Cyber & Digital Investigations

Cyber & Digital Investigations | Cybercrime, Identity Theft, Scams & Online Evidence

Digital matters rarely turn on opinions alone. They turn on facts: what happened, when it happened, what changed, what can be verified, and what evidence still exists. A professional cyber/digital investigation is a lawful, proof-driven effort to identify what is provable, preserve what matters, and package the record in a way that is usable for clients, attorneys, insurers, and decision-makers.

Washington State Investigators provides cyber and digital investigation support serving Seattle, Burien, King County, and communities across Washington. Our work is built for practical use: scope control, evidence preservation, chronology discipline, and reporting designed to withstand scrutiny.

Educational notice (please read): This page provides general educational information and investigative context. It is not legal advice. Laws, reporting procedures, platform rules, and threat patterns change over time. We do not provide hacking, unlawful interception, spyware deployment, or unauthorized account access. If there is immediate danger or an active emergency, call 911.

What Cyber & Digital Investigation Support Is (and Isn’t)

A cyber/digital investigation is a structured effort to establish objective digital facts without using shortcuts that create legal risk, credibility problems, or evidentiary damage.

  • It is: chronology building, incident fact development, public-content preservation, account or device review with lawful authority, identity and linkage research, business-record mapping, and reporting built for scrutiny.
  • It is not: hacking, “getting into” accounts, spyware deployment, unlawful interception, trespass, social-engineering a provider, or any tactic that turns evidence into a liability.

Bottom line: we identify what is provable, preserve what is public or lawfully available, and clearly separate observation from inference.

Why Clients Retain Cyber / Digital Investigation Support

Most clients come to this work for one reason: the facts matter, and the digital record is incomplete, disputed, or disappearing.

  • Timeline clarity: organize events, messages, account activity, notices, and records into a usable chronology.
  • Preservation control: capture evidence before it is deleted, buried, overwritten, or “cleaned up.”
  • Credibility testing: compare claims against what the records, timestamps, and digital trail actually show.
  • Identity and linkage work: map people, entities, domains, wallets, listings, profiles, and public-facing indicators.
  • Defensible packaging: reporting that is clear enough to support disputes, claims, attorney review, or internal decisions.

Common Matters We Support

  • Identity theft documentation and victim-side recovery support coordination.
  • Harassment, threats, and online misconduct where preservation and chronology matter.
  • Impersonation and spoofing involving individuals, businesses, domains, websites, or communications.
  • Crypto-investment fraud: relationship-building scams, fake trading platforms, coached transfers, wallet/address organization, transaction chronology, and a practical trace guide showing what should be preserved, what can be followed, and what evidence is needed for reporting, claims, or attorney review.
  • Business email compromise (BEC) and wire-fraud-adjacent documentation.
  • Business and workplace incidents requiring lawful fact development and records organization.
  • Litigation support involving online evidence, chronology, and preservation discipline.
  • Due diligence and affiliation research including digital-footprint review and public-record linkage work.

Identity Theft: What It Is and What to Do First

Identity theft generally involves the unlawful obtaining, possessing, using, or transferring of another person’s identifying or financial information with criminal intent. In Washington, identity theft is addressed under RCW 9.35.020.

What victims should do first

  • Start with the official recovery workflow: use IdentityTheft.gov and document each step.
  • Protect credit: place fraud alerts or freezes and keep the confirmation details.
  • Notify affected institutions: banks, card issuers, lenders, healthcare entities, or agencies involved.
  • Build a timeline: note when you discovered the problem, what accounts were affected, what notices arrived, and what action you took.

Where investigation support helps

  • Chronology and exhibit control: a clean timeline is often more useful than a large pile of screenshots.
  • Identity / affiliation research: lawful linkage work around names, entities, addresses, emails, businesses, and public records.
  • Online evidence preservation: preserving posts, profiles, listings, or websites before they change.

Cybercrime-Related Matters: What’s Investigable

“Cybercrime” is a broad label. In practice, these matters commonly involve unauthorized access, account compromise, spoofing, interference with data or services, online fraud, or digital misconduct tied to a larger dispute. Washington’s cybercrime framework is found in Chapter 9A.90 RCW.

  • Timeline reconstruction: identify the sequence of events using verifiable records and preserved content.
  • Public-facing linkage research: business filings, domains, public profiles, public listings, and related public indicators.
  • Spoofing / impersonation documentation: preserve messages, screenshots with context, account identifiers, and reference points to official accounts.
  • Fraud-adjacent documentation: preserve misrepresentations, transfers, communications, and public claims in a usable form.

Boundary line: professional investigators do not “prove attribution” by hacking. Attribution often depends on provider-held data, subscriber records, or other non-public material that usually requires legal process handled through counsel or law enforcement.

Scams, Phishing, BEC & Crypto-Fraud Documentation

Fraud matters usually move fast and degrade fast. Emails are deleted, chats disappear, wallet addresses get buried, and victims often begin changing accounts before the record is preserved. The investigative value is in documenting what happened, how the approach was made, what identifiers were used, and what money or access changed hands.

Common patterns

  • Phishing: fake login pages, urgent prompts, reset links, malicious attachments, and credential capture.
  • Business email compromise (BEC): invoice fraud, executive impersonation, payroll changes, or vendor-payment diversion.
  • Crypto-investment fraud: relationship-building, fake trading platforms, coached transfers, and fake “recovery” follow-on scams.
  • Tech-support or “security” scams: remote-access demands, fake warnings, and pressure to move money or install software.

What should be preserved immediately

  • Messages and headers: emails, texts, platform chats, and account alerts.
  • Identifiers: URLs, handles, email addresses, wallet addresses, transaction hashes, domain names, and account names.
  • Chronology: dates, times, calls, transfers, account changes, and what the victim was told to do.
  • Financial trail: wire details, exchange receipts, screenshots, and institution reference numbers.

Why fast organization matters

  • Claims and disputes: banks, exchanges, insurers, and counsel often need a coherent timeline, not scattered pieces.
  • Reporting quality: law enforcement and institutional reporting is more useful when key identifiers are documented cleanly.
  • Evidence integrity: early preservation reduces the risk of missing context or accidental alteration.

Practical rule: preserve first, speculate later. Organized evidence is usually more valuable than a rushed theory about who is behind the event.

Crypto Trace Guide: What to Preserve and What Can Be Followed

In crypto-fraud matters, the most useful early step is not guessing who the scammer is. It is building a clean trace guide: a working record showing what moved, when it moved, what addresses were used, what platform or wallet was involved, and what evidence exists for reporting, claims, or attorney review.

What a practical trace guide should include

  • Wallet addresses: sending and receiving addresses exactly as used.
  • Transaction hashes: the on-chain identifiers for each transfer.
  • Platform details: exchange names, wallet apps, websites, account emails, usernames, and any support tickets.
  • Chronology: dates, times, transfer amounts, instructions received, and what happened immediately before and after each transfer.
  • Communications record: chats, emails, texts, profile links, and screenshots with context.

What can often be followed

  • On-chain movements: movement from one wallet to another can often be documented publicly.
  • Clustering and exchange touchpoints: some wallet activity may appear to interact with known services or exchanges.
  • Pattern development: repeated addresses, reuse of domains, reused communications, or linked public-facing infrastructure may help clarify the fraud pattern.

What usually requires caution

  • Attribution: a wallet path is not the same as identifying a real-world actor.
  • Recovery promises: tracing activity does not guarantee recovery.
  • “Recovery” services: many secondary scams target victims after the original fraud.
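One way to keep the trace guide described in this section as a structured record, shown as an added example that is not part of the original page. The rows, address strings, hash strings, platform names and exhibit labels are constructed placeholders, and the field names are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Fields every transfer row should carry besides its timestamp (assumed names).
REQUIRED = ("from_addr", "to_addr", "tx_hash", "amount", "asset", "platform", "exhibit")

# Constructed sample rows. "when" is the time exactly as printed on the receipt,
# including its UTC offset; the guide keeps that string and adds a UTC value.
TRANSFERS = [
    {"when": "2024-03-01T20:00:00-08:00", "from_addr": "addrVictimA",
     "to_addr": "addrDest1", "tx_hash": "hash002", "amount": "0.50",
     "asset": "BTC", "platform": "ExampleExchange", "exhibit": "EX-03"},
    {"when": "2024-03-02T01:30:00+09:00", "from_addr": "addrVictimA",
     "to_addr": "addrDest1", "tx_hash": "hash001", "amount": "0.10",
     "asset": "BTC", "platform": "ExampleExchange", "exhibit": "EX-02"},
    {"when": "2024-03-05T14:00:00+00:00", "from_addr": "addrVictimA",
     "to_addr": "addrdest1", "tx_hash": "", "amount": "1.25",
     "asset": "BTC", "platform": "ExampleWalletApp", "exhibit": "EX-05"},
]


def build_trace_guide(rows):
    """Return (chronology, gaps): rows ordered by UTC time, plus missing fields."""
    chronology, gaps = [], []
    for row in rows:
        missing = [f for f in REQUIRED if not str(row.get(f, "")).strip()]
        if missing:
            gaps.append((row.get("exhibit", "?"), missing))
        when = datetime.fromisoformat(row["when"])
        if when.tzinfo is None:
            # A local time with no offset cannot be ordered against other rows.
            raise ValueError("timestamp without UTC offset: " + row["when"])
        utc = when.astimezone(timezone.utc)
        chronology.append({**row, "when_utc": utc.isoformat()})
    chronology.sort(key=lambda r: datetime.fromisoformat(r["when_utc"]))
    return chronology, gaps


def repeated_destinations(chronology):
    """Exact reuse of receiving addresses, and case-only near matches to recheck."""
    exact = Counter(r["to_addr"] for r in chronology)
    reused = {addr: n for addr, n in exact.items() if n > 1}
    # Some address encodings are case-sensitive, so strings that differ only by
    # case are never merged; they are listed for comparison with the original.
    folded = {}
    for addr in exact:
        folded.setdefault(addr.lower(), set()).add(addr)
    recheck = sorted(sorted(group) for group in folded.values() if len(group) > 1)
    return reused, recheck


if __name__ == "__main__":
    chron, gaps = build_trace_guide(TRANSFERS)
    for r in chron:
        print(r["when_utc"], r["exhibit"], r["to_addr"], r["tx_hash"] or "(no hash)")
    print("gaps:", gaps)
    print("reuse / recheck:", repeated_destinations(chron))
```

In the sample, the receipt printed as 2 March (+09:00) sorts before the one printed as 1 March (-08:00) once both are converted to UTC, which is why the guide stores the offset rather than a bare local time.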

PC, Mobile & Account Security for Clients

This section is written for non-technical clients. The goal is straightforward: reduce avoidable risk and avoid destroying evidence if something already went wrong.

Account security that matters

  • Use passkeys where available: passkeys are generally stronger than traditional passwords because they are resistant to common phishing and credential-reuse attacks.
  • Use an authenticator app for MFA: app-based authentication is typically stronger than SMS alone for important accounts.
  • Use long, unique passwords when passkeys are not available: if a site still requires passwords, store them in a reputable password manager rather than reusing or memorizing weak credentials.
  • Protect email first: compromised email often becomes the reset path to everything else.
  • Review connected apps and permissions: some compromises come through approved third-party access, not only stolen passwords.

Device basics

  • Install updates promptly: operating-system and app security patches matter.
  • Use reputable endpoint protection and keep it current.
  • Maintain backups: at least one separate or offline backup can limit damage.
  • Remove software you do not need: especially remote-access or remote-control tools.

If compromise is suspected

  • Do not wipe or reset immediately if evidence may matter.
  • Take screenshots with context including visible URLs, names, and timestamps when available.
  • Save original emails or files when possible, not just screenshots.
  • Write a short timeline of what happened, when you noticed, and what you did next.

Privacy, VPNs, and Anonymity Tools: What They Help With

VPNs, privacy tools, and anonymity-focused software are part of the broader cyber and privacy landscape. They can be useful, but they need to be understood realistically. Good tools can reduce exposure, protect traffic on untrusted networks, and improve privacy posture. They do not make a user invisible, and they do not replace sound account security, updates, or careful evidence preservation.

Where VPNs can help

  • Public or untrusted networks: a reputable VPN can add encrypted transport when using public Wi-Fi or other networks you do not control.
  • Privacy from local network observers: a VPN may limit what an ISP, hotspot operator, or local network observer can see about your browsing path.
  • Travel and mobility: some users rely on VPNs when working remotely or moving between networks.

Where VPNs do not solve the problem

  • Account compromise: a VPN does not stop phishing if a user still gives away credentials or approves a bad login.
  • Malware or spyware: a VPN does not clean an infected device.
  • Identity exposure: logging into personal accounts still ties activity back to the user in many situations.

Other privacy / anonymity tools visitors may hear about

  • Private browsers and privacy-focused search engines: useful for reducing tracking, but not a substitute for security hygiene.
  • Secure messaging apps: good for protecting communications in transit, but device compromise still matters.
  • Alias emails or compartmented accounts: useful in some threat models for reducing cross-linkage.
  • Tor and anonymity networks: relevant in some privacy scenarios, but they are not a cure-all and can complicate usability, attribution, and user expectations.

Practical takeaway: use privacy tools as part of a layered approach, not as a magic shield. Strong accounts, careful browsing, updates, endpoint protection, and evidence-preservation discipline still matter more in most real-world cases.

Endpoint Protection, Antivirus & Live Security Monitoring

Endpoint protection still matters. The key is not whether a product uses the word “antivirus.” The real question is whether it provides useful real-time protection against malware, malicious websites, exploit attempts, suspicious behavior, and known threat activity.

What visitors should look for

  • Real-time protection: on-access scanning and live monitoring, not just manual scans.
  • Web protection: blocking of known malicious domains, phishing pages, and dangerous downloads.
  • Exploit and behavior monitoring: modern threats do not always announce themselves like older viruses did.
  • Frequent updates: stale protection quickly loses value.

Examples visitors may recognize

  • Microsoft Defender: built into many Windows systems and far better than older generations.
  • Malwarebytes: well-known for malware cleanup and real-time protection options.
  • Bitdefender, ESET, Norton, Sophos, and similar products: examples of mainstream endpoint-security vendors with various protection stacks.

Practical point: one product alone is not enough. Endpoint protection works best alongside passkeys/MFA, current software updates, careful browsing, and disciplined handling of suspicious messages, files, and links.

OSINT & Online Evidence Preservation

Publicly available information can matter in many digital cases: admissions, timelines, business ties, impersonation indicators, side-work evidence, credibility issues, and public-facing fraud signals. The standard is straightforward: preserve what is public and do not cross into unauthorized access.

  • Lawful OSINT: public posts, public profiles, public filings, public listings, websites, and open records captured with source/date/time notes.
  • Not lawful: password use without authorization, non-public account access, spyware, interception, or “helping” someone get into an account they do not control.
  • Preservation discipline: keep originals, avoid edits, and document how the capture was made.

Accounts, Devices, and Authorization: The Boundary Line

Many cyber-investigation requests are actually requests for unlawful access. Professional work stays inside strict boundaries to protect the client and keep the evidence usable.

  • Typically not lawful: unauthorized access to email, cloud, device, social-media, or employer systems; intercepting private communications; deploying spyware or keyloggers without lawful authority.
  • Common lawful paths: public-information preservation, consent-based review by the lawful owner or controller, and attorney-led legal process where provider-held records are actually needed.
  • Best practice: define authorization and scope in writing before reviewing client-held accounts, devices, or records.

Business and Workplace Incidents

Business matters generally come down to two things: facts and documentation that survive scrutiny by insurers, counsel, regulators, or internal decision-makers.

  • BEC / payment-diversion matters: preserve emails, approvals, invoices, banking changes, and timing.
  • Employee or contractor matters: build a clean chronology and preserve relevant records before they are lost or altered.
  • Vendor or transaction disputes: preserve representations, domain use, platform identities, and communications.
  • Breach-adjacent response support: evidence preservation and reporting discipline before the environment changes.

Documentation Standards: What Makes Evidence Usable

  • Chronology first: build a clean timeline with support points.
  • Source control: identify where each fact came from and how it was obtained.
  • Integrity: preserve originals and keep working copies separate.
  • Context: preserve surrounding content so meaning remains clear.
  • Neutral writing: describe what was observed and what was verified; avoid overstatement.

Strong documentation is often the difference between a confusing complaint and a usable case file.
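The "source control" and "integrity" points above can be made checkable with a hash manifest. The following is an added example, not part of the original page or a description of this firm's tooling; the folder layout, file names, manifest fields and sample contents are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large captures do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(originals: Path, sources: dict) -> list:
    """One entry per original: hash, size, stated source and time of recording."""
    entries = []
    for item in sorted(p for p in originals.rglob("*") if p.is_file()):
        rel = item.relative_to(originals).as_posix()
        entries.append({
            "file": rel,
            "sha256": sha256_file(item),
            "bytes": item.stat().st_size,
            "source": sources.get(rel, "UNDOCUMENTED"),  # flag the gap, never guess
            "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    return entries


def make_working_copy(originals: Path, working: Path) -> None:
    """Review and annotation happen on the copy; originals are left untouched."""
    shutil.copytree(originals, working)


def verify(folder: Path, manifest: list) -> dict:
    """Compare a folder with the manifest: ok, changed or missing for each file."""
    result = {}
    for entry in manifest:
        target = folder / entry["file"]
        if not target.is_file():
            result[entry["file"]] = "missing"
        elif sha256_file(target) != entry["sha256"]:
            result[entry["file"]] = "changed"
        else:
            result[entry["file"]] = "ok"
    return result


def demo() -> dict:
    """Constructed sample: two captures, then an edit saved over a working file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        originals, working = root / "originals", root / "working"
        originals.mkdir()
        (originals / "message.eml").write_bytes(b"Subject: constructed sample\r\n\r\nbody\r\n")
        (originals / "profile.html").write_bytes(b"<html>constructed capture</html>")
        sources = {"message.eml": "exported by account owner from own mailbox"}
        manifest = build_manifest(originals, sources)
        make_working_copy(originals, working)
        # Simulate an annotation accidentally saved over the working file.
        (working / "profile.html").write_bytes(b"<html>edited</html>")
        return {
            "manifest": manifest,
            "originals": verify(originals, manifest),
            "working": verify(working, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if it is written at capture time and stored apart from the files it describes.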

Standards & Best Practices

Good digital work product is not flashy. It is traceable, understandable, and built to survive scrutiny. The goal is not to imitate a government lab. The goal is to follow disciplined methods that preserve value, reduce noise, and keep the record usable later.

  • Preserve source and context: what was found, where it was found, and when it was observed.
  • Maintain originals: avoid changing source material unnecessarily.
  • Document handling: show sequence, continuity, and what changed over time.
  • Separate fact from inference: report what is observed before drawing conclusions.

Data Breach Basics (Business Requirements)

Washington’s private-sector breach-notification rules are addressed in Chapter 19.255 RCW. In general, notice must be provided in the most expedient time possible and no later than 30 days after discovery of the breach, subject to limited delay for law-enforcement needs or measures necessary to determine scope and restore system integrity.

Why customers often feel notice came too late

  • Scope takes time to verify: businesses often spend time determining what systems were affected, what data was involved, and who is actually impacted.
  • Containment and restoration happen in parallel: organizations may be trying to stop ongoing damage while also investigating what happened.
  • Some organizations simply handle incidents poorly: delay is not always justified, and weak internal response can leave affected people without timely information.

From a customer-protection standpoint, the frustration is understandable. People want fast notice so they can protect accounts, credit, and identity. The legal timeline sets an outside limit, but it does not erase the practical harm caused by slow, weak, or incomplete breach communication.

Commercial Spyware: Risk, Reality, and Practical Takeaways

Commercial spyware receives attention because it is associated with advanced surveillance capabilities, legal controversy, and civil-liberties concerns. For most clients, the practical issue is simpler: maintain strong device hygiene, secure primary accounts, preserve potential evidence early, and avoid panic-driven actions that destroy the record.

  • Keep mobile devices updated: operating-system and app updates matter.
  • Protect primary accounts: email and cloud accounts often matter more than one app on one device.
  • Reduce unnecessary exposure: remove unused apps, review permissions, and be cautious with unexpected links, files, and prompts.
  • Preserve before changing: if compromise is suspected, document first and avoid wiping or replacing devices before the relevant information is preserved.

Where to Follow Current Tech, Scam & Security News

This page is designed to be an evergreen practical reference. If you want to stay current on new scams, phishing campaigns, malware, major breaches, privacy issues, mobile threats, and other fast-moving cyber developments, the sources below are worth monitoring regularly.

  • Malwarebytes Labs – consumer-friendly coverage of scams, phishing, malware, privacy issues, VPN topics, and practical security guidance.
  • BleepingComputer – Security News – broad daily cybersecurity reporting covering breaches, ransomware, phishing, vulnerabilities, and major incident updates.
  • KrebsOnSecurity – strong investigative reporting on cybercrime, fraud operations, phishing infrastructure, identity-related threats, and scam tactics.
  • FTC Consumer Alerts – current scam alerts, fraud warnings, and practical consumer-protection guidance.
  • FTC Scams – practical scam education, reporting guidance, and current fraud patterns affecting everyday consumers.
  • CISA: Malware, Phishing, and Ransomware – official public guidance on major cyber threats and protective actions.

Practical note: use these sources to stay current, but in an active matter, evidence preservation still comes first. Clean documentation, chronology, and original records are usually more valuable than chasing every new headline.

Deliverables and Work Product

  • Incident timeline with dates, times, and support points.
  • Evidence-preservation packet for public content or client-held materials.
  • Research findings summary tied to identifiable sources.
  • Final investigative report with exhibits, scope notes, and chronology.

Cyber & Digital Investigations FAQ (30 Questions & Answers)

1) What is a cyber/digital investigation in a private investigation context?

A lawful, proof-driven effort to establish digital facts, preserve usable evidence, and document what is actually verifiable.

2) Do you hack accounts to get evidence?

No. We do not hack, intercept private communications, or access non-public accounts or devices without lawful authority.

3) What is the best first step if I’m a victim of identity theft?

Use IdentityTheft.gov, protect credit, notify affected institutions, and start documenting the timeline immediately.

4) Can you preserve public social-media content before it disappears?

Yes, when it is publicly available and preserved with proper context.

5) Can you retrieve private messages from a platform?

Generally not without consent or legal process handled through counsel or the appropriate authority.

6) What is OSINT?

Open-source intelligence: lawful research using publicly available information.

7) Can you “trace the hacker”?

Attribution often requires provider-held data and legal process. Our role is lawful preservation, documentation, chronology, and research support.

8) What do you deliver to clients?

Case-dependent timelines, preservation packets, research summaries, and defensible reports with exhibits.

9) What is the biggest mistake people make?

Destroying or contaminating the record by wiping devices, resetting accounts, or chasing illegal shortcuts.

10) Do you work with attorneys?

Yes. Coordination with counsel often improves scope control and evidentiary usefulness.

11) Can you review an account or device if I own it?

Yes, with clear authorization and defined scope.

12) How do you keep evidence usable?

Preserve originals, document source and timing, maintain context, and write neutral reports.

13) Can you help businesses with incident documentation?

Yes. Timeline building, message preservation, records organization, and reporting are common needs.

14) Are you a managed IT provider or remediation vendor?

No. We provide investigation and documentation support. Technical remediation is often handled by IT or security vendors.

15) Where do Washington breach rules live?

Chapter 19.255 RCW and Washington Attorney General guidance.

16) How do I start?

Bring a short factual summary, key dates, affected accounts or systems, and any notices, messages, or transaction records you have.

17) Do you guarantee recovery of stolen funds?

No. We help document facts and preserve evidence. Recovery depends on timing, institutions, platforms, claims processes, and legal options.

18) Are more screenshots always better?

No. A clean timeline with good exhibits is usually more useful than a large pile of random captures.

19) Can you help with impersonation or spoofing documentation?

Yes. Preservation of communications, context, and lawful linkage research are common parts of that work.

20) Can you help with online harassment documentation?

Yes, provided the work stays lawful and evidence-focused. Immediate danger should go to law enforcement first.

21) Do you provide prevention advice?

Yes, in a practical sense: account security, documentation discipline, and common risk-reduction steps.

22) How do you protect confidentiality?

Scope discipline, private intake, controlled handling of records, and professional reporting practices.

23) Can you identify who owns a website or business presence?

Sometimes. We can often develop ownership indicators and linkage evidence through lawful sources, but not every case ends with definitive attribution.

24) Do you handle crypto-investment-fraud documentation?

Yes, case-dependent. Evidence preservation, transaction organization, and a usable trace guide are critical in those matters.

25) Where do I report identity theft or cyber fraud?

IdentityTheft.gov and the FBI’s IC3 are common official starting points, depending on the facts.

26) Are passkeys better than passwords?

In many cases, yes. Passkeys are generally more resistant to phishing and credential-reuse problems than traditional passwords alone.

27) Should I use a VPN?

A VPN can help protect traffic on untrusted networks and improve privacy, but it does not prevent phishing, account compromise, or malware by itself.

28) What should I preserve first in a crypto-fraud case?

Wallet addresses, transaction hashes, exchange or platform details, communications, screenshots with context, and a clear transfer timeline.

29) What kind of antivirus or endpoint protection should I use?

Use a reputable product with real-time protection, web protection, frequent updates, and behavior or exploit monitoring. One tool alone is not enough.

30) Why do breach notices often seem late?

Organizations often spend time verifying scope, containing damage, and restoring systems, but some delays also reflect weak incident handling rather than good customer protection.

Confidential Review

If you are dealing with identity theft, online impersonation, scam-related losses, suspicious account activity, an email compromise issue, or another digital matter where facts need to be preserved before they disappear, a confidential review can help clarify what is provable, what evidence should be preserved first, and what next steps make practical sense.

Helpful information for an initial review: affected email addresses, usernames, domains, wallet addresses, transaction hashes, screenshots with context, relevant dates and times, known account changes, platform notices, and a short summary of what happened and when you first discovered it.

Confidential Review

If you need lawful cyber/digital investigation support—identity-theft documentation, online evidence preservation, incident timelines, scam evidence organization, email compromise documentation, or defensible reporting—we can discuss what is realistically provable and what should be preserved now.

Get a Confidential Consultation

Call 206-661-0412 | SMS 425-835-3860 | info@wsipi.com

Confidentiality, Integrity, and Professionalism
Washington State Investigators

Washington State Investigators 17 Yrs Investigative Experience Licensed and Fully Insured Private Investigator Lic #4287
Mailing Address:
1016 SW 150th St #3 Burien | Seattle, WA 98166
Service Area:
Burien, Seattle, King, Pierce, & Snohomish Counties
© Washington State Investigators 2026 | All Rights Reserved.