Posts Tagged ‘digital evidence’

How the bad guys use social media: An interview with Todd Shipley

Monday, February 28th, 2011

Hardly a day goes by when the news isn’t reporting criminal use of social media to find and groom victims, start and fuel gang wars, or exploit other weaknesses. Todd Shipley joined Spark CBC host Nora Young last week to talk about some of these issues, along with how police can use social media to find the activity.

Listen to the 20-minute interview now to find out:

  • How criminals exploit their victims’ weaknesses, along with their own need for social connections
  • The importance of looking beyond the physical crime scene to its virtual extension
  • The social and technical skills police need to document online and other digital evidence before it gets to detectives
  • How online or cloud investigation is similar to network forensics (and unlike computer forensics)
  • What legal requirements police need to abide by when they go online

Got questions about Todd’s interview? Leave us a comment!

Simplifying the webmail collection process

Thursday, January 13th, 2011

A recent ComputerWorld article discussed the security problems posed by webmail within organizations. In short, because webmail comes across HTTP rather than SMTP protocols, the organization does not protect against data leakage as it does from its own email system.

The reasons for this are many. In 2008, ComputerWorld ran an article that discussed ways webmail could breach even organizations with strong security. As always, the human factor can be a challenge. Well-meaning employees may use webmail to segregate business from personal email, when they are required not to conduct personal business on company accounts; employees may also use webmail to bypass overly complicated email security procedures.

At that point, even if employees’ personal webmail accounts aren’t being archived per the law, their email may become discoverable in the event of litigation. How to document the emails’ content?

In an October 2009 article for EDEN: The Electronic Data Extraction Network, Jonathan Yeh discussed various ways in which webmail could be captured for archival purposes. Among them:

  • Download the email locally using an email client with a POP or IMAP protocol. It can then be searched just like other digital evidence.
  • If these protocols cannot be used, screenshots, web page capture, or even printing.
  • Obtain data via browser artifacts.

Each of these methods is, however, complicated. Yeh goes into these issues in some detail, ending with the need to document each step of the collection process. While true that the courts accept expert testimony together with downloaded or screenshot data, there is still nothing about these collection methods to prove that the content was not manipulated in any way.

In addition, the procedures Yeh describes, along with some of the issues that the investigator must take into account, are time-consuming. Under such conditions, the margin for human error is greater, and as Yeh concludes, “The reliability of evidence can often only be gauged by the reliability of the methods used to collect it, and proper documentation can be the difference between admissibility and inadmissibility in court.”

Simplifying the “screenshots and web page captures” process, and in doing so addressing the reliability issue that Yeh brings up, is WebCase. That it is currently the only tool to do so should not be lost on e-discovery experts or other investigators.

Want more information? Schedule your free demo today!

Podcast: Todd talks social media, online investigations

Monday, November 30th, 2009

Canada-based podcasting service provider The Daily Splice recently started its own podcast: Law Enforcement 2.0, in which marketer Mike Waraich interviews individuals who are involved with encouraging police departments to “join the conversation” online.

Social media is, of course, beginning to figure into much more than conversation: it’s playing a role in everything from online crime to police recruiting to intelligence. Because all of this information must be verifiable, police need a standard methodology to collect it.

Which is why Mike invited Todd on the show a few weeks ago. For just about half an hour, the two discussed the following:

Defining online investigation in terms of standard methodology.

Would online investigation be less “scary” if the people conducting it knew they could do it without their veracity being called into question? Standardized process counts for a lot, so being able to date/time stamp, “digitally fingerprint” (hash), and log Internet evidence in the same way other forms of evidence are authenticated can make investigators’ jobs a lot easier.

Social media as a “neighborhood.”

Most everyone under 30 (and many over 30) are, in some ways, members of this online space. Just as in a real-world neighborhood, the number of “residents” = number of potential victims. And crimes are being committed, not just on the Web, but in other areas of the Internet which are their own communities. (Think chat rooms, instant messaging and Usenet.)

Whether law enforcement can coexist with community relations.

As long as law enforcement is an active participant in the online community, it cannot be misconstrued as “Big Brother” watching. Instead, it brings community policing concepts to the Web: like a park in a bad section of town, it will stay “bad” unless law officers go there, partner with people who live there to clean it up.

Reputation management.

What people post on the Web is there forever. Some law enforcement officers need to be made cognizant of this fact. Employers look at people’s social media profiles not just to make hiring decisions, but also to ensure their employees are maintaining the standard expected of them.

Part of maintaining that standard is not to avoid parts of the neighborhood which are not well understood or liked. Investigators who do need to understand that the “conversation” goes on without them. Not to be there for it risks missing valuable intelligence and other information.

In other words, as Todd put it, “You may not want to go into a bad neighborhood because you know bad things can happen, but you still need to be there.”

Understanding the neighborhood.

Just as a good cop takes time to learn the landscape and culture of the neighborhood s/he is responsible for, a good Internet investigator takes time to understand where people are online–and where they are moving, what they are talking about, what they are doing.

With hundreds of social sites, this can be hard to figure out much less monitor. But the more investigators learn, the more they can make online investigation part of their everyday work lives, the more efficient they will become.

The conversation wrapped up, of course, with a short discussion about WebCase and where it fits in all this. Thanks again to Mike for the interest. We hope to be able to participate in future podcasts!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.