Generating an Identity

When working undercover, an investigator often needs to create a sockpuppet, which is a fake online persona created to interact with a person of interest. The investigator may need to create a Gmail or Yahoo! account, and the verification process will require an established email account and telephone number. ProtonMail (protonmail.com) or Tutanota (tutanota.com) are services that will allow you to create disposable email accounts for verification. We will discuss disposable email in more detail in the next section.

Blur (abine.com) is a tool that allows you to obfuscate your email information. You can also create email accounts for use on the Dark Web, using services like Mail2Tor (mail2tor.com or mail2tor2zyjdctd.onion) or Secmail Tor (sigaintevyh2rzvw.onion). Regarding SMS verification, for new online accounts, you can use free services, like TextNow (textnow.com) or Talkatone (talkatone.com), or you could use a burner phone.

Sometimes an investigator will need to use Bitcoin in an investigation and ensure that the Bitcoin address is untraceable or close to being untraceable. Bitcoin Laundry (bitcoin-laundry.com) may be a good solution, if approved by your department. A Bitcoin ATM is another option, and these ATMs can be located at Coin ATM Radar (coinatmradar.com). Another option is to use a prepaid debit card, which does not require that the purchaser provide a name and address. A OneVanilla prepaid Visa card may be an appropriate option (onevanilla.com). This Visa card can then be linked to a PayPal account, if needed.

When interacting online with a suspect, it is important that your identity remains a secret and that your computer is protected against malware. Therefore, you may consider using a paid VPN service. Algo VPN (github.com/trailofbits/algo) allows you to create your own VPN service. There are paid VPN services too, like NordVPN (nordvpn.com) and RSocks (rsocks.net). You might also consider using the Tor browser (www.torproject.org) with the Tails OS (tails.boum.org) to remain anonymous online.

Realistically, it is not difficult for a detective to create an undercover identity. Nevertheless, there is a service that allows the user to quickly generate a false identity. Fake Name Generator (www.fakenamegenerator.com) is a free online service that allows the user to generate an ad hoc identity (see Figure 5.1). Moreover, the service allows the user to select gender (male/female), name set (American, Chinese, Hispanic, etc.), and country (Australia, Italy, United States, etc.). Once these three criteria have been submitted, a phony name, address, email address, telephone number, credit card number, Social Security number, weight, height, and other personal data are generated. Of course, sometimes the investigator may decide to tailor an undercover identity for a specific type of investigation—perhaps posing as a young girl when chatting online with a suspected pedophile. One problem for undercover investigators is the use of photographs to create a fake persona. The website thispersondoesnotexist.com creates realistic-looking computer-generated photos of people.

Generating an Email Account

When working undercover, creating a temporary email account can be necessary to start a new service that will be utilized during an investigation. For example, when creating a new Gmail account, an email address is required to validate the user when setting up a new account. There are several disposable email services that allow the user to create an ad hoc email account with an inbox. Once the browser is closed, the email account is eliminated. Gmail accounts are particularly useful with undercover investigations because Google obfuscates the originating IP address from the email headers.

GuerrillaMail (www.guerrillamail.com) allows a user to create a temporary email address, which does not require any type of registration (see Figure 5.2). Your temporary email address will not have the @guerrillamail.com extension. The GuerrillaMail email address will last for 60 minutes.

Another service, mail expire (www.metafilter.com), allows the user to create a disposable email account that can be set to last up to three months (see Figure 5.3). However, unlike Guerrilla Mail, mail expire does require that you register and enter an existing email address. It should be noted that some disposable email accounts are blocked by some services as a method of verification.

Another disposable email service that does not require any type of registration is Mailinator (mailinator.com; see Figure 5.4). Interestingly, you can select your own username with this service. For example, you could select the email address [email protected].

All of these aforementioned disposable email services are advertised as beneficial to users who wish to avoid spam. Nevertheless, they provide an effective means for detectives to utilize services without providing any (genuine) personally identifiable information.

In summary, an investigator can create a phony profile for an undercover investigation. A Gmail, or other email account, can be created using the phony profile. The email required by the Gmail registration process would be a disposable email created on-the-fly by a service like mailinator. Once a confirmation email appears in the mailinator Inbox, the detective can then click the confirmation link to finalize the Gmail account setup.

Masking Your Identity

Detectives have numerous methods at their disposal to remain anonymous online. Bluffmycall.com is one service that enables the user to (1) change her caller ID to any number, (2) disguise his voice, or (3) record his calls (see Figure 5.5). SpoofCard (www.spoofcard.com) is a similar service, which is also popular.

Spy Dialer (www.spydialer.com) is a free online service that allows a user to contact a cellphone number to hear who answers the telephone, without identifying the number of the caller (see Figure 5.6). The service can also be downloaded as an app to a smartphone.

Law enforcement can use a service called LEAP (Local Number Portability Enhanced Analytical Platform) to track criminals who try to evade investigation by switching telephone carriers. See lawen forcement.numberportability.com for more information about the service. It is also possible to find the carrier name associated with a telephone number by performing a reverse lookup with FoneFinder (fonefinder.net). Neustar (www.home.neustar) can then be used to see if the user of a number has ported it to another carrier.

It is important to note that law enforcement requires a wiretap to record telephone conversations. Laws differ from state to state about whether a recorded telephone conversation can be admitted as evidence; in New York State, only one party is required to consent to being recorded, whereas in California, both parties must consent. In New York State, the interception of a telephone call without consent or permission from a judge is eavesdropping, which is a felony. However, in New York you may record a call with one-party consent, when that party is part of a conversation. In many other states, all parties must consent to being recorded. This was clear in 1999, when Linda Tripp was indicted on charges of wiretapping, under Maryland law, after she recorded Monica’s Lewinsky’s confessions about her relationship with President Clinton. In this case, each wiretap violation carried a maximum penalty of five years in prison, a fine of $10,000, or both.

