Cyber & Digital Investigations

Cyber & Digital Investigations | Cybercrime, Identity Theft, Scams & Online Evidence

Digital matters rarely turn on opinions alone. They turn on facts: what happened, when it happened, what changed, what can be verified, and what evidence still exists. A professional cyber/digital investigation is a lawful, proof-driven effort to identify what is provable, preserve what matters, and package the record in a way that is usable for clients, attorneys, insurers, and decision-makers.

Washington State Investigators provides cyber and digital investigation support serving Seattle, Burien, King County, and communities across Washington. Our work is built for practical use: scope control, evidence preservation, chronology discipline, and reporting designed to withstand scrutiny.

What Cyber & Digital Investigation Support Is (and Isn’t)

A cyber/digital investigation is a structured effort to establish objective digital facts without using shortcuts that create legal risk, credibility problems, or evidentiary damage.

• It is: chronology building, incident fact development, public-content preservation, account or device review with lawful authority, identity and linkage research, business-record mapping, and reporting built for scrutiny.
• It is not: hacking, “getting into” accounts, spyware deployment, unlawful interception, trespass, social-engineering a provider, or any tactic that turns evidence into a liability.

Bottom line: we identify what is provable, preserve what is public or lawfully available, and clearly separate observation from inference.

Why Clients Retain Cyber / Digital Investigation Support

Most clients come to this work for one reason: the facts matter, and the digital record is incomplete, disputed, or disappearing.

• Timeline clarity: organize events, messages, account activity, notices, and records into a usable chronology.
• Preservation control: capture evidence before it is deleted, buried, overwritten, or “cleaned up.”
• Credibility testing: compare claims against what the records, timestamps, and digital trail actually show.
• Identity and linkage work: map people, entities, domains, wallets, listings, profiles, and public-facing indicators.
• Defensible packaging: reporting that is clear enough to support disputes, claims, attorney review, or internal decisions.

Related service pages:

• Online OSINT Investigations & Digital Footprint Research
• Background Research
• Business Background Research & Due Diligence Investigations
• For Attorneys
• Civil Investigations

Common Matters We Support

• Identity theft documentation and victim-side recovery support coordination.
• Harassment, threats, and online misconduct where preservation and chronology matter.
• Impersonation and spoofing involving individuals, businesses, domains, websites, or communications.
• Crypto-investment fraud: relationship-building scams, fake trading platforms, coached transfers, wallet/address organization, transaction chronology, and a practical trace guide showing what should be preserved, what can be followed, and what evidence is needed for reporting, claims, or attorney review.
• Business email compromise (BEC) and wire-fraud-adjacent documentation.
• Business and workplace incidents requiring lawful fact development and records organization.
• Litigation support involving online evidence, chronology, and preservation discipline.
• Due diligence and affiliation research including digital-footprint review and public-record linkage work.

Identity Theft: What It Is and What to Do First

Identity theft generally involves the unlawful obtaining, possessing, using, or transferring of another person’s identifying or financial information with criminal intent. In Washington, identity theft is addressed under RCW 9.35.020.

What victims should do first

• Start with the official recovery workflow: use IdentityTheft.gov and document each step.
• Protect credit: place fraud alerts or freezes and keep the confirmation details.
• Notify affected institutions: banks, card issuers, lenders, healthcare entities, or agencies involved.
• Build a timeline: note when you discovered the problem, what accounts were affected, what notices arrived, and what action you took.

Where investigation support helps

• Chronology and exhibit control: a clean timeline is often more useful than a large pile of screenshots.
• Identity / affiliation research: lawful linkage work around names, entities, addresses, emails, businesses, and public records.
• Online evidence preservation: preserving posts, profiles, listings, or websites before they change.

Key resources:

• IdentityTheft.gov (FTC recovery workflow)
• FTC: Report Identity Theft
• USA.gov: Identity Theft Guidance
• RCW 9.35.020: Identity Theft

Cybercrime-Related Matters: What’s Investigable

“Cybercrime” is a broad label. In practice, these matters commonly involve unauthorized access, account compromise, spoofing, interference with data or services, online fraud, or digital misconduct tied to a larger dispute. Washington’s cybercrime framework is found in Chapter 9A.90 RCW.

