Posts Tagged ‘network forensics’

How the bad guys use social media: An interview with Todd Shipley

Monday, February 28th, 2011

Hardly a day goes by when the news isn’t reporting criminal use of social media to find and groom victims, start and fuel gang wars, or exploit other weaknesses. Todd Shipley joined Spark CBC host Nora Young last week to talk about some of these issues, along with how police can use social media to find the activity.

Listen to the 20-minute interview now to find out:

  • How criminals exploit their victims’ weaknesses, along with their own need for social connections
  • The importance of looking beyond the physical crime scene to its virtual extension
  • The social and technical skills police need to document online and other digital evidence before it gets to detectives
  • How online or cloud investigation is similar to network forensics (and unlike computer forensics)
  • What legal requirements police need to abide by when they go online

Got questions about Todd’s interview? Leave us a comment!

Tracing IP Addresses: Some Background

Wednesday, October 14th, 2009
Tools like traceroute show the many data packet paths across the Internet.

Tools like traceroute show the many data packet paths across the Internet.

Everyone uses the Internet, says Gary Kessler, instructor of upcoming “Tracing IP Addresses” webinar—but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex–but far more accessible to the investigator.

“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.

And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”

Tying digital evidence to individuals

These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”

In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”

In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”

Seeing evidence from every angle

Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”

The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.

In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.

Learn more: register for the Tracing IP Addresses webinar today!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Image: curiouslee via Flickr