Cloud computing: Not just for geeks or feds

February 8th, 2010

Think online investigation is just for the high-tech crimes types, the computer forensics geeks or the feds? Not so, says Todd in his interview with Cyber Speak’s Podcast (hosted, ironically, by two former federal agents). The more people are online, the more they’re likely to use cloud services, the more important it is for local law enforcement to be there too.

Todd’s appearance on Cyber Speak came about because of his two-part article on cloud computing, which had appeared in December in DFI News. He and Ovie Carroll discuss:

Impact of cloud computing on first responders

Detectives performing searches can’t simply pull the plug on a running computer anymore (a fact which prosecutors are having to get used to). They need to be able to perform data triage and possibly even volatile data collection.

Why? Because knowing whether a suspect has an online presence is critical to whether an arrest is made—and what happens afterward. Whether users are actively storing files “in the cloud” or are simply members of social networking sites, law enforcement officers who don’t find evidence, and therefore do not make an arrest, risk that suspect going online and deleting all incriminating information.

Why is this a problem? Because the very nature of cloud storage means investigators may not be able to access a logical hard drive somewhere to recover the evidence. First, the sheer amounts of data stored on servers make this close to impossible. Second, there are jurisdictional issues.

Are you exceeding your authority?

Not only may information be stored outside your jurisdiction, but it may also be stored in another country altogether—one with different criminal and privacy laws. Accessing evidence of a crime in the United States may actually mean committing a crime in another country (Todd relates the story of two FBI agents for whom arrest warrants were issued in Russia).

This is a problem for local law enforcement, which Todd notes has been left largely to its own devices when it comes to online crime. Only Internet Crimes Against Children (ICAC) task forces have clear direction from the federal government on how to proceed.

Hence it’s easy for local police to kick Internet crimes up to regional, state or federal task forces. But as Todd points out, more people coming online means more crimes being committed against people in local jurisdictions both large and small. Law enforcement at every level needs to be able to respond.

Please listen to Todd and Ovie, and then come back and tell us what you think!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Monitoring Twitter? Try Searchtastic

February 8th, 2010

Twitter is not the pointless what-I’m-having-for-breakfast exercise in narcissism that many people think it is. The Washington Post recently reported that gangs are now using it and rival Facebook to discuss their activities–thereby inadvertently incriminating themselves.

So, it’s a good idea for gang investigators, probation/parole officers, and other law enforcement officers to monitor Twitter to see what’s going on. Best way to do that? Lauri Stevens over at ConnectedCOPS offers Searchtastic:

Try searching Twitter with its own advanced search “feature” and you might come up a bit disappointed. Put in a term or hashtag and it will take you back only a week and a half or so in time.

With Searchtastic:

1. Search usernames or hashtags
2. You can pull up tweets from weeks and months back.
3. You can search on a particular user and the people he or she follows.
4. Then, click on a word in the search results and it modifies the search by the word. Once a word is in the search results, if you want to take it back out, click on it again.
5. And the clincher: When your search results look like something that might be interesting, export the results to Excel with the click of one button.

It seems like in ten or fifteen minutes, you could design a search, relevant to any investigation you might be working, that’s full of interesting terms and Twitter usernames. Export those results to Excel and cross reference them through your other database engines and maybe connect a few more dots. Useful?

I tried Searchtastic on the hashtag (a way to organize tweet topics) #webcase, which I used in November to live-tweet training from Charlotte, NC. The first run found tweets going back to October, but not my class tweets.

During my second run, without the # symbol, I found about six pages of tweets. Some came from Todd (who tweets as @Webcase); others from people who had “retweeted,” or recommended, WebCase or something we’d said.

As Lauri says, Searchtastic is in beta, so it may not catch 100% of what you are trying to find. As with so much when it comes to online investigations, it is best to run the search sooner rather than later. However, Searchtastic does find much more than Twitter Search; it does organize tweets nicely by username; and it does allow for export to Excel.

Find out more on Searchtastic’s About page.

Todd on CyberCrime 101: Episode 7

February 5th, 2010

Last month while Todd was training in New York City, he had a chance to meet Joe Garcia, an NYPD computer crimes detective we connected with on Twitter. Joe has a podcast, CyberCrime 101, about all things computer forensics and information security. After reviewing the WebCase demo, he kindly invited Todd on the show to talk.

Their focus: Todd’s background, WebCase, and being president of the International High Tech Crimes Investigators’ Association (HTCIA). Joe voiced his approval for our tutorial screencasts, as well as our webinars and 2-day training; Todd told us that WebCase now offers 64-bit support, and will soon be released in a new version that has more features.

Thanks for having Todd on the show, Joe!

A DFI News double feature

February 5th, 2010

We were pleased and honored in December when Digital Forensics Investigator (DFI) News opted to give two of Todd’s articles top billing on its site.

The articles, a two-part series, addressed whether collection of electronic evidence from the Internet is feasible. Some say no; obviously, we say yes!

In Part I, Todd drew from his 2007 white paper, “Collecting Legally Defensible Online Evidence,” to discuss the need for and development of a standard methodology for Internet evidence collection. In Part II, he addressed the application of that methodology specifically to “cloud” computing.

The cloud does present different challenges to evidence collection than do conventional Internet sources. But that doesn’t mean evidence collection from the cloud is impossible.

Read Part I here and Part II here. And please be sure to come back and tell us what you think. Do you agree? Disagree? Have you encountered the need for Internet evidence collection methodology… or investigative issues specific to the cloud? Comments are open!

Legal Issues with Online Investigations: Some background

January 15th, 2010

As Executive Director and Senior Counsel of the National Law Center for Children and Families, Richard Whidden is most familiar with laws and precedents related to child pornography—but stresses that investigators of other crimes can take away important information, too. “Much of the case law on electronic evidence comes from child porn cases because those are what prosecutors take on,” Whidden says.

During his webinar, “Legal Issues with Online Investigation,” on Thursday, January 21, Whidden will be discussing a sampling of cases from 2009 that had to do with Internet and computer forensics. One of the primary cases, however, has to do not with child pornography but instead with steroids.

Specifically, U.S. v. Comprehensive Drug Testing, Inc. describes forensic procedures relative to search and seizure of electronically stored evidence. Although it applies to the 9th Circuit Court of Appeals’ jurisdiction, it’s likely that other courts will look to the decision when dealing with their own issues of electronic evidence.

The case also illustrates how the process of e-discovery has evolved over the past 10 years. Typically this is difficult to discuss. As Whidden says, “You could have entire symposiums on how the law has changed over the last 10 years, before you even break out the crystal ball on how it will change over the next 10.”

Notably, law changes according to the technology. “We’ve gone from pornographic images of children, to streaming video of abuse taking place,” says Whidden. “Modes of transmission change. Cell phone technology is much more prevalent now, and will continue to evolve.”

Whidden will cover other legal issues, such as the definition of “possession” of child pornography, procedures related to computer-related evidence, search and seizure issues, and the difference between state and federal prosecutions. He will not discuss civil cases, only criminal cases, because of the higher burden of proof.

Some thoughts on Howard Schmidt’s appointment as Cyber Security Coordinator

January 6th, 2010

I first met Howard Schmidt around 1999 at one of the many National Institute of Justice (NIJ) cybercrime programs we eventually served on together. Howard was someone I looked up to and sought advice from when we saw each other. I have always been impressed by his demeanor and his ability to simplify the complex cybercrime problem when he speaks.

So, I thought initially that I should jump out and comment on my friend Howard’s new appointment as the U.S. Cyber Security Coordinator and congratulate him on the appointment. But then I thought I should wait and not be part of the pack.

After the announcement of his appointment, I surfed the Web to see what kind of reaction his appointment would cause in the media and the blogosphere. What I have seen so far is fairly tame for an Obama appointment.

For the most part the traditional media have been fairly benign in their response to the announcement. It appears to them it is just another Obama “Czar”. Most seemed interested in his introduction as the new Cyber Security Coordinator through a videotaped presentation on the White House’s website rather than his ability to do the job.

Indeed, Howard’s overall non-political stances appear to have placed him in the right place at the right time. And his extensive background in the cyber crime fighting arena is encouraging for a lot of us involved in the cyber crime fight.

But some people are not as encouraged. The attacks on Howard have already started, as evidenced by the comments on Bruce Schneier’s blog. (Ironic that the very technology he is asked to defend is the same anonymous place used to attack him.)

“If he was involved as part of the Bush administration, this promises to NOT be an improvement. Others here have correctly observed that it is a position completely set up to fail. Schmidt has never stayed in any one position very long. What has he ever actually accomplished over the years?”

“By taking this job, Schmidt is able to cash out of eBay without having to pay some taxes on gains he made there.”

Howard, like so many in the public eye, takes a beating for being able to stand up and offer themselves to the wolves of criticism. He is a fine man, a veteran federal and military investigator, an experienced law enforcement officer, and a Chief Security Officer in large corporations.

In other words, he has seen the problems from multiple levels within and from without government. His appointment will give him the opportunity to put a varied background of experience to work on a problem affecting everyone. How many people considered by the Obama administration had a resume to compare?

So what should Howard focus on and attempt to accomplish? First of all, he could help to define better the understanding in this country of the differences between Cyber-Security and Cyber-Crime. All too often they get melded into the same concept or are believed to be the same thing.

Some think that Cyber Security matters are the only issues he has or should deal with. Investigating Cyber Crime is a complex issue with just as many complex, multi-level facets as Cyber Security. Howard’s clear understanding of the issues related to both gives him an advantage. I would just like to see Cyber Crime investigation given the attention it needs and deserves.

Given his background and the infighting amongst the current bureaucrats governing IT security and cybercrime in the United States, Howard has a rough road ahead. Even though he does seem to want to remain out of the politics of the job (as evidenced by his release of a videotaped statement rather than a press conference), many feel the job is all title and no authoritative bite.

With the dissatisfaction of Melissa Hathaway and others who were standing in line or considered for the job this year, I hope the Obama administration gives Howard the latitude and support to do the work that needs to be done. Good luck Howard…..

Identity theft online: Some background

December 7th, 2009

Identity theft is one of Detective Kipp Loving’s investigative specialties. Having worked hundreds of ID theft cases in the last decade, Loving has seen the crime evolve along with, and as an integral part of, the Internet. His webinar is based on the 8-hour block he teaches during the 40-hour California Peace Officer Standards & Training course on financial crimes.

Trends in online identity theft

The Internet’s reach often means multiple jurisdictions and sometimes hundreds of victims. In fact, it figures into at least one level of every ID theft case, ranging from how criminals obtain identities to how they use them.

“Information compromise is just one component,” Loving says. “An ID thief doesn’t have to phish; he could as easily go dumpster diving for information, then go online to use it.”

Phishing is now a tool mainly of high-end rings associated with international gangs like the Russian Mafia, or Southeast Asian groups, who hire hackers to compromise databases. Cases involving them are usually federal, and much more sophisticated than most local ID thieves.

More likely for the average investigator to see:

  • “Crankster” (methamphetamine addict) dumpster divers.
  • An employee in a local company, abusing privileged access to private information in the employer’s databases.
  • Family-on-family ID theft.

The last trend has been particularly accelerated. ID theft is still prevalent in elder abuse cases. But in a troubling turn, more parents are stealing their children’s identities.

“The parents don’t get reported until the kids are of age and try to buy a first car or get an apartment,” says Loving. “And they can’t get out from under the liability unless they are willing to prosecute Mom and Dad.”

Case management + presentation

“Most people don’t associate case management with case presentation,” says Loving, “but prosecutors consider ID theft cases to be only a step above real estate fraud cases. When you’re dropping what may be a four-inch-thick case file on their desk, how you managed the case will be critical to how you present it, and therefore how it is received.”

A well-managed case contains several elements. “First, identify the cream that floats to the top,” says Loving. “You can’t manage 300 victims, so find out from the prosecutor how many is enough.” Sometimes the case will “go federal,” so local law enforcement and prosecutors need only do so much.

Second, a detailed timeline is critical to success. “A prosecutor will not read every page of your case, so a start-to-finish timeline on each charge helps them,” Loving says. “You include every incident, the elements of the crimes, dates, and amounts.”

Most important of all, however, is not to simply forward the case to the prosecutor once it is wrapped up. “You have to make an effort to form a relationship, talk to the prosecutor throughout the case,” says Loving, who once worked as a criminal investigator in a DA’s office. “They’ll tell you what they like and don’t like about the investigation.”

That relationship is not about micromanaging—it’s about “selling” the case. “You have to get to the point where you don’t need to sell it; they’re already sold by the time you close the case,” Loving says. “In fact, they’re so sold that they ask when they can have it.”

The need for information sharing

Identity theft investigations can be time-consuming and frustrating because they can span multiple victims and jurisdictions—which, at a time when law enforcement budgets are tight, makes them harder to work.

“You can’t always work with victims face to face, and there are usually many more victims than you know about,” says Loving. “The ones you work with are simply those who noticed and talked enough to assist your investigation.”

The most important thing at that point is for investigators to be involved with groups like the International High-Tech Crimes Investigators’ Association (HTCIA). Loving also runs his own 800+ member listserv, a restricted-access Yahoo! Group where detectives from across the nation can get search warrant language, company contact information, and connect with each other on their cases.

“Cops aren’t always good at information sharing,” he says, “but we need to get better as more of these crimes go into other jurisdictions.”

Podcast: Todd talks social media, online investigations

November 30th, 2009

Canada-based podcasting service provider The Daily Splice recently started its own podcast: Law Enforcement 2.0, in which marketer Mike Waraich interviews individuals who are involved with encouraging police departments to “join the conversation” online.

Social media is, of course, beginning to figure into much more than conversation: it’s playing a role in everything from online crime to police recruiting to intelligence. Because all of this information must be verifiable, police need a standard methodology to collect it.

Which is why Mike invited Todd on the show a few weeks ago. For just about half an hour, the two discussed the following:

Defining online investigation in terms of standard methodology.

Would online investigation be less “scary” if the people conducting it knew they could do it without their veracity being called into question? Standardized process counts for a lot, so being able to date/time stamp, “digitally fingerprint” (hash), and log Internet evidence in the same way other forms of evidence are authenticated can make investigators’ jobs a lot easier.
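To make the date/time stamp, hash and log steps concrete, here is an added example (not code from the podcast or from WebCase) of a collection log in which every captured item gets a UTC timestamp and a SHA-256 fingerprint, and every log entry is chained to the one before it so later edits are detectable. The function names, field names, URLs and sample content are all assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous entry" value for the first log entry


def entry_digest(entry):
    """Hash every field of a log entry except its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, source_url, content, collected_at=None):
    """Append one captured item: when, from where, and its fingerprint."""
    collected_at = collected_at or datetime.now(timezone.utc)
    entry = {
        "seq": len(log) + 1,
        "collected_utc": collected_at.astimezone(timezone.utc).isoformat(),
        "source_url": source_url,
        "size": len(content),
        "sha256": hashlib.sha256(content).hexdigest(),  # the "digital fingerprint"
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log, items):
    """Re-check the chain and every item; return a list of (seq, problem)."""
    problems = []
    prev = GENESIS
    for entry in log:
        if entry["prev_entry_sha256"] != prev or entry_digest(entry) != entry["entry_sha256"]:
            problems.append((entry["seq"], "log entry altered or out of order"))
        content = items.get(entry["seq"])
        if content is None:
            problems.append((entry["seq"], "item missing"))
        elif hashlib.sha256(content).hexdigest() != entry["sha256"]:
            problems.append((entry["seq"], "item content changed"))
        prev = entry["entry_sha256"]
    return problems


def build_sample_log():
    """Constructed sample: two saved pages with fixed collection times."""
    items = {
        1: b"<html><body>profile page as captured</body></html>",
        2: b"<html><body>comment thread as captured</body></html>",
    }
    log = []
    add_entry(log, "https://social.example/profile/1234", items[1],
              datetime(2009, 11, 30, 15, 0, 0, tzinfo=timezone.utc))
    add_entry(log, "https://social.example/profile/1234/comments", items[2],
              datetime(2009, 11, 30, 15, 2, 30, tzinfo=timezone.utc))
    return log, items


if __name__ == "__main__":
    log, items = build_sample_log()
    print(json.dumps(log, indent=2))
    print("problems:", verify(log, items))
```

The chain shows that the log and the items still agree with each other; the recorded time is only as reliable as the collecting machine's clock.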

Social media as a “neighborhood.”

Most everyone under 30 (and many over 30) are, in some ways, members of this online space. Just as in a real-world neighborhood, the number of “residents” = number of potential victims. And crimes are being committed, not just on the Web, but in other areas of the Internet which are their own communities. (Think chat rooms, instant messaging and Usenet.)

Whether law enforcement can coexist with community relations.

As long as law enforcement is an active participant in the online community, it cannot be misconstrued as “Big Brother” watching. Instead, it brings community policing concepts to the Web: like a park in a bad section of town, it will stay “bad” unless law officers go there and partner with people who live there to clean it up.

Reputation management.

What people post on the Web is there forever. Some law enforcement officers need to be made cognizant of this fact. Employers look at people’s social media profiles not just to make hiring decisions, but also to ensure their employees are maintaining the standard expected of them.

Part of maintaining that standard is not to avoid parts of the neighborhood which are not well understood or liked. Investigators who do avoid them need to understand that the “conversation” goes on without them. Not to be there for it risks missing valuable intelligence and other information.

In other words, as Todd put it, “You may not want to go into a bad neighborhood because you know bad things can happen, but you still need to be there.”

Understanding the neighborhood.

Just as a good cop takes time to learn the landscape and culture of the neighborhood s/he is responsible for, a good Internet investigator takes time to understand where people are online–and where they are moving, what they are talking about, what they are doing.

With hundreds of social sites, this can be hard to figure out much less monitor. But the more investigators learn, the more they can make online investigation part of their everyday work lives, the more efficient they will become.

The conversation wrapped up, of course, with a short discussion about WebCase and where it fits in all this. Thanks again to Mike for the interest. We hope to be able to participate in future podcasts!

MySpace Investigations Basics: Some Background

November 3rd, 2009

A senior detective in Corona (California), Frank Zellers first realized the power of MySpace evidence during a 2006 homicide investigation. The suspect had a MySpace page, and not only were investigators able to recover current photos and intelligence from the site’s internal messaging system, they were also able to identify his location.

“Under a court order, MySpace provided us with the suspect’s IP address and subscriber ID, which we were then able to tie to his physical address,” says Zellers. “We watched him log in at 1 a.m., and we had him in custody nine hours later.”

That experience led Zellers to create an investigations course around MySpace, one that was designed not for task force members or computer forensic examiners, but for “novice” investigators. “For our basic class, we set up accounts to show the site’s internal functionality,” he says. “We show the students things like determining whether an image was uploaded to the site, or is embedded from another site. That helps them figure out where to serve search warrants.”

The “MySpace Investigations Basics” webinar grew out of that course. Zellers will discuss the site’s functionality, different ways to find different kinds of evidence, and how to save it, along with how advanced searches via Google and Yahoo figure into an investigation.

He’ll also cover how investigation of a MySpace page translates into investigation of other sites. “vBulletin forum software is very prevalent among the more obscure social networks,” he explains, “like the bulletin boards that host communities of online gamers, hard-core rappers, and others.”

That’s because many social networks retain the same general features which MySpace pioneered, including profile pages, comment space for friends, private messaging, and ability to share images and videos.

This varies by site—MySpace is more versatile than Facebook or Twitter—and the way the features are cataloged changes, so investigators must take care to keep current with what each site does.

They should also stay up-to-date on site demographics. MySpace, with its longtime reputation for being a teen hangout, remains more popular among young people than Facebook, which is popular among older generations.

More social networks are also moving toward integration. MySpace, for instance, has partnered with Skype, a Voice over IP application which allows both instant messaging and voice communications between members. A MySpace member can therefore IM a Skype user. (Zellers notes, however, that the chat conversation is archived on the user’s machine rather than on MySpace servers, making it a computer forensic job.)

Just because the MySpace user interface is complicated to adult eyes doesn’t mean plenty of evidence can’t be recovered and used either as intelligence, or to solve crimes—even in unexpected ways, as Zellers’ team discovered. And the continued popularity of social networking sites both new and old means investigators need to have these skills sooner rather than later.

Tracing IP Addresses: Some Background

October 14th, 2009
Tools like traceroute show the many data packet paths across the Internet.

Everyone uses the Internet, says Gary Kessler, instructor of the upcoming “Tracing IP Addresses” webinar—but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex–but far more accessible to the investigator.

“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.

And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”

Tying digital evidence to individuals

These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”
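The point about email headers can be seen by reading the Received lines of a message, as in this added example (not material from the webinar). It separates the address each receiving server actually observed from the name the sending host merely claimed, and picks out the one hop recorded by a server the investigator can vouch for. The message, host names and the `recipient.example` trust suffix are constructed, and all addresses come from documentation ranges.

```python
import email
import re

# Constructed sample message; tab-indented lines are folded header continuations.
RAW = "\n".join([
    "Received: from mx.example.net (mx.example.net [203.0.113.25])",
    "\tby inbound.recipient.example with ESMTPS id A1;",
    "\tMon, 12 Oct 2009 14:03:11 -0400",
    "Received: from relay.example.net (relay.example.net [198.51.100.7])",
    "\tby mx.example.net with ESMTP id B2;",
    "\tMon, 12 Oct 2009 14:03:09 -0400",
    "Received: from [192.168.1.50] (unknown [192.0.2.44])",
    "\tby relay.example.net with ESMTPA id C3;",
    "\tMon, 12 Oct 2009 14:03:05 -0400",
    'From: "Sender" <sender@example.net>',
    "To: someone@recipient.example",
    "Subject: constructed sample",
    "",
    "body",
])

# "from <claimed name> (<what the receiver saw> [ip]) by <receiving server>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return hops in header order: newest (nearest the recipient) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        helo, observed, by = m.groups()
        ip = IP_RE.search(observed)
        hops.append({
            "helo": helo,                                  # claimed by the sending host
            "observed_ip": ip.group(1) if ip else None,    # seen by the receiving server
            "by": by.rstrip(";"),
        })
    return hops


def boundary_hop(hops, trusted_suffix):
    """Deepest hop written by a server under trusted_suffix.

    Every Received line below this one was added by servers outside that
    control (or by the sender) and may be fabricated.
    """
    boundary = None
    for hop in hops:
        if not hop["by"].lower().endswith(trusted_suffix):
            break
        boundary = hop
    return boundary


def helo_mismatches(hops):
    """Hops whose claimed address literal differs from the observed address."""
    out = []
    for hop in hops:
        literal = IP_RE.fullmatch(hop["helo"])
        if literal and literal.group(1) != hop["observed_ip"]:
            out.append(hop)
    return out


if __name__ == "__main__":
    hops = received_hops(RAW)
    for hop in hops:
        print(hop)
    print("boundary:", boundary_hop(hops, "recipient.example"))
    print("mismatched HELO:", helo_mismatches(hops))
```

The boundary hop's observed address says where the message entered trusted infrastructure; nothing in the header identifies the person at the keyboard.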

In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”

In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”

Seeing evidence from every angle

Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”

The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.

In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.

Image: curiouslee via Flickr