• Timeline reconstruction: identify the sequence of events using verifiable records and preserved content.
• Public-facing linkage research: business filings, domains, public profiles, public listings, and related public indicators.
• Spoofing / impersonation documentation: preserve messages, screenshots with context, account identifiers, and reference points to official accounts.
• Fraud-adjacent documentation: preserve misrepresentations, transfers, communications, and public claims in a usable form.

Boundary line: professional investigators do not “prove attribution” by hacking. Attribution often depends on provider-held data, subscriber records, or other non-public material that usually requires legal process handled through counsel or law enforcement.

Official Washington reference:

• Chapter 9A.90 RCW: Washington Cybercrime Act

Scams, Phishing, BEC & Crypto-Fraud Documentation

Fraud matters usually move fast and degrade fast. Emails are deleted, chats disappear, wallet addresses get buried, and victims often begin changing accounts before the record is preserved. The investigative value is in documenting what happened, how the approach was made, what identifiers were used, and what money or access changed hands.

Common patterns

• Phishing: fake login pages, urgent prompts, reset links, malicious attachments, and credential capture.
• Business email compromise (BEC): invoice fraud, executive impersonation, payroll changes, or vendor-payment diversion.
• Crypto-investment fraud: relationship-building, fake trading platforms, coached transfers, and fake “recovery” follow-on scams.
• Tech-support or “security” scams: remote-access demands, fake warnings, and pressure to move money or install software.

What should be preserved immediately

• Messages and headers: emails, texts, platform chats, and account alerts.
• Identifiers: URLs, handles, email addresses, wallet addresses, transaction hashes, domain names, and account names.
• Chronology: dates, times, calls, transfers, account changes, and what the victim was told to do.
• Financial trail: wire details, exchange receipts, screenshots, and institution reference numbers.

Why fast organization matters

• Claims and disputes: banks, exchanges, insurers, and counsel often need a coherent timeline, not scattered pieces.
• Reporting quality: law enforcement and institutional reporting is more useful when key identifiers are documented cleanly.
• Evidence integrity: early preservation reduces the risk of missing context or accidental alteration.

Useful reporting / context sources:

• FBI IC3: Internet Crime Complaint Center
• FBI: Common Frauds and Scams
• FTC: What To Know About Cryptocurrency Scams
• CISA: Malware, Phishing, and Ransomware
• Proofpoint: Business Email Compromise Overview
• Chainalysis: 2026 Crypto Scams Report

Practical rule: preserve first, speculate later. Organized evidence is usually more valuable than a rushed theory about who is behind the event.

Crypto Trace Guide: What to Preserve and What Can Be Followed

In crypto-fraud matters, the most useful early step is not guessing who the scammer is. It is building a clean trace guide: a working record showing what moved, when it moved, what addresses were used, what platform or wallet was involved, and what evidence exists for reporting, claims, or attorney review.

What a practical trace guide should include

• Wallet addresses: sending and receiving addresses exactly as used.
• Transaction hashes: the on-chain identifiers for each transfer.
• Platform details: exchange names, wallet apps, websites, account emails, usernames, and any support tickets.
• Chronology: dates, times, transfer amounts, instructions received, and what happened immediately before and after each transfer.
• Communications record: chats, emails, texts, profile links, and screenshots with context.

What can often be followed

• On-chain movements: movement from one wallet to another can often be documented publicly.
• Clustering and exchange touchpoints: some wallet activity may appear to interact with known services or exchanges.
• Pattern development: repeated addresses, reuse of domains, reused communications, or linked public-facing infrastructure may help clarify the fraud pattern.

What usually requires caution

• Attribution: a wallet path is not the same as identifying a real-world actor.
• Recovery promises: tracing activity does not guarantee recovery.
• “Recovery” services: many secondary scams target victims after the original fraud.

PC, Mobile & Account Security for Clients

This section is written for non-technical clients. The goal is straightforward: reduce avoidable risk and avoid destroying evidence if something already went wrong.

