Read an Excerpt

Cybercrime Investigation Case Studies

An Excerpt from Placing the Suspect Behind the Keyboard

Elsevier Science

Excerpt

CHAPTER 1

Case Studies

1.1 INTRODUCTION

In theory, investigations should succeed as planned and expected. However, in practice, theory is only the starting point for real-life situations requiring creative solutions to obstacles. A review of case studies provides a means to show theory and practical applications in real-life case scenarios, with both positive and negative results. A thorough examination of one case for a targeted study goes well beyond this book due to the amount of information any single case possesses, but we can use many examples to reinforce investigative concepts.

In order to give examples showing how successful concepts in this book have been applied in real life, this chapter will show a collection of briefed examples across a wide range of case studies. Keep in mind that there is more than one solution to any single problem you will encounter and certainly more solutions than can be given in this chapter.

Some examples are clearly criminal investigations where the availability of demanding evidence through search warrants exists. However, civil cases allow for evidence to be gathered without warrants, such as electronic evidence owned by a business and used by an employee. Whichever type of case you have, use the resources and legal authority available to secure the evidence. Sometimes you can just ask for it; other times, you may need a judge to order it.

The specific examples come with disclaimers. Depending upon the type of operating system and even the version of an operating system, certain artifacts will not exist or be recoverable. Depending upon the actions of the suspect, artifacts that existed at one point may not exist after being overwritten by other data. Even depending upon the forensic application used, some artifacts may be incapable of being recovered. So, a statement that electronic evidence may be recovered in a specific situation literally means maybe, because it depends on other factors. Usually, the answer as to whether a forensic artifact of evidence can be recovered is simply, it depends.

1.2 A DAY IN THE LIFE OF A CYBERCRIMINAL

The scenarios given in each following section are fictional, but much of the content has been taken from cases I've worked on. Each scenario has a referenced case ("Case in Point") for a real-life example of a high-profile case. Most of these can be found online through open source or court records to read detailed information on the investigative methods used.

As an investigation can be comprised of one independent incident or a multitude of crimes over a period of time, utilizing different operating systems and versions of operating systems, your investigation processes and methods will need to flow with your evidence. Some of the investigative tips discussed in this chapter will work with some cases, others will not.

1.2.1 Backdating Documents

Scenario: A business purchase agreement document in PDF format is alleged to have been altered to benefit one party in the agreement. Certain verbiage is claimed to have been changed as has the date of the agreement. Both the plaintiff and defendant claim their version of the document is accurate and the other document version is a manipulated copy.

Investigative tips: Antedating is creating files with intentionally inaccurate time stamps. A common antedating action is backdating of electronic documents. Backdating documents is changing the date of a document, such as a business contract creation date changed to an earlier date to gain a benefit. The benefit could be to cover knowledge of a crime or to benefit financially in a business dispute. Another example of backdating could be to create a suicide message after the fact, using a computer in an attempt to cover a murder. The printed date on a document is easy to manipulate and difficult to validate. The electronic time stamp is a different story.

Firstly, examining the metadata of an electronic file gives a baseline of information, whether or not the dates and times are authentic. Each copy or version of the documents under investigation will need the metadata extracted for comparison to create a historical timeline for each document.

In any document backdating investigation, being able to examine the machine on which the document was created may be the most beneficial source of information. Secondary items of evidence that the document may have been copied onto or e-mailed are also important as comparisons.

Documents which have been e-mailed as attachments create a credible source of information in the e-mail headers. A document showing a creation date after an e-mail date would be suspected of being modified. This example would be easy of course, but more important is building the timeline of historical relevance for the documents using all available information, including e-mail header time stamps.

One method of manipulating document time stamps is through the use of software intended for altering metadata. Whether used for legitimate file management or nefarious purposes, these applications enable computer users with average skills to manipulate the time stamps on electronic files. One such example is seen in Fig. 1.1, showing the dialog box for Stexbar, an open source extension for Windows Explorer. This particular extension can be downloaded from http://code.google. com/p/stexbar/ and easily installed. Once installed, computer users can change the metadata time stamps on any file by right clicking the file, choosing "properties", and selecting the TimeStamps tab to alter the metadata.

If the evidence in question is a file absent in its respective computer on which it was created, validating the time stamps is problematic. More information is needed to validate the metadata. By examining the computing system, one can recover time stamp information from the master file table, which will contain the time stamp of when the last modification of the file occurred ("Entry Modified") and when the file's attributes have changed, along with information on other actions affecting the evidence file.

Changing the computer time before creating an electronic document is another method of antedating, as the metadata for the newly created electronic file will be based on the incorrect setting of the system. Antedating using more than one means only complicates an analysis. Once there is doubt to the validity of any file's time stamp, the computer system must be analyzed to correlate dates and times as well as determine if a suspect manipulated the system.

