Archive for the ‘Investigative Techniques’ Category

Six Internet Tools for Researching Someone

Saturday, February 13th, 2010

Finding information about someone online can be as simple as searching for them in Google. For more detailed information, several resources are available on the Internet for identifying people. Each website returns a limited amount of information on the person you are researching, and most are a front end for a paid service that, for a small fee, provides a complete background on the individual. However, by searching several of the services, which return different information, you can quickly put together a significant amount of information on your target.

Search Bug http://www.searchbug.com/

Zaba Search http://www.zabasearch.com/

The Ultimates http://www.theultimates.com/

Skip Ease http://www.skipease.com/

Pipl http://www.pipl.com/

Zoom Info http://www.zoominfo.com/

Internet Investigators Toolbar

All of these websites are easily accessible from our Internet Investigators toolbar, which is free to the online investigations community and can be found on our website at http://veresoftware.com/index.php?page=downloads#toolbar

Identity theft online: Some background

Monday, December 7th, 2009

Identity theft is one of Detective Kipp Loving’s investigative specialties. Having worked hundreds of ID theft cases in the last decade, Loving has seen the crime evolve along with, and as an integral part of, the Internet. His webinar is based on the 8-hour block he teaches during the 40-hour California Peace Officer Standards & Training course on financial crimes.

Trends in online identity theft

The Internet’s reach often means multiple jurisdictions and sometimes hundreds of victims. In fact, it’s part of at least one of every level of an ID theft case, ranging from how criminals obtain identities to how they use them.

“Information compromise is just one component,” Loving says. “An ID thief doesn’t have to phish; he could as easily go dumpster diving for information, then go online to use it.”

Phishing is now a tool mainly of high-end rings associated with international gangs like the Russian Mafia, or Southeast Asian groups, who hire hackers to compromise databases. Cases involving them are usually federal, and much more sophisticated than most local ID thieves.

More likely for the average investigator to see:

  • “Crankster” (methamphetamine addict) dumpster divers.
  • An employee in a local company, abusing privileged access to private information in the employer’s databases.
  • Family-on-family ID theft.

The last trend has been particularly accelerated. ID theft is still prevalent in elder abuse cases. But in a troubling turn, more parents are stealing their children’s identities.

“The parents don’t get reported until the kids are of age and try to buy a first car or get an apartment,” says Loving. “And they can’t get out from under the liability unless they are willing to prosecute Mom and Dad.”

Case management + presentation

“Most people don’t associate case management with case presentation,” says Loving, “but prosecutors consider ID theft cases to be only a step above real estate fraud cases. When you’re dropping what may be a four-inch-thick case file on their desk, how you managed the case will be critical to how you present it, and therefore how it is received.”

A well-managed case contains several elements. “First, identify the cream that floats to the top,” says Loving. “You can’t manage 300 victims, so find out from the prosecutor how many is enough.” Sometimes the case will “go federal,” so local law enforcement and prosecutors need only do so much.

Second, a detailed timeline is critical to success. “A prosecutor will not read every page of your case, so a start-to-finish timeline on each charge helps them,” Loving says. “You include every incident, the elements of the crimes, dates, and amounts.”

Most important of all, however, is not to simply forward the case to the prosecutor once it is wrapped up. “You have to make an effort to form a relationship, talk to the prosecutor throughout the case,” says Loving, who once worked as a criminal investigator in a DA’s office. “They’ll tell you what they like and don’t like about the investigation.”

That relationship is not about micromanaging—it’s about “selling” the case. “You have to get to the point where you don’t need to sell it; they’re already sold by the time you close the case,” Loving says. “In fact, they’re so sold that they ask when they can have it.”

The need for information sharing

Identity theft investigations can be time-consuming and frustrating because they can span multiple victims and jurisdictions, which, at a time when law enforcement budgets are tight, makes them harder to work.

“You can’t always work with victims face to face, and there are usually many more victims than you know about,” says Loving. “The ones you work with are simply those who noticed and talked enough to assist your investigation.”

The most important thing at that point is for investigators to be involved with groups like the International High-Tech Crimes Investigators’ Association (HTCIA). Loving also runs his own 800+ member listserv, a restricted-access Yahoo! Group where detectives from across the nation can get search warrant language, company contact information, and connect with each other on their cases.

“Cops aren’t always good at information sharing,” he says, “but we need to get better as more of these crimes go into other jurisdictions.”

Register for the webinar on Thursday, April 28 — and during the webinar, find out how you can get 10% off the price of WebCase, plus free shipping!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

MySpace Investigations Basics: Some Background

Tuesday, November 3rd, 2009

A senior detective in Corona (California), Frank Zellers first realized the power of MySpace evidence during a 2006 homicide investigation. The suspect had a MySpace page, and not only were investigators able to recover current photos and intelligence from the site’s internal messaging system, they were also able to identify his location.

“Under a court order, MySpace provided us with the suspect’s IP address and subscriber ID, which we were then able to tie to his physical address,” says Zellers. “We watched him log in at 1 a.m., and we had him in custody nine hours later.”

That experience led Zellers to create an investigations course around MySpace, one that was designed not for task force members or computer forensic examiners, but for “novice” investigators. “For our basic class, we set up accounts to show the site’s internal functionality,” he says. “We show the students things like determining whether an image was uploaded to the site, or is embedded from another site. That helps them figure out where to serve search warrants.”

The “MySpace Investigations Basics” webinar grew out of that course. Zellers will discuss the site’s functionality, different ways to find different kinds of evidence, and how to save it, along with how advanced searches via Google and Yahoo figure into an investigation.

He’ll also cover how investigation of a MySpace page translates into investigation of other sites. “vBulletin forum software is very prevalent among the more obscure social networks,” he explains, “like the bulletin boards that host communities of online gamers, hard-core rappers, and others.”

That’s because many social networks retain the same general features which MySpace pioneered, including profile pages, comment space for friends, private messaging, and ability to share images and videos.

This varies by site (MySpace is more versatile than Facebook or Twitter), and the way the features are cataloged changes, so investigators must take care to keep current with what each site does.

They should also stay up-to-date on site demographics. MySpace, with its longtime reputation for being a teen hangout, remains more popular among young people than Facebook, which is popular among older generations.

More social networks are also moving toward integration. MySpace, for instance, has partnered with Skype, a Voice over IP application which allows both instant messaging and voice communications between members. A MySpace member can therefore IM a Skype user. (Zellers notes, however, that the chat conversation is archived on the user’s machine rather than on MySpace servers, making it a computer forensic job.)

Just because the MySpace user interface is complicated to adult eyes doesn’t mean plenty of evidence can’t be recovered and used either as intelligence, or to solve crimes—even in unexpected ways, as Zellers’ team discovered. And the continued popularity of social networking sites both new and old means investigators need to have these skills sooner rather than later.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Tracing IP Addresses: Some Background

Wednesday, October 14th, 2009

Tools like traceroute show the many data packet paths across the Internet.

Everyone uses the Internet, says Gary Kessler, instructor of the upcoming “Tracing IP Addresses” webinar, but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex, but also far more accessible to the investigator.

“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.

And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”

Tying digital evidence to individuals

These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”

In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”

In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”
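Kessler’s point about email headers, as an added example that is not part of the original post: the sketch below reads the Received trail of a constructed message from the newest hop down and stops trusting it at the first header not written by a server the examiner can vouch for. Every hostname and address, and the `TRUSTED` set itself, are made-up assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; every host and address is a documentation value.
# Servers prepend Received headers, so the newest hop is at the top. The last
# header was placed there by the sender's own software and is forged.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1;
\tMon, 12 Oct 2009 09:15:07 -0700
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP id B2;
\tMon, 12 Oct 2009 09:15:05 -0700
Received: from [203.0.113.77] (helo=laptop)
\tby smtp.isp.example with ESMTPA id C3;
\tMon, 12 Oct 2009 09:15:02 -0700
Received: from mail.bank.example (mail.bank.example [192.0.2.200])
\tby relay.bank.example with ESMTP id D4;
\tMon, 12 Oct 2009 09:10:00 -0700
From: "Account Services" <service@bank.example>
To: victim@recipient.example
Subject: constructed sample

body
"""

# Assumption: servers whose headers the examiner can corroborate from logs.
TRUSTED = {"mailstore.recipient.example", "mx.recipient.example",
           "smtp.isp.example"}


def parse_received(raw_message):
    """Return the Received hops, newest first, as a list of dicts."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", text)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        try:
            stamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            stamp = None  # missing or malformed date field
        hops.append({"by": by.group(1).lower() if by else None,
                     "from_ip": ip.group(1) if ip else None,
                     "time": stamp})
    return hops


def assess(hops, trusted_hosts):
    """Flag each hop and return the address seen by the last trusted server.

    Trust runs from the top down and ends at the first header written by a
    host outside trusted_hosts; anything below that point may be forged.
    """
    trusted, origin_ip = True, None
    for hop in hops:
        trusted = trusted and hop["by"] in trusted_hosts
        hop["trusted"] = trusted
        if trusted:
            origin_ip = hop["from_ip"]
    return origin_ip


if __name__ == "__main__":
    hops = parse_received(RAW)
    origin = assess(hops, TRUSTED)
    for hop in hops:
        state = "trusted" if hop["trusted"] else "UNVERIFIED"
        print(f'{state:10} by {hop["by"]} from {hop["from_ip"]} at {hop["time"]}')
    print("address to take to the provider:", origin)
```

The address it returns locates the submitting connection, not the person at the keyboard; tying it to an individual still takes subscriber records and corroborating evidence.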

Seeing evidence from every angle

Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”

The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.

In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.

Learn more: register for the Tracing IP Addresses webinar today!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Image: curiouslee via Flickr

Gangs on the Internet

Wednesday, September 16th, 2009

Everyone engaged in technology today is using some form of social media. Law enforcement is learning to deal with it and so are the criminals. Gang members have found it to be a great communication source and are regularly using social media to keep in contact. MySpace, Facebook and especially Bebo have become popular places for gang members to hang out. The term used to describe gang members’ activity online is Cyberbanging. Cyberbanging isn’t a brand new term, but it is probably not widely known outside of its gang member users.

General intelligence collection is one task where the web can help gang investigators. Blogs, social media pages and tweets can all give the law enforcement gang investigator valuable information about the goings-on in a gang and potential strife between factions.

Law enforcement generally identifies a criminal street gang as a group that has 3 or more members, shares common symbols or leadership, and gathers to commit crimes or engage in continuing criminal conduct (or enterprise). They also generally classify gang members according to one of four criteria: 1) self-admission, 2) a reliable informant confirms membership, 3) an unreliable informant confirms and a second source corroborates, and 4) via a confirmed law enforcement source.

The Internet can help identify gang affiliation by surfacing members’ self-admissions, i.e., photos of gang activity and comments indicating gang activity, and by serving as the corroborating source of information. A member’s MySpace page can contain significant information about them and their activities.

Those investigating gang members need to look on the Internet for potential members of their local gangs. Failing to do so could mean overlooking threats or trophy shots of criminal behavior that could prevent or solve crimes. In the worst cases, they may find the evidence to support a murder as a gang-related crime, as in the Jamiel Shaw case in Los Angeles. By many reports Jamiel was a star athlete. The dark side of his life was his Cyberbanging as a member of the Bloods. His MySpace page tells a very different story of his life than many people thought. There he allegedly proclaimed his gang membership and flashed gang signs.

Documenting this kind of online activity easily supports a law enforcement agency’s investigation into gang activity.

Sources of Online Information: Some Background

Wednesday, September 9th, 2009

Cynthia Navarro understands how overwhelming Internet searches for information can be. Not only does she do them in the course of her work as a private investigator, but she also regularly teaches law enforcement officers, corporate practitioners, and others about what’s available and how to find it.

Her “Sources of Online Information” webinar grew out of that experience. “The Internet is a tool that augments what you already have and enables you to get more,” she says. “I base my training on how investigators can get what they need. If they need an individual’s professional information, there’s LinkedIn or Spokeo. If they need personal information, I show them what they can and cannot get from various sites, and how that information is presented.”

She also shows how to perform “creative” searches across Web sites, not just in Google but using search utilities included in social networking sites. “Different results come up for my name, Cynthia Navarro, than for ‘Cynthia Navarro’ enclosed in quotes,” she explains. The same is true of searches that combine a name with a keyword, such as the individual’s interests or profession.

Sometimes investigators must collect information from people directly, using social networking sites to get personal. Such “pretexting” is necessary because people would not otherwise give up information to someone they know is an investigator. Pieced together with data gleaned from searches, this can become an invaluable means of constructing a case.

Connecting people, connecting identities

Navarro provides numerous examples of the ways it’s possible to use Web-based information to connect people to each other, as well as to find “other lives” they lead. One man she investigated turned out to have a profile on Match.com—as a woman. “People you wouldn’t expect to be associated with certain sites turn out to have a real dark side,” Navarro explains.

They also have certain habits, “things they need to get out there about themselves,” she says. “One CHP officer used his police vehicle and uniform in one of his Match.com pictures. I used him as an example in my classes, and not long after, his profile was deleted. But when he came back later on, using a different profile with different information, he still had a photo of a police vehicle.”

Navarro recognized him because she’d talked about him so much; she now uses the example to discuss how one deleted profile doesn’t necessarily mean another isn’t available.

Keeping up with information changes

Because Web-based information changes so rapidly, Navarro teaches that two things are important:

  • Evidence capture and preservation. “Within just one hour, a profile can go from public to private or even deleted,” she notes.
  • Evidence verification. “Some people post totally false information, so the investigator needs to know where to go to verify that what’s out there is true,” she says. The same applies to what they find on information retrieval services, which may not contain the most up-to-date data.

Overall, as Navarro teaches, many different tools exist for evidence capture; investigators must know which are most appropriate for their needs at the time. She cites Archive.org as one example of how investigators can see what a website looked like at a certain point in time.

Most important for investigators to know: “The enormous amount of information at their fingertips,” says Navarro.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Cyber Vigilantism or Cyber Neighborhood Watch?

Saturday, March 28th, 2009

Governments across the globe have been trying to deal with Cybercrime and its impact on our communities. Some have done a better job than others in responding to those crimes. The rise in Internet users over the past decade and our dependence on it as a medium for communication has increased the number of concerned citizen users. The Internet is no longer just a tool to do our shopping from our home, or a tool to research a school paper. Through social networking the Internet is truly becoming a community. With those communities come problems, but also concerned citizens, ready to rise up and act in the best interests of their community.

Law enforcement is still grappling with its response to enforcing the law on the Internet. They continue to meet the challenges with mixed results. Because of this enforcement vacuum there recently has been a rise in what can only be described as citizen activists. The rise in social networking has brought together many diverse people. The commonality among them is their willingness to protect their piece of the Internet. Evidence of this can be seen in several examples of concerned netizens standing up and taking action to protect their Internet.

Twitter, the recent social networking phenomenon, gave rise to an incident recently, as commented on by socialmedia.biz, where a “Twitterer” in Virginia found a threat posted on a Wikipedia page against a school in St. Louis. Enlisting others from the Twitter ranks, they tracked down information about the student posting the threat and made plans via Twitter about what to do with the information. The local police department was contacted and the threat relayed. However, the police complaint taker was less than cooperative according to reports and stated he “did not have access to the Web”. Another neighboring agency was contacted and appropriate actions were taken to resolve the issue.

And as far away as China, the Internet is changing the way people feel and communicate. Locating people online has become almost a sport. When unpleasant comments were posted online after the earthquake deaths in the Sichuan province, numerous Netizens researched and attacked the posters online. Even Chinese government officials are not immune from response. With millions of people online, the Chinese government is finding it increasingly difficult to control its citizens’ response to overzealous government officials. Wearing a $25,000 watch in the picture you post on the Internet is probably not a good idea when your government salary is not enough to cover its cost. The official was later dismissed, partly, I am sure, due to the Netizens’ complaints. In China this growing trend of Cyber-vigilantism is called “renrou sousuo”, or “human-flesh searches”. It is done spontaneously by Netizens to ferret out perceived wrongdoers.

At the extreme in this country we have the Texas Border Watch program. This is a novel concept of recruiting Cyber border watchers. Individuals can watch streaming video over the Internet from cameras mounted at various locations on the southern U.S. border and report suspicious activity. According to a report by NPR, “43,000 pairs of eyes are watching the Texas-Mexico border”. Netizens’ observations of the border have led to arrests of wrongdoers.

Cyber Vigilantism is not necessarily new. A few years ago a Korean girl was publicly humiliated online after not picking up after her dog on a train. In the late 1990s Cyber-vigilantism was thought to be a reasonable response to the emerging online crime problem because of law enforcement’s inability to respond to the problem. Even extremist groups have been tracked by vigilantes on the web. It’s a popular enough concept that Wikipedia has a page defining it.

The dark side of this argument has been groups such as Perverted Justice, whose regular work was chasing those who would prey on our children on the Internet. Their members’ antics have been regularly discredited as well as praised for their aggressive and persistent actions, which arguably may not be within the law. In the UK recently a law was passed to try and curtail the extreme amount of pornography found on the Internet. The “Extreme Porn” law has given rise to a group, the Enforcers of the Extreme Porn Law, who are dissatisfied with UK law enforcement’s position about not actively policing extreme porn.

How much has law enforcement’s response to Internet crime changed in the past decade? Certainly law enforcement has gotten better at dealing with the technology and on many levels their response is better. Many law enforcement agencies are even using social networking sites to communicate with their citizens. But there is no real drive to recruit netizens to become the eyes and ears of law enforcement online. In a recent entry on his blog “Note from a City CIO”, Bill Schrier wrote an article, “Twitter, Facebook not ready for Government 2.0”. Ready or not, Government will have to address social networking and the netizens on it, more likely sooner than anticipated at its growth rate.

Given the isolated examples of netizens’ reactions to criminals online, law enforcement may be missing an opportunity to recruit a neighborhood “Net-Watch” type of faithful following. Law enforcement could guide netizens and encourage their support. With the Internet’s ability to mobilize vast numbers in response to a crime on the Internet, an opportunity exists to deal a major blow to criminals everywhere. People now spend their waking hours, and some with web cameras, their sleeping ones too, online. It may be time for law enforcement to expand its online ranks with properly trained and recruited cyber watchers. It might also be a way of corralling the behavior of some of the Cyber vigilantes that have gone a little far in their attempts to hang online wrongdoers. Look out online criminals, your next door neighbor may soon be watching you.