Account security that matters

• Use passkeys where available: passkeys are generally stronger than traditional passwords because they are resistant to common phishing and credential-reuse attacks.
• Use an authenticator app for MFA: app-based authentication is typically stronger than SMS alone for important accounts.
• Use long, unique passwords when passkeys are not available: if a site still requires passwords, store them in a reputable password manager rather than reusing or memorizing weak credentials.
• Protect email first: compromised email often becomes the reset path to everything else.
• Review connected apps and permissions: some compromises come through approved third-party access, not only stolen passwords.

Device basics

• Install updates promptly: operating-system and app security patches matter.
• Use reputable endpoint protection and keep it current.
• Maintain backups: at least one separate or offline backup can limit damage.
• Remove software you do not need: especially remote-access or remote-control tools.

If compromise is suspected

• Do not wipe or reset immediately if evidence may matter.
• Take screenshots with context including visible URLs, names, and timestamps when available.
• Save original emails or files when possible, not just screenshots.
• Write a short timeline of what happened, when you noticed, and what you did next.

Privacy, VPNs, and Anonymity Tools: What They Help With

VPNs, privacy tools, and anonymity-focused software are part of the broader cyber and privacy landscape. They can be useful, but they need to be understood realistically. Good tools can reduce exposure, protect traffic on untrusted networks, and improve privacy posture. They do not make a user invisible, and they do not replace sound account security, updates, or careful evidence preservation.

Where VPNs can help

• Public or untrusted networks: a reputable VPN can add encrypted transport when using public Wi-Fi or other networks you do not control.
• Privacy from local network observers: a VPN may limit what an ISP, hotspot operator, or local network observer can see about your browsing path.
• Travel and mobility: some users rely on VPNs when working remotely or moving between networks.

Where VPNs do not solve the problem

• Account compromise: a VPN does not stop phishing if a user still gives away credentials or approves a bad login.
• Malware or spyware: a VPN does not clean an infected device.
• Identity exposure: logging into personal accounts still ties activity back to the user in many situations.

Other privacy / anonymity tools visitors may hear about

• Private browsers and privacy-focused search engines: useful for reducing tracking, but not a substitute for security hygiene.
• Secure messaging apps: good for protecting communications in transit, but device compromise still matters.
• Alias emails or compartmented accounts: useful in some threat models for reducing cross-linkage.
• Tor and anonymity networks: relevant in some privacy scenarios, but they are not a cure-all and can complicate usability, attribution, and user expectations.

Practical takeaway: use privacy tools as part of a layered approach, not as a magic shield. Strong accounts, careful browsing, updates, endpoint protection, and evidence-preservation discipline still matter more in most real-world cases.

Endpoint Protection, Antivirus & Live Security Monitoring

Endpoint protection still matters. The key is not whether a product uses the word “antivirus.” The real question is whether it provides useful real-time protection against malware, malicious websites, exploit attempts, suspicious behavior, and known threat activity.

What visitors should look for

• Real-time protection: on-access scanning and live monitoring, not just manual scans.
• Web protection: blocking of known malicious domains, phishing pages, and dangerous downloads.
• Exploit and behavior monitoring: modern threats do not always announce themselves like older viruses did.
• Frequent updates: stale protection quickly loses value.

Examples visitors may recognize

• Microsoft Defender: built into many Windows systems and far better than older generations.
• Malwarebytes: well-known for malware cleanup and real-time protection options.
• Bitdefender, ESET, Norton, Sophos, and similar products: examples of mainstream endpoint-security vendors with various protection stacks.

Practical point: one product alone is not enough. Endpoint protection works best alongside passkeys/MFA, current software updates, careful browsing, and disciplined handling of suspicious messages, files, and links.

OSINT & Online Evidence Preservation

Publicly available information can matter in many digital cases: admissions, timelines, business ties, impersonation indicators, side-work evidence, credibility issues, and public-facing fraud signals. The standard is straightforward: preserve what is public and do not cross into unauthorized access.

• Lawful OSINT: public posts, public profiles, public filings, public listings, websites, and open records captured with source/date/time notes.
• Not lawful: password use without authorization, non-public account access, spyware, interception, or “helping” someone get into an account they do not control.
• Preservation discipline: keep originals, avoid edits, and document how the capture was made.

