Vol. 79, No. 3Cover stories

Four police officers carrying computer equipment down a street.

Many skills, one goal

New investigative team takes on cybercrime

The Cybercrime Investigative Team is dedicated to combating pure cybercrime that impacts Canada's government and critical infrastructure. Credit: Serge Gouin, RCMP


It's crunch time for the RCMP's Cybercrime Investigative Team (CIT). It's Friday and the last working day before the team travels out of town to execute a search warrant and arrest a suspect in their latest investigation.

*Cst. Falardeau drops in to see

*Sgt. Beaulieu, the CIT's operations non-commissioned officer (NCO), to collect any specific instructions for the courthouse. Falardeau is the affiant responsible for writing the search warrant for the investigation.

"We need to get this search warrant signed by a judge today," Falardeau says. "This is a critical piece of the puzzle."

Members of the team have been stopping by Beaulieu's desk in a steady stream all morning to ask last-minute questions relating to the case.

"This is the exciting part," says Beaulieu. "For three months we've been doing our due diligence, gathering evidence against the suspect. Now we're ready to arrest him."

New strategy, new team

For years, the RCMP has been actively prioritizing cybercrime threats, investigating and interrupting cybercrime activities and handling digital evidence in support of investigations, but the CIT is the first team dedicated to investigating pure cybercrime in Canada.

Located at the RCMP's National Division in Ottawa, this highly specialized team was created in 2015 to investigate crimes where the computer or the technology is the target.

Its creation was a key step in the RCMP's cybercrime strategy to reduce the threat, impact and victimization of cybercrime through enforcement.

"They're the sharp end of the strategy," says Supt. Denis Desnoyers, the criminal operations officer for National Division.

While many countries have had similar dedicated investigative teams for several years, Canada is in a good position to benefit from the lessons learned.

"You might not go through the growing pains that other units have gone through because you don't have to reinvent the wheel," Desnoyers says. "As a result, our team has quickly gotten up to speed."

Traditionally, the RCMP's Technological Crime Units (TCUs), which are located across the country, have had the responsibility of investigating cybercrime. However, because of the workload of most of TCUs, this was rarely the case. Their priority has been supporting investigations conducting digital forensics.

With the creation of the CIT, the team has taken over the most serious cybercrime files. The nature of the files they handle lend themselves to high-profile cases that have an international component, are sensitive in nature, affect critical infrastructure or target federal government infrastructure.

S/Sgt. Maurizio Rosa is the NCO for the Technological Crime Unit at National Division. The CIT falls under the umbrella of the TCU, which also holds the Digital Forensics Team.

Rosa has been instrumental in building the team from the ground up. From the beginning, he had a clear idea about what he wanted it to look like based on his experience working general investigations and as a digital forensics investigator.

His goal was to get a good mix of technically knowledgeable investigators as well as sound traditional investigators.

With that in mind, he selected applicants based on their backgrounds, evaluated them and built a team with complementing skillsets.

There are two sides of the team: the investigative side that does the traditional police work related to cyber offences, and the digital forensics side that processes digital data in support of the charges.

"It's been a successful model," says Rosa. "The team that's being built right now has a very strong morale, has a very good work ethic and has dedicated and initiative-prone members."

Now in its third and final year of implementation, the team has reached a point of critical mass. For this new team, the current investigation is one of the first in which charges are imminent.


Just before 10 a.m., Beaulieu heads down to the boardroom for the final briefing in Ottawa and takes a seat at the conference table.

The pressure might be on, but the atmosphere in the room is relaxed as members of the investigative team wait for the briefing to begin.

The lead investigator on the case,

*Cst. Veilleux, walks in and captures the room's attention.

He goes over the project details, listing the activities the suspect has been under investigation for, who he's known to associate with and where he's been known to go for dinner, urging members to avoid those places.

Every detail has been dissected.

"There's no room for error in an investigation like this," says Veilleux.

Not only is cybercrime investigation a newer area for the RCMP, it's a relatively new area in jurisprudence and case law. There are few cases that have met the test of the courts.

"We have a big responsibility," says Rosa. "We have to be confident in the investigative techniques that we employ but still mindful of doing it in such a way that will withstand the scrutiny of the courts."

Veilleux goes over a long list of items to seize, including computers, laptops and cellphones, as well as bank statements and documents related to specific websites.

He can't say for sure how many computers and cellphones the suspect has. He does know that the suspect posted a device online to sell.

"Did we try to buy it?" someone asks, getting a laugh from the room.

Finally, Veilleux tells the team that their safety is his number one priority. "We're all going in together. We're all coming out together."

It's a reminder that there's always a risk involved, even with cyber operations.

