Chapter 4

Technical Investigations

Information in this chapter

• Digital investigative techniques

• Who? What? When? Why? Where? and How?

• “Other” device forensics

• Online social networking

• User activity

• Digital authorship

• Profiling

• Biological forensic evidence

• Triage and previews

Introduction

This chapter gives principles of extracting and interpreting digital evidence that can help place the suspect behind the keyboard. Although the information described will be based on the Windows Operating System, it will be the principles and concepts that are most beneficial to the investigator. Keep in mind that this single chapter cannot replace entire texts on forensic analysis, nor will this chapter go into great detail on any one specific topic.

A continuing concept, as with the preceding chapters, is building a timeline of the suspect’s activity. So far, we have collected information through interviews and conducting physical surveillance. Now we will dive into the electronic crime scene to create a timeline of data with the end goal to merge both into a comprehensive investigation.

As you read through this chapter, keep in mind you are not only building a timeline of the suspect’s activity, but also looking for evidence that shows intention and knowledge of the incident under investigation. An incident discovered without having evidence proving guilt is simply just a discovered incident and not a resolved investigation. All incidents still have a basic foundation that a person or persons cause the incidents or commit the crimes, no matter how high- or low-tech the method they use.

This chapter is not a ‘how to do forensics’ chapter. There are plenty of resources that go much further in detail in specific areas than can be fit into one chapter. This chapter gathers various troves of digital evidence relating to suspect attribution with the expectation the examiner can either conduct the forensic analysis work already or learn methods using available resources.

All references to specific software are solely for demonstrative purposes, not instructive in the use of any software. Whether commercial, open source, freeware, or personally developed software is used depends upon the individual situation of each examiner. That also includes personal validation of the tools and appropriate use of software licenses.

Furthermore, not all aspects of recovering digital artifacts are described in this chapter, only a selection of those artifacts used to tie a specific person or persons to a specific device and activity. The use of the terms ‘suspect’ and ‘crime’ not only pertains to criminal investigations but also civil or internal investigations. Substitute ‘suspect’ with ‘custodian’ and ‘crime’ with ‘allegation’ as it fits your situation.

Digital Investigative Techniques

An investigator may be an expert in a physical crime scene, just as a forensic examiner may be an expert in an electronic crime scene, but both need to be aware of how the physical and electronic crime scenes interact with each other. A basic premise of any crime scene is that evidence exists. Dr. Edmond Locard surmised that every contact between objects leaves some trace of that contact, usually as material exchanged between the objects (Bisbing R., 2006). Whether it is a strand of hair, a drop of blood, a tool mark, or even DNA, there is some trace of evidence to be found when two objects touch. This is what came to be known as Locard’s Exchange Principle.

In the electronic world, the traces of evidence may include modification or creation of files, or logs that document other user activity. Merely turning on a computer leaves traces that not only was the computer turned on, but the exact files that were changed while the computer was on. Locard’s Exchange Principle also applies to the electronic world as electronic files are touched when accessed, modified, or created.

Most forensic examiners have been asked at least once if they can prove a specific person was at the keyboard at a specific time. The common, and correct, answer is that without corroborating evidence, it is virtually impossible to place a person at the keyboard. Corroborating evidence may be a single item, such as security camera footage of the suspect and computer together. Or it may be a multitude of circumstantial evidence that, when examined in a totality of the circumstances, shows that no one but the suspect could have been at the keyboard.

What is a person?

An IP address is not a person. An IP address is simply a numerical designation of a device that uses the Internet Protocol. This IP address can usually be traced to a physical location; however, sometimes, it may not even be tied to an accurate location. An IP address is a clue as to where a device may have physically existed while connected to the Internet. There are also other problems associated with IP addresses such as dynamic addressing where at a given point, the IP address may be reassigned after the commission of an incident.

As an IP address can be used by any person with access rights, such as a home wireless network, identifying an IP address does not identify an individual person. Using a home wireless as an example, persons outside the home can access the wireless network either by permission of the owner or through bypassing security measures for access. Therefore, even the physical location to which an IP address is listed may not be the physical location where a person accessed the network. Potentially, a person can access an open and unprotected wireless network or even bypass security of the wireless network from the street or hundreds of feet away from the physical location. An IP address by itself means that additional investigative methods are necessary to ensure proper identification of the suspect.

Even more troublesome when solely focusing on an IP address to identify a person is the existence of methods to obscure IP addresses. Examples include virtual private networks (VPN) and The Onion Router (Tor), also known as the Tor Project. A suspect using any one of these methods may not only be effectively hiding their actual IP address but also placing other persons at risk of being wrongfully identified. Relying upon IP addresses in which a VPN or Tor was used will most likely result in following inaccurate investigative leads.

A MAC address, on the other hand, is the number assignment given to network interface cards which usually can be traced back to a physical machine. The MAC address is much like a serial number imprinted on a physical device, but like IP addresses, it is also possible to change MAC addresses to obscure tracking methods. So, a MAC address is also not a person.

Tor is free software that uses a network of virtual tunnels by which a Tor user’s IP address is effectively hidden through many anonymous relays. Figure 4.1 shows a visual example of how Tor works. As can be seen, an IP address that is a Tor exit relay will not be the suspect’s IP address but only the last relay that was used.


Figure 4.1 Tor exit relays, last exit relay is not encrypted.

An unfortunate Tor exit relay case example occurred during the spring of 2011. Immigration and Customs Enforcement agents served a search warrant and seized six computers in a child pornography investigation in which the suspect and location were identified by an IP address (Hofmann, 2011). The IP address was a Tor exit relay, which, as can be seen in Figure 4.1, is just the last computer through which traffic passes before reaching its destination. In this case, the alleged suspect allowed his computers to be used as a Tor exit relay for other Tor users. However, the alleged suspect had no knowledge or control of the data exiting his Tor relay and accordingly, was not involved in child pornography.

Investigators relying upon IP addresses are advised to check the Tor Project website (http://www.torproject.org) to compare a suspect’s IP addresses with a list of known Tor exit relays. This will reduce the risk of focusing on an IP address and person that is of no relation to the actual suspect, other than being the last exit relay in a long chain of relays.
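The check described above, as an added example (not code from the book): exit relays change addresses over time, so a suspect IP is only compared against exit-list entries observed close to the incident time. The block assumes an exit-list text with ExitNode/Published/LastStatus/ExitAddress lines, as the Tor Project's exit-list service publishes; the entries and fingerprints below are constructed.

```python
"""Compare suspect IP addresses against a Tor exit list around the incident
time. Added example, not the book's code. Assumes an exit-list text with
ExitNode / Published / LastStatus / ExitAddress lines; the sample entries
and fingerprints below are constructed, not real relays."""
from datetime import datetime, timedelta

# Constructed sample exit list (documentation-range IPs, fake fingerprints).
SAMPLE_EXIT_LIST = """\
ExitNode AAAA000000000000000000000000000000000001
Published 2011-04-02 08:00:00
LastStatus 2011-04-02 09:00:00
ExitAddress 203.0.113.10 2011-04-02 09:05:00
ExitNode AAAA000000000000000000000000000000000002
Published 2011-04-02 08:00:00
LastStatus 2011-04-02 09:00:00
ExitAddress 198.51.100.7 2011-03-20 22:10:00
ExitAddress 198.51.100.8 2011-04-02 09:05:00
"""


def parse_exit_list(text):
    """Return (fingerprint, ip, seen_time) tuples, one per ExitAddress line,
    attributed to the ExitNode that precedes it. Times are UTC."""
    entries = []
    node = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) >= 2:
            node = parts[1]
        elif parts[0] == "ExitAddress" and len(parts) >= 4:
            seen = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
            entries.append((node, parts[1], seen))
    return entries


def tor_exit_matches(entries, ip, incident_time, window_hours=24):
    """Fingerprints of relays that used `ip` as an exit address within
    window_hours of the incident. An old observation of the same IP is
    not evidence the address was still an exit at the incident time."""
    window = timedelta(hours=window_hours)
    return [fp for fp, addr, seen in entries
            if addr == ip and abs(seen - incident_time) <= window]


def classify_ips(entries, ips, incident_time, window_hours=24):
    """Label each suspect IP 'tor-exit' or 'not-in-list' for the window.
    'not-in-list' is not proof of a direct connection; VPNs and unlisted
    relays still need to be considered."""
    return {
        ip: ("tor-exit" if tor_exit_matches(entries, ip, incident_time, window_hours)
             else "not-in-list")
        for ip in ips
    }
```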

A computer user account is also not a person. User accounts are simply a convenient method where multiple users can have their data confined and protected from other users of the same computer. Or it may be to give different users of a system different access rights. Either way, it is only a convenience and not a surefire method to allow only authorized users to access their own account.

In a residence where multiple persons have access to a computer, it is possible that all residents use a single user account or that they may share all of the accounts. In a business location, users may inadvertently leave their computer open to access by any passerby. Any of these situations allows for a user account to be considered a clue as to the actual computer user, but not affirmatively tied to any person without corroborating evidence.

So what is a person? A person is a human, not a number such as an IP address, MAC address, or name on a user account. As an investigator, remember that you are working toward identifying the person that committed violations in question and placing that person at the keyboard.

Who? What? When? Why? Where? and How?

A key factor in placing any person at the scene of a crime is obtaining evidence that can place an identified suspect as it relates to the scene of the crime. Previously discussed methods of physical surveillance and obtaining records are usually the best evidence of placing a suspect at a specific place and at a specific time, but as most investigations involve reacting to incidents, this may not be always possible.

Second best evidence is the examination of an electronic device that had been possessed by a suspect. The only reason why this is not as good as physically placing a person at a scene is because unless there is additional corroborating information, a forensic examination of electronic media by itself cannot place a person to that device.

Investigations need to establish where the electronic device has existed by date, time, and location based on the device’s activity. As there will be a multitude of dates and locations collected, our ever–growing timeline of suspect activity comes into play to keep track of the evidence chronologically. In a case where several electronic devices have been used by a suspect, the amount of data expands exponentially.

With our goal of placing devices in the hands of the suspect, the more devices we have to examine, the more likely we will be able to accomplish this task using all available information. By obtaining the likely physical location of an electronic device through forensic analysis and also obtaining the physical locations of a suspect through means other than a forensic analysis, inferences can be made as to the likelihood the suspect controlled the device. Not a certainty, but definitely a piece of circumstantial evidence to build upon.

Location

Physical surveillance methods easily determine physical locations by visually watching suspects travel to different locations. Dates, times, and the physical addresses are documented for each instance of surveillance observing the suspect. In addition to physical surveillance of persons, geolocation is used to track electronic devices, not persons. Geolocation, whether derived from GPS coordinates, Radio Frequency Identification (RFID) scanning, Wi-Fi connections, or a myriad of other electronically stored location information, refers either to the process of determining a location or to the actual physical location itself.

More electronic devices are being outfitted with geolocation capability which pinpoints the location of the device through GPS or cell tower triangulation. Triangulation uses two known geolocation points to identify a third unknown location. Wi-Fi network connections can also be used to provide geolocation to a device. In particular, smartphones may rely on a combination of geolocation sources to provide accurate location identification. Geotagged information can be embedded in photos, videos, text messages, emails, and even websites.

Forensic analysis of electronic devices can result in extensive historical records of geolocation points along with the dates and times of each point. Tying these locations of devices to specific persons gives a clear picture of activity and the identity of the suspect in control of the device.

Time

All forensic examinations commonly include determining the date and time of the evidence system. Dates and times play one of the most critical parts of a forensic analysis as it is the basis of a timeline analysis. Extracting data and activity is also important, but the activity needs to be attributed to specific and accurate dates and times. Where numerous persons may have access to a specific computer, a process of elimination of suspects helps to narrow the potential number of suspects. This elimination hinges on having accurate information on the dates and times of the evidence system.

Determining the time zone of the evidence system also aids in location, in that it at least shows the evidence system is configured for a time zone relevant to the investigation. Obtaining the date and time from the physical system can be done by accessing the BIOS, as seen in Figure 4.2. In this example, the time zone is not available, only the date and time. If this information matches the local time, then you can assume the time zone to be the same as the local time zone.


Figure 4.2 BIOS.

Many computer users are aware of their computer clock since it is usually displayed on the task bar unless intentionally hidden. Adjusting the computer date and time has been made extremely simple for even the most beginning computer user by easily double-clicking the displayed time and changing the date and time with a popup dialog box as seen in Figure 4.3.


Figure 4.3 Windows date and time dialog.

Since the date and time are so easily changed, examination of other information from the system to corroborate dates and times is necessary. As Locard’s Exchange Principle shows, every contact leaves a trace. By changing the system date and time, traces of this activity may be found through analysis of the UserAssist key and possibly the Windows Event Log. Further corroboration can include examining the headers of emails, as the headers will have server dates listed which can be compared to the received dates in the email programs. Internet records, such as cookies, can be checked, as some cookies may also have server time listed in them.

Recovering the Windows clock settings forensically involves extracting this information from the registry using any number of forensic software applications. RegRipper is an open source application aptly suited for extracting this information. As seen in Figure 4.4, the output of RegRipper is a text file which shows the TimeZoneInformation key. The information extracted is in UTC/GMT time, but can be converted to a time zone by adding the ActiveTimeBias to the displayed UTC time.


Figure 4.4 RegRipper output of time zone information from the registry key, ControlSet001\Control\TimeZoneInformation.

Other applications may not use UTC/GMT time, so it is solely up to the examiner to make sure any references to dates and times are consistent and correct based on the tool used. There are many unintentional methods to completely confuse a courtroom when explaining computer technology, but do not let the confusion of time be one of those unintentional methods. Sometimes the simplest method to communicate complicated technology is to show the validated output of an application that clearly shows the court that which may be obvious to the examiner but not to a layperson. An example of showing the time zone setting of a computer system can be seen in Figure 4.5.
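The TimeZoneInformation conversion described above, as an added example (not the book's or RegRipper's code). Two details a practitioner has to get right: the registry stores the bias values as unsigned 32-bit DWORDs, so a zone east of UTC appears as a very large number, and ActiveTimeBias is defined as the minutes to add to local time to reach UTC, so local time is the UTC time minus the bias. The "Name -> value" lines are a constructed sample in the style of the RegRipper timezone output.

```python
"""Apply TimeZoneInformation registry values to UTC timestamps.
Added example, not the book's or RegRipper's code. The parser assumes
"Name -> value" lines; the sample text below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample resembling RegRipper output (not a real case).
SAMPLE_OUTPUT = """\
TimeZoneInformation key
ControlSet001\\Control\\TimeZoneInformation
  DaylightName   -> Pacific Daylight Time
  StandardName   -> Pacific Standard Time
  Bias           -> 480 (8 hours)
  ActiveTimeBias -> 420 (7 hours)
"""


def parse_bias_values(text):
    """Pull every integer *Bias value out of the tool output."""
    values = {}
    for m in re.finditer(r"^\s*(\w*Bias)\s*->\s*(-?\d+)", text, re.MULTILINE):
        values[m.group(1)] = int(m.group(2))
    return values


def dword_to_signed(value):
    """REG_DWORD is unsigned 32-bit, but the Bias values are signed minutes:
    0xFFFFFF88 (4294967176) means -120, i.e. a zone two hours east of UTC."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def local_from_utc(utc, active_time_bias):
    """ActiveTimeBias = minutes to add to local time to get UTC
    (UTC = local + bias), so local = UTC - bias."""
    bias = dword_to_signed(active_time_bias)
    if utc.tzinfo is None:
        utc = utc.replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(minutes=-bias)))


def local_string(utc, active_time_bias):
    """ISO 8601 local time with an explicit offset, ready for a timeline
    so that UTC and local values are never confused in a report."""
    return local_from_utc(utc, active_time_bias).isoformat()


def utc_offset_label(active_time_bias):
    """Human-readable offset for the court, e.g. 'UTC-07:00'."""
    minutes = -dword_to_signed(active_time_bias)
    sign = "+" if minutes >= 0 else "-"
    hours, mins = divmod(abs(minutes), 60)
    return f"UTC{sign}{hours:02d}:{mins:02d}"
```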

Obviously, having shown that a suspect computer is configured to the same time zone compared to an incident may not be much in the way of clear evidence, but the point is gathering tidbits of evidence to paint an entire picture. Once a precise basis of time has been established on the electronic systems, an accurate timeline can be created. An excellent utility to help maintain consistent time values throughout an investigation is the Time Lord Utility by Paul Tew, as seen in Figure 4.6.


Figure 4.6 The Time Lord utility allows easy comparing and conversion of various time related tasks. http://computerforensics.parsonage.co.uk/timelord/timelord.htm.

Wireless connections

Computer users with wireless capabilities in their systems can selectively choose the wireless networks of their choice, given they have access rights to the network. This is done simply through an interface in Windows. An example of a computer user’s view of wireless and wired networks through an icon in the task bar is shown in Figure 4.7.


Figure 4.7 Windows wireless connections as seen by the computer user.

Recovering this information from the registry can be accomplished through most forensic application suites or standalone registry applications such as RegRipper.

In Windows 7, the following registry keys are relevant to network connections. The first contains the networks accessed, with timestamps. The second maintains the MAC addresses, SSID name, and additional information for each accessed network. The remaining keys store duplicative network settings of specific connections. This information can be used in geolocation efforts to physically place the system at a specific place.

 1. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}

 2. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

 3. HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{GUID}

 4. HKLM\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces\{GUID}

 5. HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{GUID}

Figure 4.8 shows extracted registry information from wireless connections which includes the dates and times of last connections using the open source program Registry Decoder. Obtaining this type of information showing wireless connections greatly enhances placing your suspect at different locations.
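Decoding the first two keys listed above, as an added example (not the book's code or Registry Decoder's). It assumes the DateLastConnected value under each Profiles GUID is a 16-byte SYSTEMTIME in the evidence system's local time, and that each Signatures\Unmanaged entry carries a ProfileGuid and a 6-byte DefaultGatewayMac; the values below are constructed as a forensic tool would export them. The stored day-of-week is cross-checked against the date, which catches a mis-parsed or tampered value.

```python
"""Decode NetworkList Profiles and Signatures/Unmanaged values from a
SOFTWARE hive. Added example, not the book's code. Assumes DateLastConnected
is a 16-byte SYSTEMTIME (local time) and DefaultGatewayMac is 6 raw bytes;
sample values are constructed."""
import struct
from datetime import datetime


def parse_systemtime(raw):
    """SYSTEMTIME: eight little-endian WORDs (year, month, day-of-week, day,
    hour, minute, second, millisecond). Returns (datetime, dow_consistent),
    where the stored day-of-week is checked against the date as a sanity test."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    when = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME counts Sunday as 0; Python's weekday() counts Monday as 0.
    consistent = ((when.weekday() + 1) % 7) == dow
    return when, consistent


def format_mac(raw):
    """Render the gateway MAC the way a tool or a router label shows it."""
    return ":".join(f"{b:02x}" for b in raw[:6])


# Constructed sample values (GUID, signature name and MAC are made up).
PROFILES = {
    "{1B2C3D4E-0000-0000-0000-000000000001}": {
        "ProfileName": "CoffeeShopGuest",
        # 2012-03-15 (a Thursday, SYSTEMTIME day-of-week 4) 14:22:05.000
        "DateLastConnected": struct.pack("<8H", 2012, 3, 4, 15, 14, 22, 5, 0),
    },
}
SIGNATURES = {
    "010103000F0000F0080000000F0000F0_constructed": {
        "ProfileGuid": "{1B2C3D4E-0000-0000-0000-000000000001}",
        "DefaultGatewayMac": bytes.fromhex("001122aabbcc"),
        "DnsSuffix": "guest.example",
    },
}


def network_timeline(profiles, signatures):
    """Join each profile to its Unmanaged signature (via ProfileGuid) and emit
    timeline rows. Times are the evidence system's local time, so they must be
    read together with the TimeZoneInformation key."""
    by_guid = {s["ProfileGuid"]: s for s in signatures.values()}
    rows = []
    for guid, profile in profiles.items():
        when, ok = parse_systemtime(profile["DateLastConnected"])
        sig = by_guid.get(guid)
        rows.append({
            "profile_name": profile["ProfileName"],
            "last_connected_local": when.isoformat(),
            "day_of_week_consistent": ok,
            "gateway_mac": format_mac(sig["DefaultGatewayMac"]) if sig else None,
            "dns_suffix": sig.get("DnsSuffix") if sig else None,
        })
    return rows
```

The gateway MAC is the value worth keeping: the SSID of a guest network is easily reused elsewhere, while the gateway hardware address ties the connection to one physical router.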

The authoritative reference on registry forensics

Windows Registry Forensics

Windows Registry Forensics: The Advanced Digital Forensic Analysis of the Windows Registry by Harlan Carvey describes these settings and the analysis of the Windows registry in greater detail.


Figure 4.8 Registry Decoder display of wireless networks from a software registry hive; http://www.digitalforensicssolutions.com/registrydecoder/.

Network (cloud) connections

An abundant source of evidence documenting the location, date, and time of an electronic device is from third parties, such as from the suspect’s Internet Service Provider. Third parties typically will maintain records of customer logins and connection information for a certain period of time. With court orders or administrative subpoenas, this information can be had with a simple fax to the provider where a listing of IP addresses from which the customer used will be available.

One example of a cloud connection that may go unnoticed by a computer user is that of automated online backup services. A service such as Dropbox provides free and paid accounts of automated, full backups of folders without requiring user intervention. Other online storage providers offer similar free and paid storage amounts and almost all are set by default installation of the programs to automatically backup complete folders or make incremental uploads as files are created or modified on the local machine. Many of these automated online cloud storage systems are also mobile phone capable.

Even without a subpoena, logging into a Dropbox account shows the number of linked systems and the information regarding the last connection of each device with the relevant IP address. Linked systems displayed in the user’s Dropbox account refer to individual computer systems with access to the account, which may be additional sources of electronic evidence to seek for examination. Figure 4.9 shows a screen capture of a Dropbox user’s view of this record. In this example, there are three computers listed that have the Dropbox application installed and linked to this one Dropbox account.


Figure 4.9 Dropbox most recent computer connections as seen by the account owner. http://www.getdropbox.com.

Providers of these online services will most likely maintain more than just the last connection. Suspects that use Internet connections in public locations to commit any acts using their computer or other mobile device will be logged by any automated online file backup service. The examiner can place the suspect’s computer at a location, date, and time with the inference that the suspect controlled the device given the service provider’s connection logs. Secondary evidence may be obtained from the security video footage from those locations to affirmatively identify the suspect.

Obtaining server provider logs of all existing connections may be able to offer investigators locations where the laptop is commonly used outside the home or work environment through obtaining IP address subscriber information. A side benefit of this automated connection is in the assistance of stolen device recovery. If the thief starts the device and connects in any manner to the Internet, the IP address will be logged by the service provider under the owner’s account.

Photos and videos

Photos and videos can be either evidence of an incident, such as a photo that is a crime in and of itself, or photos of evidence. Photos of child pornography would be actual physical evidence, and photos of suspects posing with the proceeds of a crime would be an example of photos taken of evidence. Photos and videos can corroborate evidence that places a suspect at an exact location at an exact time, which may not be relevant to an incident, but could be important in placing the suspect in the area of an incident close to the time of the incident.

Automated file search software programs can help identify objects in photos based on comparisons with other known photos. A great example of such a program is Google’s “Bedspread Detector”, which matches elements in one photo against other photos containing the same elements. This program was created in response to a child pornography analyst who recognized a similar bedspread in different child pornography photos. The recognition of one object, the bedspread, resulted in the identification of more victims and offenders and subsequently, the name of the program, “Bedspread Detector” (Allen, 2010).

Beyond the content of a photo or video, there exists additional information about the actual electronic files known as EXIF data (Exchangeable Image File Format). This additional information, or metadata, provides evidence to investigators that is specific to each file. The type of camera used, date and time the photo was taken, and in some circumstances, even the location of where the photo was taken through embedded GPS coordinates.

An example seen in Figure 4.10 shows a photo of a bedroom and some of the EXIF data of the photo. As can be seen in the EXIF data, the image illustrated in Figure 4.10 was probably taken with a Blackberry smartphone. If the location was identifiable by the content of the photo and the Blackberry was identified, this photo would place the device at the location at a specific date and time. This would be a simpler task if the photo is geotagged, that is, GPS coordinates embedded within the EXIF data of the photo.


Figure 4.10 EXIF data example, using program PhotoME, http://www.photome.de.

Mobile devices, such as smartphones and tablets, contain a wealth of information. It was not so long ago where the analysis of a mobile phone consisted of jotting the numbers that were seen in the display. The current advances in mobile device technology coupled with forensic software and hardware applications have practically made an entirely separate discipline in mobile device forensics, yet information from mobile devices can directly affect the information in computer systems through interconnectivity between the devices and systems.

Extracting data from mobile devices such as any cellular phone or tablet requires a wider variety of tools and skillsets than those needed with computer hard drives. Mostly, this is due to the difficulty in being able to access and extract the memory physically or logically from the devices while reducing the amount of file modification. The methods and software used for extracting data from these devices vary almost as much as the number of different devices.

Examining the mobile device data is similar to examining almost any electronic data, but getting to the data may not always be as easy or possible due to current limitations in acquisition software. For that reason, this section will only discuss the type of data contained in mobile devices that is directly relevant to the suspect’s activity for your investigative timeline analysis.

There are several reasons in which mobile devices greatly enhance investigations. Other than containing obvious direct evidence such as a photo taken during the commission of a crime or logged phone calls to victims or conspirators, mobile devices are practically an attached GPS device on the user. Considering that in today’s society and culture, having one or more cellular devices is the norm, and that almost every device has GPS capability, mobile device users are literally carrying around a GPS system, logging their daily movements, 24 hours a day. In addition to the geolocation logging that occurs, users will self-report their location through a variety of consumer services, such as posting their whereabouts on social networking websites.

GPS enabled mobile devices are certainly convenient for their owners because of the third party applications that rely on knowing the location of the device to provide information to the owner. Some applications include navigation, social networks, weather, travel services, banking, Internet searching, and an ever–growing list of applications that can be instantly downloaded to the devices. The more a user depends upon the mobile device for these services, the more data that will be available in tracking the user’s historical locations.

The suspect’s mobile device which logs geolocation aids investigations by documenting the travels a device makes by date, time, and location. Tying that device to a person or persons can corroborate information obtained on an evidence computer system should the device and computer system exist at the same place, at the same time.

A feature of social networking websites is that users inform their friends, or the entire public, of their daily whereabouts and activities. This is done intentionally with messages posted on their personal social networking sites and sometimes unintentionally with photos taken by cellular devices and posted online. Many cellular devices embed within the photos they take the GPS location along with other metadata such as the date, time, and device information.

The photo stored in the device will have this information available and if the photo is uploaded to a website, anyone with access to the photo will also be able to access the GPS location of that photo. Figure 4.11 is an example of a Geo-tagged photo taken with and stored on a mobile device.


Figure 4.11 Geotagged cell phone photo shown in Oxygen Forensics Analyst.
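The EXIF interpretation from the bedroom photo example and the geotagged smartphone photos above, as one added example (not code from the book or PhotoME). It works on a dictionary of already-extracted tags, as an EXIF library returns them, so the hypothetical BlackBerry tags below are constructed. Beyond converting the GPS rationals to decimal degrees, it compares the zone-less DateTimeOriginal with the GPS (UTC) timestamp, which recovers the offset the device clock was set to and lets the examiner test the time zone claimed for the device.

```python
"""Turn EXIF GPS rationals and date fields into timeline data.
Added example, not the book's or PhotoME's code. Works on a dict of
already-extracted EXIF tags; the sample tags below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed EXIF tags from a hypothetical geotagged smartphone photo.
SAMPLE_EXIF = {
    "Make": "Research In Motion",
    "Model": "BlackBerry 9700",
    "DateTimeOriginal": "2011:05:10 10:30:00",        # device clock, no zone
    "GPSLatitudeRef": "N",
    "GPSLatitude": ((47, 1), (36, 1), (2288, 100)),   # 47 deg 36' 22.88"
    "GPSLongitudeRef": "W",
    "GPSLongitude": ((122, 1), (19, 1), (552, 10)),   # 122 deg 19' 55.2"
    "GPSDateStamp": "2011:05:10",
    "GPSTimeStamp": ((17, 1), (30, 1), (0, 1)),       # GPS time is UTC
}


def rational(r):
    """EXIF stores numbers as (numerator, denominator) pairs."""
    num, den = r
    return num / den


def gps_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals to signed decimal degrees;
    the S and W hemispheres are negative."""
    deg, minutes, seconds = (rational(x) for x in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def gps_utc(exif):
    """GPSDateStamp + GPSTimeStamp give the satellite (UTC) time of capture."""
    h, m, s = (rational(x) for x in exif["GPSTimeStamp"])
    day = datetime.strptime(exif["GPSDateStamp"], "%Y:%m:%d")
    return day.replace(hour=int(h), minute=int(m), second=int(s), tzinfo=timezone.utc)


def camera_clock_offset_hours(exif):
    """DateTimeOriginal carries no zone; its difference from the GPS UTC time
    is the offset the device clock was set to (or evidence the clock was wrong)."""
    local = datetime.strptime(exif["DateTimeOriginal"], "%Y:%m:%d %H:%M:%S")
    utc_naive = gps_utc(exif).replace(tzinfo=None)
    return (local - utc_naive) / timedelta(hours=1)


def summarize(exif):
    """One timeline row: device, decimal coordinates, UTC capture time, offset."""
    return {
        "device": f'{exif.get("Make", "?")} {exif.get("Model", "?")}',
        "lat": round(gps_to_decimal(exif["GPSLatitude"], exif["GPSLatitudeRef"]), 6),
        "lon": round(gps_to_decimal(exif["GPSLongitude"], exif["GPSLongitudeRef"]), 6),
        "taken_utc": gps_utc(exif).isoformat(),
        "clock_offset_hours": camera_clock_offset_hours(exif),
    }
```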

Additional information is generated when users update their status on social networking sites through uploading photos or posting comments. Figure 4.12 shows an example of Geotagged Facebook activity by the mobile device user.


Figure 4.12 Geotagged Facebook update. Courtesy of Oxygen Forensics, http://www.oxygen-forensic.com.

Devices that are wireless enabled, in that the device can connect to an available wireless network, most likely will have connection activity logged. Figure 4.13 shows an example of wireless connections from a device, including the date and time stamps of the connections.


Figure 4.13 Smartphone Wi-Fi log records.

Mobile devices with Skype capability can connect to wireless networks, which, not surprisingly, are also logged for your recovery by the device. Figure 4.14 shows an example of extracted Skype calls and connection information. Skype (http://www.skype.com) is an Internet video conferencing application that can be run on computer systems and some smartphones.


Figure 4.14 Geotagged Skype calls.

Call data records (CDR), available from the cellular service provider, give detailed records of call activity, more so than just calls made or received. The CDR includes the call duration, billing number for the call, disposition of the call (failed call, busy, etc.), the type of call (text, voice), and cell site accessed. An analysis of the geolocation information from accessed cell sites from the CDR is a contributing source of a suspect’s history location points and travels.

The compilation of geolocations obtained from connections to wireless networks, geotagged photos, and cellular tower connections can give a thorough picture of locations the device traveled. Even locations saved by the device user of map locations, such as searching for locations using Google Maps, can be effective at obtaining leads of possible historical locations. All of these device locations may be instrumental in showing a suspect’s location at or near a crime scene or incident or corroborating an alibi away from the scene.

Geolocation warning

An important aspect of relying on geolocation information extracted from mobile devices is that you cannot always rely on it. Sometimes it is just another lead, or clue, as to where to search for corroborating information. This is especially important when geolocation is based on cellular towers. The intention of geolocation in mobile devices is not so much to track the user’s movement; the service exists to give the owner of the device specific location information as desired, such as navigation or nearby locations for personal services.

As discussed, cellular devices connect with cellular towers in order to function properly and these connections are logged by date, time, and location. However, this location may not be as accurate as it appears. In fact, especially in rural areas, the location can be within a range of miles.

Depending upon the number of cellular towers available, the surrounding environment, and even the type of cellular tower, it may be impossible to determine the exact location of the device. Also, geolocation based on wireless connections may be even more inaccurate. Devices that connect to an open wireless connection may appear to be located in New York, when the wireless spot accessed was actually in an airport in California.

The analysis of geolocation goes beyond an exported spreadsheet of locations since it is important to determine the source reliability of the extracted coordinates. Although connections to the suspect’s own network or GPS data will be more accurate than other connections, all connections most likely will have evidentiary value or give investigative leads.

Internet evidence (mobile devices, computers, and game systems)

Today’s computing systems with Internet connectivity are not restricted strictly to personal computers. More electronic devices have the ability to connect to the Internet by design. This includes mobile devices and game consoles. Each of these devices should be considered as prime sources of information in your investigations.

Notes on device interconnectivity

Most current consumer computing devices, from cell phones to desktop computers, have not only Internet connectivity but also connectivity between devices to share information. Examiners need to be aware that any electronic device belonging to a suspect that can connect to a network or the Internet may also hold key evidence. Because these devices may be connected in some fashion, the destruction of evidence through remote commands is a possibility. Many smartphones accept a remote delete or wipe command, which can be triggered by a text message or through a remote-management service and can make data recovery practically impossible in some cases. Isolating a seized device from cellular and Wi-Fi networks (for example, with a shielded bag or airplane mode, according to your seizure procedures) before it is examined reduces this risk.

Therefore, rather than focusing on a single electronic evidence item, examiners may want to step back from the one device and make sure the totality of a suspect’s network contributes to the analysis. This network need not be a computer network the user configured by intentional design; it may simply be a set of interconnected user devices tied together by automated file sharing and user access.

Since these devices are commonly interconnected, each device may also be able to prove or disprove allegations based on the information it contains. At a minimum, just knowing that device interconnectivity can affect a forensic examination may save frustration. A simple example of the effect of suspect-created data can be seen with the Internet-capable, camera-equipped smartphone. Not only can this smartphone take a geotagged photo and upload it instantly to a social networking website, but it can also be synced through a wireless connection to a home computer.

Photos and videos taken by the smartphone can be transmitted and saved onto the unattended home computer, or onto multiple computers. In such a case there would be file creation activity on the unattended home computer as well as activity on the smartphone, giving the superficial appearance of the suspect being in two places at the same time. The examiner must recognize the sync mechanism before drawing conclusions from either set of timestamps.

Digital cameras are another potential source of evidence that can be connected wirelessly to a suspect’s network and devices. A camera without Internet capability is easily given Wi-Fi access with a memory card that has a built-in Wi-Fi feature. These Wi-Fi enabled memory cards connect to wireless networks and upload photos to storage locations chosen by the user, including smartphones, computers, and file sharing websites. As with smartphone photos, these photos may also be geotagged, giving the investigator more suspect locations based on the EXIF data embedded in the photos. Note that many websites strip EXIF data on upload, so the geotag may survive only in the copies that remained on the card, the camera, or the synced computer.
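The following is an added example, not part of the original text or any product it mentions, showing how a geotag is actually stored and read: EXIF data lives in a JPEG APP1 segment as a TIFF structure whose GPS IFD holds latitude and longitude as degrees, minutes, and seconds in rational form, plus N/S and E/W reference tags. The script builds a minimal JPEG with invented coordinates (constructed sample data) and then parses it back with no external libraries, so the examiner can see exactly which bytes the coordinates come from.

```python
import struct

# Standard EXIF/TIFF tag numbers for the GPS IFD pointer and GPS coordinate tags.
GPS_IFD_POINTER = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: big-endian TIFF (IFD0 -> GPS IFD) inside a JPEG APP1 segment."""
    ifd0_off = 8                               # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4            # IFD0 holds one 12-byte entry
    data_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD holds four entries
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">HHHII", 1, GPS_IFD_POINTER, 4, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", TAG_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_LAT, 5, 3, data_off)
    tiff += struct.pack(">HHI", TAG_LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack(">HHII", TAG_LON, 5, 3, data_off + 24)
    tiff += b"\x00" * 4                        # no further IFD
    for d, m, s in (lat_dms, lon_dms):         # three RATIONALs (num/den) per coordinate
        tiff += struct.pack(">IIIIII", d, 1, m, 1, int(round(s * 100)), 100)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def extract_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob inside the EXIF APP1 segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # end of image / start of scan: no more headers
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seg_len]
        pos += 2 + seg_len
    raise ValueError("no EXIF APP1 segment")


def read_ifd(tiff, end, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at offset."""
    n = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def read_rationals(tiff, end, raw, count):
    """Follow the entry's offset and decode `count` RATIONAL (numerator, denominator) pairs."""
    off = struct.unpack(end + "I", raw)[0]
    vals = struct.unpack(end + "II" * count, tiff[off:off + 8 * count])
    return [n / d for n, d in zip(vals[0::2], vals[1::2])]


def dms_to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def gps_from_jpeg(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the file carries no GPS IFD."""
    tiff = extract_exif_tiff(jpeg)
    end = ">" if tiff[:2] == b"MM" else "<"   # byte order declared in the TIFF header
    ifd0 = read_ifd(tiff, end, struct.unpack(end + "I", tiff[4:8])[0])
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, end, struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])[0])
    try:
        lat_ref = gps[TAG_LAT_REF][2][:1].decode()
        lon_ref = gps[TAG_LON_REF][2][:1].decode()
        lat = dms_to_decimal(read_rationals(tiff, end, gps[TAG_LAT][2], 3), lat_ref)
        lon = dms_to_decimal(read_rationals(tiff, end, gps[TAG_LON][2], 3), lon_ref)
    except KeyError:
        return None                            # GPS IFD present but incomplete
    return lat, lon


if __name__ == "__main__":
    sample = build_sample_jpeg((47, 36, 30.0), "N", (122, 19, 54.0), "W")
    print(gps_from_jpeg(sample))
```

The same parser works on a real photo read with `open(path, "rb").read()`; if `extract_exif_tiff` raises, the file has no EXIF segment at all, which is what you will typically see for a copy downloaded from a social networking site.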

Conversely, just as files can be created remotely through file sharing via a smartphone, files can be deleted remotely. Tablets or laptops with remote connections to home computers allow the suspect to control multiple computers remotely, giving the initial impression that a person was physically at the keyboard unless the forensic examiner discovers that remote connections took place.

Internet history

Some of the best evidence to find on any examined computer is Internet history. Of the billions of websites available, covering an immense range of topics, a computer user will almost always visit the websites of personal or professional interest. Favorite websites may be bookmarked and revisited regularly. If for no other reason than to gain a glimpse into the mindset of the suspect, Internet history is a goldmine of information.

Internet history adds credibility to placing a suspect behind a particular computer when certain actions can be shown to have taken place. The most common is logging into webmail through a browser rather than an email client. A suspect who logged into a webmail account verified his identity, or at least verified control of the email account, by entering the username and password. It is possible that a person other than the suspect had the login credentials, but this may be unlikely based on other factors, such as that other person needing access to the computer, perhaps login credentials for the operating system, and permission from the suspect even to use the computer.

If the explanation offered is that it was not the suspect who had control of the computer but another person who logged onto the suspect’s computer and then into the suspect’s email, further analysis is warranted. Along the same lines as webmail is the login to any website requiring credentials: social networking websites, shopping websites, blogs, forums, or company intranet websites. The more websites that were accessed with the suspect’s credentials, the less likely it is that another person had that access. The likelihood that the suspect’s mobile phone was used for Internet surfing and account access by another person can be considered slim, or, at the least, the suspect was most probably within arm’s reach of the smartphone at the time.

The analysis of Internet history has become more automated with current forensic applications specific to Internet forensics. One example of an intensive Internet analysis tool is Internet Examiner from SiQuest. As can be seen in Figure 4.15, Internet history can be parsed from the major browsers and sorted by URL, host name, or date. Webpages can also be rebuilt automatically by reconstructing them from the cached Internet history files.

image

Figure 4.15 Internet Examiner, http://www.siquest.com.

Questioning of a suspect should also include confirmation of all persons who had access to or control of any evidence device, not just the suspect. In some homes, multiple persons may have access to a single computer, but these same persons probably do not have the login credentials to the webmail accounts of the others in the home. Where multiple persons can access the Internet on a common computer, the only evidence that the suspect was the person behind the keyboard may rest on the accessing of protected accounts known only to the suspect.

Online groups

Message boards, listservs, forums, blogs, and newsgroups are examples of online services that allow persons to communicate by posting comments to websites or by sending email messages to a group. Both comments and group emails can be made private, so that only group members have access, or public, so that anyone on the Internet can view them.

For online groups whose settings are private, user login credentials are needed, which attributes the activity to a specific person because a private password had to be supplied. Public boards may not require any login credential and may also allow anonymous posting. Anonymous posting does not mean that the IP address used by the commenter is anonymous, only that no credentials are needed. Owners and moderators of blogs and websites generally have immediate access to any comments made, along with the commenter’s IP address and date and time stamps, as can be seen in Figure 4.16.

image

Figure 4.16 Logged IP address on blog with date/time stamp.

Suspects who post or comment to any of these online groups create a trail of geolocation data on the servers of these third party providers. The recovery of membership in, or access to, any online group from examined systems should indicate to the investigator that additional geolocation data may exist. This is particularly important when a suspect accessed the online groups from different computers at different locations, resulting in a breadcrumb trail of geolocations.

Game consoles

Conducting forensics on electronic game consoles, such as the Xbox (http://www.xbox.com) or the PlayStation (http://us.playstation.com/), is not new, nor is the criminal use of these devices. The mere presence of an electronic game console in a residence usually does not raise a warning flag that it may contain evidence, and it may easily be overlooked. In the most basic description, these game machines are computers, capable of many of the features of the common desktop computer: Internet connectivity, video and photo creation, file transfer, file storage, and electronic communication through voice, video, and typed chat. Hard drives of varying sizes are common, as is the ability to attach external storage devices such as USB hard drives and flash media cards.

A game console may have been the instrument of a crime or contain electronic evidence of a crime. Even if the game console was not used as an instrument of a criminal act, the historic evidentiary value of user activity may help corroborate or refute a suspect’s alibi. Since a game console is a computer system, user activity is logged as such. For example, the Internet history on the PlayStation Portable is maintained in a directory of browser history files (PSP\SYSTEM\BROWSER) on its memory stick. This directory stores URLs that were entered in the browser address bar and bookmarks chosen by the user. Websites that are discovered may be directly linked to the suspect through supplied login credentials.

Game console activity, or inactivity, may be an important piece of evidence concerning an alibi. An alibi of playing games all night on the night of a crime can be discredited if analysis shows the game console was not used at all that night. Even if the console did show activity for the date in question, the location of the console at the time may be determinable and important to the investigation.

Through the interconnectivity between online players, IP addresses, server addresses, and daily connection logs are stored locally on the consoles and by the third parties that provide online services. These third parties providing peer-to-peer or group gaming most likely retain the IP addresses of the game consoles only for a limited period, so requests for their records should be made promptly. The locally stored information includes the connection name, such as the home network or the name of a broadcast wireless network.

HTTP extraction

In May 2012, a technical report from the University of California detailed a method of extracting geolocation data from a seized hard drive based on HTTP header information. The method analyzes the HTTP headers cached on the hard drive along with the associated website content. Using data from cookies and cached Internet files stored on the system, the method was shown to identify IP addresses and dates of access. The paper states that additional corroborating information is needed to verify the identified geolocation, which, of course, is also one of the themes of this book.

IP address and relationships to devices

In nearly every type of investigation, from civil electronic discovery to a global hacking case, electronic devices are almost always connected at some point to third party commercial or government providers through Internet connections. A forensic analysis of a device identifies many of these third parties; for example, a wireless access point discovered in the registry leads to the identification of a previously connected network or networks, and Internet history showing a user’s webmail activity identifies third party webmail providers.

Figure 4.17 shows how most devices may directly identify a single third party online service provider. The reasons for device connections to third party providers range from communication to storing data, such as digital photos, on the third party’s storage systems. A single third party provider could therefore hold a single user account’s information relating to more than one device.

image

Figure 4.17 Third party online service provider example.

As these third parties regularly maintain records of customer logins and attempted logins, neglecting to review their logs could mean missing additional avenues of suspect location identification and additional electronic evidence. Through the third party’s connection logs of user IP addresses, investigators may be able to trace back to the physical location where a device was used.

Reviewing a webmail provider’s records will usually show multiple IP addresses from which the user accessed the account. This is due to the user accessing the webmail account from computers at home, work, and school, or through mobile devices and game consoles. Each of these points of access potentially identifies a location through the logged IP address, which could lead to additional sources of electronic media.

Figure 4.18 shows a visual example of a third party service provider’s records identifying multiple locations of user account access. Each access may or may not be from the same device, but it can reasonably be presumed that the owner of the online service account is the same person each time, as the owner should be the only person with authorized access.

image

Figure 4.18 Customer login records from third party online service provider

Identifying third party service providers through analysis of each device may lead to identifying more electronic devices and suspect locations. Corroborating these locations and suspect account logins with other methods, such as call detail records, builds the circumstantial evidence that helps place the suspect at a particular keyboard at a particular date and time.

Texts and emails

The spoken or written word of a suspect is powerful, particularly when the statement is against the suspect’s penal interest. Text messages or emails in which a suspect states a time and location are helpful for testing verbal statements that may conflict with physical evidence. The content of a text message may not always contribute evidence to an investigation. However, if any messages are tied to the user, then the GPS, cell site, and Wi-Fi coordinates obtained from the device or from call detail records place that suspect at a location with that device.

The text messages shown in Figure 4.19 are examples of a mobile device user stating his future time and location, again placing the device in the suspect’s hands at a specific location and time.

image

Figure 4.19 Extracted text messages from mobile device. Courtesy of Oxygen Forensics http://www.oxygen-forensic.com.

Emails can also be good sources of geolocation data, based both on the content of the emails and on the email headers. Content-based, in that the suspect may state dates and locations in his own words; header-based, in that the headers include the IP addresses of the sending and receiving mail servers and, often, of the sender’s own computer, for which the physical addresses of the subscribers can be obtained, whether a residence, workplace, or public location. Figure 4.20 shows an example of an email header with the originating IP address noted.

image

Figure 4.20 Example of email header showing originating IP address.

The location of the suspect, based on the IP address of emails authored and sent from the suspect’s account, can be supported through email header analysis. As discussed, methods of obscuring the true IP address, such as proxy servers or anonymizing services, may render the IP address useless for determining a physical location. Email providers may also cause difficulty by not including the originating IP address in the email headers, in which case court or administrative authority will be required to obtain the originating IP address from the provider’s records. Note also that only the Received: headers added by mail servers you trust are reliable; the earliest hops in the chain are supplied by the sender’s side and can be forged.
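As an added example (not from the original text), the following script performs the header analysis described above on two constructed messages. Each mail server prepends its own Received: header, so the last Received: header in the message is the earliest hop, the one that accepted the message from the sender; its first routable address is the originating IP candidate. When a webmail provider’s internal hop shows only private addresses, the script falls back to the provider’s X-Originating-IP header, if present. All addresses and host names in the samples are invented; the public ones come from the RFC 5737 documentation ranges.

```python
import email
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that can never be a sender's public address (RFC 1918, loopback,
# link-local, shared address space). Listed explicitly rather than using
# ipaddress.is_global so the RFC 5737 documentation addresses used in the
# constructed samples below count as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample 1: sent from a mail client on a home connection. The earliest
# Received: header names the LAN address the client announced and the public
# address the provider's server actually saw.
SAMPLE_DIRECT = """\
Received: from mx.example.org (mx.example.org [203.0.113.2])
 by mail.receiver.example (Postfix) with ESMTP id 4F3A2B
 for <victim@receiver.example>; Fri, 11 May 2012 10:41:02 -0700
Received: from [192.168.1.20] (cpe-203-0-113-45.isp.example [203.0.113.45])
 by mx.example.org with ESMTPSA id 9C1D; Fri, 11 May 2012 10:40:58 -0700
From: suspect@example.org
To: victim@receiver.example
Subject: meeting
Date: Fri, 11 May 2012 10:40:50 -0700

I'll be there at 8.
"""

# Constructed sample 2: sent through webmail. The earliest hop is internal to the
# provider, which instead records the browser's address in X-Originating-IP.
SAMPLE_WEBMAIL = """\
Received: from webmail.example.net (webmail.example.net [203.0.113.9])
 by mail.receiver.example with ESMTP; Fri, 11 May 2012 11:02:14 -0700
Received: from [10.20.30.40] by webmail.example.net with HTTP;
 Fri, 11 May 2012 11:02:10 -0700
X-Originating-IP: [198.51.100.7]
From: suspect@example.net
To: victim@receiver.example
Subject: re: meeting

ok
"""


def routable_ips(text):
    """Syntactically valid IPv4 addresses in a header value that are not reserved, in order."""
    found = []
    for token in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue                          # e.g. 999.1.1.1 matched the regex
        if not any(ip in net for net in NON_ROUTABLE):
            found.append(str(ip))
    return found


def received_chain(raw_message):
    """Hops oldest-first, each paired with the routable IPs it names, for manual review."""
    msg = email.message_from_string(raw_message)
    hops = list(reversed(msg.get_all("Received") or []))
    return [(i, routable_ips(hop)) for i, hop in enumerate(hops)]


def originating_ip(raw_message):
    """Return (ip, header_name) for the best originating-address candidate, or (None, None)."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if received:
        ips = routable_ips(received[-1])      # last header = earliest hop
        if ips:
            return ips[0], "Received"
    for value in msg.get_all("X-Originating-IP") or []:
        ips = routable_ips(value)
        if ips:
            return ips[0], "X-Originating-IP"
    return None, None


if __name__ == "__main__":
    for sample in (SAMPLE_DIRECT, SAMPLE_WEBMAIL):
        print(originating_ip(sample), received_chain(sample))
```

Read the chain from the hop added by your own (or the recipient’s) server downward: everything below the first trusted hop was written by systems under the sender’s influence and could have been fabricated. IPv6 addresses are not handled here and would need a second pattern.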

Calendar evidence

Many email programs have an integrated calendar function which could contain a suspect’s historical location information. Smartphones with an appointment and calendar function, if used by the suspect, can also identify the locations of past and future meetings. Smartphone calendars may or may not be synced with the suspect’s personal or work computers.

Although a calendar appointment is not absolute confirmation that the suspect kept that appointment, it can still provide leads for further investigation to verify the whereabouts of the suspect. Figure 4.21 is an example of a calendar from a smartphone displayed in Oxygen Forensics Analyst. Since appointments are made with people, investigators can develop a list of persons to interview in order to corroborate relevant dates discovered in a calendar.

image

Figure 4.21 Calendar extraction from mobile device. Courtesy of Oxygen Forensics http://www.oxygen-forensic.com.

“Other” Device Forensics

If a computer system cannot be tied to a suspect, perhaps a computer accessory can be used instead. Devices that a suspect controls, or admits to controlling, may be physically tied to one or more computers through a forensic analysis of those computers. Windows records devices plugged into a system, by date, time, and type of device, in the registry (for example, the USBSTOR and USB keys under HKLM\SYSTEM\CurrentControlSet\Enum) and in setup logs such as setupapi.dev.log (setupapi.log on Windows XP). Smart cards, USB storage devices, media players, digital cameras, and smartphones are examples of such devices.

If the suspect’s smartphone has been connected to a computer system, even one for which the suspect does not admit ownership, it can reasonably be inferred that the suspect accessed that computer on the dates and times the smartphone was logged as connected. Additional devices attributed to the suspect that were connected to any computer system over a period of time further tie the suspect to those systems on those occasions. Depending upon the device, an automated backup may occur with each connection. Media players can back up music and video, while smartphones may back up the entire phone’s data, including text messages, videos, and geotagged photos.

Figure 4.22 shows a list of connected devices by description, created date, last plug/unplug date, and serial number (if available) using USBDeview from NirSoft (http://www.nirsoft.net). Most forensic software suites and registry-specific utilities can extract the same information as seen in this figure. Be aware that a serial number is reported only when the device supplies one; when it does not, Windows generates an instance identifier of its own, which cannot be matched to a physical device in the same way.

image

Figure 4.22 Connected devices, USBDeview, http://www.nirsoft.net.
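The tools above read the registry; the same first-connection evidence is also written as plain text to C:\Windows\inf\setupapi.dev.log when Windows installs the driver for a new device. As an added example (not from the original text or from NirSoft), the script below parses a constructed excerpt in that log’s layout, extracting the device instance path, vendor, product, revision, serial number, and installation timestamp for each install section. Device names, serials, and times are invented. It also applies the rule that an instance ID whose second character is an ampersand was generated by Windows rather than reported by the device.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of setupapi.dev.log (Windows Vista and later).
# Every device, serial number and timestamp here is invented.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001CC0EC3467BB60E5210123&0]
>>>  Section start 2012/05/11 10:33:12.345
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 10:33:12.361
<<<  Section end 2012/05/11 10:33:14.123
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1f0c3d&0]
>>>  Section start 2012/05/12 22:07:41.019
<<<  Section end 2012/05/12 22:07:43.902
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230512345678]
>>>  Section start 2012/05/13 09:15:00.500
<<<  Section end 2012/05/13 09:15:02.000
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<path>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def describe(instance_path):
    """Split ENUMERATOR\DEVICE_ID\INSTANCE_ID into its forensic fields."""
    enumerator, _, rest = instance_path.partition("\\")
    device_id, _, instance_id = rest.rpartition("\\")
    d = {"enumerator": enumerator, "device_id": device_id, "instance_id": instance_id,
         "vendor": None, "product": None, "revision": None}
    for part in device_id.split("&"):             # e.g. Ven_Kingston, Prod_DataTraveler_2.0
        key, _, val = part.partition("_")
        if key == "Ven":
            d["vendor"] = val
        elif key == "Prod":
            d["product"] = val
        elif key == "Rev":
            d["revision"] = val
    # Windows generates the instance ID itself when the device reports no serial
    # number; such IDs have '&' as their second character and do not identify
    # a physical device the way a real serial does.
    d["serial_is_device_supplied"] = len(instance_id) > 1 and instance_id[1] != "&"
    d["serial"] = instance_id.split("&")[0] if d["serial_is_device_supplied"] else None
    return d


def parse_usb_installs(log_text):
    """Return one dict per hardware-initiated install section, with its start timestamp."""
    devices, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = describe(m.group("path"))
            continue
        m = START.match(line)
        if m and current is not None:
            current["first_install"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            devices.append(current)
            current = None
    return devices


def storage_devices(log_text):
    """Only USB mass-storage installs, oldest first, for the connection timeline."""
    return sorted((d for d in parse_usb_installs(log_text) if d["enumerator"] == "USBSTOR"),
                  key=lambda d: d["first_install"])


if __name__ == "__main__":
    for dev in parse_usb_installs(SAMPLE_LOG):
        print(dev["first_install"], dev["enumerator"], dev["vendor"], dev["product"], dev["serial"])
```

The timestamp is the first time that device was installed on that Windows installation (later connections do not rewrite it), and the times are local time as the system clock was set, so correlate them with the clock checks made at seizure. The serial number is the value to match against the USBSTOR registry key and against the physical device.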

Every electronic device identified should be considered a source of information that can place a suspect at a location at a specific time. Even some printers store historical information on printing, including complete digital copies of documents that have been printed. It is the concepts and principles applied across the spectrum of electronic evidence that make the difference in an investigation.

Online Social Networking

Online social networking provides a wealth of information and evidence well beyond what could have been dreamed of years ago. Public and government databases containing information on persons, such as credit histories and criminal histories, have always been relevant to investigations. But the mass public appeal of social networking websites adds an entirely new dimension to obtaining personal information.

All social networking websites allow the customer to create their own content using a computer or mobile device to upload photos, post comments, and engage others from any location with Internet access. Each of these connections adds to the breadcrumb trail of geolocation, based on IP address connections, geotagged photos, and self-admitted comments stating physical locations.

When examining social networking website activity, examiners need to be aware that one suspect may control multiple personas. The reasoning may be to limit the amount of personal data tied to each online identity or to create confusion and anonymity. Conversely, one online identity can easily be controlled by more than one person, with several people sharing it. Again, the reasons may be to deflect suspicion from a suspect, such as providing an alibi of being online from one physical location at the time of a crime committed in another.

It is also plausible that a suspect could create an automated, self-updating electronic identity through software that requires no human intervention. This method could create data on multiple connected devices, giving the appearance that a person was at the system when in fact the suspect was committing a crime at a different location.

It is unfortunate that criminals victimize legitimate users of social networking sites through stalking and harassment; however, the same methods can be used by investigators to obtain evidence on the criminals. The words submitted to a social networking website by the suspect may or may not be pertinent to an investigation, but the geolocation at the time of the comment most likely will be.

User Activity

Apart from a forensic analysis to recover electronic evidence, such as stolen intellectual property or child pornography, this section details only that user activity which helps place a specific suspect behind the keyboard, not the actual evidence of the incident under investigation. The recovery and analysis of electronic evidence is best discussed in books dedicated to the science of digital forensics; this book supplements those evidentiary findings by placing an identified suspect at the keyboard.

User logins

The easiest method of suspect identification is when the suspect self-identifies by supplying login credentials to access a computer system or online accounts owned by the suspect. When these credentials include fingerprint identification or facial recognition, the identification is that much stronger.

Claims that a person other than the suspect logged into a particular account by guessing the password can be rendered irrelevant depending upon the password. A long, complex password of mixed uppercase, lowercase, numbers, and symbols would be virtually impossible to guess. Guessing is not the only route to a credential, however; passwords saved in the browser, reused from another account, or written down near the computer need to be ruled out as well.

Each additional security measure required to log into a system diminishes the possibility that anyone other than the suspect logged into the account or system. This can include physical security measures, even locked doors, controlling access to the computer. The more layers needed to gain ultimate access, the more credibility there is in placing an identified suspect behind the keyboard.

User-specific computer activity

Attempting to attribute user activity to a specific person may involve examining the content of the data created as it relates to that person. Using a word processing document as an example, the content of the document may identify the owner more accurately than the metadata contained in the document. The metadata of the example document in Figure 4.23 shows the author as “James Smith” and last saved by “acer”.

image

Figure 4.23 Example of metadata in document.

Based solely on this information, James Smith would be considered the creator of this document. However, the content of the document may contradict what the metadata shows. Figure 4.24 shows the content of the same file, signed with the name Jessica Bell. Whether the author is James Smith or Jessica Bell is not so much the issue as the lesson not to rely upon one piece of information for suspect identification. The more specifically the content applies to a person, especially personal information known only to one person, the more certain the identification of the author becomes.

image

Figure 4.24 Content of document inferring identity.

Typed URLs can be extracted from the registry key HKCU\Software\Microsoft\Internet Explorer\TypedURLs, and Internet history from the cache and history files of the web browsers. This includes searches made with Internet search engines and on social networking websites, since the search terms are usually carried in the URL itself. Just as the content of a word processing document can point to a specific person, search terms may also point to a specific person. Examples of search terms attributable to a user could be terms related to the planning or commission of a crime, or even complete sentences typed as search terms with the context of the incident under investigation.
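As an added example (not from the original text), the script below recovers the search terms from a list of URLs such as those pulled from TypedURLs or browser history, using the fact that each search engine carries the typed query in a known URL parameter. The URLs are a constructed sample, and the parameter table covers only a few engines at the time of writing; extend it for the sites found in a given case.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter that carries the user's search terms, by host suffix.
# Constructed table for a handful of engines; parameter names can change.
SEARCH_PARAMS = {
    "google.com": "q",
    "bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
    "youtube.com": "search_query",
}

# Constructed sample of recovered history / typed URLs (not from any real case).
SAMPLE_HISTORY = [
    "https://www.google.com/search?q=how+to+delete+browser+history&ie=UTF-8",
    "http://www.bing.com/search?q=flights+seattle+to+denver+may+11",
    "https://search.yahoo.com/search?p=%22James+Smith%22+home+address",
    "https://www.youtube.com/results?search_query=lock+picking+basics",
    "https://mail.example.com/inbox",
]


def search_terms(url):
    """Return (host, decoded search terms) if the URL is a search, otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix, param in SEARCH_PARAMS.items():
        if host == suffix or host.endswith("." + suffix):
            values = parse_qs(parts.query).get(param)   # parse_qs undoes '+' and %XX encoding
            if values:
                return host, values[0]
    return None


def extract_searches(urls):
    """Search hits in the order the URLs were given, non-search URLs dropped."""
    return [hit for hit in map(search_terms, urls) if hit]


if __name__ == "__main__":
    for host, terms in extract_searches(SAMPLE_HISTORY):
        print(f"{host}: {terms}")
```

Pair each recovered term with the timestamp the history record carries so the searches fall into the same timeline as the rest of the user activity.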

Digital Authorship

Digital authorship analysis may be compared to handwriting comparison, in which an examiner compares questioned handwriting against exemplars known to have been written by a person. That discipline requires a high degree of skill in comparing unique handwriting, but it cannot be applied in the same manner to documents created on computers. The analysis of electronic writings must focus on the words, grammar, and context as typed, not on the shapes of letters on a paper document.

One method of identifying an author is through analysis of the style of grammar, punctuation, errors, vocabulary, and other idiosyncrasies. This method requires a source record for comparison, such as documents or emails already attributed to the suspect. This method has “obtained 95% accuracy and has been successfully used in investigating and adjudicating several crimes involving digital evidence” (Chaski, 2005).

Since different types of documents (email, word processing, etc.) are usually created for different purposes, the style may also differ. For example, an email written by the suspect may be short, terse, and to the point, whereas a letter written in a word processor may be more fully developed. A comparison between the short email and the more fully developed letter most likely will not give accurate results.

Current research in identifying authorship is producing software able to pinpoint differences between persons by analyzing sentence structure and syntax. Two such software tools, developed by graduate students at Drexel University, help identify the authors of disputed documents or help keep authors anonymous (Perlroth, 2012). Other approaches to authorship attribution are based on comparing writing patterns in emails, in which “the frequent patterns themselves serve as strong evidence for supporting the conclusion of authorship” (Iqbal, Hadjidj, Fung, & Debbabi, 2008).

Through biometrics, the dynamics of keystrokes can identify a person through typing patterns, speed, and the timing of each keystroke. However, this method is generally used as a credential verifier for login access rather than for identifying a person from historical computer use. With keystroke dynamics, each person has a characteristic pattern of typing on a keyboard. Keystroke dynamics software measures a person’s manner of typing, such as how long each key is held and the interval between successive keys, and builds a profile attributed to that person. Subsequent login attempts are compared against the profile to allow or deny access. This allows an authorized user to access a system based on both password credentials and keystroke dynamics.

With this security, another person attempting to use a valid password is likely to be rejected because of a different keystroke rhythm. Computer systems with this control have a much greater potential for placing a specific person behind the keyboard, because of the heightened measures that authorized users must meet to gain access.
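The following added example (not from the original text or from any keystroke dynamics product) shows the core of such a verifier in simplified form. From each typing of the password it derives dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next); enrollment records the mean and spread of each feature, and a later attempt is scored by how many standard deviations, on average, it sits from the enrolled profile. All timings are constructed, in milliseconds, and a real system would enroll many more samples than the three used here.

```python
from statistics import mean, pstdev


def make_sample(keys, dwells, flights):
    """Constructed helper: per-key hold times and between-key gaps -> (key, press_ms, release_ms) events."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(sample):
    """Dwell time of each key, followed by the flight time between consecutive keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Template: the key sequence plus (mean, standard deviation) for every feature."""
    keys = [k for k, _, _ in samples[0]]
    columns = zip(*(features(s) for s in samples))
    # Floor the deviation at 1 ms so a feature that never varied cannot dominate the score.
    return keys, [(mean(c), max(pstdev(c), 1.0)) for c in columns]


def score(template, sample):
    """Mean absolute z-score of the attempt against the template; lower means closer."""
    keys, stats = template
    if [k for k, _, _ in sample] != keys:
        return float("inf")                  # wrong password: rhythm is irrelevant
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(features(sample), stats))


def verify(template, sample, threshold=1.5):
    """Accept only when the typing rhythm is within the threshold of the enrolled profile."""
    return score(template, sample) < threshold


# Constructed data: three enrollment typings of "pass" by the legitimate user,
# then a fresh typing by the same user, an impostor typing the correct password
# with a different rhythm, and a mistyped password.
USER_ENROLL = [
    make_sample("pass", [90, 95, 85, 100], [120, 130, 110]),
    make_sample("pass", [95, 90, 90, 105], [125, 120, 115]),
    make_sample("pass", [85, 100, 88, 95], [115, 135, 105]),
]
GENUINE_ATTEMPT = make_sample("pass", [92, 93, 89, 98], [122, 127, 108])
IMPOSTOR_ATTEMPT = make_sample("pass", [160, 150, 170, 155], [300, 280, 310])
WRONG_PASSWORD = make_sample("pasz", [92, 93, 89, 98], [122, 127, 108])

if __name__ == "__main__":
    template = enroll(USER_ENROLL)
    for name, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT),
                          ("wrong password", WRONG_PASSWORD)):
        print(name, round(score(template, attempt), 2), verify(template, attempt))
```

The threshold trades false rejections of the real user against false acceptances of an impostor; a profile built from only three samples has a very tight spread, so in practice the enrollment set is larger and the threshold is tuned on it. For the investigator the point is that a system configured this way leaves a record of each accepted and rejected attempt, which is what ties the successful login to the enrolled person.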

Profiling

Entire texts have been written and careers devoted to criminal profiling. With certain types of crimes, criminal profiling may be effective. Perhaps 20 years ago, criminals using computers were easier to profile because fewer persons had the skill to use computers or write malicious software. Today, many people use computers daily, and the programs available for specific tasks span a wide spectrum, including the ability simply to purchase malicious or hacking software without knowing how it works.

Narrowing a list of suspects using the traditional “motive and opportunity” theory also needs reconsideration. At this stage of technology, any person using a computer with Internet access has the opportunity to commit nearly any computer-related crime from any location on the globe. As to motives, human nature has not changed, nor have the motives to commit crimes. Even hackers have varied motives which may be difficult to determine. According to Steven Branigan, a founding member of the New York Electronic Crimes Task Force, “Hackers are motivated to do what they do for different reasons, such as money, revenge and curiosity.”

It is the unfettered access allowed by an Internet-connected computer that lets the opportunity exist anywhere, for anyone, for any reason. This ease of global opportunity and the wide availability of malicious software do not make the profiling of cybercriminals any easier.

Profiling a known suspect against an incident will have to be based upon that suspect’s past behavior and history. Is the incident under investigation like others committed by the suspect? Is this behavior consistent with the suspect’s past behavior? Questions such as these infer present and future behavior from past behavior.

Biological Forensic Evidence

Blood. Hair. Fingerprints. Biological evidence is not just for non-computer crime scenes. Computers can also carry each of these types of evidence. Keyboards and entire systems can be fingerprinted, and hair strands recovered for forensic examination and comparison. Even blood or other bodily fluids can be found on computer systems.

Perhaps the most certain evidence that the suspect was in proximity to a system is the recovery of the suspect’s fingerprints or DNA from the system. This alone cannot show that the suspect accessed the system, but it does show that the suspect, at some point in time, was in close physical proximity to the computer system or touched it in some manner.

In cases where it is imperative to show that the suspect had access to a device, fingerprinting may be the best evidence. Photos of the suspect with electronic evidence are powerful, but only if the photographed systems can be positively identified as the evidence in question.

Triage and Previews

In addition to forensic analysis aimed at placing suspects behind the keyboard, an effective approach to this goal is a triage, or preview, of electronic media on location with the suspect. There are varying opinions and definitions of “triage” and “preview” of electronic media, but in the context of this section both terms refer to the examination of electronic media to find evidence of immediate and actionable value, also known as “low hanging fruit”.

This method of looking for evidence is typically conducted onsite, with the computer owner present. The situations range from consent to search given by the suspect, to a search based on court authority such as a parole check, to a search warrant or civil data collection. As the suspect or computer custodian is present, in close proximity to the computer systems, and has the authority to give consent (thereby admitting to being in control), the suspect has been placed at the computer. The suspect’s access to the computer will be undisputed: the suspect is there with the computer. It will be the results of the triage that place the suspect at the computer during the dates and times in question.

By using any number of methods to triage a computer, evidence in plain view can be addressed by the investigator immediately, potentially resulting in admissions or confessions from the suspect. The two situations for triaging or previewing a suspect computer are when the computer is on and when it is off. Most data collection and triage procedures recommend that a computer that is on remain on during the procedure, and that one that is off remain off. This is primarily because of encryption: full disk or volume encryption that is unlocked while the system is running can render the data practically inaccessible once the computer is turned off and the keys are no longer in memory.

For computers that are running, a wide variety of programs dedicated to the task of previewing a live system are available. Two such programs are Field Search (Figure 4.25) and osTriage (Figure 4.26).

image

Figure 4.26 osTriage, http://feeble-industries.com/forums.

Either of these triage/preview applications can quickly and effectively find relevant evidence, including Internet history, searched keywords, documents, photos and videos, and computer system information.

The live triage of a running system, coupled with collection of physical memory, serves an important purpose. The possibility of a defendant raising the Trojan defense, the claim that someone installed malicious software onto the evidence system and that the software committed the alleged acts, may arise. Rebutting this claim can be difficult, as it is extremely hard to prove that malicious software did not exist while the computer was on if the only trace of it was in physical memory, which was lost when the computer was shut down.

Collecting physical memory, together with the list of running processes, open ports, and active network connections, preserves the state a forensic analysis needs to challenge this defense, or to show that it is correct.
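What the volatile-data collection above looks like in practice, as an added example that is not from the book and is not the code of Field Search, osTriage or any other named tool: a small PowerShell live-triage script that records the logged-on user and boot time, every running process with its parent, command line and the SHA-256 of its image on disk, and every TCP endpoint joined to its owning process, then hashes its own output files. It assumes the triage USB drive is mounted as E:\ (the $Out default is an assumption), and it deliberately does not image memory; run your memory-imaging tool first, because every cmdlet below changes the contents of RAM slightly.

```powershell
# Added example (not from the book or any named triage tool): minimal live
# triage of a running Windows system. Run from the triage USB and write
# output there (E:\ is assumed) so nothing is written to the evidence disk.
# Capture physical memory with your imaging tool BEFORE running this.
param(
    [string]$Out = "E:\triage\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)

New-Item -ItemType Directory -Path $Out -Force | Out-Null
$log = Join-Path $Out 'collection.log'

function Write-Log([string]$msg) {
    $line = "$(Get-Date -Format o)  $msg"
    Add-Content -Path $log -Value $line
    Write-Output $line
}

Write-Log "Examiner account: $env:USERNAME  Host: $env:COMPUTERNAME  Time zone: $([TimeZoneInfo]::Local.Id)"
Write-Log "System clock: $(Get-Date -Format o)  (compare with a trusted time source and record any skew)"

# 1. Who is logged on, and when the machine last booted. The interactive user
#    and boot time are what tie a person to this session on this date.
Get-CimInstance Win32_ComputerSystem |
    Select-Object Name, UserName, Domain |
    Export-Csv (Join-Path $Out 'logged_on.csv') -NoTypeInformation
Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, OSArchitecture, LastBootUpTime, LocalDateTime |
    Export-Csv (Join-Path $Out 'os.csv') -NoTypeInformation
Write-Log "Captured logged-on user and boot time"

# 2. Running processes with parent PID, command line and SHA-256 of the image.
#    Unknown hashes, unexpected parents, or images under user-writable paths
#    are the first things to examine when a Trojan defense is raised.
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $hash = $null
    if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
        $hash = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Pid       = $_.ProcessId
        ParentPid = $_.ParentProcessId
        Name      = $_.Name
        Image     = $_.ExecutablePath
        Sha256    = $hash
        Created   = $_.CreationDate
        CmdLine   = $_.CommandLine
    }
}
$procs | Export-Csv (Join-Path $Out 'processes.csv') -NoTypeInformation
Write-Log "Captured $($procs.Count) processes"

# 3. Open and listening TCP endpoints, joined to the owning process name so a
#    remote connection can be read next to the program that holds it.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.Pid] = $p.Name }
$conns = Get-NetTCPConnection | ForEach-Object {
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        Pid     = $_.OwningProcess
        Process = $byPid[[int]$_.OwningProcess]
        Created = $_.CreationTime
    }
}
$conns | Export-Csv (Join-Path $Out 'tcp_connections.csv') -NoTypeInformation
Write-Log "Captured $($conns.Count) TCP endpoints"

# 4. Hash every output file so the collection can later be shown unaltered.
Get-ChildItem -Path $Out -File | Where-Object Name -ne 'collection.log' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={Split-Path $_.Path -Leaf}}, Hash |
    Export-Csv (Join-Path $Out 'manifest.csv') -NoTypeInformation
Write-Log "Wrote manifest; collection complete"
```

The order matters: memory image first, then this script, then the disk. The process and connection listings are what let an examiner later confront a Trojan Defense with what was actually running, rather than with an argument about what might have been erased at shutdown.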

Computers that are not running when approached can still be triaged, if the drives are not encrypted, without booting the installed operating system. This is done either by removing the hard drives and connecting them to a forensic workstation through a write blocker, or by booting the computer from a forensically modified compact disk or USB drive that carries an operating system built to be forensically sound, meaning it does not mount or write to the evidence drives on its own. A commonly used forensic boot environment is one of the many forensically modified Linux distributions. Another option is a forensically modified Windows operating system, such as the Windows Forensic Environment (WinFE) developed by Troy Larson of Microsoft.

Although conducting a triage/preview with the suspect near the computer does not automatically place the suspect behind the keyboard at the time of an incident, it may be the closest you can get, and sometimes that may be all that you need.

Summary

Attributing computer use to a specific person or persons is just as important as a forensic analysis of the computer device to uncover the criminal activity, civil violations, or internal policy violations. The ongoing process of creating a timeline does not have a beginning or end, as it is constantly changing with new information added as it is discovered.

Although there are few, if any, evidentiary items which can place a suspect behind a keyboard with absolute certainty, the culmination of a forensic analysis of activity combined with traditional investigative methods can result in substantial circumstantial evidence. Circumstantial evidence that eliminates persons of interest integrated with corroborating sources of evidence contributes to conclusions that no other person but the suspect could have been behind the keyboard.


Further reading

1. Field Search, <http://www.kbsolutions.com/html/field_search.html>.

2. Internet Examiner, <http://www.siquest.com>.

3. osTriage, <http://feeble-industries.com/forums>.

4. Oxygen Forensics Suite 2012, <http://www.oxygen-forensic.com/en/>.

5. PhotoME, <http://www.photome.de>.

6. Playstation, <http://us.playstation.com/>.

7. Registry Decoder, <http://www.digitalforensicssolutions.com/registrydecoder/>.

8. RegRipper, <http://regripper.wordpress.com>.

9. Tor Project, <http://www.torproject.org>.

10. Windows Forensic Environment, <http://winfe.wordpress.com>.

11. Windows Registry File Viewer, <http://www.mitec.cz/>.

12. X-Box, <http://www.xbox.com>.
