Digital Investigation FAQ
Prepared by Eoghan Casey, MA


What is the profile of a computer criminal?

Some individuals attempt to make generalizations about criminals who use computers. This is not profiling; it is unsafe speculation. Teaching investigators that future criminals will fit into a static mold can mislead an investigation, potentially delaying or thwarting the apprehension of an offender.

Criminal profiling is the process of examining a crime scene for physical and behavioral evidence that can be used to gain a better understanding of the crime, victim/target and offender. For more information also see Casey, E. "Criminal Profiling, Computers, and the Internet," Journal of Behavioral Profiling, May, 2000, Vol. 1, No. 2


How do I track a criminal on the Internet?

The answer to this question has many parts since you might encounter a criminal on Usenet, IRC, through e-mail, as a result of a computer intrusion, etc. (see the training section below). In some cases, you may find a significant amount of information about the individual in question. However, in the majority of cases you will only have an IP address. Some examples relating to e-mail and Usenet are provided at the Spam Tracking Page (mirror).

Once you have an IP address, you will probably want to contact the Internet Service Provider (ISP) that the criminal connected through. Record the exact date and time of the activity, including the time zone: many addresses are assigned dynamically, so without the time the ISP cannot tell which subscriber was using the address. Provided the criminal did not hijack an account or pay using a stolen credit card, the ISP will have billing information for the responsible individual. Most ISPs will require a subpoena before disclosing subscriber information and a search warrant before disclosing stored communications, so ask them to preserve the relevant records promptly; connection logs are often kept only for a short time.
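The most common place to recover that IP address is the Received: chain of an e-mail message. The following is an added example, not code from the original FAQ or from the Spam Tracking Page it refers to. The message, the host names and the addresses are constructed (RFC 5737 documentation ranges), and the set of "trusted" servers is an assumption standing in for the mail servers an investigator actually controls. It walks the chain from the newest hop down and stops at the lowest header written by one of those servers: the IP in that header is the address that really connected, while every header below it was supplied by the remote side and may have been forged.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Received: headers read
# top-down from the most recent hop to the oldest. The bottom header was
# written by the sender to suggest a government origin.
SAMPLE_MESSAGE = (
    "Received: from mx2.example.net (mx2.example.net [192.0.2.20])\n"
    "\tby mail.example.net with ESMTP id abc123\n"
    "\tfor <victim@example.net>; Tue, 9 Nov 2004 10:15:02 -0500\n"
    "Received: from relay.isp.example (relay.isp.example [198.51.100.7])\n"
    "\tby mx2.example.net with ESMTP id def456;\n"
    "\tTue, 9 Nov 2004 10:15:01 -0500\n"
    "Received: from dialup-42.isp.example (dialup-42.isp.example [203.0.113.42])\n"
    "\tby relay.isp.example with SMTP id ghi789;\n"
    "\tTue, 9 Nov 2004 10:14:58 -0500\n"
    "Received: from trusted-looking.gov ([10.0.0.1])\n"
    "\tby dialup-42.isp.example; Tue, 9 Nov 2004 10:14:50 -0500\n"
    "From: someone@example.org\n"
    "To: victim@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Mail servers under the investigator's control (assumed for this example).
TRUSTED_SERVERS = {"mail.example.net", "mx2.example.net"}

# "from <host> ... [<ip>]" and "by <host>" as written by most MTAs.
FROM_RE = re.compile(r"\bfrom\s+([^\s;(]+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
BY_RE = re.compile(r"\bby\s+([^\s;]+)")


def parse_received(value):
    """Pull the claimed sending host, its IP and the receiving host out of
    one Received: header. Fields missing from the header come back as None."""
    m_from = FROM_RE.search(value)
    m_by = BY_RE.search(value)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "from_ip": m_from.group(2) if m_from else None,
        "by_host": m_by.group(1) if m_by else None,
    }


def trace_origin(raw_message, trusted_servers):
    """Walk the Received: chain from the newest hop downward.

    Each header was written by the server named after 'by', so it can be
    trusted only as far as that server is. The lowest header written by one
    of our own servers records the IP that actually connected to us; every
    header below it came from the remote side and may be forged.
    Returns (verified_ip, all_hops, unverified_hops)."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted_idx = [i for i, h in enumerate(hops) if h["by_host"] in trusted_servers]
    if not trusted_idx:
        return None, hops, hops
    last = trusted_idx[-1]
    return hops[last]["from_ip"], hops, hops[last + 1:]


if __name__ == "__main__":
    verified, hops, unverified = trace_origin(SAMPLE_MESSAGE, TRUSTED_SERVERS)
    print("Verified connecting IP:", verified)
    for h in unverified:
        print("Unverified claim: %s [%s] -> %s" % (h["from_host"], h["from_ip"], h["by_host"]))
```

In the sample the verifiable boundary is the ISP's relay (198.51.100.7). The dial-up address below it was recorded by the ISP, so it is the address to ask the ISP about, but only the ISP's own logs can confirm it; the "trusted-looking.gov" line below that is exactly the kind of header a sender can insert and should not be treated as evidence of origin.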

How do I figure out who owns an IP address?

Nobody really owns an IP address. Regional Internet Registries (RIRs) assign blocks of IP addresses to organizations that request them. In turn, an organization is responsible for allocating addresses within its block. To determine which organization is responsible for a given IP address, search the appropriate registry's WHOIS database. For example, ARIN maintains a database of IP addresses assigned to organizations in North America, and RIPE NCC has a similar database for Europe.

Rather than search each registry's WHOIS database individually, use a tool like GeekTool Whois Proxy or the others described at the SANS Contacting Host Owners page. Additional tools are available at the ad hoc IP tools and SamSpade pages. Keep in mind that the registry record identifies the organization responsible for the block, not the end user; for a dial-up or dynamically assigned address that organization is usually the ISP you will need to contact.
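For readers who want to see what those tools do underneath, here is an added example (not code from the FAQ or from any of the tools it names) of the raw WHOIS protocol and of reading the answer. The registry servers listed are the real RIR WHOIS hosts; the response text is constructed for a documentation range and is not real registry data. The parser accepts both ARIN-style (NetRange, OrgAbuseEmail) and RIPE-style (inetnum, abuse-mailbox) fields, and the covers() check confirms the address really falls inside the block the record describes before you rely on its contacts.

```python
import ipaddress
import re
import socket

# Constructed ARIN-style response for an RFC 5737 documentation range;
# not real registry data. Real responses carry more fields and comments.
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-ISP-DIALUP
NetHandle:      NET-203-0-113-0-1
OrgName:        Example ISP, Inc.
OrgId:          EXAMP-1
City:           Anytown
Country:        US

OrgAbuseHandle: ABUSE-EXAMP
OrgAbuseName:   Abuse Desk
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@isp.example
"""

# Regional Internet Registry WHOIS servers. Query syntax varies slightly
# per server; a bare IP address is accepted by all of them.
RIR_SERVERS = {
    "arin": "whois.arin.net",
    "ripe": "whois.ripe.net",
    "apnic": "whois.apnic.net",
    "lacnic": "whois.lacnic.net",
    "afrinic": "whois.afrinic.net",
}


def whois_query(server, query, timeout=10):
    """Raw WHOIS protocol (RFC 3912): open TCP/43, send one line, read
    until the server closes the connection. Needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


KV_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*\S)\s*$")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (keys lower-cased),
    skipping the '#' and '%' comment lines used by ARIN and RIPE."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue
        m = KV_RE.match(line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def address_blocks(record):
    """Networks the record claims: ARIN NetRange/CIDR or RIPE inetnum."""
    blocks = []
    for key in ("netrange", "inetnum"):
        for value in record.get(key, []):
            lo, hi = [p.strip() for p in value.split("-", 1)]
            blocks.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    for value in record.get("cidr", []):
        for cidr in value.split(","):
            blocks.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return blocks


def covers(ip, record):
    """Sanity check: is the address actually inside the block described?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in address_blocks(record))


def abuse_contacts(record):
    """Abuse mailboxes in ARIN (OrgAbuseEmail) or RIPE (abuse-mailbox) form."""
    return record.get("orgabuseemail", []) + record.get("abuse-mailbox", [])


def lookup(ip, rir="arin"):
    """Query one registry and parse the result (network access required)."""
    return parse_whois(whois_query(RIR_SERVERS[rir], ip))


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["orgname"][0], address_blocks(rec)[0], abuse_contacts(rec))
    print("203.0.113.42 covered:", covers("203.0.113.42", rec))
```

Start with the registry for your own region; if the block belongs to another registry, the response will say so and name it, and you query that server next. Registry contact details are maintained by the block holder and are sometimes stale, so treat a bounced abuse address as a reason to escalate through the upstream provider rather than a dead end.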


How do I collect and examine evidence from a computer?

Before attempting to collect evidence from a computer, it is important to have a solid understanding of how forensic science is applied to computers. It is also critical to follow a standard procedure when collecting evidence to ensure consistency and avoid mistakes or oversights. These basic issues are covered in Digital Evidence and Computer Crime, 2nd Edition.

There are two key issues when it comes to actually collecting digital evidence: authenticity and integrity. You need to be able to demonstrate that the evidence is what you say it is, came from where you say it came from, and has not been modified since you obtained it. How you document evidence to demonstrate that it is authentic and reliable depends heavily on the circumstances and the computer systems you are dealing with.

Software is available to preserve evidence stored on a standalone personal computer. A number of these products are compared in this SC Magazine market survey. Also, The Sleuth Kit is a free tool for examining digital evidence. Another free tool called The Coroner's Toolkit (TCT) is being developed to collect both static and volatile evidence from a computer.
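Whatever tool acquires the image, the integrity argument above rests on cryptographic hashes taken at collection time and recorded with who collected what and when. The following is an added example of that bookkeeping, not code from the FAQ or from any of the products it mentions. It hashes a file in chunks (so a multi-gigabyte image need not fit in memory), writes a manifest, and later re-verifies it; the "image" it runs on is the constructed three bytes b"abc", chosen because their MD5 and SHA-256 are published test vectors, and the examiner name is a placeholder.

```python
import hashlib
import json
import os
import tempfile
import time


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file (an image, a log, a memory dump) in fixed-size chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(paths, manifest_path, examiner, note=""):
    """Record what was collected, by whom, when, and its hashes. The
    manifest is what you produce when asked to show the evidence is
    unchanged; keep it separate from the evidence itself."""
    entries = []
    for p in paths:
        entries.append({
            "file": os.path.basename(p),
            "size": os.path.getsize(p),
            "hashes": hash_file(p),
        })
    manifest = {
        "examiner": examiner,
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "note": note,
        "entries": entries,
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest_path, evidence_dir):
    """Re-hash every file and report OK, MODIFIED or MISSING per entry."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    results = {}
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path):
            results[entry["file"]] = "MISSING"
            continue
        current = hash_file(path, tuple(entry["hashes"]))
        results[entry["file"]] = "OK" if current == entry["hashes"] else "MODIFIED"
    return results


def demo():
    """Self-contained run on a constructed 'image' (the bytes b'abc').
    Returns the hashes, the verification result right after collection,
    and the result after the image has been tampered with."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk.dd")
        with open(image, "wb") as fh:
            fh.write(b"abc")
        manifest = os.path.join(workdir, "manifest.json")
        hashes = write_manifest(
            [image], manifest, examiner="J. Doe (placeholder)",
            note="constructed sample, not real evidence",
        )["entries"][0]["hashes"]
        before = verify_manifest(manifest, workdir)
        with open(image, "ab") as fh:  # simulate post-collection tampering
            fh.write(b"\x00")
        after = verify_manifest(manifest, workdir)
    return hashes, before, after


if __name__ == "__main__":
    print(demo())
```

In practice you hash the original media (through a write blocker) and the image immediately after acquisition and record both values; matching hashes show the copy is faithful, and the manifest lets anyone re-run the check later. Two algorithms are recorded so that a weakness found in one does not undermine the record.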


How do I investigate a computer intrusion?

Even the most basic computer intrusions can be very challenging from a technical and investigative standpoint. Inexperienced intruders can use freely available toolkits that automate highly technical tasks, which makes investigation more difficult. Also, because of the distributed nature of the Internet, a single intrusion often leaves related evidence in multiple jurisdictions.

Several checklists exist to help system administrators investigate an intrusion, but these guidelines do not consider evidentiary issues. For more details about the process of investigating a computer intrusion see Digital Evidence and Computer Crime, 2nd Edition. Also, read Basic Steps in Forensic Analysis of Unix Systems.

How do I catch a sexual predator on the Internet?

The short answer is, you don't. The most that you should do is present enough information to law enforcement to investigate the situation (see The CyberTipline). If you attempt to take the law into your own hands by engaging a sexual predator, you put yourself in danger and you risk destroying valuable evidence or opportunities to gather evidence.

The same advice applies to members of law enforcement who do not have experience with this type of criminal investigation. If you have something definitive, try to pass it on to the state police where the suspect is located or another agency with requisite experience and jurisdiction. In the long run, this will also save you from devoting time to an investigation that was not approved by your superiors. If you get into a situation where you have to fly to another state you want to be certain that your superiors are on your side from the start.


Where can I get related training / education?

There are a number of organizations that provide related training, including:

Be aware that all training providers have a specific focus and some are only open to law enforcement or large corporations. No single course will give you everything that you need.

Universities are starting to offer related training but are still in the early stages of development. For instance:

A more extensive list of higher education institutions with related courses and programs is available on Christine Siedsma's site.


How do I protect my privacy on the Internet?

There are many ways to gather information about an individual on the Internet. There are several measures that can be employed to reduce the amount of personal information that is available to others.

Using free dial-up services that provide you with a dynamic IP address and require a limited amount of personal information makes it more difficult for others on the Internet to determine your identity. Reduce the amount of information that your Web browser gives out (e.g. disable cookies) and the amount of access that your Web browser or e-mail client gives to others (e.g. disable JavaScript, don't interpret HTML in e-mail). Keep your Web browser and e-mail client updated (vulnerabilities in Web browsers and e-mail clients can allow a malicious individual to damage or pry into your computer). Minimize the amount of information available in online directories, on the Web, in Usenet, etc.

Additionally, do not run programs or open documents obtained from the Internet. Executables can carry Trojan horse programs like SubSeven and Back Orifice, giving an intruder complete remote control of your computer. Word documents can carry macro viruses that delete information on your computer. As a precaution, install antivirus software, obtain new virus definitions at least once a week, and scan your computer for viruses immediately after obtaining new virus definitions. Also consider installing a personal firewall like ZoneAlarm or Norton Internet Security to protect a personal computer by restricting access to it.

Finally, use encryption whenever possible. For instance, use PGP to encrypt e-mail messages before sending them and to encrypt data on your disks. Make certain that connections to your e-mail server are encrypted to protect your e-mail password. Make certain that connections to commercial Web sites are encrypted to protect any personal information you provide.


This site is designed and produced by Forensic Solutions LLC
 2004 Forensic Solutions LLC; All rights reserved.
Last update: 11/22/04