Friday, December 12, 2008

UK police: 'We need crime breathalysers for PCs'

“UK police are hoping to one day develop a breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to.

Detective superintendent Charlie McMurdie, architect of the UK's Police Central E-crime Unit (PCeU), said front line police ideally need a digital forensic tool as easy to use as the breathalyser, to help them deal with growing numbers of computers being seized during raids on suspects' homes.

She told “Do we need to seize five computers in a suspect's house or could we use a simple tool to preview on site and identify there's that one email we are looking for and we can then use that and interview the person now, rather then waiting six to 12 months for the evidence to come back to us?” Source: sector.

If you think about it, it doesn't seem like such a crazy idea. Years ago I fooled around with Prolog, a programming language specifically for such programs.

What she is talking about is an expert system using fuzzy logic. Very similar to programs already in existence or in development in other fields like medical diagnostics and mechanical troubleshooting.

It is fun to theorize about how such a system could actually work:

First of all, each of the areas of investigation would need to be identified and analyzed for the type of expert knowledge required to perform that specific investigative task.

By the way, this should not be confused with some of the operations that some first responder software already perform, such as automatically collecting certain types of data from a suspect computer like Internet history or suspected child porn.

Data collection, while the primary driver for beginning the analysis, is only the start. Where the expert system software comes in is in duplicating to some degree what a computer forensics expert would do with that data. The analysis part of it.

Once a specific area of investigation is identified, several things would need to happen to begin to build such a system:

1.What data must be collected for that area?

2.What type of analysis must be done?

3.What type of information (expert knowledge) is needed to properly analyze that data?

4.How can the expert system analyze the data using fuzzy logic?

5.What would trigger a “hit”?

As a computer forensics examiner and long time software designer and programmer, I find the idea very interesting and worth pursuing.

Now, who wants to give me some grant money to make this happen?

Wednesday, December 10, 2008

No Anti-Forensics Here

I recently received a comment on a specific method of anti-forensics prompted by one of my posts.  I rejected the comment and here's why:

I will not write about specific anti-forensic methods on this blog, nor will I publish comments that include such information.

For those willing to do the research, such information is available.  Just not here.

Thursday, December 4, 2008

Free Internet Email Accounts – A False Sense of Security

Lots of people have free email accounts from Yahoo, Hotmail, Google, and other vendors. And of course, the obvious reason is that they are free.

However, some people use these free email accounts for more nefarious reasons: Sending hate mail to someone, exchanging love letters with their paramour, extortion, scams, creating false alibis, etc. You name it and there is probably someone using one of these free email accounts do it.

What many of these people don't understand. And when I say these people, I am not talking about the sophisticated spammers and spoofers to use these to make a living. I am talking about your everyday computer user who decides that using one of these free accounts will guarantee their privacy or anonymity.

What can I say to those folks? Wrong!

First of all, it is relatively easy to backtrack an email from one of these accounts to the IP address. (the IP address is a unique string of numbers used by a computer accessing the Internet), of the originating computer or computer network. Now that may not get you to the actual sender's IP address if they are in a big network like a university or company, or if they are using a wireless hot-spot somewhere. Of course, if the wireless hot-spot requires an account, like many do, your information will be stored there somewhere as well. Most likely by whatever company records your usage for billing to your credit card.

But in general, if the header can be gotten, tracking the email back to its source is simple and usually only takes a few minutes.

And very few people go to the amount of effort to never access the account from some place where they can be identified if the email is tracked to that location.

But backtracking an email is only the barest of techniques for finding out who sent an email to someone using one of these free accounts.

The next step is to subpoena the email service, i.e. Yahoo or Microsoft and get the access history for the account. This will provide the investigator with the IP address, date and time for every instance the account was accessed.

From there it is a simple matter of contacting the ISP, (Internet Service Provider), such as Time Warner or Bell South and obtaining the subscriber information for each of the IP address. That will yield the name, address and payment information for each of the IP addresses.

If the email came from a university, they tend to keep access logs for all the computers on their networks as well. Even the public computers in the library. And since most universities require a user name and password to access their networks, guess what? Yep, they can track the access back to a student or faculty account.

Now I know that you techie folks will say that the IP can be spoofed and so can the MAC address of the network card on the computer. But those are techniques that the general public is not aware of and would not know how to do anyway.

Beyond backtracking emails, many people use these accounts because they are Internet based and do not require an email program like Microsoft Outlook or Outlook Express to use. The thinking here is that if there is no program to store emails, they cannot be recovered from their computer.

Wrong again.

Any time someone is using the Internet to view or compose email, those pages are being stored on the hard drive just like all other web site pages. And even if the person is diligent about erasing their Internet history, those pages can probably be recovered if the computer gets into the hands of a computer forensics expert.