Forensics 101: Digital Investigations and Cybercrime

The last of the forensics panels at Bloody Words XIII led us into the fascinating world of cybercrime. Our guide for the hour was digital forensics investigator Michael Perkin. Michael walked us through a couple of his cases (with all the specifics removed, of course) to give us a taste of how the bad guys were caught.

A case of defamation:

  • A string of terrible allegations of was posted in a series of blog entries.
  • The perpetrator then created a Gmail account to email the victim’s family, friends and colleagues links to the blog posts.
  • Enter Michael. The first step in any digital investigation is the forensic acquisition of data. Never work from the original but make a full copy of all drives onto brand new, blank drives. Then the analysis can begin.
  • Michael was able to analyze the email headers and trace the emails back to a specific internet provider. This is turn led back to the perpetrator, someone known to the victim.
  • A judge  issued an ‘Anton Piller’ order—the search and seizure order from the civil side of law (as opposed to a standard criminal law order).
  • The perpetrator had 30 minutes as the law allows to consult with his lawyer before the search could begin. He spent that entire time on his computer. When the computer was recovered, the desktop and documents folders on the hard drive were all blank. Except they really weren’t.
  • Michael then drew the analogy of a hard drive being like a book (it was a writing conference after all!). The book has a table of contents and information on every page.
  • The table of contents is what the computer considers the ‘master file table’—this keeps track of all the files on the computer.
  • When the perpetrator deleted all the files, all he really did was remove the table of contents—the file index—leaving the information still in place.
  • All Michael had to do was read through all the information on the drive and all the data required to convict the perpetrator was right there.

The complicated bounce:

  • A computer at a company was suddenly locked out by a remote user.
  • Michael came in to investigate, copied all the files, and analyzed the data.
  • He discovered that the computer was accessed from another computer within the organization, which was accessed through another computer within the organization… rinse and repeat through numerous bounces.
  • Michael was finally able to access the high value computer that was the actual target and discovered that data had been copied from it. But to where?
  • In the end, it was the perpetrator’s printer that gave him up. No matter where he had bounced, each connection mapped back to his networked printer. So the final link in the chain could be mapped back to the perpetrator’s printer and, from there, to his computer and to him.

Bitcoin and its potential for cybercrime:

  • Bitcoin is essentially a protocol. Just like email is a protocol to send messages over the Internet, Bitcoin is a protocol to send money over the Internet.
  • Bitcoin has an address and a key, just like email has an address and a password. Both are an extremely long alphanumeric string.
  • Bitcoin information can be stored on a computer, on a USB key, in a barcode, on a printout, or in your memory. This last is important as border crossings have a $10,000 limit to cross without reporting. But your Bitcoin account could contain millions of dollars and if you cross the border with the account and key memorized, you can circumvent reporting the money you ‘carry with you’.
  • You can access your money from anywhere in the world. You can also send any amount of money to anywhere in the world.
  • You could keep your printed Bitcoin key in a safety deposit box. Every time you deposit money into your Bitcoin account, you are essentially beaming it straight into that safety deposit box since it can’t be accessed without that key.
  • People have accessed funds when in trouble simply by finding a public access—like television—and broadcasting their Bitcoin address in a 2D barcode with ‘Send Money’.
  • Previous ID theft required a victim’s name, birthday, and social insurance number to steal your money. Now all that is required is your Bitcoin key.

Nifty facts about digital forensics:

  • There are three types of space on a hard drive:
  • Allocated space—sections of the drive used to hold files; these sections are listed in the table of contents/master file table.
  • Unallocated space—sections of the drive that aren’t in use; these sections are not listed in the table of contents/master file table, but still may hold information.
  • Slack space—Back to the book analogy: Suppose that a full page of information is deleted from the table of contents. That space is now considered unallocated. If half of that page is overwritten with new information (listed in the table of contents) the remaining half page of old information—the portion of the allocated space that is not used—is considered ‘slack space’.
  • The only way to truly destroy data on a drive is to overwrite it multiple times. Data destruction software does this by simply writing 1’s and 0’s to the drive. Military protocol demands the drive be written over 10 times to consider the previous information truly ‘deleted’.
  • If you truly need to secure your computer, take it off the internet and lock it in a room where only limited people have access through physical keys.
  • Computers silently record everything we do through printer mapping, file edits, program usage and your browsing history (yes, even when you delete the cache). A skilled investigator can trace you through any of these pathways.

Photo credit: Benjamin Doe/Wikimedia Commons