A user’s identity (more specifically, the IP address) can be masked by use of an online proxy. With an online proxy, a user utilizes another computer to communicate with a third party, with the result that the third party cannot recognize the IP address of the originating communication. Online proxy services include VIP Socks (vip72.com), Megaproxy (megaproxy.com; see Figure 5.7), Ion by Anonymizer (anonymizer.com), and The Cloak (the-cloak.com). In the case of Sarah Palin’s email account being hacked in 2008, David Kernell, using the handle “Rubico”, utilized a proxy service, but investigators were able to quickly identify the originating IP address. Kernell also left his email address ([email protected]) after posting Palin’s emails to 4chan, which is a website for anonymously posting information, including sensitive stolen data.

Many of these anonymizers (online proxies) are used by criminals to carry out their cybercriminal activity. Moreover, many of the computers being used as proxies are being used without the consent of the users and are a part of a botnet. Therefore, these proxy services and their servers generally operate outside the United States, especially in countries where the United States has little or no legal influence—countries like Russia or the Ukraine. Often U.S. investigators also encounter difficulties with accessing data from servers within the European Union because their privacy laws can stifle an investigation.

OSINT Framework

A tremendous resource for finding open source intelligence (OSINT) is OSINT Framework (osintframework.com). This website can, for example, help an investigator search for Dark Web websites of interest. Figure 5.8 displays the type of online resources available related to the Dark Web.

Tor

Tor is free, open source, software and an open network that enables a user to surf the Internet with anonymity. A user can download the Tor Browser Bundle, thereby enabling the user to proxy through numerous host computers on the Tor network, throughout the world, while remaining anonymous. Tor also allows users to publish websites without disclosing their location and which are only available to Tor users. This is often referred to as the Dark Web because these websites are not searchable with a traditional browser, like Microsoft’s Edge. Many of these sites are hosted by criminal actors.

Tor is problematic for investigators because the identities of users on the Tor network are obfuscated, and there are numerous websites with hidden locations. Furthermore, the proprietors of nefarious sites conduct their criminal activities with numerous unknown users. Tor can also be a breeding ground for malware. The Silk Road is one example of a website on the Dark Web. This site, with close to one million registered users, was founded by William Ulbricht, also known as Dread Pirate Roberts, in 2011. The site facilitated criminal transactions: drug trades in LSD, cocaine, heroin, and more. To facilitate anonymity even further, transactions were conducted using Bitcoin. Over the space of 2 ½ years, 9.5 million Bitcoins changed hands (equivalent to $1.3 billion at the time), and Silk Road’s commissions totaled $85 million.

Although it is difficult, or even impossible, to determine the identities of users online, once a user’s computer has been seized, law enforcement can gather some evidence about a user’s activity on Tor, which is derived from the Tor browser bundle. If the suspect’s computer is turned on, then some Tor browser activity can be retrieved from RAM or from the hiberfil.sys file—a file, which is a copy of RAM that is stored on the hard drive when the computer goes into hibernate mode on a PC. When performing a GREP search, the following statement can be used to find Tor sites, which possess a .onion extension:

http.{5,100}.onion

If the user used Tor in conjunction with Tails, the task becomes challenging. Tails (short for TheAmnesicIncognitoLiveSystem) is a live operating system that provides anonymity for the user using virtualized sessions with Tor. It can be run from a USB, SD card, or DVD on virtually any computer. Tor is just one type of Darknet. Another is I2P, which we will discuss next.

Invisible Internet Project

The Invisible Internet Project (I2P) is another tool available for secure communications and anonymous Internet surfing. This network uses public/private key encryption, and, like Tor, websites are hosted anonymously. On the suspect’s computer, the router.config file contains some information about I2P connectivity by the user. The investigator can also search for files with an .i2p extension on the suspect’s computer.

Freenet

Released in 2000, Freenet is a peer-to-peer (P2P) network. Freenet is a networked data store where users on that network can store files in an encrypted format on your computer. The user must be willing to dedicate a minimum of 256MB to the P2P community. The more space that you contribute, the faster your connection on the network (in theory). There are two modes of sharing and communication: “Opennet”, where the user is automatically connected with another host on the network, and “Darknet”, where the user manually selects a specific host on a network that they trust. Like Tor, the goal is to provide anonymity and protect freedom of speech. Like Tor, Freenet attracts pedophiles who wish to share images and videos of abused children.

SecureDrop

Although we sometimes associate Tor and other proxy services with hackers or criminals, there are situations where there is a need for these proxy services. For example, a journalist working with a corporate whistleblower or a political dissident may need to preserve anonymity for fear of death or oppression. Of course, whistleblowers can be tremendously controversial, as seen with Edward Snowden and Chelsea Manning. SecureDrop is an open source submission system, funded by the Freedom of the Press Foundation, which allows whistleblowers to anonymously communicate with journalists.

Dark Web Marketplaces

An investigation of Dark Web marketplaces typically begins with a search on the World Wide Web. One helpful resource for finding these marketplaces is TheDarkWebLInks (thedarkweblinks.com). Websites like pastebin.com can also be used to find these marketplaces. A user could enter the following search, for example:

Click here to view code image

site:pastebin.com ".onion" "hidden wiki"

The user can then limit the search to the previous week.

Dark Web sites can be scraped using Python or AppleScript, and then later analyzed by the investigator. Given that most of the listings on these marketplaces are narcotics, the investigator should have a dictionary of names of each drug or perhaps create one. For example, the drug fentanyl is also referred to as the following:

• Apache

• China Girl

• Goodfellas

• Jackpot

• Tango and Cash

• TNT

Bitcoin

Bitcoin is a crypto-currency, which is a decentralized, peer-to-peer, virtual currency. Bitcoin was invented by Satoshi Nakamoto, which is a pseudonym for an unknown identity. Satoshi means “wisdom” or “reason” and Nakamoto means “central source”. Some say that Bitcoin is a libertarian concept, given its decentralized, non-government system. Crypto-currencies, like Bitcoin, are not illegal in the USA, although they are sometimes used by nefarious actors given its innate anonymity. Bitcoin can be used to book flights, book hotels, order pizza, and buy many other products worldwide.

