Collecting Internet Evidence, Part 2
Cloud services, social media, and other developments create their own sets of issues when pursuing Internet-based criminals.
Cybercrime is among the fastest growing types of illegal behavior, as more offenders seek to exploit the speed, convenience, and anonymity that the Internet provides to commit a diverse range of illegal activities.
Collecting information to pursue Internet attackers is part of the IT security staff's function. Knowing how to collect and use the information is a growing concern, with many new personnel entering the field. Todd Shipley and Art Bowker co-authored "Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace," which was just released this December. I contacted Todd to interview him about collecting Internet evidence, and this blog post is the second part of that interview. (See here if you missed Part 1.)
What are the differences in these investigations between an enterprise-owned environment and the same services offered in a cloud? Todd Shipley: From an investigative point of view, it is all about access and control of the data. If the investigator can access the network or the contracted cloud services, he has greater control over the outcome of the data and the ability to collect the data in its original form.
We often cannot collect original data from a server, unless it is downloadable such as a photograph or document. Any data interpreted by a browser is just that, a representation of the data sent to your computer that is then interpreted and displayed to you by that specific browser. Wholly owned data in control of the enterprise can be accessed and collected forensically. Browser-based data on a server cannot be collected through the Internet in the same manner.
Are there different issues when investigating social media?
TS: There are definitely issues when collecting social media data. It's not just the existence of the visual representation of the data; it is that the data is in motion and that the data can constantly change.
Additionally, depending on the social media site, there is more data than the simple post made by the target. There can be other "meta-data," [a term] which describes other information found in the social media posts. Even on some of the image sharing sites, the original images' "meta-data," referred to as Exif (Exchangeable image file format) data, can be collected. This can include even the latitude and longitude of where an image was taken if the smartphone camera uses that capability. Sometimes this data can also be obtained with legal processes on the Internet Service Provider.
How does information collection help or limit the prosecution of criminals?
TS: I think in today's connected world, almost everyone has a smartphone of some type. This allows us, along with our laptops and desktop computers, to stay connected 24/7. Add the near-constant use of social media and you have a recipe for huge amounts of information to be collected. The National Security Agency (NSA) has been criticized for its use of this data, but the fact is that every user freely offers the information up to these sites, and even a large percentage is publically available.
From an investigative point of view, this is a huge source of information that can be translated into actionable intelligence if timely, or uniquely specific historical data for time can tie a person to an event. All of this data, either publically available or contained on a service provider's network, obtainable by legal service (search warrant, subpoena, etc.), can and is being used daily in investigations and prosecutions.
The problem investigators have is that most are not looking for the evidence hidden in plain sight on the Internet. I coined the phrase "Make the Internet your regular beat" years ago in an attempt to raise awareness about the Internet's investigative potential. Whether it is direct investigation of an incident in a chat room, or the collection and identification of intelligence on a case, the Internet will in almost every case have some informational value to the investigator.
How do forensic investigators protect themselves while performing investigations?
TS: Digital officer safety is a great consideration for the Internet investigator. Working on the Internet can cause considerable damage to agency or company computers if due consideration is not taken prior to going online.
A segregated computer is the best start to considering the threats posed by Internet-based investigations. Art Bowker and I detail in our new book how investigators should prepare their system prior to actually starting an investigation. Some of the tips include adding a firewall to their system, ensuring up-to-date anti-virus programs are running, and numerous other thoughts on protecting the officer during the investigative process.
I am sure there are tools to help. Are there free tools? Can you provide examples of tools that are for purchase?
TS: Free tools for collecting evidence can include anything that can document the data observed by the investigator. Old school chat investigations were just a video camera over the shoulder of the investigator recording his chat with the suspect. Today, there are many free video recording and snapshot programs available for this purpose.
As for purchasing tools, a longtime favorite in the evidence collection field has been TechSmith's SnagIt and Camtasia. There is our own product WebCase that was designed from the ground up as an Internet evidence collection tool and holds the only U.S. patent for collecting Internet data as evidence.
There are other considerations for tools such as Hashing tools to uniquely fingerprint the collected data. Hashing tools can be found as freeware too. WebCase has the Hashing of collected data built into the suite of tools.
Would you describe your recently published book and how it addresses these issues?
TS: Our book was designed to provide that fundamental knowledge, including how to properly collect and document online evidence, trace IP addresses, and work undercover.
* It helps by providing step-by-step instructions on how to investigate Internet crimes.
* It covers how software tools can assist during their Internet investigations with the collection and documentation of online data.
* We discuss how to track down, interpret, and understand Internet electronic evidence to the benefit of an investigation.
* We also detail guidelines for collecting and documenting online evidence that can be successfully presented in court.
Todd G. Shipley has more than 25 years of experience in law enforcement: from investigating financial and computer crimes to overseeing the training of high-tech crimes investigators. Between 2004 and 2007, he was the Director of Systems Security and High Tech Crime Prevention Training--and manager of the National Criminal Justice Computer Laboratory and Training Center--for SEARCH, The National Consortium for Justice Information and Statistics.