Digital Investigation FAQ
Prepared by Eoghan Casey, MA
Some individuals attempt to make generalizations about criminals who use computers. This is not profiling; it is unsafe speculation. Teaching investigators that future criminals will fit into a static mold can mislead an investigation, potentially delaying or thwarting the apprehension of an offender.
Criminal profiling is the process of examining a crime scene for physical and behavioral evidence that can be used to gain a better understanding of the crime, victim/target and offender. For more information, also see Casey, E., "Criminal Profiling, Computers, and the Internet," Journal of Behavioral Profiling, May 2000, Vol. 1, No. 2.
The answer to this question has many parts since you might encounter a criminal on Usenet, IRC, through e-mail, as a result of a computer intrusion, etc. (see the training section below). In some cases, you may find a significant amount of information about the individual in question. However, in the majority of cases you will only have an IP address. Some examples relating to e-mail and Usenet are provided at the Spam Tracking Page (mirror).
Once you have an IP address, you will probably want to contact the Internet Service Provider (ISP) that the criminal connected through. Provided the criminal did not hijack the account or pay using a stolen credit card, the ISP will have billing information for the responsible individual. Most ISPs will require a subpoena before disclosing subscriber information and a search warrant before disclosing stored communications.
Nobody really owns an IP address. Registrars around the world assign blocks of IP addresses to organizations that request them. In turn, an organization is responsible for allocating their block of IP addresses. To determine which organization is responsible for a given IP address, you can search the appropriate Registrar's WHOIS database. For example, ARIN maintains a database of IP addresses assigned to U.S. organizations and RIPE has a similar database for Europe.
Rather than search each Registrar's WHOIS database individually, use a tool like GeekTool Whois Proxy or others described at the SANS Contacting Host Owners page. Additional tools are available at the ad hoc IP tools and SamSpade pages.
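As an added example (not from the FAQ or any of the tools it links), the following Python script parses the key/value records a registrar WHOIS server returns and picks the most specific netblock covering an address, which is the organization to contact. The record text, organization names, e-mail addresses and netblocks are constructed placeholders.

```python
"""Find the organization responsible for an IP from WHOIS netblock records.
Added example, not the FAQ's code. SAMPLE_WHOIS is constructed in the key/value
layout registrar WHOIS servers return; names, e-mails and netblocks are placeholders."""
import ipaddress
import re

# Constructed sample: an ISP-level allocation and a smaller reassignment inside it,
# mirroring the FAQ's registrar -> organization -> customer chain.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-ISP-NET
OrgName:        Example ISP Inc (placeholder)
OrgAbuseEmail:  abuse@isp.example

NetRange:       192.0.2.128 - 192.0.2.191
CIDR:           192.0.2.128/26
NetName:        EXAMPLE-CUSTOMER
OrgName:        Example Customer LLC (placeholder)
OrgAbuseEmail:  abuse@customer.example
"""

def parse_whois_records(text):
    """Split blank-line separated records into dicts of field -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if "NetRange" in rec:
            records.append(rec)
    return records

def responsible_record(ip, records):
    """Return the narrowest record whose NetRange covers ip, or None."""
    # Narrowest block = organization the address was reassigned to;
    # wider blocks are its upstream provider or the registrar itself.
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rec["NetRange"].split("-"))
        if lo <= addr <= hi:
            width = int(hi) - int(lo)
            if best is None or width < best[0]:
                best = (width, rec)
    return best[1] if best else None
```

The `OrgAbuseEmail` field of the returned record is the contact to use when requesting subscriber information through the proper legal process.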
Before attempting to collect evidence from a computer, it is important to have a solid understanding of how forensic science is applied to computers. It is also critical to follow a standard procedure when collecting evidence to ensure consistency and avoid mistakes or oversights. These basic issues are covered in Digital Evidence and Computer Crime, 2nd Edition.
There are two key issues when it comes to actually collecting digital evidence: authenticity and integrity. You need to be able to demonstrate that the evidence is what you say it is, came from where you say it came from, and has not been modified since you obtained it. How you document evidence to demonstrate that it is authentic and reliable depends heavily on the circumstances and the computer systems you are dealing with.
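One concrete way to support the integrity requirement described above is to hash the acquired evidence at the time of collection, record the hash alongside who acquired it, from where and when, and re-hash later to show nothing has changed. The Python below is an added example rather than the FAQ's own procedure; the evidence file is constructed in a temporary directory, and the case number, examiner and source are placeholders.

```python
"""Hash acquired evidence and later verify it is unchanged (integrity, per the FAQ).
Added example, not the FAQ's own procedure; the evidence file is constructed in a
temporary directory and the case number/examiner/source are placeholders."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte disk image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(path, case_id, examiner, source):
    """Custody record: who acquired what, from where, when, and its hash."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": hash_file(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }

def verify_integrity(path, record):
    """Re-hash and compare; any change since acquisition makes this False."""
    return (os.path.getsize(path) == record["size"]
            and hash_file(path) == record["sha256"])

def demo():
    """Acquire a constructed image, verify, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.img")
        with open(img, "wb") as f:
            f.write(b"constructed sample disk image\n" * 1000)
        rec = record_acquisition(img, "CASE-0000 (placeholder)",
                                 "Examiner (placeholder)", "seized laptop HDD (placeholder)")
        before = verify_integrity(img, rec)
        with open(img, "r+b") as f:  # simulate a single-byte modification
            f.write(b"X")
        after = verify_integrity(img, rec)
        return before, after
```

The size check is cheap but not sufficient on its own: the modified image in `demo()` has the same size as the original and is caught only by the hash comparison.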
Software is available to preserve evidence stored on a standalone personal computer. A number of these products are compared in this SC Magazine market survey. Also, The SleuthKit is a free tool for examining digital evidence. Another free tool called The Coroner's Toolkit (TCT) is being developed to collect both static and volatile evidence from a computer.
Even the most basic computer intrusions can be very challenging from a technical and investigative standpoint. Inexperienced intruders can use freely available toolkits that automate very technical tasks that make investigation more difficult. Also, because of the distributed nature of the Internet, a single intrusion often has related evidence in multiple jurisdictions.
Several checklists exist to help system administrators investigate an intrusion, but these guidelines do not consider evidentiary issues. For more details about the process of investigating a computer intrusion, see Digital Evidence and Computer Crime, 2nd Edition. Also, read Basic Steps in Forensic Analysis of Unix Systems.
The short answer is, you don't. The most that you should do is present enough information to law enforcement to investigate the situation (see The CyberTipline). If you attempt to take the law into your own hands by engaging a sexual predator, you put yourself in danger and you risk destroying valuable evidence or opportunities to gather evidence.
The same advice applies to members of law enforcement who do not have experience with this type of criminal investigation. If you have something definitive, try to pass it on to the state police where the suspect is located or another agency with requisite experience and jurisdiction. In the long run, this will also save you from devoting time to an investigation that was not approved by your superiors. If you get into a situation where you have to fly to another state you want to be certain that your superiors are on your side from the start.
Universities are starting to offer related training but are still in the early stages of development. For instance:
A more extensive list of higher education institutions with related courses and programs is available on Christine Siedsma's site.
There are many ways to gather information about an individual on the Internet. There are several measures that can be employed to reduce the amount of personal information that is available to others.
Additionally, do not run programs or open documents obtained from the Internet. Executables can carry Trojan horse programs like SubSeven and Back Orifice, giving an intruder complete remote control of your computer. Word documents can carry viruses that delete information on your computer. As a precaution, install AntiVirus software, obtain new virus definitions at least once a week, and scan your computer for viruses immediately after obtaining new virus definitions. Also consider installing a personal firewall like Zone Alarm or Norton Internet Security to protect a personal computer by restricting access to it.
Finally, use encryption whenever possible. For instance, use PGP to encrypt e-mail messages before sending them and data on your disks. Make certain that connections to your e-mail server are encrypted to protect your e-mail password. Make certain that connections to commercial Web sites are encrypted to protect any personal information you provide.
© 2004 Forensic Solutions LLC; All rights reserved.
Last update: 11/22/04