Internet web browsers are full of time-stamped records from reliable sources such as from an Internet service provider or web site. These can be compared to files on the system in relation to the evidence files. Event logs in Windows are also a great source of information to determine if antedating occurred, such as the system logging a computer clock change. Other log files, like antivirus program logs, may also have time stamps to help correlate activity on the system.

Generally, antedated documents are made with a substantial gap in the actual date and time compared to the altered date and time. For these situations, the differences are obvious. For situations where the time gap may be small, finding the differences requires attention to minute detail. Also, the time stamps of files do not change consistently. Depending upon how a file was copied or moved will affect which time stamps are modified. Time stamps can be updated when extracted from a zip file, downloaded from the Internet, or moved to a folder when using the command line. Conversely, simply moving a file from one folder to another will not update the Create time.

The versions of software used to create a document give an indication if a file has been antedated. An example would be an evidence file, such as a Microsoft Word document which has been produced as authentic evidence in the file format of ".docx," yet the claim is the document was created and not modified since the year 2001. The file format of the document is immediately questionable because it did not exist in 2001.

To antedate a file and make it appear credible, the suspect has to take into consideration the relation of the date chosen to backdate the file to the software and hardware used. Obviously, purchasing a new laptop in 2012, with the most current operating system and programs installed will not be the best choice to create a file made to appear as if it were created in 2004. The file format type, metadata of the file, and system clock changes will each show any number of techniques to backdate the file.

When presented with a goal to validate time, you need to take into consideration the factors specific to the evidence in front of you. The operating system, the method of file creation and movement, log files, and even the printed documents need to be correlated for discrepancies. Without an authentic timeline of events, including accurate file time stamps, placing a suspect at the keyboard is an extremely difficult task. First things first: develop the timeline and then take the steps to identify possible suspects.

1.2.2 False Names and Disposable E-mail Accounts

Scenario: A victim has been receiving harassing and threatening e-mails from an unknown person. The names used in the e-mails are false names and the e-mail accounts are commonly used, free webmail accounts.

Investigative tips: This case includes great examples of suspect elimination. Interviews, polygraphs, and searches of computers and e-mails eliminated most potential suspects, leaving Bruce Ivins as the prime suspect. From the elimination of suspects, focus on Ivins resulted in obtaining the evidence needed to determine he had to be the suspect in the murders.

Techniques used to gather information on Ivins comprised pen registers on e-mail accounts and telephones, search warrants on his residence and cars, covert collection of his trash, and the installation of GPS devices on his vehicles. The pen registers, or trap-and-trace devices, allow for investigators to have near real-time information on phone numbers called/received and e-mail addresses of correspondence but without accessing the content of either voice or data.

Doctor Ivins sent anonymous e-mails days before the anthrax attacks with the warning of "WE HAVE THIS ANTHRAX ... DEATH TO AMERICA ... DEATH TO ISRAEL." Linking these e-mails to Doctor Ivins required a pen register that revealed additional e-mail addresses related to the case. Additionally, an e-mail address was linked to an online posting on Wikipedia.

Following the trail of evidence on Wikipedia led to information obtained where Ivins communicated with others with an e-mail having his real name in the name field of the e-mail. Other e-mail accounts believed to be owned by Ivins were identified, from where Ivins was sending e-mails to himself, between e-mail accounts.

The investigation of a single e-mail address may lead to another e-mail or to the identification of an online account with accurate username information. The inclusion of IP address verification in your investigations is an important aspect if the IP addresses can be traced to an actual physical location. Otherwise, the investigative means will be to trace and follow e-mails through online sources such as online bulletin boards and forums to eventually end at the legitimate information of your suspect.

1.2.3 Evidence Leads to More Evidence

During the collection of storage media at a site with a search warrant related to a gang shooting, a smartphone is seized. There are several computer systems to be examined and only one forensic examiner. Where do you start?

Investigative tips: The forensic examiner starts the first forensic examination first. Ideally, the first examination is the one that cries for attention as a priority. In one case, this could be the laptop. In another case, it may be the smartphone or a flash drive. All things being equal, the smartphone may be a good piece of evidence to start your examinations.

As in the case in point above, investigators not only examined the iPhones, but requested the call detail records that helped to identify victims. The analysis of mobile devices such as smartphones can yield a wealth of evidence and much of that evidence can place a suspect at any one location that has been either logged by GPS on the phone or through cell tower records. Being able to create a historical location and movement history of a suspect helps prove or disprove alibis. It also helps to potentially identify locations where additional evidence may exist.

Although smartphones capable of geolocation through GPS logging or by embedding EXIF data in photos are incredible items of evidence for suspect locations, laptops may contain some of the same location information, as they are almost as portable as a smartphone.
(Continues...)

---

Excerpted from Cybercrime Investigation Case Studies by Brett Shavers. Copyright © 2013 by Elsevier Inc.. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---