Related service pages:

• Online OSINT Investigations & Digital Footprint Research
• Background Research
• Business Background Research & Due Diligence Investigations

Accounts, Devices, and Authorization: The Boundary Line

Many cyber-investigation requests are actually requests for unlawful access. Professional work stays inside strict boundaries to protect the client and keep the evidence usable.

• Typically not lawful: unauthorized access to email, cloud, device, social-media, or employer systems; intercepting private communications; deploying spyware or keyloggers without lawful authority.
• Common lawful paths: public-information preservation, consent-based review by the lawful owner or controller, and attorney-led legal process where provider-held records are actually needed.
• Best practice: define authorization and scope in writing before reviewing client-held accounts, devices, or records.

Key Washington references:

• RCW 9.73.030: Recording Private Communications
• Chapter 9A.90 RCW: Washington Cybercrime Act

Business and Workplace Incidents

Business matters generally come down to two things: facts and documentation that survive scrutiny by insurers, counsel, regulators, or internal decision-makers.

• BEC / payment-diversion matters: preserve emails, approvals, invoices, banking changes, and timing.
• Employee or contractor matters: build a clean chronology and preserve relevant records before they are lost or altered.
• Vendor or transaction disputes: preserve representations, domain use, platform identities, and communications.
• Breach-adjacent response support: evidence preservation and reporting discipline before the environment changes.

Related service pages:

• Business Background Research & Due Diligence Investigations
• Fraud, Employee Theft & Corporate Investigations
• Civil Investigations
• For Attorneys

Documentation Standards: What Makes Evidence Usable

• Chronology first: build a clean timeline with support points.
• Source control: identify where each fact came from and how it was obtained.
• Integrity: preserve originals and keep working copies separate.
• Context: preserve surrounding content so meaning remains clear.
• Neutral writing: describe what was observed and what was verified; avoid overstatement.

Strong documentation is often the difference between a confusing complaint and a usable case file.

Standards & Best Practices

Good digital work product is not flashy. It is traceable, understandable, and built to survive scrutiny. The goal is not to imitate a government lab. The goal is to follow disciplined methods that preserve value, reduce noise, and keep the record usable later.

• Preserve source and context: what was found, where it was found, and when it was observed.
• Maintain originals: avoid changing source material unnecessarily.
• Document handling: show sequence, continuity, and what changed over time.
• Separate fact from inference: report what is observed before drawing conclusions.

Reference materials:

• NIST SP 800-61 Rev. 3
• SWGDE: Best Practices for Digital Evidence Collection
• SWGDE: Remote Collection of Digital Evidence from an Endpoint

Data Breach Basics (Business Requirements)

Washington’s private-sector breach-notification rules are addressed in Chapter 19.255 RCW. In general, notice must be provided in the most expedient time possible and no later than 30 days after discovery of the breach, subject to limited delay for law-enforcement needs or measures necessary to determine scope and restore system integrity.

Why customers often feel notice came too late

• Scope takes time to verify: businesses often spend time determining what systems were affected, what data was involved, and who is actually impacted.
• Containment and restoration happen in parallel: organizations may be trying to stop ongoing damage while also investigating what happened.
• Some organizations simply handle incidents poorly: delay is not always justified, and weak internal response can leave affected people without timely information.

From a customer-protection standpoint, the frustration is understandable. People want fast notice so they can protect accounts, credit, and identity. The legal timeline sets an outside limit, but it does not erase the practical harm caused by slow, weak, or incomplete breach communication.

Key references:

• RCW 19.255: Washington Data Breach Law
• WA Attorney General: Washington’s Data Breach Notification Laws

Commercial Spyware: Risk, Reality, and Practical Takeaways

Commercial spyware receives attention because it is associated with advanced surveillance capabilities, legal controversy, and civil-liberties concerns. For most clients, the practical issue is simpler: maintain strong device hygiene, secure primary accounts, preserve potential evidence early, and avoid panic-driven actions that destroy the record.

• Keep mobile devices updated: operating-system and app updates matter.
• Protect primary accounts: email and cloud accounts often matter more than one app on one device.
• Reduce unnecessary exposure: remove unused apps, review permissions, and be cautious with unexpected links, files, and prompts.
• Preserve before changing: if compromise is suspected, document first and avoid wiping or replacing devices before the relevant information is preserved.

Useful public guidance:

• CISA: Secure Our World
• CISA: Malware, Phishing, and Ransomware
• Google Threat Intelligence: Current Mobile Threat Research

Where to Follow Current Tech, Scam & Security News

This page is designed to be an evergreen practical reference. If you want to stay current on new scams, phishing campaigns, malware, major breaches, privacy issues, mobile threats, and other fast-moving cyber developments, the sources below are worth monitoring regularly.

• Malwarebytes Labs – consumer-friendly coverage of scams, phishing, malware, privacy issues, VPN topics, and practical security guidance.
• BleepingComputer – Security News – broad daily cybersecurity reporting covering breaches, ransomware, phishing, vulnerabilities, and major incident updates.
• KrebsOnSecurity – strong investigative reporting on cybercrime, fraud operations, phishing infrastructure, identity-related threats, and scam tactics.
• FTC Consumer Alerts – current scam alerts, fraud warnings, and practical consumer-protection guidance.
• FTC Scams – practical scam education, reporting guidance, and current fraud patterns affecting everyday consumers.
• CISA: Malware, Phishing, and Ransomware – official public guidance on major cyber threats and protective actions.

Practical note: use these sources to stay current, but in an active matter, evidence preservation still comes first. Clean documentation, chronology, and original records are usually more valuable than chasing every new headline.

Washington & Federal Legal Framework

• RCW 9.35.020 (Identity Theft)
• Chapter 9.35 RCW (Identity Crimes)
• Chapter 9A.90 RCW (Cybercrime Act)
• RCW 9.73.030 (Recording Private Communications)
• Chapter 19.255 RCW (Data Breach / Disclosure)
• IdentityTheft.gov (FTC)
• FBI IC3

Deliverables and Work Product

• Incident timeline with dates, times, and support points.
• Evidence-preservation packet for public content or client-held materials.
• Research findings summary tied to identifiable sources.
• Final investigative report with exhibits, scope notes, and chronology.

Related: Service Fees

Related Pages

• Online OSINT Investigations & Digital Footprint Research
• Background Research
• Business Background Research & Due Diligence Investigations
• Witness Locate & Skip Trace Investigations
• Fraud, Employee Theft & Corporate Investigations
• Civil Investigations
• For Attorneys
• Surveillance Investigators
• Contact Us

Cyber & Digital Investigations FAQ

1) What is a cyber/digital investigation in a private investigation context?

A cyber/digital investigation is a lawful, proof-driven effort to establish digital facts, preserve usable evidence, organize the timeline, and document what is actually verifiable. It may involve public online evidence, account or device review with lawful authority, digital-footprint research, scam documentation, identity-theft support, business incident documentation, or attorney-directed evidence preservation.

2) What types of cyber and digital matters do you support?

Common matters include identity-theft documentation, online impersonation, spoofing, harassment documentation, public social-media preservation, scam evidence organization, crypto-fraud transaction timelines, business email compromise documentation, digital-footprint research, and online evidence support for attorneys or civil disputes.

3) Do you hack accounts, retrieve private messages, or bypass passwords?

No. Washington State Investigators does not hack accounts, bypass passwords, install spyware, intercept private communications, access private messages without lawful authority, or use unauthorized account access. Professional work stays focused on lawful public information, client-authorized materials, preservation, reporting, and attorney-directed legal process where needed.

4) What should I preserve first in a cyber, scam, or identity-theft matter?

Preserve emails, headers when available, texts, platform messages, screenshots with visible context, URLs, usernames, phone numbers, domains, wallet addresses, transaction hashes, account notices, support tickets, bank or exchange records, and a simple timeline showing what happened and when. Avoid wiping devices, deleting accounts, or resetting everything before the evidence is documented.

5) Can you preserve public social-media, website, or online content before it disappears?

