EXFILTRATION DETECTION
Monitor underground markets for your organization's data. Set up automated alerts for corporate email patterns, domain names, and credential formats on paste sites and dark web leak forums.
Operational Security (OPSEC) for Investigators
Device Compartmentalization
Dedicated investigation laptop — never used for personal email, banking, or social media. Boot from Tails OS for high-risk sessions. Separate phones for undercover SIM cards.
Network Isolation
Investigation traffic through dedicated VPN + Tor. Never mix investigation traffic with corporate network. Mobile data on burner SIM for dark web sessions. Consider VPS as jump host.
Identity Hygiene
Unique usernames per platform, never reused. Separate ProtonMail / Tutanota addresses per persona. No cross-contamination between real identity and cover identity — ever.
Counter-Surveillance
Assume targets may be running counter-intelligence. Vary login times and patterns. Use Tor Browser's security level "Safest." Disable JavaScript for .onion sites handling sensitive operations.
Practical Example — Dark Web Market Intelligence

Scenario: A financial institution detects that customer credentials appear to be circulating on criminal forums. You are tasked with determining the scope, source, and threat actors involved.

Monitor Automated Leak Sites
Deploy SpiderFoot + custom scripts to monitor Dehashed, Have I Been Pwned API, IntelX, and dark web paste sites for your organization's email domains and credential patterns.
Identify the Forum Post
Navigate to the identified forum using Tor (Whonix setup). Screenshot the post, capture seller's username, posting history, and PGP key if available. Do not create an account if not authorized.
Pivot on the Actor
Username → reverse search across dark web forums (Torch, Dread, RAMP archives) → PGP key fingerprint → Bitcoin wallet → transaction history → exchange on/off-ramp.
Determine Breach Source
Analyze sample credentials — are they current? From which service? Cross-reference with known breached databases. Canary token analysis — did honeypot accounts appear in the dump?
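The breach-source step above is the one that most benefits from code, so here is an added example (not the course's own script): it scopes a pasted combolist to the organization's domains, matches any canary (honeypot) accounts against a registry of which third-party service each canary was seeded into, and prepares the k-anonymity prefix for a Have I Been Pwned Pwned Passwords range query without sending the plaintext or full hash anywhere. The dump, the canary registry and the domain list are all constructed.

```python
"""Attribute a credential dump via canary accounts (added example, constructed data)."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed combolist as pasted on a leak forum (email:password). Not real data.
SAMPLE_DUMP = """\
ana.souza@victimbank.example:Verao2023!
carlos.lima@othercorp.example:hunter2
cn-7f3a@victimbank.example:Kq9#mPz2v
mariana.r@victimbank.example:Maria1234
ops-vendor@victimbank.example:Tr4vel!Pass
joao@personalmail.example:password
"""

# Canary accounts exist only to be handed to exactly one third-party service each.
# Assumed registry: address -> (service it was seeded into, date seeded). A canary
# appearing in a dump points at that service, or at something with access to it.
CANARY_REGISTRY: Dict[str, Tuple[str, str]] = {
    "cn-7f3a@victimbank.example": ("travel-booking-vendor", "2023-02-14"),
    "ops-vendor@victimbank.example": ("travel-booking-vendor", "2023-03-01"),
    "cn-91bb@victimbank.example": ("hr-recruiting-saas", "2023-05-20"),
}
OUR_DOMAINS = ("victimbank.example",)   # assumed: domains in scope for this investigation


def parse_dump(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Split email:password rows; passwords can contain ':' so split on the first one only."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        rows.append((email.lower(), password))
    return rows


def in_scope(email: str) -> bool:
    return email.rpartition("@")[2] in OUR_DOMAINS


def analyze_dump(text: str) -> dict:
    rows = parse_dump(text.splitlines())
    ours = [(e, p) for e, p in rows if in_scope(e)]
    hits = [(e, CANARY_REGISTRY[e]) for e, _ in ours if e in CANARY_REGISTRY]
    services = Counter(service for _, (service, _) in hits)
    return {
        "total_rows": len(rows),
        "in_scope": len(ours),
        "canary_hits": hits,
        "likely_source": services.most_common(1)[0][0] if services else None,
    }


def hibp_range_query(password: str) -> Tuple[str, str]:
    """Prepare a k-anonymity lookup for Pwned Passwords.

    Only the 5-character SHA-1 prefix goes to https://api.pwnedpasswords.com/range/<prefix>;
    the caller matches the returned suffixes against the second value locally, so neither
    the plaintext nor its full hash leaves the investigation host.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    print(analyze_dump(SAMPLE_DUMP))
    print(hibp_range_query("password"))
```

Two canaries from the same vendor in one dump is strong attribution; one canary could also mean the vendor's mailbox was phished rather than its database breached, so the seeding date and the dump's newest credentials should be compared before naming a source.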
KNOWLEDGE CHECK — MODULE 12
In Brazil, what law authorizes undercover digital agent infiltration, and what is required before the operation begins?
A Lei 12.737/2012 — police chief authorization
B Marco Civil da Internet — prosecutor approval
C Lei 12.850/2013 (Art. 10-A) — prior judicial authorization
D LGPD Art. 7 — ANPD notification
// MODULE 13 — CYBERCRIME INVESTIGATION: FRAUD, ATTACKS & SOCIAL ENGINEERING

FRAUD & ATTACK INVESTIGATION

The most prevalent cybercrime categories investigated by law enforcement and corporate security teams. This module covers practical investigation methodologies for bank fraud, sextortion, system attacks, social engineering campaigns, and malware incidents.

BANK FRAUD · SEXTORTION · SOCIAL ENGINEERING
Banking Fraud Investigation
🏦
PIX FRAUD (Brazil)
Brazil's instant payment system (Pix) is the primary target. Attack types: account takeover via SIM swap, social engineering to transfer funds, "Pix errado" scam (fake wrong payment), and malware intercepting Pix keys. First response: preserve transaction logs, Pix keys, and device forensics.
📄
BOLETO FRAUD
Manipulation of payment barcodes — either via browser malware changing the barcode at payment time, or fraudulent boletos sent by email. Investigation: compare original boleto metadata with the paid version; trace beneficiary bank account (Conta de Passagem).
📱
SIM SWAP
Criminal convinces telecom to transfer victim's phone number to attacker's SIM, bypassing SMS-based 2FA. Indicators: victim loses mobile signal, receives unexpected account change alerts. Investigation: telecom records, carrier employee access logs, identity document fraud.
💳
CARD FRAUD
Card cloning (skimming), CNP (Card Not Present) fraud, and BIN attacks. Investigation: merchant POS terminal analysis, ATM tamper evidence, dark web card shops (track cardholder data to compromise source).
Banking Fraud Investigation Workflow
// FRAUD INVESTIGATION — STEP BY STEP
# Step 1: Preserve financial transaction records
→ Pix/TED/DOC transaction ID, timestamp, originating account, IP, device fingerprint
→ Beneficiary account (Conta de Destino) — trace ownership via BACEN MED system

# Step 2: Device forensics on victim's phone/computer
→ Check for RAT/banking trojan (Grandoreiro, Mekotio, BRATA family common in BR)
→ Accessibility service abuse (overlays, screen readers used by Android banking malware)

# Step 3: Telecom records (if SIM swap suspected)
→ SIM change log with timestamp, location of requesting store, employee ID
→ Cross with victim's SMS 2FA bypass window

# Step 4: Follow the money
→ Laranjas (money mule accounts) — trace withdrawal patterns (ATM + location data)
// BACEN MED: Mecanismo Especial de Devolução — key tool for fraud chargebacks
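To make step 3 concrete, here is an added example (not from the course) that merges a telecom SIM-change record with the bank's event export into one UTC timeline, derives the bypass window (from the SIM change until the victim reported it) and lists the Pix transfers and the first OTP that fall inside it. All records are constructed and their field names are assumptions; real exports will need their own column mapping.

```python
"""Correlate SIM-swap records with bank events (added example, constructed data)."""
from datetime import datetime, timezone
from typing import Dict

# Constructed records shaped like a telecom export and a bank export. Not real data.
TELECOM_SIM_EVENTS = [
    {"msisdn": "+5511999990000", "event": "sim_change", "ts": "2024-03-10T14:02:00-03:00",
     "store": "loja-centro-sp", "employee_id": "E4412"},
]
BANK_EVENTS = [
    {"ts": "2024-03-09T09:15:00-03:00", "type": "pix_out", "id": "E1", "amount": 120.00},
    {"ts": "2024-03-10T14:09:30-03:00", "type": "otp_sms", "id": "O1", "amount": 0.0},
    {"ts": "2024-03-10T14:11:05-03:00", "type": "device_enroll", "id": "D1", "amount": 0.0},
    {"ts": "2024-03-10T14:15:40-03:00", "type": "pix_out", "id": "E2", "amount": 4900.00},
    {"ts": "2024-03-10T14:31:12-03:00", "type": "pix_out", "id": "E3", "amount": 4950.00},
    {"ts": "2024-03-11T08:00:00-03:00", "type": "pix_out", "id": "E4", "amount": 60.00},
]
VICTIM_REPORT_TS = "2024-03-10T17:45:00-03:00"   # assumed: when the victim called the bank


def parse_ts(value: str) -> datetime:
    """Normalize every source to UTC; mixed local offsets are a classic correlation error."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def bypass_window(sim_events, report_ts: str) -> Dict[str, datetime]:
    swap = min(parse_ts(e["ts"]) for e in sim_events if e["event"] == "sim_change")
    return {"start": swap, "end": parse_ts(report_ts)}


def correlate(sim_events, bank_events, report_ts: str) -> dict:
    window = bypass_window(sim_events, report_ts)
    timeline = sorted(
        [{"ts": parse_ts(e["ts"]), "source": "telecom", "type": e["event"],
          "id": e.get("employee_id")} for e in sim_events]
        + [{"ts": parse_ts(e["ts"]), "source": "bank", "type": e["type"], "id": e["id"]}
           for e in bank_events],
        key=lambda e: e["ts"],
    )
    in_window = [e for e in timeline
                 if e["source"] == "bank" and window["start"] <= e["ts"] <= window["end"]]
    suspect_tx = [e["id"] for e in in_window if e["type"] == "pix_out"]
    first_otp = next((e for e in in_window if e["type"] == "otp_sms"), None)
    return {
        "window_minutes": (window["end"] - window["start"]).total_seconds() / 60,
        "otp_after_swap_minutes": ((first_otp["ts"] - window["start"]).total_seconds() / 60
                                   if first_otp else None),
        "suspect_transactions": suspect_tx,
        "suspect_amount": sum(e["amount"] for e in bank_events if e["id"] in suspect_tx),
        "timeline": [(e["ts"].isoformat(), e["source"], e["type"], e["id"]) for e in timeline],
    }


if __name__ == "__main__":
    for row in correlate(TELECOM_SIM_EVENTS, BANK_EVENTS, VICTIM_REPORT_TS)["timeline"]:
        print(*row)
```

An OTP delivered minutes after the SIM change, followed by a new device enrollment and then transfers, is the signature the MED request and the telecom subpoena (store, employee ID) should be built around; transfers after the victim's report need a separate explanation, since the number should have been blocked by then.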
Sextortion Investigation
🚨
SENSITIVE INVESTIGATION AREA
Sextortion cases, especially involving minors, require specialized trauma-informed protocols. In Brazil: report to SaferNet Brasil, Childhood Brasil, and DEAM/delegacias especializadas. When minors are involved: ECA (Lei 8.069/90) Arts. 241-A to 241-E apply — no exceptions.
😈
ATTACK PATTERN
Attacker initiates online relationship (catfishing), obtains intimate images via deception or hacking, then threatens to publish unless paid or more content is provided. Also: mass email campaigns claiming to have webcam footage (most are bluffs).
🔍
INVESTIGATION STEPS
1. Preserve all communications. 2. Reverse image search attacker's profile photos (likely stolen). 3. Trace contact method — email headers, phone number OSINT. 4. Cryptocurrency wallet analysis if ransom demanded. 5. Platform report + preservation request.
📧
MASS SEXTORTION EMAILS
Header analysis reveals bulk email infrastructure. Attacker often includes a real leaked password (from breached database) to appear credible. Cross-reference password with HIBP to identify breach source. Bitcoin wallet tracing often reveals large-scale criminal operation.
⚖️
LEGAL FRAMEWORK (BR)
Sextortion itself is usually charged as extorsão (Art. 158 CP, 4 to 10 years), with the ECA (Arts. 241-A to 241-E) applying whenever the victim is a minor. Related offenses: Art. 216-B CP, registro não autorizado da intimidade sexual (6 months to 1 year); Art. 218-C CP, divulgação de cena de sexo, nudez ou pornografia sem consentimento (1 to 5 years, increased by one-third to two-thirds when the agent had an intimate relationship with the victim or acts out of revenge or humiliation).
Social Engineering Investigation

Social engineering attacks manipulate human psychology rather than exploiting technical vulnerabilities. Investigation requires both technical forensics and behavioral analysis.

Attack TypeIndicatorsInvestigation Approach
Spear PhishingTargeted email with personalized content, urgent request, spoofed domainEmail header analysis, domain registration check, OSINT on target to understand what data attacker had access to
Vishing (Voice)Unexpected call claiming to be bank/IT support, requesting OTP or credentialsCaller ID spoofing analysis, telecom records, script analysis to identify campaign breadth
PretextingElaborate false scenario to extract information over timeDocument all interactions, map the false persona using OSINT, identify data exfiltrated
BEC (Business Email Compromise)Email from "CEO/CFO" requesting urgent wire transferEmail header analysis (spoofed or compromised account?), financial transaction trace, MLAT if funds sent abroad
QR Code Phishing (Quishing)Malicious QR code in email/document redirecting to credential harvest pageDecode QR, analyze URL, check hosting infrastructure, trace registration data
Malware Incident Investigation — Practical Workflow

Scenario: An employee reports their computer is behaving strangely — slow performance, unexpected pop-ups, and suspicious outbound network traffic detected by the firewall. Suspected banking trojan (Grandoreiro family — prevalent in Brazil and Latin America).

Immediate Isolation
Disconnect from network (do NOT turn off — preserve volatile data). Capture RAM with WinPmem. Photograph screen showing active processes and network connections.
Network IOC Extraction
Review firewall logs for the host's IP. Identify C2 IPs — Grandoreiro typically uses DGA (Domain Generation Algorithm) or hard-coded C2s in Brazil-registered domains. Submit IPs to VirusTotal and AbuseIPDB.
Malware Sample Analysis
Extract the dropper from %TEMP% or %APPDATA%\Roaming. Grandoreiro typically uses Delphi, large file size (~300MB with padding), and overlay data. Submit to ANY.RUN sandbox for behavioral analysis.
Attribution & Reporting
Cross-reference C2 infrastructure with known Grandoreiro campaign IOCs (ESET, Kaspersky TI). File report with CERT.br (cert.br) and affected financial institutions' security teams.
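For the network IOC step, here is an added example (not course material) of the detection an analyst would actually run over the firewall export: it groups outbound connections by source, destination and port and flags flows whose inter-connection intervals are too regular to be human, which is how a timer-driven C2 beacon looks even when the destination is not yet on any blocklist. The log lines are constructed in a generic "timestamp ACTION src:port -> dst:port" format and the thresholds are tunables, not constants.

```python
"""Detect C2 beaconing in firewall logs by interval regularity (added example, constructed logs)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

_LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def build_sample_log() -> List[str]:
    """Constructed lines: one host beaconing every 60 s with small jitter, plus human browsing."""
    start = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
    lines = []
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]
    for i, j in enumerate(jitter):                       # beacon: 10.0.0.23 -> 203.0.113.77:443
        ts = start + timedelta(seconds=60 * i + j)
        lines.append(f"{ts.isoformat()} ACCEPT 10.0.0.23:5{1000 + i} -> 203.0.113.77:443")
    elapsed = 0
    for i, gap in enumerate([0, 5, 300, 40, 1200, 7, 900, 15, 60, 500]):   # bursty, irregular
        elapsed += gap
        ts = start + timedelta(seconds=elapsed)
        lines.append(f"{ts.isoformat()} ACCEPT 10.0.0.40:4{2000 + i} -> 198.51.100.9:443")
    lines.append(f"{start.isoformat()} DROP 10.0.0.23:51099 -> 203.0.113.77:8443")
    return sorted(lines)


def parse_log(lines) -> Dict[Tuple[str, str, str], List[datetime]]:
    flows = defaultdict(list)
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        flows[(m["src"], m["dst"], m["dport"])].append(datetime.fromisoformat(m["ts"]))
    return flows


def find_beacons(lines, min_events: int = 8, max_cv: float = 0.2) -> List[dict]:
    """Flag flows whose inter-connection intervals are suspiciously regular.

    Coefficient of variation (stdev / mean) near 0 means a timer; human traffic is bursty.
    Implants add sleep jitter to widen the spread, so max_cv must be tuned per environment.
    """
    beacons = []
    for (src, dst, dport), stamps in parse_log(lines).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "events": len(stamps),
                            "period_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(build_sample_log()):
        print(beacon)
```

The flagged destination is what goes to VirusTotal and AbuseIPDB and into the DGA check; a DGA-based family will show the same period against a rotating set of destinations, so for those run the same statistic on (source, port) alone before concluding there is no beacon.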
Brazilian-Specific Threat Landscape
Grandoreiro Banking Trojan · BRATA Android Malware · Golpe do Motoboy · Pix Scams (Engenharia Social) · Mekotio Boleto Malware · Golpe da Central de Atendimento · Ghost RAT (via WhatsApp)
ℹ️
BRAZIL THREAT CONTEXT
Brazil consistently ranks among the most targeted countries for financially motivated cybercrime, driven by rapid Pix adoption, high smartphone penetration and a large population that entered digital banking recently, often on shared or unmanaged devices. Brazilian banking trojan families (Grandoreiro, Mekotio) have expanded their targeting to Spain, Portugal and Mexico. Key resource: CERT.br (cert.br), which monitors and coordinates incident response at national level.
KNOWLEDGE CHECK — MODULE 13
A victim receives a mass email claiming the attacker has webcam footage, and includes the victim's real password. The most effective first investigative step is to:
A Pay the ransom to obtain attacker's Bitcoin wallet for tracing
B Cross-reference the leaked password with breach databases to identify the original data source
C Scan the victim's webcam driver for malware
D Report directly to BACEN without further analysis
// MODULE 14 — BIBLIOGRAPHY, RESOURCES & FURTHER READING

BIBLIOGRAPHY & REFERENCES

A curated, professional bibliography for cyber investigators. Organized by topic area, covering foundational texts, technical references, legal documents, and continuously updated online resources.

BOOKS · LEGISLATION · ONLINE RESOURCES
Foundational Books — Technical
Title | Author(s) | Relevance
The Art of Invisibility | Kevin Mitnick | OPSEC, digital privacy, investigator mindset: understanding the attacker's perspective on anonymity
Open Source Intelligence Techniques (9th Ed.) | Michael Bazzell | The definitive OSINT manual. Updated annually. Covers every major platform and tool. Essential reading.
Practical Malware Analysis | Sikorski & Honig | Static and dynamic malware analysis. IDA Pro, OllyDbg, sandbox techniques. The malware analyst's bible.
The Hacker Playbook 3 | Peter Kim | Red team operations, pivoting, lateral movement. Valuable for understanding attacker TTPs from the defender's view.
Intelligence-Driven Incident Response | Rebekah Brown & Scott Roberts | Threat intelligence integration into IR. Diamond Model, kill chain, F3EAD framework.
Digital Forensics and Incident Response (3rd Ed.) | Gerard Johansen | Comprehensive DFIR methodology. Evidence acquisition, memory forensics, log analysis.
Rtfm: Red Team Field Manual | Ben Clark | Quick-reference commands for network recon, pivoting, and post-exploitation; useful for understanding attack paths.
Applied Cryptography | Bruce Schneier | Understanding encryption: essential for cryptocurrency tracing and secure communication analysis.
Brazilian Legal References
Document | Source | Key Articles
Lei 12.737/2012 (Lei Carolina Dieckmann) | planalto.gov.br | Art. 154-A (invasão de dispositivo informático)
Lei 12.965/2014 (Marco Civil da Internet) | planalto.gov.br | Arts. 13, 15 (retention of connection and application logs); Art. 10 §1 and Art. 22 (judicial order required for access)
Lei 13.709/2018 (LGPD) | planalto.gov.br | Arts. 7, 11 (lawful basis); Art. 48 (breach notification)
Lei 14.155/2021 (cyberfraud enhancement) | planalto.gov.br | Art. 154-A (penalties raised), Art. 155 §4-B (furto mediante fraude eletrônica), Art. 171 §2-A (fraude eletrônica)
Lei 12.850/2013 (Organized Crime) | planalto.gov.br | Art. 10-A (digital undercover agent)
Lei 13.964/2019 (Pacote Anticrime) | planalto.gov.br | Arts. 158-A to 158-F CPP (chain of custody)
Decreto 11.491/2023 (Budapest Convention) | planalto.gov.br | Promulgates the Budapest Convention in Brazil
Resolução BCB 6/2020 (Pix Regulation) | bcb.gov.br | MED (fraud return mechanism), data retention obligations
International Frameworks & Standards
Document | Organization | Key Application
Budapest Convention on Cybercrime (ETS 185) | Council of Europe | International cooperation, mutual legal assistance, expedited preservation (Art. 29), definitions of offenses
NIST SP 800-61 Rev. 2 (Incident Handling Guide) | NIST (US) | IR lifecycle: prepare, detect and analyze, contain, eradicate, recover, post-incident. Superseded by Rev. 3 (April 2025), which reframes IR around the CSF 2.0 functions
NIST SP 800-86 (Integrating Forensic Techniques into Incident Response) | NIST (US) | Forensic methodology integrated into incident response
ISO/IEC 27037:2012 (Digital Evidence) | ISO | International standard for identification, collection, acquisition and preservation of digital evidence
MITRE ATT&CK Framework | MITRE | Adversary TTP taxonomy; maps attacker behavior for detection and investigation
FATF Guidance on Virtual Assets | FATF | Cryptocurrency AML/CFT guidance; critical for crypto tracing investigations
RFC 3227 (Guidelines for Evidence Collection and Archiving) | IETF | Order of volatility and handling guidelines for collecting evidence from live systems
Online Resources & Continuous Learning
CERT.br
cert.br — Brazilian national CSIRT, incident reports, statistics, guides
SaferNet Brasil
safernet.org.br — cybercrime reporting, victim support resources
SANS Internet Storm Center
isc.sans.edu — daily threat intel, malware analysis, incident diaries
Krebs on Security
krebsonsecurity.com — in-depth cybercrime journalism and investigation
MITRE ATT&CK
attack.mitre.org — adversary TTP knowledge base
IntelTechniques
inteltechniques.com — Michael Bazzell's OSINT resources and tools
Bellingcat Guides
bellingcat.com/resources — open-source investigation methodologies
ANY.RUN Sandbox
any.run — interactive malware sandbox with public reports
MalwareBazaar
bazaar.abuse.ch — malware sample repository
CyberCrime Magazine
cybercrimemagazine.com — industry statistics and reports
ANPD
gov.br/anpd — Brazilian DPA, LGPD guidance documents
Council of Europe CyberCrime
coe.int/cybercrime — Budapest Convention resources
Certifications — Recommended Path
Certification | Body | Focus Area
CompTIA Security+ | CompTIA | Security fundamentals; good baseline before specialization
GCFE (GIAC Certified Forensic Examiner) | GIAC/SANS | Windows forensics, timeline analysis, artifact analysis
GCFA (GIAC Certified Forensic Analyst) | GIAC/SANS | Advanced forensic analysis, memory forensics, IR
OSCP (Offensive Security Certified Professional) | OffSec | Penetration testing; understanding attacker methodology
CCE (Certified Computer Examiner) | ISFCE | Digital forensics and legal admissibility
CISA (Certified Information Systems Auditor) | ISACA | IT audit and control; useful for regulatory compliance
CTIA (Certified Threat Intelligence Analyst) | EC-Council | Threat intelligence lifecycle, OSINT, dark web monitoring
Perito em Informática Forense | ABEINFO (BR) | Brazilian forensic examiner certification, recognized by courts
Brazilian Academic & Institutional References
🎓
ACADEMIA
Key Brazilian academic programs: UNICAMP (Ciência da Computação), USP (Engenharia de Computação), UFPR (Segurança da Informação). Research groups: GTA/UFRJ, LASIC/UFMG, CyberLab UFSC.
👮
LAW ENFORCEMENT UNITS
DRCI (Delegacia de Repressão a Crimes de Informática) — various states. GAECO Cibernético. PF — DICOR (Diretoria de Crimes Organizados) with cyber capabilities. ANATEL — telecom regulatory enforcement.
📖
RECOMMENDED BR BOOKS
"Crimes Cibernéticos" — Alexandre Atheniense; "Perícia Forense Digital" — Antonio Marcelo Jackson; "Manual de Investigação Cibernética" — Carlos Eduardo Sobral; "LGPD: Lei Geral de Proteção de Dados" — Bruno Bioni.
🏛️
JUDICIAL RESOURCES
STJ — Superior Tribunal de Justiça cyber jurisprudence. ENCCLA — national strategy against corruption and cyber laundering. Turmas Criminais Especializadas em Crimes Cibernéticos — São Paulo and Rio de Janeiro TJs.
🎯 COURSE COMPLETE — ALL 14 MODULES
You have completed the full Cyber Investigation Course. Apply these skills through CTF challenges (HackTheBox, TryHackMe), Bellingcat's open investigations, and CERT.br community programs. Stay current — this field evolves daily.