
It used to be enough to cover your tracks and disappear. But today we leave digital fingerprints almost everywhere: in emails, metadata and network traffic, as well as in cryptocurrency transactions. And digital forensics, a field on the border between IT and detective work, is now helping to unravel the biggest cybercrimes and murders committed years ago.
In the following five real-life cases, it played a key role, from unraveling a ransomware attack on a hospital to catching a serial killer thanks to a floppy disk. Each one shows that a single inconspicuous detail can decide between anonymity and life imprisonment.
In April 2025, Marks & Spencer customers began reporting en masse that online orders were not working. It soon became clear that this was not an ordinary outage but one of the biggest cyber attacks on UK retail ever.
The attackers got into the system through a third party, the consulting firm Tata. Using sophisticated social engineering, they gained access to the internal infrastructure. There they deployed ransomware, encrypted key servers and exfiltrated sensitive customer data. Overnight, M&S virtually lost the ability to operate online.
Digital forensics experts analyzed network logs, traced the attackers' movement through the system and found clues leading to four young hackers aged 17 to 20. Metadata from the ransomware and forensic examinations carried out during the crackdown also helped. The case was resolved quickly, but the price was high: the firm estimated losses at up to £300m.
Silk Road was one of the biggest black markets on the darknet. It operated anonymously via Tor, enabling the trafficking of drugs, weapons and hacking services. Its creator was practically untouchable for a long time. Meanwhile, dozens of investigators, digital forensics and blockchain specialists were working in the background, painstakingly piecing together clues.
The turning point came when agents went back to old posts from the time Silk Road was just taking off. In one of them, someone promoted the site and listed his e-mail as a contact: rossulbricht@gmail.com. It was this tiny mistake that later became a key clue.
For years, investigators tracked bitcoin transactions, studied the administrator's communication style, mapped IP address movements and built a digital profile of the suspect. It all came down to one name: Ross Ulbricht.
The decisive moment came in October 2013. Ulbricht worked regularly on his laptop at the New York library. Two FBI agents staged an altercation near his desk, and the moment Ulbricht looked away from the screen, another agent snatched the laptop from behind him. At that point the computer was open, logged in and still running the Silk Road admin panel.
Digital forensics specialists immediately imaged both the disk and the RAM and recovered access keys, store logos, encryption scripts, and a diary in which Ulbricht detailed the building of the Silk Road empire. After years of anonymous crime, one old message and a few minutes of inattention caught up with him.
In 2015, Ross Ulbricht was sentenced to life imprisonment without the possibility of parole.
In May 2017, the world experienced an attack that definitively demonstrated how vulnerable modern digital infrastructure can be. Within days, the WannaCry ransomware infected more than 300,000 devices in more than 150 countries, from British hospitals and transport systems to factories in Japan and Russia. Computers were locked, files encrypted, and a ransom demand in bitcoin appeared on screens.
While the public panicked, digital forensics teams immediately began analyzing the damage. They analyzed malware samples and identified the vulnerability exploited in the attack: the EternalBlue exploit, originally developed by the US NSA and later leaked to the public. Forensic analysts also identified the servers controlling the malware and monitored how it spread across networks.
They also reverse-engineered the ransomware, which uncovered weaknesses and made it possible to create data-decryption tools for some versions of the attack. The rapid response of security teams helped many institutions recover their systems from backups and minimize the impact.
The FBI and other agencies later identified the hacking group Lazarus, linked to the North Korean regime, as the perpetrator of the attack, based on digital evidence and analysis of network infrastructure.
Dennis Rader, known as the BTK Killer (short for Bind, Torture, Kill), terrorized Kansas from the 1970s to the early 1990s. He committed ten brutal murders, sending taunting letters to the police after each one. Then he went silent for more than a decade. It wasn't until 2004, as if craving renewed attention, that he made contact again, this time digitally.
He sent police a floppy disk with an anonymous document in which he claimed to be the real BTK. He believed that this medium would leave no traces. But the digital forensics examiners focused on something he had overlooked: metadata.
In their analysis, they discovered two key pieces of information: the name “Dennis” and the name Christ Lutheran Church. Both leads pointed to the same person, Dennis Rader, an active member of that church. Ironically, a serial killer who had evaded capture for years was caught because of one overlooked digital trail.
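The metadata trail described above, as an added example that is not from the original article: a small Python script that builds a constructed .docx in memory (the page does not state the document's actual format, so .docx is an assumption here) with invented creator and Company fields, then reads them back the way an examiner checks what a document reveals about its origin, including the case where the property parts are missing.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the Office Open XML document-property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def build_sample_docx(with_properties: bool = True) -> bytes:
    """Constructed sample: a minimal .docx in memory. With with_properties=True
    the property parts carry invented authoring metadata; with False they are
    omitted, as in a document that was stripped before being handed over."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")  # body text is irrelevant here
        if with_properties:
            core = (
                '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
                "<dc:creator>Dennis</dc:creator>"
                "<cp:lastModifiedBy>Dennis</cp:lastModifiedBy>"
                "</cp:coreProperties>"
            ).format(**NS)
            app = '<Properties xmlns="{ep}"><Company>Christ Lutheran Church</Company></Properties>'.format(**NS)
            z.writestr("docProps/core.xml", core)
            z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def extract_authoring_metadata(docx_bytes: bytes) -> dict:
    """Read the creator, last-modified-by and company fields from a .docx.
    Parts or fields that are absent are reported as None instead of raising."""
    found = {"creator": None, "last_modified_by": None, "company": None}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:  # Dublin Core style fields
            root = ET.fromstring(z.read("docProps/core.xml"))
            found["creator"] = root.findtext("dc:creator", namespaces=NS)
            found["last_modified_by"] = root.findtext("cp:lastModifiedBy", namespaces=NS)
        if "docProps/app.xml" in parts:  # application fields such as Company
            root = ET.fromstring(z.read("docProps/app.xml"))
            found["company"] = root.findtext("ep:Company", namespaces=NS)
    return found


if __name__ == "__main__":
    print(extract_authoring_metadata(build_sample_docx()))
```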
In 2024, one of America's major hospitals became the target of a sophisticated ransomware attack. Using a so-called SIM swap, the attackers took control of the phone number of one of the administrators and thus gained access to the two-factor authentication codes. It didn't take long for the hospital's entire IT system to be locked down: medical records, access to test results, surgery scheduling. Lives were literally at stake.
Using network analysis, a team of digital forensics specialists identified the ransomware's communication infrastructure, that is, the servers through which the malware received instructions and sent data. A key role was played by a technique called sinkholing: the malicious traffic was redirected to the specialists' own servers, giving them insight into how the attack worked and allowing them to block it in a controlled manner.
Thanks to early intervention, the affected parts of the system were isolated, operations were restored from backups and the payment of a ransom was averted. The hospital kept running, although it operated in a significantly restricted mode for several days.
The attackers have not yet been caught, but the case has shown how important it is to have a team of experts ready who can stop even a critical cyber attack within hours, before irreversible damage occurs.
Author: Kateřina Slezáková