Borderless crime

Traditional crime, such as a bank robbery, often presents an element of danger. These physical and violent offences pose a high risk to the public, to police officers and even to the criminals themselves.

In cyberspace, an actor can hide behind anonymity.

"Crime on the Internet and cybercrime is on the rise," says Rosa. "When there's ever an opportunity for a criminal to reduce their risk and increase their reward, they are going to take it."

While they may not know their victims personally, the scope and impact of their actions can be detrimental at the individual level as well as at the national or even global level.

"When you look at computer data and cybercrime, it doesn't see borders," says Beaulieu. "It can travel just about anywhere."

Combating cybercrime often requires collaboration between multiple police agencies, both domestic and international.

Criminals have the luxury of not having to deal with judicial authorizations or within the confines of the law. Nor do they have the same budgetary restraints and resource restraints as police agencies.

"We're dealing with concepts that are extra-jurisdictional, where we may have to get evidence from another country, where the criminal may be located in another country or where a Canadian criminal may be attacking another country," says Rosa. "So we often work with our partners to share information and on joint investigations."

The RCMP takes an intelligence-led approach to policing, which includes intelligence gathered by domestic and international partners. In this case, the suspect gained the attention of a policing partner, who brought the case to the RCMP.

After spending three months investigating the suspect, the CIT had enough evidence to demonstrate to a judge there was reasonable grounds to obtain and execute a search warrant.

On the road

And with that in hand, they are ready to make their move. While the team is based out of Ottawa, the crimes it investigates are scattered across Canada.

"I wonder what he [the suspect] is going to think tomorrow when we knock on his door?" says Veilleux.

There are still several details to go over when they arrive at their destination, such as how they'll enter the residence.

As carefully thought-out as their plan is, there are still things they can't control, including whether the suspect will even be at home. The suspect isn't currently under surveillance.

"He has to be at home," says Veilleux. "He always sleeps in his own bed … if he's not there, we'll deal with it and still do the search."

When everyone has reached the hotel, the team meets once again. The 10 people who make up the RCMP contingent plus a few others from partner agencies crowd into a small hotel room.

They confirm their plan for entry — to knock and wait for the suspect to answer, and only do a forced entry if necessary.

"We're going to have to be flexible tomorrow," says Veilleux. "I can run through a whole bunch of scenarios, but we'll have to go with the flow. See you in the morning."


All the work they've done so far has led toward this moment. The operation is the culmination of meticulous research, good investigative techniques and persistence.

"Building concrete evidence in these types of cases is particularly challenging," says Rosa. "We can't just decide tomorrow that we're going to go execute a search warrant somewhere. Just being able to get to that threshold is quite hard."

The team has gathered in a parking lot a short drive from the site. With most dressed in plainclothes, with their soft body armour and firearms under their jackets, the only thing that identifies them as police are the two officers with them dressed in uniform.

After one final huddle, they get into their vehicles and drive to the suspect's residence.

The two civilian digital forensics analysts remain behind. They won't enter the home until the suspect has been arrested and the house has been cleared.

"We're usually the last ones in and the last ones out," says an *analyst with the TCU. He's technically on the Digital Forensics Team, but often members from the two teams cross-pollinate.

As computers, cellphones, USB keys, even burnt CDs are found, the digital forensics investigator and analysts will process the data on site to determine if it needs to be seized.

Processing it on site can save them time later on. Everything that's taken must meet the criteria of the warrant and becomes the responsibility of the RCMP.

About an hour later, the analyst and his partner receive word: the suspect has been arrested. It's the best case scenario — everything went smoothly.

The suspect is detained and brought to a local RCMP detachment. He is later interviewed.

The investigator conducting the interview, *Cst. Poulin, has a specific approach in mind.

"I've done the research as to what evidence we have against the suspect," says Poulin. "I think any interviewer, no matter the type of file, will do their research beforehand if they can. If you know the suspect's interests and background, you can draw a bit more from them. In this case, we had a lot of background information on the suspect."

With the suspect seated at the table, Poulin puts his strategy in motion. Over the next few hours, he establishes a friendly rapport with idle chit chat. Then he starts asking the suspect some basic questions about what he does.

Poulin builds on every answer, applying pressure and easing off when he needs to keep the conversation going.

In the end, the strategy worked — Poulin obtained a confession.

Back at the house, the search warrant also went well. They didn't encounter any digital roadblocks and were able to collect what they needed.

It's been a long day, but a good one.

One step closer

Beaulieu is pleased with his team and the results that their careful planning has yielded.

"We got everything we were hoping for and then some," he says. "Our ultimate goal is to identify crime, investigate and then hopefully we're successful in identifying the perpetrator and bringing him to justice. We're one step closer to that now."

*Some names are being withheld for security reasons.

Date modified: