Sponsored By

Collecting Internet Evidence, Part 2Collecting Internet Evidence, Part 2

Cloud services, social media, and other developments create their own sets of issues when pursuing Internet-based criminals.

Gary Audin

January 30, 2014

6 Min Read
No Jitter logo in a gray background | No Jitter

Cloud services, social media, and other developments create their own sets of issues when pursuing Internet-based criminals.

Cybercrime is among the fastest growing types of illegal behavior, as more offenders seek to exploit the speed, convenience, and anonymity that the Internet provides to commit a diverse range of illegal activities.

Collecting information to pursue Internet attackers is part of the IT security staff's function. Knowing how to collect and use the information is a growing concern, with many new personnel entering the field. Todd Shipley and Art Bowker co-authored "Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace," which was just released this December. I contacted Todd to interview him about collecting Internet evidence, and this blog post is the second part of that interview. (See here if you missed Part 1.)

What are the differences in these investigations between an enterprise-owned environment and the same services offered in a cloud? Todd Shipley: From an investigative point of view, it is all about access and control of the data. If the investigator can access the network or the contracted cloud services, he has greater control over the outcome of the data and the ability to collect the data in its original form.

We often cannot collect original data from a server, unless it is downloadable such as a photograph or document. Any data interpreted by a browser is just that, a representation of the data sent to your computer that is then interpreted and displayed to you by that specific browser. Wholly owned data in control of the enterprise can be accessed and collected forensically. Browser-based data on a server cannot be collected through the Internet in the same manner.

Are there different issues when investigating social media?
TS: There are definitely issues when collecting social media data. It's not just the existence of the visual representation of the data; it is that the data is in motion and that the data can constantly change.

Additionally, depending on the social media site, there is more data than the simple post made by the target. There can be other "meta-data," [a term] which describes other information found in the social media posts. Even on some of the image sharing sites, the original images' "meta-data," referred to as Exif (Exchangeable image file format) data, can be collected. This can include even the latitude and longitude of where an image was taken if the smartphone camera uses that capability. Sometimes this data can also be obtained with legal processes on the Internet Service Provider.

How does information collection help or limit the prosecution of criminals?
TS: I think in today's connected world, almost everyone has a smartphone of some type. This allows us, along with our laptops and desktop computers, to stay connected 24/7. Add the near-constant use of social media and you have a recipe for huge amounts of information to be collected. The National Security Agency (NSA) has been criticized for its use of this data, but the fact is that every user freely offers the information up to these sites, and even a large percentage is publically available.

From an investigative point of view, this is a huge source of information that can be translated into actionable intelligence if timely, or uniquely specific historical data for time can tie a person to an event. All of this data, either publically available or contained on a service provider's network, obtainable by legal service (search warrant, subpoena, etc.), can and is being used daily in investigations and prosecutions.

The problem investigators have is that most are not looking for the evidence hidden in plain sight on the Internet. I coined the phrase "Make the Internet your regular beat" years ago in an attempt to raise awareness about the Internet's investigative potential. Whether it is direct investigation of an incident in a chat room, or the collection and identification of intelligence on a case, the Internet will in almost every case have some informational value to the investigator.

How do forensic investigators protect themselves while performing investigations?
TS: Digital officer safety is a great consideration for the Internet investigator. Working on the Internet can cause considerable damage to agency or company computers if due consideration is not taken prior to going online.

A segregated computer is the best start to considering the threats posed by Internet-based investigations. Art Bowker and I detail in our new book how investigators should prepare their system prior to actually starting an investigation. Some of the tips include adding a firewall to their system, ensuring up-to-date anti-virus programs are running, and numerous other thoughts on protecting the officer during the investigative process.

I am sure there are tools to help. Are there free tools? Can you provide examples of tools that are for purchase?
TS: Free tools for collecting evidence can include anything that can document the data observed by the investigator. Old school chat investigations were just a video camera over the shoulder of the investigator recording his chat with the suspect. Today, there are many free video recording and snapshot programs available for this purpose.

As for purchasing tools, a longtime favorite in the evidence collection field has been TechSmith's SnagIt and Camtasia. There is our own product WebCase that was designed from the ground up as an Internet evidence collection tool and holds the only U.S. patent for collecting Internet data as evidence.

There are other considerations for tools such as Hashing tools to uniquely fingerprint the collected data. Hashing tools can be found as freeware too. WebCase has the Hashing of collected data built into the suite of tools.

Would you describe your recently published book and how it addresses these issues?
TS: Our book was designed to provide that fundamental knowledge, including how to properly collect and document online evidence, trace IP addresses, and work undercover.

* It helps by providing step-by-step instructions on how to investigate Internet crimes.
* It covers how software tools can assist during their Internet investigations with the collection and documentation of online data.
* We discuss how to track down, interpret, and understand Internet electronic evidence to the benefit of an investigation.
* We also detail guidelines for collecting and documenting online evidence that can be successfully presented in court.

###

Todd G. Shipley has more than 25 years of experience in law enforcement: from investigating financial and computer crimes to overseeing the training of high-tech crimes investigators. Between 2004 and 2007, he was the Director of Systems Security and High Tech Crime Prevention Training--and manager of the National Criminal Justice Computer Laboratory and Training Center--for SEARCH, The National Consortium for Justice Information and Statistics.

About the Author

Gary Audin

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been Keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.

See more from Gary Audin

Editor's Spotlight

How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations
Ccaas
How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations
How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations

Dec 16, 2024

How Talkdesk Delivers for Vertical Industries
Ccaas
How Talkdesk Delivers for Vertical Industries
How Talkdesk Delivers for Vertical Industries

Dec 5, 2024

How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity
Ccaas
How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity
How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity

Dec 17, 2024

Subscribe to Our Weekly Newsletters
Stay informed and sign up for weekly No Jitter and WorkSpace Connect newsletters
Sign Me Up
Mar 17 - Mar 20, 2025
As the #1 communications, collaboration and CX Conference and Expo in North America, we empower IT professionals to confront and overcome today's most pressing challenges. Attend Enterprise Connect and join thousands of like-minded peers building a framework for future success. You’ll walk away with rich learning experiences, invaluable connections, business opportunities, and inspiring insights. Register with Promo Code CONNECT25 to save $200 on Conference passes.
Learn More