When a Bitcoin owner sends Bitcoin to another person, the currency is sent from a Bitcoin wallet to another Bitcoin wallet on a computer or on a smart device. A Bitcoin wallet stores a user’s Bitcoin currency. There are numerous Bitcoin wallets to choose from, and this wallet can be encrypted and password-protected. The wallet often uses SHA-256-bit encryption with a public and private key. The public key is displayed on blockchain.info. The wallet address is usually 34 alpha-numeric characters in length. Payment can also be made using a QR code. This QR code can also be used to buy or sell Bitcoin at special Bitcoin ATMs. An investigator will typically search for the wallet.dat file on a suspect’s computer or smartphone to find the Bitcoin wallet. WalletExplorer.com is one website that investigators can use to search for bitcoin addresses, wallet IDs, and other identifiers.

A Bitcoin miner will solve a mathematical problem before forwarding the Bitcoin currency to the recipient. In return, the miner will receive a small percentage of Bitcoin for solving the algorithm. Bitcoin mining requires tremendous computing power, and corporations are now dealing with the issue of some miners using their networks to mine Bitcoin.

The Blockchain (blockchain.info) is an electronic public ledger that keeps track of all Bitcoin transactions or blocks. Anyone can view these blocks in real time. However, determining who is responsible for each transaction is problematic without knowing the date and time of a transaction and knowing the identities of the people. Additionally, each block can be a combination of user transactions. To complicate matters further, a criminal can use a Bitcoin tumbler. A Bitcoin tumbler service is used to mix up Bitcoin transactions and make it ever harder to link Bitcoin to a specific transaction on the Blockchain. Thus, Bitcoin is the currency of choice for criminals on Dark Web marketplaces. Furthermore, many sellers operating on these marketplaces will convert the Bitcoin that they receive and quickly convert this crypto-currency into another crypto-currency, like Monero, Ethereum, or Dash. A criminal may exchange Bitcoin for Monero because Monero, unlike bitcoin, does not have a public ledger, and therefore examining these transactions are more challenging for investigators.

The Genesis Block was the first block in the Blockchain. It was created on or after January 3, 2009, and this Genesis Block can never be used again.

Venmo and Vicemo

There are numerous peer-to-peer payment services. Venmo (venmo.com) is one service that allows users to send money to other people, make deposits to a bank or even make purchases. Vicemo (vicemo.com) is a website that displays users who are allegedly buying drugs, alcohol, and sex on Venmo. Although the actual transactions should be verified, Vicemo is yet another potential source of open source intelligence for law enforcement.

Website Archives

Interestingly, there is a website that allows users to view a website at a particular point in history. At www.archive.org, the user can utilize the WayBackMachine utility (see Figure 5.9) to enter a URL and run a search to view historical snapshots of a website.

Website Statistics

Sometimes an investigator will need to find statistics about a particular website. Netcraft (news.netcraft.com) provides a range of comprehensive statistics about a website, such as the IP address, how long the website has been active, the mailing address for the domain owner, the web server’s operating system, and many other helpful site statistics (see Figure 5.10).

Alexa

Alexa (www.alexa.com/siteinfo) is another website that provides an array of statistics about various websites (see Figure 5.11).

Finding Personal Information

Many websites provide basic information on individuals, like their address and telephone number. Most of these websites make money by selling the site users more extensive personal information under “premium” services, which can include information about an individual’s assets. Employers sometimes utilize the services of the following websites, and detectives also use them. It is important to note that searches by name generally provide multiple results, some of which are duplicates for the same person because old addresses may be listed.

Zaba Search

Zaba Search (www.zabasearch.com) enables the user to conduct a search based on a cellular telephone number (see Figure 5.12). The free service also provides a Google Earth map of the individual’s location.

US SEARCH

US SEARCH (www.ussearch.com) is yet another online resource for finding personal information (see Figure 5.13). The results identify a list of relations, where possible. The value of this website is limited unless the investigator is willing to pay for additional information.

Searchbug

SearchBug (www.searchbug.com) is a free service on the Web that allows text messages to be sent to any cellular telephone free of charge (see Figure 5.14).

Skipease

Skipease (www.skipease.com) allows the user to enter the zip code and a name to search for a person. Search results show additional information from sponsored websites (see Figure 5.15).

Spokeo

Spokeo (www.spokeo.com) allows a user to search for individuals (see Figure 5.16). It also allows individuals to have their information removed from the site’s search engine. In addition, this site can help ascertain membership in social networking sites (although there may be charges associated with such searches).

pipl

The pipl website (www.pipl.com) provides search results for other personal data, which includes websites like Been Verified or White Pages (see Figure 5.17).

Numerous other personal data providers operate online, including PeopleFinders (peoplefinders.com) and Intelius (www.intelius.com), but most of these websites provide very limited information unless you are willing to pay for their premium services.

Personal Interests and User Groups

In June 2009, Swiss police announced that they had identified an Internet child pornography network that spanned 78 countries, involving more than 2,000 IP addresses. The police had received a tip-off from INTERPOL about a supposed hip-hop music website that was actually being used to disseminate videos of children being abused. The investigation led to numerous arrests and convictions. The Internet continually facilitates the dissemination of contraband, including illicit video and images of children. Pedophiles are also found in user groups, sharing images and ideas about how to groom children to succumb to their abhorrent demands. More importantly, once a user group is found, law enforcement can take down an entire network of pedophiles because these criminals are notorious for networking with like-minded deviants. Many of these pedophile networks pose as a legitimate service to disguise their underground activities. In one case, local law enforcement and the FBI uncovered a website that purported to assist abused children but was actually used to lure underage children.

Al-Qaeda has effectively used the Internet—and user groups in particular—to share its message of hatred and recruit new members. Law enforcement frequently visits these user groups to identify who they should be monitoring and ascertain whether there is any impending danger to the community at large. In 2011, it was claimed that 10,000 jihadist groups were using vBulletin, a group discussion platform. Today, these jihadist groups and numerous right-wing paramilitary groups spread their propaganda across thousands of channels on Telegram. Telegram is an application that allows users to communicate on a channel as a group, via a cellphone or via a web browser. Telegram can also be used to directly message individuals. It has become extremely popular with extremist groups because of its strong, proprietary encryption and the fact that the company does not facilitate law enforcement investigations. SocialNet and OIMonitor, from ShadowDragon (shadowdragon.io) are tools that can be used to copy data from Telegram.

User groups are generally a great source of personal data when it comes to profiling an individual’s behavior. There are many excellent resources that can speed up the work of an investigator.

The HootSuite social media management site (hootsuite.com) is an integration system that collates a variety of social media sites and is a valuable tool for investigators (see Figure 5.18).

Social Searcher (social-searcher.com) is another helpful website for searching for social media accounts, using identifiers like usernames. Another similar website is knowem? (knowem.com).

Searching for Stolen Property

The Internet has made it easier for thieves to profit from their crimes, but the Internet has also made it easier to search for stolen goods. SearchTempest (www.searchtempest.com) is a website that allows the user to search for goods listed in classifieds from multiple websites, including eBay and Amazon. Of course, investigators also should check eBay and Craigslist directly. Searching these websites for stolen property is challenging, but a search can be effective for unique items.

LeadsOnline (leadsonline.com) is a service for law enforcement, eBay, and other resellers that provide a searchable database of stolen property.

Sometimes an investigator will want to establish ongoing surveillance for a suspect, which may include an associated telephone number or email address. Monster Crawler (www.monstercrawler.com), Search.com, and Google Alerts (www.google.com/alert) are effective for searching across multiple search engines and alerting an investigator to online activity by a suspect. It is also possible to use RSS feeds on eBay to be alerted to certain telephone numbers. This is especially important when seeking to identify drug dealers. Investigators can also use keywords to find drug users and dealers, with terms like 420YNOT, PIFF, and MJ. When searching for gang activity, there are keywords, like blood, crip, and cokeboys, that will assist the investigator.

Instant Messaging (IM)

Instant messaging has been transformed recently from merely providing text messaging to including more advanced video, VoIP, and video communications. Most computers come with an integrated webcam as standard, and data transfer rates have dramatically increased with improvements in broadband communications, thereby making video a more viable option. Therefore, applications like Skype, FaceTime, and Google Hangouts have become more prominent.

Internet Relay Chat (IRC) is a text-to-talk tool for communicating with other people online, and it is synonymous with instant messaging. IRC can be used for one-to-one communication or to chat with a group of people in a chat room. IRC can also be used to share files. In addition, the IRC protocol can be used maliciously to send commands to another computer, making it a zombie computer. Port 6667 is often associated with malware being sent to IRC users.

Mibbit is a website (see Figure 5.19) that provides a search engine for chat groups. The website monitors more than 6,000 IRC networks, and users can search these networks based on category.

IRC is extremely important to law enforcement because many criminals use it to communicate with other criminals, co-conspirators, or potential victims. Terrorists, pedophiles, credit card thieves, and cyberbullies have all frequented chat rooms. From a computer forensics perspective, the most important source of information are the IRC servers, more than the computers using the service. However, investigators must act quickly because companies do not maintain their users’ chat logs for very long—perhaps seven days, at most, in many cases.

The importance of instant messaging evidence can be seen in the cyberbullying case of Ryan Halligan. On October 7, 2007, the middle school student committed suicide after being bullied online. Halligan and his friends conversed using AIM (AOL Instant Messenger). The boy’s conversations were inadvertently recorded and archived because Halligan had installed DeadAIM. DeadAIM was a freeware program, created by JDennis, to disable advertising and enable tabbed browsing. Ryan’s father discovered archived folders that DeadAIM had created on Ryan’s computer. The archived folders contained transcripts of conversations from AIM that revealed that a girl called Ashley pretended to like Ryan but later called him a loser. She pretended that she liked Ryan so that she could obtain personal information about him to later share and to embarrass him in front of his friends.

One issue that investigators have to deal with when investigating chat logs is the use of slang and acronyms. Table 5.1 defines some acronyms often used on IM and in cellphone text messages. Naturally, I have chosen to eliminate many acronyms that are inappropriate to print here, but those are readily available online.

Chat Acronym	Meaning
BF	Best friend/boyfriend
BFF	Best friends forever
BG	Be good
CUL8R	See you later
def	Definitely
GF	Girlfriends
GGN	Gotta go now
huh	What?
K	OK
KPC	Keeping parents clueless
LOL	Laughing out loud
MOS	Mom over shoulder
NP	No problem
OMG	Oh my God
peeps	People
PIR	Parent in room
PLZ	Please
POMS	Parent over my shoulder
pron	Pornography
PRW	Parents are watching
pw	Password
r	Are
R U there?	Are you there?
RBTL	Read between the lines
RN	Right now
S2U	Same to you
sec	Wait a second
shhh	Quiet
srsly	Seriously
sup	What is up?
SWF	Single white female
TOM	Tomorrow
TOY	Thinking of you
TTFN	Tata for now
W8	Wait
WD	Well done!
XLNT	Excellent
XOXO	Hugs and kisses
XTC	Ecstasy

Note

Urban Dictionary (www.urbandictionary.com) is a great resource for acronyms and terms young people use today when communicating on social media.

