Fingerprinting a Web server from an investigative point of view

May 19th, 2010

Fingerprinting web servers is not a startling new revelation in web development. For several years now, technology to identify web servers has been used by both black-hat and white-hat hackers to identify weaknesses in web servers. Companies have used these “fingerprinting” techniques to identify incoming information about IP addresses and the servers they come from in order to prevent identity theft and credit card fraud. These techniques are also commonly used by penetration testers to help identify a system prior to attempting to review it. Hackers have used the same techniques to ascertain weaknesses in a web server’s implementation in order to attack the system.

Most often, “fingerprinting” is implemented as a server-side technique to examine incoming traffic. The client-side application of the technique is what would be of interest to the online investigator. There have been numerous discussions about its use and technical development, but not from the law enforcement investigative perspective. Identifying information about a server can be advantageous for an investigation being conducted on the Internet. “Fingerprinting” a web server can identify certain aspects of the server, including the operating system and version. This identification can potentially provide law enforcement investigators with additional useful information as to the nature and origin of the website.

Using the server’s responses to browser requests to identify what the system is running can aid the investigator’s preliminary examination of a website. The initial review of the website can determine the website’s ownership and validity. A commonly used tool that has been a hacking/penetration tester staple for years is Nmap. Nmap is short for Network Mapper, an open source utility for exploring networks and performing security audits. Other tools have been developed specifically for identifying web servers through the server’s response to a browser’s request. Some of those tools include hmap, Nikto, httprint and XProbe.
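As an added illustration of the passive identification described above (this is not code from the post or from any of the tools it names), the script below reads the headers of an HTTP response and records what they reveal: the Server banner and version, X-Powered-By, platform-specific session cookie names, and the header order that tools such as httprint also weigh. The two responses are constructed samples so the script runs offline, and COOKIE_HINTS is an illustrative mapping, not a signature database.

```python
"""Passive web-server fingerprint from HTTP response headers."""
import re

# Session-cookie names that usually point at a particular platform
# (illustrative mapping assumed for this example).
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 19 May 2010 14:02:11 GMT\r\n"
    b"Server: Apache/2.2.14 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.2\r\n"
    b"Set-Cookie: PHPSESSID=constructed; path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)
SUPPRESSED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: JSESSIONID=constructed; Path=/\r\n"
    b"\r\n"
)


def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and ordered (name, value) headers."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, headers = lines[0], []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:  # skip malformed lines that carry no colon
            headers.append((name.strip(), value.strip()))
    return status_line, headers


def split_product(server_value):
    """Split 'Apache/2.2.14 (Ubuntu)' into ('Apache', '2.2.14'); version may be None."""
    match = re.match(r"([^\s/]+)(?:/([\w.\-]+))?", server_value)
    if not match:
        return None, None
    return match.group(1), match.group(2)


def fingerprint(raw):
    """Return what the response headers say about the server, plus caveats."""
    status_line, headers = parse_response_headers(raw)
    result = {
        "status_line": status_line,
        "server": None,
        "server_product": None,
        "server_version": None,
        "powered_by": None,
        "platform_hints": [],
        # Header order differs between server families and is a secondary
        # signal when the Server banner is missing or looks edited.
        "header_order": [name.lower() for name, _ in headers],
    }
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            result["server"] = value
            result["server_product"], result["server_version"] = split_product(value)
        elif lname == "x-powered-by":
            result["powered_by"] = value
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_HINTS:
                result["platform_hints"].append(COOKIE_HINTS[cookie_name])
    if result["server"] is None:
        # Absence is a finding in itself: the operator chose to hide the banner.
        # Do not infer a platform from the absence alone.
        result["platform_hints"].append("Server header suppressed")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SUPPRESSED_RESPONSE):
        print(fingerprint(sample))
```

All of these values are self-reported by the server and can be edited or removed by its operator, so treat them as indicators to be corroborated, not as proof of what the site runs.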

A more in-depth evaluation of web server “fingerprinting” is needed to establish its full benefit as an investigative tool. Based on its current use in the field as a reliable penetration tester’s tool, the prospect appears great that this methodology could be beneficial to law enforcement.

Now available: 3 free model policies for social networking support

May 12th, 2010

Our 2-day on-site training devotes a fair amount of time to policy issues: investigative ethics applied online, undercover work, deconfliction, and employee stress management. However, while we talked about the need for policy, we didn’t have a model to offer.

Well, now we do! In the “White Papers” section of our Web site, you’ll now find three separate model policies: social networking investigations, official agency communication, and employee off-duty use.

Why 3 policies?

Law enforcement presence online isn’t just about gathering evidence. It’s also about ensuring that employees represent themselves and their agencies as professionals at all times (including not conducting investigations via their personal accounts). Also, just as agencies simultaneously conduct investigations and community relations in their communities, they should at least consider doing the same online.

The three policies complement each other, and as Todd is quoted in our press release, they’re meant to minimize the risk and maximize the reward of an online presence. They also fill a gap: while many policies are available from private companies, few are published by law enforcement agencies.

What the policies cover

The “Investigative Use of Social Networking” policy provides for:

  • Professional online conduct
  • Investigation preparation
  • Undercover work
  • Legal issues
  • Employee stress management

The “Agency Official Use of Social Networking” policy discusses:

  • Social media tools
  • Strategy for use
  • Communicating on the agency’s behalf
  • Restrictions on use
  • Handling requests from media and general public

The “Employee Off-Duty Use of Social Networking” policy includes:

  • Employee self-identification as a police officer
  • Confidential and sensitive information
  • Legal requirements
  • Disciplinary action

Because these are model policies, be sure to run them through administrators and department or other legal staff before you implement them, as state or jurisdictional laws may need to be specifically addressed.

Who will benefit?

We timed these policies’ release during the week of the ICAC Conference in Jacksonville, FL, where Todd is exhibiting. Now, we know ICAC investigators are well-versed in online investigation and thus policy – but we also know that their investigations can take them into jurisdictions where other detectives are not familiar with online work, undercover or otherwise.

So whether you’re an investigator whose agency needs social networking policies, or you know of investigators who do, please feel free to pass these along. You can refer others to the policy page using this address:

http://tinyurl.com/verepolicies

And if you have any questions, please let us know at info (at) veresoftware (dot) com !

DragNet? In what form?

May 5th, 2010

In February, CNet reported that police are looking for a “back door” to private data, in the form of “a national Web interface linking police computers with those of Internet and e-mail providers so requests can be sent and received electronically.”

This was followed up in April by a revelation that the Department of Justice had requested Yahoo emails without a warrant—because the emails were older than 180 days and stored on Yahoo servers rather than on a local machine.

Civil libertarians, of course, regard these stories as evidence of Big Brother manifesting all his totalitarian glory. But the original concept of a national network, says its originator, has been misrepresented.

More efficient, not more invasive

Sgt. Frank Kardasz is director of the Phoenix (Arizona) area Internet Crimes Against Children task force and, in a report to the Commerce Department’s Online Safety and Technology Working Group, wrote about the need for Internet service providers (ISPs) at least to maintain records for longer than the few weeks they currently do—up to a year or longer.

“The trouble with real life policing is that there are reporting delays from victims, overwhelming caseloads for detectives, forensics analysts and prosecutors, time delays or no response from Internet service providers and many other systemic issues that impede the rapid completion of our work,” he wrote in his report, “Internet Crimes Against Children and Internet Service Providers: Investigators Request Improved Data Retention and Response.”

Similar problems exist among government agencies, which is why Los Angeles County instituted the Electronic Suspected Child Abuse Report System. The Web-based system links public agencies together, replacing outdated forms of communication like faxes and postal mail, and reducing the likelihood that charges will be dropped or reduced due to missing evidence.

Because it is not a direct link from law enforcement to private records, it doesn’t carry quite the same implications for privacy. It does, however, solve very similar problems, and as the first of its kind in the country, it could easily serve as a model for other efforts.

Logistical concerns

The need for a strong model is particularly important when it comes to security. Many companies have hesitated over moving to “the cloud,” fearful of what might happen if a malware-infected PC accessed cloud-based private information. (Many of these issues are discussed in our white paper, “Basic Digital Officer Safety.”)

However, the U.S. Army is now using “milBook”, a secure Facebook-like interface restricted to its own personnel. Connecting people with each other as well as with defense-related topics, milBook facilitates the sharing of a broad range of information. Fundamentally, it might be compared to the Regional Information Sharing System, though more socially oriented.

Whether this would be as easy to set up is debatable, however. The Army, after all, has the DoD to administer its private network. For the DOJ to set up and maintain a public-private information exchange would not, to put it lightly, sit well with groups like the Electronic Frontier Foundation.

More likely may be for the DOJ to require ISPs to set up their own networks. Some already do, as CNet pointed out. The networks would have to comply with certain requirements regarding data storage and speed of retrieval, but the companies would retain control of user information.

The need for better ISP support

Kardasz noted, based on a 2009 survey of 100 investigators:

  • 61% reported ISP delays and limited time periods for storage detrimentally affected their investigations.
  • 47% reported they had to end investigations because the ISP didn’t retain the data they needed to make a case.
  • 89% wanted to see a national network established to make legal process requests more efficient.

“Investigators recognize that the subject of data preservation is controversial,” Kardasz wrote. “I think investigators respect the Constitution, support the rights of Commerce and simultaneously want to protect citizens from cybercrime. They seem to be asking for a system that is more efficient, not more invasive, a system that favors the crime-fighters instead of the criminals.”

What law enforcement can do

In last month’s issue of Law Enforcement Technology, Vere president and CEO Todd Shipley was quoted as saying, “It’s not just a federal problem. It’s a state and local problem too because the victims are citizens of the local community.”

So while ISPs can improve their processes, so can law enforcement. Todd’s recommendations: Know how to take reports on cyber crimes. Collect information the cybercrime experts need. Know how to share information and with whom. These pieces, the building blocks of professional police response, must be in place so that whatever ISPs institute to help law enforcement, it will be supported rather than criticized.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and digital forensics and can be reached at christa at christammiller dot com.

Social Media, Travel, Speeches and FourSquare

April 29th, 2010

The more I try to avoid business travel, the more I seem to do. Although travel is not bad, it can get overwhelming at times and seems to just put me further behind. I did recently in my travels have the opportunity to speak on an as-of-late favorite topic, and that is the use of Social Media by law enforcement. Specifically, I was speaking on the lack of policy by agencies starting to use Social Media, not only as a community policing tool, but as an investigative tool.

Recently I was asked to present at the first annual SMILE conference, or Social Media in Law Enforcement conference, in Washington DC. This was a great gathering of various law enforcement professionals interested in Social Media and its implementation within law enforcement. My specific piece was on the policy decision behind using social media as a law enforcement tool. I spoke about the need to have policy to protect the law enforcement officer as much as the agency. I was able to speak with some great talent in the field who are adapting social media for investigative and communicative reasons.

I also had the opportunity to speak at the Massachusetts Attorney General’s Cyber crime Initiative quarterly meeting. The Mass AG sponsors a meeting quarterly on various cybercrime topics. She brings in investigators from all over the state to discuss cybercrime. I was lucky enough to speak on the investigation of social media, and of course hit the topic of policy for law enforcement. The crowd of over 200 Massachusetts law enforcement investigators was eager to understand more about investigating social media, especially as it applied to Cyber bullying cases.

During the two weeks I was gone, connecting to so many investigators in person, I wanted to be sure not to lose touch with my online contacts — not just customers and prospects who email me, but also Twitter and Facebook followers. So, as a smartphone user, I downloaded a new app and signed up for a new program called “Foursquare”. The use of Foursquare allowed me to stay connected on the road from my phone. I could and did update my Facebook page and my Twitter account from my phone with a few clicks of the keyboard.

I found this to be a simple and easy use of the media and received numerous comments back regarding my updates. Many were interested in my travels and found the topics I was speaking on of interest.

Why am I mentioning this? When I talk to groups like these, I want to be sure they understand the value of social networking in their professional lives — not just from an investigative standpoint, but also from the standpoint of being able to network and share ideas with one another. Our increasingly interconnected world makes this an absolute necessity.

Are you on Foursquare, Twitter, Facebook or LinkedIn? Please feel free to connect with me.

How people socialize online

April 8th, 2010

By now, news stories about online criminal investigation are commonplace, from finding graffiti taggers to collecting gang intelligence.

But where do the social network users come from, and how do they use their favorite sites? These are important questions, whether you are trying to understand your community’s overall demographics, or specifically address criminal activity.

From spectators to creators

In 2007, think tank Forrester Research came up with the Social Technographics Ladder graphic (explained most recently in this post). Rather than showing segmented user groups, the ladder demonstrates a progression of behavior, from “inactive” (bottom rung) to “creators” (top rung), so that behaviors overlap.

What does this mean for law enforcement? Lots of things. Although it’s generic (Forrester has completed profiles for specific companies and industries about their customers), it’s a good start for investigators and administrators who want to understand victims and criminals alike.

First, only 17% of U.S. adults who are online are inactive in social media. From the standpoint of victims, they’re still at risk from email phishing, for instance, or other forms of identity theft.

But they’re not as at risk as Facebook or Twitter users, for instance, who are more exposed to “bad” links that send them to phishing sites, or surreptitiously download keylogger and other malware to their computers.

Criminals, meanwhile, are becoming bolder and more active. They may not so much be “curating” content—collecting, say, tips and techniques—as sharing and creating it, largely for the sake of having “bragging rights.” Witness the copious photos of drug and gun stashes on MySpace.

A full spectrum of social networks

The other graphic law enforcement can make use of is the Conversation Prism, a graphic designed by public relations professionals Brian Solis and Jesse Thomas. The Prism shows not just the wide variety of social networks out there, but also groups them into categories by use type.

The circular spectrum is a good way to visualize how social networks fit and the many ways users have to create and share content, according to their behavior as shown on the Social Technographics Ladder.

Additionally, at the Prism’s core are shown the value of these uses: ongoing feedback and insight, crisis communications and PR/marketing and customer support, all revolving around an organization’s brand. This is important to law enforcement agencies, but also valuable when applied to criminal organizations, such as gangs or narcotics networks.

And no, investigators do not have to create or maintain accounts on every single one of these sites. That would be cost-prohibitive. They should, however, maintain awareness—of these and of new popular sites—and be prepared to go where the investigation leads.

What online networking behaviors have you observed among criminals you investigate?

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and digital forensics and can be reached at christa at christammiller dot com.

By popular demand: WebCase adds new features

March 26th, 2010

WebCase users have been asking us for three things:

  • Full page capture
  • HTML, or “source,” code capture
  • 64-bit compatibility

We’re very pleased to have just released these features in WebCase 1.9, which is available now. Current WebCase users will find their efficiency improved via full page and HTML capture functions. Meanwhile, investigators who work exclusively on 64-bit systems can now take advantage of WebCase.

Full page and HTML capture

Full page capture improves efficiency, in part, with automatic scrolling. In previous WebCase versions, investigators had to scroll manually to areas of a page that were not immediately visible on the screen. Lengthy pages such as those seen on MySpace could result in numerous screenshots. Now with one click, WebCase captures an entire web page in a single JPEG graphic file.

WebCase 1.9 also introduces the ability to copy only the web page’s HTML (Hyper Text Markup Language), or underlying “source” code, to an evidence file. Some web pages are difficult to archive properly because of the embedded code, and previous versions of WebCase required several steps to archive the code. The HTML copy function allows just one step to document the source code for later review.

To see these two new features in action, watch our video here!

64-bit compatibility

64-bit systems have the performance to process more demanding applications, such as audio and video encoding, so 64-bit compatibility is important as WebCase users move to the latest in desktop computing technology.

Finally, WebCase 1.9 now also supports Windows 7 along with Vista and XP, and adds Internet Explorer 8 to its list of supported browser versions.

We’re still working on getting the demo version available, but meanwhile, please view the video (and the others we have available) — and please sign up for our next WebCase webinar on April 1st. (No April Fool’s!)

Six Online Tools for Tracing IP Addresses

March 9th, 2010

Tracing IP addresses is a fundamental skill for online investigations, and several online resources are available to assist with basic IP identification:

ARIN – American Registry for Internet Numbers
ARIN is a Regional Internet Registry (RIR) that provides services related to the technical coordination and management of Internet number resources in its respective service region. The ARIN service region includes Canada, many Caribbean and North Atlantic islands, and the United States.

Use the “Search Whois” function at https://www.arin.net/index.html to obtain IP registration information.

Sam Spade
Sam Spade has been in use as a tool for obtaining domain registration information for years. It has a simple Google-like interface where you enter an IP address or a domain name.

http://samspade.org/

DNS Stuff
This is another website that has been around for a number of years. It offers both free and paid options for assisting in the identification of IP addresses and other online information.

http://www.dnsstuff.com/tools/tools/

Network-Tools.com
Another website with a simple user interface to assist in IP tracing.

http://network-tools.com/

CentralOps.net
CentralOps is another website that assists with IP tracing. One of its features, “Domain Dossier”, performs multiple lookups on an IP address or domain.

http://centralops.net/co/

Internet Investigators Toolbar
All of these websites are easily accessible from our Internet Investigators Toolbar, which is free to the online investigations community and can be found on our website at http://veresoftware.com/index.php?page=downloads#toolbar

How important are date/time stamps to online investigations?

February 25th, 2010

Recently I read a listserv posting in which the poster described his use of the system clock to document the video evidence he was collecting. He described using the computer’s system clock as the source of verification of the date and time, and recording the system clock on the video to show what the time was when the video was being recorded.

Likewise, a WebCase user I spoke with told me that in the past, members of his unit would have to create a folder in which to keep case documents. Again, this used the system’s date/time stamping.

Date/time stamping is one of WebCase’s key features, but these two users bring up an excellent question: what, exactly, is the big deal about date/time stamping? More importantly, how can the defense challenge it in court?

Actually, it’s pretty easy to fudge a computer’s system clock. Not that an ethical investigator ever would, but the defense can introduce reasonable doubt with a simple demonstration. In Windows Vista, all it takes is a right-click on the time in the bottom right-hand corner. Then, select “Adjust Date/Time” and click on “Change date and time…”. System clock changed.

How does using WebCase prove you didn’t do this?

WebCase, when it starts, makes a system call to the National Institute of Standards and Technology’s (NIST) atomic clock to obtain the correct time. It then date- and time-stamps all evidence collected in the current UTC (Coordinated Universal Time, or what we used to refer to as Greenwich Mean Time), not the system clock time.

WebCase automatically verifies the UTC and documents this in the reports users generate. This helps to ensure that any reliance on the system clock is avoided.
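To make the point concrete, here is an added example (not WebCase code, and it never contacts NIST) of what an evidence record looks like when the collection time comes from a reference clock rather than the system clock, and the file hash and timestamp are bound together so that later edits to either are detectable. The reference time and the “chat log” are constructed inputs; the caller supplies the reference time, standing in for a value obtained from an external time source.

```python
"""Evidence record bound to a trusted UTC timestamp and a SHA-256 hash."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed inputs: a reference clock reading in US Eastern (UTC-5) and a
# small "chat log" standing in for a collected evidence file.
CONSTRUCTED_REFERENCE = datetime(2010, 2, 25, 10, 30, 0, tzinfo=timezone(timedelta(hours=-5)))
EXAMPLE_DATA = b"[10:29] suspect: constructed chat line\r\n"


def trusted_utc(reference):
    """Return an ISO-8601 UTC string from a timezone-aware reference time.

    Deliberately refuses to fall back to the system clock: an unverified
    local clock is exactly the weakness the post describes.
    """
    if reference is None:
        raise ValueError("no trusted time reference; refusing to use the system clock")
    if reference.tzinfo is None:
        raise ValueError("reference time must be timezone-aware")
    return reference.astimezone(timezone.utc).isoformat()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_record(filename, data, reference):
    """Hash the evidence and bind the hash to the collection time."""
    record = {
        "file": filename,
        "collected_utc": trusted_utc(reference),
        "sha256": sha256_hex(data),
    }
    # A second hash over the record fields ties the timestamp to the file hash,
    # so editing either one without refreshing the other is detectable. It does
    # not stop someone rebuilding the whole record; that needs a signature from
    # an independent party, which this example does not implement.
    record["record_sha256"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    return record


def verify(record, data):
    """Return a list of problems; an empty list means the record checks out."""
    problems = []
    if sha256_hex(data) != record.get("sha256"):
        problems.append("file content does not match recorded hash")
    core = {k: v for k, v in record.items() if k != "record_sha256"}
    if sha256_hex(json.dumps(core, sort_keys=True).encode()) != record.get("record_sha256"):
        problems.append("record fields were altered after creation")
    return problems


if __name__ == "__main__":
    rec = make_record("chat.txt", EXAMPLE_DATA, CONSTRUCTED_REFERENCE)
    print(json.dumps(rec, indent=2))
    print("verify:", verify(rec, EXAMPLE_DATA) or "ok")
```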

On the listserv, the poster went on to describe his collection process, using a document program into which he cut and pasted chats. Again, he used the system date and time as the time stamp for the file.

Not only does WebCase negate the need to use two separate programs—video collection and document—but its date and time stamping, along with its automatic hashing function, guarantees the file integrity of any video recorded.

See it in action: download a free demo!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Six Internet Tools for Researching Someone

February 13th, 2010

Finding information about someone online can be as simple as searching for them in Google. For more detailed information about people, several resources are available on the Internet. Each website returns a limited amount of information on the person you are researching, and most are a front end for a pay-for service through which, for a small fee, you can get a complete background on the individual. However, by searching several of the services, which return different information, you can quickly put together a significant amount of information on your subject.

Search Bug – http://www.searchbug.com/

ZabaSearch – http://www.zabasearch.com/

The Ultimates – http://www.theultimates.com/

Skip Ease – http://www.skipease.com/

Pipl – http://www.pipl.com/

Zoom Info – http://www.zoominfo.com/

Internet Investigators Toolbar

All of these websites are easily accessible from our Internet Investigators Toolbar, which is free to the online investigations community and can be found on our website at http://veresoftware.com/index.php?page=downloads#toolbar

Cloud computing: Not just for geeks or feds

February 8th, 2010

Think online investigation is just for the high-tech crimes types, the computer forensics geeks or the feds? Not so, says Todd in his interview with Cyber Speak’s Podcast (hosted, ironically, by two former federal agents). The more people are online, the more they’re likely to use cloud services, the more important it is for local law enforcement to be there too.

Todd’s appearance on Cyber Speak came about because of his two-part article on cloud computing, which had appeared in December in DFI News. He and Ovie Carroll discuss:

Impact of cloud computing on first responders

Detectives performing searches can’t simply pull the plug on a running computer anymore (a fact which prosecutors are having to get used to). They need to be able to perform data triage and possibly even volatile data collection.

Why? Because knowing whether a suspect has an online presence is critical to whether an arrest is made—and what happens afterward. Whether users are actively storing files “in the cloud” or simply members of social networking sites, law enforcement officers who don’t find evidence, and therefore do not make an arrest, risk that suspect going online and deleting all incriminating information.

Why is this a problem? Because the very nature of cloud storage means investigators may not be able to access a logical hard drive somewhere to recover the evidence. First, the sheer amounts of data stored on servers make this close to impossible. Second, there are jurisdictional issues.

Are you exceeding your authority?

Not only may information be stored outside your jurisdiction, but it may also be stored in another country altogether—one with different criminal and privacy laws. Accessing evidence of a crime in the United States may actually mean committing a crime in another country (Todd relates the story of two FBI agents for whom arrest warrants were issued in Russia).

This is a problem for local law enforcement, which Todd notes has been left largely to its own devices when it comes to online crime. Only Internet Crimes Against Children (ICAC) task forces have clear direction from the federal government on how to proceed.

Hence it’s easy for local police to kick Internet crimes up to regional, state or federal task forces. But as Todd points out, more people coming online means more crimes being committed against people in local jurisdictions both large and small. Law enforcement at every level needs to be able to respond.

Please listen to Todd and Ovie, and then come back and tell us what you think!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.