Yes, when the material is publicly available and can be preserved lawfully. Useful preservation documents the source, date, time, URL, surrounding context, and what was visible at the time of capture. Public online evidence is often more useful when organized into a clean timeline instead of scattered screenshots.

6) What is OSINT in a cyber or digital investigation?

OSINT means open-source intelligence: lawful research using publicly available information. In cyber and digital matters, OSINT may include public profiles, business listings, websites, domains, public filings, posts, handles, usernames, public records, and other open-source indicators that help establish identity, linkage, timeline, credibility, or pattern evidence.

7) Can you identify who owns a website, account, business presence, or online operation?

Sometimes. We can often develop ownership indicators and linkage evidence through lawful sources such as domains, public business records, websites, listings, social profiles, archived pages, addresses, emails, phone numbers, and related public records. Not every matter produces definitive attribution, and provider-held subscriber data often requires legal process through counsel or law enforcement.

8) Can you trace a hacker or prove who is behind an online attack?

Attribution is often limited without provider-held data, subscriber records, logs, or legal process. A private investigation can help preserve evidence, organize the timeline, identify public-facing indicators, document accounts or domains, and support attorney or law-enforcement review. It cannot lawfully “trace the hacker” by hacking back or accessing private systems.

9) Do you handle crypto-investment-fraud documentation?

Yes, case-dependent. Crypto-fraud support usually focuses on preserving wallet addresses, transaction hashes, exchange information, platform details, communications, screenshots, profile links, and a transfer timeline. A practical trace guide can help organize what moved, when it moved, and what evidence exists for reporting, claims, attorney review, or law-enforcement submission.

10) Do you guarantee recovery of stolen funds or cryptocurrency?

No. Evidence preservation and transaction organization do not guarantee recovery. Recovery depends on timing, banks, exchanges, wallet movement, platform cooperation, insurance or claims processes, legal action, and law-enforcement involvement. Be cautious of “recovery” services that promise guaranteed results after a scam.

11) Can you review an account, device, or records if I own or control them?

Yes, when authorization is clear and the scope is defined. Client-authorized review may help organize account notices, device-related evidence, screenshots, messages, files, logs, or other records. If deeper forensic examination or remediation is needed, that may require a qualified digital-forensics or IT security specialist.

12) Can you help businesses with business email compromise, payment diversion, or vendor fraud documentation?

Yes. Business incident support may include timeline building, email and invoice preservation, domain and sender review, vendor or business-affiliation research, payment-change chronology, record organization, and reporting support for counsel, insurers, banks, internal decision-makers, or law enforcement.

13) Do you work with attorneys on cyber, digital, and online evidence issues?

Yes. Attorney coordination can improve scope control, privilege/work-product handling, preservation strategy, contact boundaries, and evidentiary usefulness. Counsel should control legal strategy, subpoenas, discovery, provider records, represented-party issues, and procedural decisions.

14) What deliverables can I expect from a cyber/digital investigation?

Deliverables are case-dependent, but commonly include an incident timeline, evidence-preservation packet, OSINT findings summary, crypto trace guide, source-backed research notes, screenshots or exhibits with context, and a written investigative report that separates verified facts, reasonable inferences, and unresolved questions.

15) Where should identity theft, cyber fraud, or online scam matters be reported?

Depending on the facts, common reporting paths include IdentityTheft.gov for identity theft and the FBI’s IC3 for internet-enabled fraud. Banks, exchanges, payment platforms, insurers, local law enforcement, counsel, or affected businesses may also need timely notice. Reporting is stronger when the evidence is organized into a clear timeline with key identifiers preserved.

Confidential Review

If you are dealing with identity theft, online impersonation, scam-related losses, suspicious account activity, an email compromise issue, or another digital matter where facts need to be preserved before they disappear, a confidential review can help clarify what is provable, what evidence should be preserved first, and what next steps make practical sense.

Helpful information for an initial review: affected email addresses, usernames, domains, wallet addresses, transaction hashes, screenshots with context, relevant dates and times, known account changes, platform notices, and a short summary of what happened and when you first discovered it.