<root>:Documents and Settings[Username]AppDataRoamingSkype[Skype Username].

%localappdata%PackagesMicrosoft.SkypeApp_*LocalState<SkypeUserName>skype.db

~/Library/Application Support/Skype/<SkypeUserName>/main.db

Usenet Groups

Whether a detective is looking for a pedophile or a terrorist suspect, usenets are a good place to begin. Binsearch is a website (see Figure 5.20) that can assist investigators in locating particular groups or suspects on usenets. A usenet is an online distributed discussion board that allows users to post messages and read postings. Usenets, sometimes called newsgroups, first appeared in 1980 and are similar to bulletin board systems or Internet forums. Usenets groups are notorious for attracting pedophiles, political dissidents, terrorists, and others because there is no central host web server—thus, anyone can set up a web server for their own purposes.

Google Groups

Another way to search for a suspect on a usenet is by using Google Groups (see Figure 5.21). The website allows users to search the archives of millions of usenet postings over a number of years.

Blogs

Monitoring blogs and accumulating information about a suspect on blogs is important. Moreover, there are some types of crimes that have a particular attraction for certain kinds of criminals. Pedophiles are notorious for their use of blogs and chat rooms as they seek to network with their own kind. Terrorists also frequent blogs and share their hatred and conviction to a particular cause with like-minded individuals.

In the wake of the Norwegian killing spree in 2011, police searched blogs to find out if there had been any postings by the murderer, Anders Behring Breivik. It is customary for police to search blogs after a serious crime has been committed, especially after a killing spree, to assess the motivation for an attack and, more important, ascertain whether the perpetrator had an accomplice.

You can use the Blog Search Engine (www.blogsearchengine.org, see Figure 5.22) to search for blog content.

Militant Jihadists, especially Al-Qaeda and Islamic State (IS), have successfully used blogs to recruit and motivate sympathetic individuals. For example, Samir Khan was a prolific radical pro-Al-Qaeda blogger while he was a student at a community college in Charlotte, North Carolina. He was later killed, along with the notorious Al-Qaeda leader Anwar al-Awlaki, by a U.S. drone attack in Yemen.

Social Networking Websites

The proliferation of social networking websites means that they are a tremendous source of information to investigators. Access to sites like Facebook is ubiquitous. Moreover, users can quickly take photos with smartphones, like a Samsung Galaxy, and upload them within seconds. Those with a tablet or iPad can also quickly upload images or post comments.

Geodata

Geolocational data, available from websites like Facebook, Twitter, and Foursquare, has grown in importance. In other words, users of these services provide a tremendous amount of information about their location, either intentionally or unintentionally. For example, geographical positioning is often available by default from devices, like an iPhone. Today, this geographical positioning information is not enabled on the device by default. Smartphones running on the Android operating system also capture geographic positioning data.

Photographs taken with certain cameras, and also photographs taken with smartphones, like an iPhone, will contain a geotag if Location Services are enabled. A geotag is digital image metadata containing the latitude and longitude of the geographic location where the picture was captured.

Geolocational data can be associated with numerous applications, including Instagram, YouTube, Facebook, and Twitter. It is possible to subpoena MapQuest for the IP address associated with searches on its website.

Although geotags and geographic locational data can help law enforcement locate and apprehend wanted suspects and convicted criminals, criminals can also use geographic data to identify where individuals are located in order to stalk them or rob their homes. For example, a user posting tweets to Twitter or checking in to locations with Facebook can make it simple for a criminal to learn the routine of the individual and determine when the person has left home. Websites like Please Rob Me (pleaserobme.com) use social networking data to reveal where a person has been and where he or she currently is. Geofencing, which enables investigators to subpoena Google to determine users who have been in a specific area, is also an extremely important source of geolocation information that can narrow a pool of suspects.

Creepy (geocreepy.com) allows an investigator to find the location of a user based on geolocation data culled from Twitter, Facebook, and other social networking websites. While the tool is still available, it is not maintained with new updates.

Facebook

Facebook has more than 2.6 billion active users. A large number of these users access their profiles from mobile devices. Facebook has been used by identity theft criminals to profile their victims. Additionally, Facebook has been used by investigators to find and apprehend criminals on the lam and even by victims who post photos of home invaders. Conversely, it has been used by thieves to target homes, as a result of people posting status updates, like “I’m on vacation”.

Facebook can be used as a search engine for user profiles and content. For example, a search on Facebook could begin “Photos of people who live in…” or “People who live in <location> who like drugs”.

As mentioned, photos today contain geolocation information, so an investigator may be able to determine where a photograph was taken. In recent times, fugitives have been caught because photographs they posted on Facebook contained geolocation information (geotag) that ultimately led police to their place of hiding. Although Facebook now strips out geotag data from images that its users upload, prior to making the pictures available online, the company does keep a record of location data. Law enforcement can generally gain access to this geotag data with an appropriate search warrant.

Facebook also has thousands of groups in existence. Law enforcement has embraced Facebook groups, especially in Canada. A group called Canada’s Most Wanted Criminals can be found on Facebook and is dedicated to making the public aware of known criminals who are wanted by the law. The Royal Canadian Mounted Police (RCMP) uses Facebook extensively to raise public awareness of its initiatives and crime in general. The RCMP on Prince Edward Island (PEI), Canada’s smallest province, has used Facebook to keep track of where kids are having parties during prom season and to prevent kids from drinking and driving. PEI RCMP also maintains an AMBER Alert Facebook profile to help in quickly locating abducted children. AMBER is the acronym for America’s Missing: Broadcasting Emergency Response, although the name is in memory of Amber Hagerman, a 9-year-old who was abducted and murdered in Texas.

