Posts Tagged ‘social media’

New Book Investigating Internet Crimes Released

Saturday, February 15th, 2014

Investigating Internet Crimes:
An Introduction to Solving Crimes in Cyberspace

You can find the new book by Todd G. Shipley and Art Bowker on Amazon books, and you can also follow the authors on their blog. What’s being said about the book:

Neal Ysart, Director First August Ltd, likes Investigating Internet Crime by Shipley and Bowker

“At last….. Informed, pragmatic guidance from two highly experienced professionals who have actually spent time on the front line, not just the classroom. This book is relevant for practitioners working in both law enforcement and within business – every aspiring cyber investigator should have a copy.” Neal Ysart, Director First August Ltd, Information and Corporate Risk Services

So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

Monday, July 25th, 2011

Recently an article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website Anti-forensics.com. The short article complained that drugs were being blatantly sold on the Internet, that something needed to be done about it, and that Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network, through the use of Tor’s “Hidden Services” function. The “Silk Road” is an online market open for the sale of goods, named after the ancient road used to bring goods from the Orient to the West.

For the power user of the Tor network, Hidden Services is probably nothing new. As an average online investigator, though, you may have heard of Tor and may even have tried to use it (especially if you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? If you haven’t, then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor network and have your browser enabled to use Tor. How do you find sites using the hidden services? Start at the core…

http://eqt5g4fuenphqinx.onion/ 

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:

http://xqz3u5drneuzhaeo.onion/users/hackbloc/index.php/Mirror/kpvz7ki2v5agwt35.onion/Main_Page

 

Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:

http://www.onion-router.net/Publications/locating-hidden-servers.pdf

http://www.irongeek.com/i.php?page=videos/tor-hidden-services

http://www.torproject.org/docs/tor-hidden-service.html.en

 

Not to make it any worse, but if you have not heard, I2P (another anonymizing network that is becoming increasingly popular) also has its own “eepsites”, similar to the Hidden Services offered in Tor, to which a user can post content like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

Cell phones, the Internet and common evidence issues

Wednesday, July 6th, 2011

Our free webinar last week was on cell phones and the common apps used to connect them with the Internet. Mike Harrington of Teel Technologies talked about some of the items of evidence which those apps leave, both on the phones and on the Internet sites the apps lead to.

Todd has been talking for some time about how the normal crime scene has been changing over time and that investigators, both civil and criminal, need to be thinking of where their evidence is outside of the physical location they are at. The Internet, and the ability of most modern cell phones to connect to it, have greatly expanded our possible locations for evidence to be found – far beyond the physical crime scene. This increase of course means more work. But with the additional locations for evidence, investigators can obtain a clearer picture of what occurred.

This means that evidence will be located at a minimum in the following places:

  1. The cell phone itself (forensic data extraction)
  2. The social media site (accessed from the web and properly documented). Depending on the number of apps on the phone this could be numerous sites.

Because we don’t generally let the cell phone access the web during data extraction (to prevent syncing and therefore data change), what is on the cell phone will undoubtedly be different than what is on the social media site.

This is particularly true if the user accesses the sites from places other than his cell phone, or his friends make posts to his wall (as themselves or even posing as him). So, to corroborate what they find on the phone, investigators should also plan to collect additional items through legal service (civil or criminal subpoena or search warrant):

  1. Cell phone/tower records from the provider
  2. Social media site records from the social media site. Again, depending on the number of apps on the phone, this could be numerous sites.

Each of these records contains a piece of the puzzle. Compiling all of them can give the investigator a more accurate picture of what occurred and when, but it all needs to be documented properly.

The investigator must also be prepared to investigate further when the two are inconsistent, and if necessary, explain the inconsistencies in court. For example, if phone artifacts have date/time stamps and content that are different from those found on social networking sites, investigators must question why. The same applies when a cell service provider’s records differ from phone or Internet evidence.

In short: none of this evidence – data on the cell phone, the social networking site, or in the cell or Internet service provider’s records – should be considered “nice to have.” With courts paying more attention to the authenticity and verifiability of digital evidence, gathering as much information as possible from as many sources as possible is a requirement for ensuring that victims and suspects alike get the due process they deserve.
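The comparison described above, sketched as an added example that is not part of the original post: items extracted from the phone are matched against the site's records, with both clocks normalised to UTC first. The record layout, the item ids and the sample values are constructed, and the assumption that the phone stored local time at UTC-7 while the site reports UTC is the example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. Assumption: the phone stored local time (UTC-7)
# and the site's records are in UTC.
PHONE = {
    "p1": {"time": "2011-07-01 09:15:02", "text": "Meet at the usual place"},
    "p2": {"time": "2011-07-01 10:40:00", "text": "On my way"},
    "p3": {"time": "2011-07-01 11:05:30", "text": "Delete this later"},
}
SITE = {
    "p1": {"time": "2011-07-01 16:15:05", "text": "Meet at the usual place"},
    "p2": {"time": "2011-07-01 18:02:11", "text": "On my way!!"},
    "p4": {"time": "2011-07-01 19:30:00", "text": "Happy birthday"},
}


def to_utc(stamp, offset_hours=0):
    """Parse 'YYYY-MM-DD HH:MM:SS' recorded at a known UTC offset into UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def reconcile(phone, site, phone_offset_hours, tolerance_s=120):
    """Return {item_id: [findings]} for every item the investigator must explain."""
    findings = {}
    for item in sorted(set(phone) | set(site)):
        p, s, notes = phone.get(item), site.get(item), []
        if p is None:
            notes.append("on site only")
        elif s is None:
            notes.append("on phone only")
        else:
            # Normalise both clocks to UTC before comparing them.
            gap = to_utc(p["time"], phone_offset_hours) - to_utc(s["time"])
            seconds = int(abs(gap.total_seconds()))
            if seconds > tolerance_s:
                notes.append(f"time differs by {seconds} s")
            if p["text"] != s["text"]:
                notes.append("content differs")
        if notes:
            findings[item] = notes
    return findings


if __name__ == "__main__":
    for item, notes in reconcile(PHONE, SITE, phone_offset_hours=-7).items():
        print(item, notes)
```

Running the same comparison with the wrong offset (for example 0) flags every matched item, so the time zone each source records in has to be established and documented before any discrepancy is reported.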

Using NodeXL for Social Networking Investigations

Friday, March 4th, 2011

Mapping social network users is nothing particularly new. Social scientists use it to compare people’s networks online and offline, and thanks to tools like Loco Citato’s MySpace, Facebook and YouTube Visualizers, investigators have a valuable tool for finding criminals and their associates.

Complementing Loco Citato’s excellent tools is an open-source application called NodeXL, which maps Twitter, Flickr and YouTube users. A book about it from Elsevier, “Analyzing Social Media Networks with NodeXL: Insights from a Connected World,” talks about the tool’s social-science value. But whether law enforcement or corporate investigators are using NodeXL is unknown. (If you use NodeXL or have heard of other investigators using it, please let me know.)

Perhaps the most striking fact about NodeXL is that Microsoft made the tool. Licensed under the Microsoft Public License (Ms-PL), NodeXL is available on the open source download site CodePlex.

NodeXL stands for Network Overview, Discovery and Exploration for Excel – yes, that is correct, Excel, which is the engine that runs the graphing. NodeXL is a template for Excel 2007, although it also works in Windows 7.

Crunching large datasets for social maps

Most of the information that appears to be available online so far about NodeXL regards its ability to easily graph data input into the spreadsheet. As social researchers put together relationships between users, the graphing ability allows the researchers to sift through large amounts of data from a social networking site and find associations that might have been missed.

For the few social networks it collects data from, it is quick and very powerful. Flickr, Twitter and YouTube are the only ones programmed directly into the template at this time. Some blogs, including Marc Smith’s (one of the authors of a book on NodeXL), mention that Facebook is in the works for inclusion with NodeXL. Hopefully other social media sites will be added as this tool matures.

To test what NodeXL can do with a Twitter account, I used my own, @Webcase. (Please note: you do not have to be logged into an account to use NodeXL.)

Very quickly NodeXL collected a list of the Twitter users being followed by “@webcase”. For visual fun, Excel also makes a graph of the followers (it takes a few settings to get the pictures into the graph—but once you know how, which took me a little research to figure out, it is pretty easy).

Of interest is the number of followers each user has, how many they are following, the number of tweets they have posted, their time zone, when they joined Twitter and the link to their Twitter page.

Pulling information about videos posted on YouTube is one of NodeXL’s excellent features. Let’s say you have an investigation where a particular term or name is used. You can enter that name into the YouTube video selection and get a list of videos, with the link to those videos, in a usable spreadsheet. Flickr searches are similar: you can search for image tags as well as Flickr users.

The real power of NodeXL, and the reason (besides its price tag) it is so popular among researchers and academics, is its ability to graph associations. If, for instance, you select a Twitter user to download and choose options to obtain data on both followers and following along with any tweets that mention the user, you can collect a lot of data that can then be used to show associations. Associations for investigators = leads, witnesses or possibly even suspects.

By using the dynamic filters within NodeXL, you can limit the graph’s view to fewer contacts by increasing the requirement for the number of contacts (tweets, retweets) the associations have.

Another plus about NodeXL: it has an active community working on this open source tool, and updates come out regularly.

For more information

A great primer on analyzing social media networks with NodeXL, “Analyzing Social Media Networks: Learning by Doing with NodeXL,” is available from the University of Maryland. (The posted copy on the UMD website says “Draft” and “Please do not distribute”. What? Do they know what the Internet does in Maryland?). Despite that, it is a good guide to some of NodeXL’s more esoteric graphing uses. For our purposes I’ll cover some of the quicker applications from an investigative standpoint.

If you are interested in finding out more about NodeXL, plug it into Google and you’ll get enough responses to keep you busy. Here are a few more references to get you started:

http://casci.umd.edu/NodeXL_Teaching

http://casci.umd.edu/images/a/a2/NodeXL_UserStudy.pdf

http://twitter.com/nodexl

How the bad guys use social media: An interview with Todd Shipley

Monday, February 28th, 2011

Hardly a day goes by when the news isn’t reporting criminal use of social media to find and groom victims, start and fuel gang wars, or exploit other weaknesses. Todd Shipley joined Spark CBC host Nora Young last week to talk about some of these issues, along with how police can use social media to find the activity.

Listen to the 20-minute interview now to find out:

  • How criminals exploit their victims’ weaknesses, along with their own need for social connections
  • The importance of looking beyond the physical crime scene to its virtual extension
  • The social and technical skills police need to document online and other digital evidence before it gets to detectives
  • How online or cloud investigation is similar to network forensics (and unlike computer forensics)
  • What legal requirements police need to abide by when they go online

Got questions about Todd’s interview? Leave us a comment!

Podcast: Todd talks social media, online investigations

Monday, November 30th, 2009

Canada-based podcasting service provider The Daily Splice recently started its own podcast: Law Enforcement 2.0, in which marketer Mike Waraich interviews individuals who are involved with encouraging police departments to “join the conversation” online.

Social media is, of course, beginning to figure into much more than conversation: it’s playing a role in everything from online crime to police recruiting to intelligence. Because all of this information must be verifiable, police need a standard methodology to collect it.

Which is why Mike invited Todd on the show a few weeks ago. For just about half an hour, the two discussed the following:

Defining online investigation in terms of standard methodology.

Would online investigation be less “scary” if the people conducting it knew they could do it without their veracity being called into question? Standardized process counts for a lot, so being able to date/time stamp, “digitally fingerprint” (hash), and log Internet evidence in the same way other forms of evidence are authenticated can make investigators’ jobs a lot easier.
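One way to date/time stamp, hash and log captured Internet content as described above, as an added example that is not WebCase's code or anything discussed on the podcast. The field names and the hash-chained log layout are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous entry" value used by the first log entry


def _digest(entry):
    """SHA-256 over the entry's canonical JSON, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    text = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def log_capture(log, url, content, collector, when=None):
    """Time stamp, hash and append one captured item; return the new entry."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(log) + 1,
        "collected_utc": when.astimezone(timezone.utc).isoformat(),
        "collector": collector,
        "url": url,
        "size_bytes": len(content),
        "content_sha256": hashlib.sha256(content).hexdigest(),
        # Chaining each entry to the previous one makes later edits,
        # insertions or deletions in the log itself detectable.
        "prev_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log, captures):
    """Re-check the log against saved captures ({seq: bytes}); [] means intact."""
    problems, prev = [], GENESIS
    for entry in log:
        if entry["prev_sha256"] != prev:
            problems.append((entry["seq"], "chain broken"))
        if _digest(entry) != entry["entry_sha256"]:
            problems.append((entry["seq"], "log entry altered"))
        data = captures.get(entry["seq"])
        if data is None:
            problems.append((entry["seq"], "capture missing"))
        elif hashlib.sha256(data).hexdigest() != entry["content_sha256"]:
            problems.append((entry["seq"], "content altered"))
        prev = entry["entry_sha256"]
    return problems
```

The recorded time is only as reliable as the collecting machine's clock, so the clock source should be documented alongside the log.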

Social media as a “neighborhood.”

Most everyone under 30 (and many over 30) are, in some ways, members of this online space. Just as in a real-world neighborhood, the number of “residents” = number of potential victims. And crimes are being committed, not just on the Web, but in other areas of the Internet which are their own communities. (Think chat rooms, instant messaging and Usenet.)

Whether law enforcement can coexist with community relations.

As long as law enforcement is an active participant in the online community, it cannot be misconstrued as “Big Brother” watching. Instead, it brings community policing concepts to the Web: like a park in a bad section of town, it will stay “bad” unless law officers go there and partner with the people who live there to clean it up.

Reputation management.

What people post on the Web is there forever. Some law enforcement officers need to be made cognizant of this fact. Employers look at people’s social media profiles not just to make hiring decisions, but also to ensure their employees are maintaining the standard expected of them.

Part of maintaining that standard is not to avoid parts of the neighborhood which are not well understood or liked. Investigators who do need to understand that the “conversation” goes on without them. Not to be there for it risks missing valuable intelligence and other information.

In other words, as Todd put it, “You may not want to go into a bad neighborhood because you know bad things can happen, but you still need to be there.”

Understanding the neighborhood.

Just as a good cop takes time to learn the landscape and culture of the neighborhood s/he is responsible for, a good Internet investigator takes time to understand where people are online–and where they are moving, what they are talking about, what they are doing.

With hundreds of social sites, this can be hard to figure out, much less monitor. But the more investigators learn, and the more they can make online investigation part of their everyday work lives, the more efficient they will become.

The conversation wrapped up, of course, with a short discussion about WebCase and where it fits in all this. Thanks again to Mike for the interest. We hope to be able to participate in future podcasts!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.