Incidentally, an organization called Wireless AMBER Alerts enables users to sign up and assist with missing children (https://amberalert.ojp.gov/resources/wireless-emergency-alert). The FBI has also developed the Child ID app, where guardians can register information about their children and promptly send those details to law enforcement in time of emergency.

The FBI has also used Facebook to try to apprehend wanted criminals and has even developed an iPhone application called FBI Wanted. The FBI has used Facebook, Twitter, and YouTube to raise public awareness about its most wanted criminals, and some credit can be attributed to social media in the apprehension of James “Whitey” Bulger, the Bostonian mobster on the lam for 16 years. A YouTube video was posted by the FBI, who targeted Bulger’s girlfriend—Catherine Greig (see Figure 5.23).

Twitter

Twitter can be a marvelous resource for helping an investigator re-create the events that led up to a crime or the behavior of the criminal. The site enables users to tweet (upload a message) to show where they are and what they are doing. Some Twitter accounts also have been used to evade law enforcement; drivers in California were using Twitter to alert other drivers about sobriety checkpoints.

The URL twitter.com/explore will enable an investigator to find out which users are discussing a particular topic on Twitter. A search can be specific to a location: “near:boston lego”.

There are a number of Twitter analytics tools that use Twitter’s APIs. An Application Programming Interface (API) is a computer program that facilitates the interaction between two computer applications or programs.

Foller.me is a tremendous tool for Twitter analytics. It details a user’s connections, topics, and URLs, as well as the mode of posting tweets; for example, postings were performed using an iPad. Foller.me provides information about a user and when he or she joined. This tool also provides highlights of topics discussed by that user. The number of tweets and retweets are noted for a user. The website followerwonk.com allows a user to log into his Twitter account and analyze his followers, getting information about where they are located and when they tweet. Another tool, TweetDeck (tweetdeck.twitter.com), facilitates real-time tracking of Twitter accounts in a convenient manner.

MySpace

MySpace is a social networking website that is very similar to Facebook but that has many fewer users. A user can create a profile and befriend individuals and groups. The average user tends to be younger than a Facebook user, and music is an important part of the site.

Professional Networks

Investigators often think about using social networking websites to profile a suspect or apprehend a criminal. However, they should also consider searching through professional networking websites.

LinkedIn

More than 460 million professionals use LinkedIn (www.linkedin.com; see Figure 5.24). Information about a user’s network of friends and professional colleagues can also be gleaned by searching the site. An investigator can also determine an individual’s interests, based upon their membership of the many professional groups and organizations available. LinkedIn facilitates the use of other social networking services, like Twitter, as well. A user can link a LinkedIn account to a Twitter account and can post tweets through LinkedIn. When searching for user profiles, it is important to remember that a user can identify who has viewed a profile. Therefore, a search can be conducted through google.com and it is preferable to search using a sockpuppet profile.

In addition, these websites can also provide information about professionals and the organizations that they are associated with:

• Xing (www.xing.com)

• Spoke (www.spoke.com)

• D&B Hoovers (www.dnb.com)

Public Records

Many different public records containing personal information are available on the Web. Some of these records involve legal actions and are profiled here.

BRB Publications, Inc.

BRB Publications (www.brbpub.com; see Figure 5.25) provides detailed background information on individuals for a fee. The requested report includes information like criminal offenses, bankruptcies, liens, real estate records, and business ownership.

Identity Theft

In terms of gathering personal information, a criminal can use a variety of the online websites, noted earlier, to determine someone’s telephone number, address, and net worth by paying for an in-depth search. Moreover, a criminal can view a person’s residence (using a site like Zillow, www.zillow.com) and quickly decide on a plan to rob that house, if necessary, through the use of Google Earth.

Hackers do not even need to work out a user’s password today but can simply reset a password by answering challenge questions from the email service provider. For example, a challenge question might be to enter the city where you were born or to enter your pet’s name. The answers to these questions are frequently available from a person’s profile on Facebook or similar social networking website. Alaska Governor Sarah Palin had her Yahoo! email account hacked, and her personal emails were subsequently posted online. Apparently, the email account hack did not require much technical skill; the password was reset using Palin’s date of birth, zip code, and information about where she met her husband—questions easily found through Google searches. Two-factor authentication (2FA) has helped to mitigate some of these vulnerabilities. For example, an authorization code may be texted to the user’s smartphone before a password can be reset.

Access to user accounts, like online banking and email accounts, frequently occurs through keystroke loggers. Law enforcement officials also can use these keystroke loggers to capture criminals. An example of this was the capture of Alexey Ivanov and Vasily Gorshkov, notorious hackers who plied their trade in extortion. The FBI ultimately brought down the hackers through the use of a keystroke logger. Chapter 13, “Case Studies”, provides more details about this case.

Credit Cards for Sale

Credit card theft is a huge problem worldwide. The Internet has enabled credit card theft to grow. Crime in some areas has moved from the streets to the Web. Simply type the word “fullz” into any search engine, and you can see a list of websites that offer stolen credit card numbers for sale, including the CVV number that so many believe provides security to the user. A stolen credit card number can cost as little as $1.50. Many credit cards have been stolen from individuals because of malware like Zeus. Zeus was a Trojan horse virus that used a keystroke logger to steal bank and credit card information.

Electronic Medical Records

In August 2014, Community Health Systems, a general hospital healthcare provider, reported that 4.5 million healthcare records were stolen. Mandiant (now called FireEye) believed that Chinese hackers were responsible. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the American Recovery and Reinvestment Act. This act mandated the move from paper records to electronic health records (EHR). Although this act was designed to increase efficiency in the healthcare industry, moving so many records to a digital format and storing them on a network has enticed hackers to attack healthcare providers. This mandate required the movement of all medical records to an electronic format by January 2015. The act cost billions of dollars, and, unfortunately, compliance was often the primary focus rather than computer security.

The growth in this type of crime has been phenomenal—for one clear reason: while a stolen Social Security or credit card number can sell for as little as $1, a patient EHR can sell for $20 or more on the black market. An EHR can fetch a larger sum of money because it contains more personally identifiable information (PII), which criminals can then use for a whole range of fraudulent activity.

Counterfeit and Counter-proliferation Investigations (CPI)

The are many types of investigations that can involve examining shipping information. For example, trade in counterfeit goods or counter-proliferation investigations (CPI) can benefit from this type of information. Counter-proliferation refers to efforts to prevent the export of weapons and proprietary technologies to foreign nations or terrorist groups. Port Examiner (portexaminer.com) is an online resource that allows an investigator to examine U.S. Customs records. VesselFinder (vesselfinder.com) is a website that allows you to track shipping vessels just about anywhere across the globe. Marine-Traffic (marinetraffic.com) allows an investigator to track active and decommissioned marine vessels across the globe. Google Street View and Google Earth could be used to take a closer view of shipping ports and warehouses to gather reconnaissance. When investigating counterfeit goods on a website, many unauthorized websites and counterfeit listings use photos of real products and images taken from legitimate websites. There are websites, like TinEye (tineye.com), that can perform a reverse image lookup to show where that photo image appears on other websites.

Cyberbullying

Cyberbullying continues to be a problem worldwide and has received a great deal of media attention, particularly in the high-profile cases of Ryan Halligan, Phoebe Prince, Megan Meier, and Tyler Clementi. Prosecutors must rely heavily on digital evidence from online sources from the victim’s computer, suspects’ machines, and Web service providers. Unfortunately, the laws in many jurisdictions have yet to be updated to criminalize cyberbullying.

Social Networking

As discussed earlier in this chapter, law enforcement, criminals, and companies can use social networking to find out about individuals. Social networking websites have also been a hotbed of criminal activity. Facebook, for example, has been used to launch phishing apps (applications). One example is a fraudulent notification about a comment to a user’s post. The hyperlink in the notification may then lead to a phishing website.

Another case highlights the problems associated with social networking websites. Recently, a college resource company posted phony high school class profiles on Facebook. The phony profiles showed a high school student from a class looking to connect with other students from the same graduating class. A marketing company was setting up the profile so it could use the connections to market colleges to high school students.

The U.S. Department of Defense has been of two minds about whether to permit military personnel access to social networking sites. On one hand, social networking can boost troop morale, enabling those stationed abroad to maintain contact with family and friends. On the other hand, military secrets could potentially be leaked to the public. In Israel, a military raid was scrubbed after an Israeli soldier posted information about the raid on Facebook.

The social networking site Twitter has also been in the news. In 2010, the Twitter accounts of U.K. cabinet ministers were hacked. Similarly, during the Russia–Georgia conflict over Ossetia in 2008, Twitter accounts were hacked and the website of the Georgian president was subjected to a distributed denial-of-service attack (DDoS).

Online criminal activity is no longer simply motivated by money or just a challenge of wits. Online criminal activity has changed in recent times to include religious propaganda by groups, like Al-Qaeda and Islamic State, and is also politically charged with the emergence of hacktivists like Anonymous, AntiSec, and LulzSec. Junaid Hussein, a British-born hacker, rose to the highest ranks of the Islamic State and carried out a global cyber-attack that compromised the identity of U.S. military personnel.

Using Screen Captures

Many different types of screen capture software are available. Whether you are using a personal computer or an Apple Mac, capturing what is displayed onscreen is relatively simple. On a PC, there is a Print Screen button. On a Mac, this is a little more involved.

Windows 10 now includes the Snipping Tool, which can easily capture an entire screen, a smaller window, or a small portion of a screen. In the Search bar, on your Windows Desktop, simply type snip and then press Enter to open the application.

Using Video

Investigators will often come into contact with video content on the Internet. It is important to possess a tool that can capture that video content.

Investigators today do not need to view videos in their entirety to understand the content, especially if the video is particularly graphic and disturbing. Autopsy Video Triage enables an investigator to view thumbnail images instead of streaming the video. The investigator can predetermine the intervals for creating thumbnails. An additional advantage of creating thumbnails is that the images can simply be copied to the report instead of having to create DVDs of the video for the defense and prosecution.

SaveVid.org is yet another tool to capture online video from YouTube and other hosts in a variety of video file formats.

Real Player is available for free from real.com. What sets it apart from other tools is how user-friendly it is. When viewing a video, you do not have to open the application; you can simply move the mouse over the right top corner to find the button Download This Video.

A number of other video recording tools are available, including WM Recorder (wmrecorder.com).

Viewing Cookies

A cookie is a text file sent from a web server to a client computer for the purposes of identification and authentication. A persistent cookie is a text file identifying an Internet user that is sent to the browser and then stored on a client computer until the expiration date stored in the cookie is reached. Generally, persistent cookies are used to record websites that a user visits and are spyware. Nevertheless, cookies are not malware. A session cookie is a text file sent to a browser that is stored on a computer and used to identify and authenticate an Internet user; it is removed when the user’s browser is closed. Online banks use session cookies to authenticate users during a browser session, when requests are made, to prevent man-in-the-middle attacks. If a hacker attempts to take over an online session, the web server should be able to know that the intruder is impersonating the legitimate user because the intruder does not have a cookie issued by the bank. An analogy is an adult paying to enter a county fair and receiving a green wristband, the equivalent of a cookie. If a teenager attempts to buy beer (equivalent to a hacker) and has a yellow wristband, the vendor (equivalent to a web server) would deny service to the individual. Yet another type of cookie is a flash cookie. A flash cookie, also referred to as a Local Shared Object (LSO), stores data on a user’s system and is pushed out by websites running Adobe Flash. These cookies can be used to track a user online.

Microsoft Edge stores cookies randomly in a variety of folders, in an effort to fend off hackers. Examiners working with systems running Microsoft Vista, Windows 7/8/10 can find cookies in <root>Users<username>AppDataRoamingMicrosoftWindowsCookies

The cookie text file clearly identifies the website(s) that the user has visited, as shown in this example:

Click here to view code image

__qca P0-170859135-1366509561547 livefyre.com/ 2147484752 559795968 30403767
3611057200 30293555 * __utma 218713990.303107170.1366509562.1366509562.13665095
62.1 livefyre.com/ 2147484752 3363037824 30440406 3612307241 30293555 * __utmb
218713990.1.10.1366509562 livefyre.com/ 2147484752 130586240 30293560 3612307241
30293555*__utmz 218713990.1366509562.1.1.utmcsr=msn.foxsports.com|utmccn=(referral)
|utmcmd=referral|utmcct=/nhl/story/new-york-islanders-beat-florida-panthers-041613
livefyre.com/ 2147484752 2471084672 30330268 3612307241 30293555*

In a move to improve system security further, Internet Explorer 9.0.2 randomly assigned an alphanumeric name to each cookie text file. The contents of the cookie files remained the same, although investigators could no longer associate the cookie filename with websites.

Using Windows Registry

An investigator can determine the websites a user has visited by accessing Windows Registry. The following Registry location displays websites that the user has visited:

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerTypedURLs

From here, the investigator can export the registries as a text file and then open the entries with an application like Notepad. Of course, other applications, like AccessData’s Registry Viewer application, provide a comprehensive way to access file registries.

A history of websites visited can also be retried from a hidden file called index.dat. The file index.dat is a collection of files created by Microsoft Internet Explorer and contains websites visited and Internet searches. The file also includes cookies and cache saved on a user’s computer. The file actually contains a large amount of historical Internet information, and the good news for investigators is that the file is linked to the user who has logged in; the user has very little control over how the file stores information. According to the Microsoft website, the file never increases in size, even when the user deletes Internet history and clears the browser cache, and it is never deleted.

The index.dat database of files is not readable without the use of a special viewer. The following exercise introduces you to a free application that enables you to view the contents of index.dat.

Classroom Discussions

1. In this chapter, you have learned that numerous online resources can assist investigators in gathering personal information about a suspect. Conversely, the abundance of personal information available online may be providing criminals with information that can assist them with identity theft, burglary, and other serious crimes. Some countries have sought to provide greater protection for consumers and limit the amount of personal information available online. Is there enough protection for consumers and their personal information?

2. Say that you are a detective, who has been asked to investigate a website suspected of selling counterfeit Microsoft and Adobe applications. What would you do to find out about the website and document the content and website statistics for your investigation report?

3. There is a benefit to investigators to have access to geotags and other geolocational information to locate and apprehend suspects and convicted criminals. Conversely, the availability of this information puts many individuals in danger of being stalked or robbed. Is greater public awareness more important than the digital evidence that it provides investigators?

Multiple-Choice Questions

1. Which of the following can be used to share large files with other Internet users?

1. BitTorrent

2. XOR

3. TALON

4. Zeus

2. IRC is the acronym for which of the following?

1. Internet Recipient Chat

2. Instant Response Communication

3. Internet Response Communication

4. Internet Relay Chat

3. Jabber is the old name for an instant messaging protocol that is now called what?

1. DeadAIM

2. iChat

3. XMPP

4. XML

4. Which of the following is an operating system developed by Google for use on mobile devices?

1. Linux

2. Android

3. iOS

4. Windows

5. Which of the following includes the longitude and latitude of where a digital photograph was taken?

1. Geotag

2. LatLongTag

3. Metatag

4. Cookie

6. AMBER is the acronym for which of the following?

1. Alert Motorists Broadcast Emergency Relay

2. America’s Missing: Broadcast Electronic Relay

3. Automatic Monitoring: Broadcasting Emergency Response

4. America’s Missing: Broadcasting Emergency Response

7. What is the name of the unique identifier assigned by an internet service provider (ISP) each time one of its clients connects to the Internet?

1. Session cookie

2. Persistent cookie

3. Dynamic IP address

4. Router

8. Which of the following is the name of the Trojan horse virus that uses a keystroke logger to steal bank and credit card information?

1. Poseidon

2. Zeus

3. Apollo

4. Hermes

9. Which of the following could be considered spyware?

1. Persistent cookie

2. Session cookie

3. Cache

4. Dynamic IP address

10. Which of the following is a file that contains a history of websites visited using Microsoft Edge on a Windows 10 personal computer?

1. WebCacheV01.dat

2. IE.dat

3. Index.dat

4. WebCache.dat

Fill in the Blanks

1. A(n) __________ is the process used to acquire information without the individual or suspect knowing the true identity of the investigator.

2. __________ (short for theamnesicincognitolivesystem) is a live operating system that provides anonymity for the user using virtualized sessions with Tor.

3. __________ currency is legal tender that is backed by a government or governments.

4. Sometimes referred to as newsgroups, a(n) __________ is an online distributed discussion board that allows users to post messages and read postings.

5. The Real Time __________ is a data warehouse developed and used by the New York Police Department’s more than 35,000 police officers to track and apprehend known and suspected criminals.

6. The __________ Security Data Network is a network developed by Northrup Grumman that contains top-secret, classified, and unclassified information.

7. A __________ cookie is also referred to as a local shared object (LSO). It stores data on a user’s system and is pushed out by websites running Adobe Flash.

8. A(n) __________ Programming Interface is a computer program that facilitates the interaction between two computer applications or programs.

9. A(n) __________ address is a 32-bit or 128-bit number that uniquely identifies a host on the Internet.

10. A(n) __________ cookie is a text file sent to a browser that is stored on a computer and used to identify and authenticate an Internet user; it is removed when the user’s browser is closed.

Projects