A Graphic Picture of Crime
ibx100
ibx100 at myrealbox.com
Sun Sep 22 23:50:27 BST 2002
Apologies if this has been posted already...
Technology Review - An MIT enterprise
A Graphic Picture of Crime
Security Management, by Dave Lang, 09/07/2002
Originally published: 20020901.
EARLY ONE MORNING, John strolls along a road in Arlington, Virginia.
He seems to be making notes on his pocket PC, but he is actually
logging locations and network addresses of unprotected wireless
Internet connections in homes and businesses. If John or one of his
associates taps into these unprotected connections, it will not be
directly traceable to the thieves; rather, the connection can only be
traced back to the registered user at the home or business.
It is quite easy for John to find these unprotected connections by
using off-the-shelf software (available for both pocket PCs and
full-size computers) and the wireless receivers that enable computers
to receive wireless signals. He locates an unprotected connection
coming from a house located in the vicinity of a parking garage. After
completing his search, he covertly passes this information along to
Frank, his partner in crime.
Two days later, Frank sits with his laptop computer in the parking
garage and hijacks the wireless Internet connection that John
identified. He does this using the basic network information detected
and noted during John's survey; this information includes the wireless
network frequency and assigned network name (wireless routers are sold
with preset network names that are usually left unchanged by users).
Frank simply sets his laptop wireless settings to mimic these wireless
network access settings, and the wireless router's Dynamic Host
Configuration Protocol (DHCP), the protocol that assigns IP, or
Internet protocol, addresses to the devices in a network, configures
the connection, and provides him with a private IP address.
Once connected to the Internet, Frank visits a Web site and downloads
encrypted instructions placed there by another member of his
organization. He then posts a photograph to that same Web site.
Although the photograph looks innocent enough, Frank has actually
hidden a document within its bits of data by using a steganography
program. Once the messages are exchanged, Frank drives away to New
York, ready for his next assignment.
WELCOME TO THE new world of industrial espionage. The author has been
involved in many criminal investigations in which the techniques and
technologies just described were used. And while Frank and John aren't
real (they are a fictionalized composite from the author's
experience), they paint an accurate picture of the newest twist in
intellectual property theft. The following tale of how investigators
caught this pair and their associates offers security managers a
glimpse into the methods used by information thieves today, as well as
how their high-tech tools can be turned against them by detectives who
know how to track the digital footprints.
The investigation. The company targeted by John and Frank had been
alerted to the thefts weeks earlier by federal law enforcement agents
who had found evidence of the espionage while conducting an unrelated
investigation. The agents passed the information to the company's
security director (a former law enforcement agent whom the agents
already knew) without disclosing its source, which could have
compromised a sensitive federal investigation.
The agents told the company of the site where Frank had posted the
steganographic picture containing hidden information. The site itself
was an innocent looking Web page where anyone could post and share
photos, but the presence of encrypted documents raised suspicions that
some users were doing more than sharing family albums. Corporate
investigators took the information from the federal leads to local law
enforcement, which agreed to assist in their investigation.
Elements of proof. The first concern was to establish an investigative
plan that defined the elements of proof: a list of facts that must be
proven to substantiate that the crime was committed. For example,
investigators needed to prove that criminals had stolen a
corporation's intellectual property and were involved in a conspiracy
to transmit it to others for profit. They also needed to show that
those involved illegally hijacked a wireless Internet connection.
Before beginning, investigators also laid out in the plan other
details, such as procedures and timelines. Investigators must pay
strict attention to evidence collection and chain of custody. All
evidence must be obtained legally, and there must be a clear and
well-documented custody trail from the time the evidence is seized
until it arrives in court.
Additionally, any change in the condition of evidence while in the
custody of investigators must be meticulously documented.
Documentation should show an unbroken chain of custody from one person
to the next.
If investigators need to search a site, they must establish a legal
right to investigate and probable cause to obtain a warrant. To get a
warrant, investigators must present a magistrate with facts sufficient
to show that investigators have reasonable grounds at the time of the
affidavit to believe that the law is being violated on the premises to
be searched. Normally, such evidence must be in the form of direct
observation, sworn testimony from direct witnesses, or other evidence
obtained under legal circumstances.
In this case, however, by law, investigators need only a court order
to require the Internet service provider (ISP) to make subscriber
information available to law enforcement so that they can contact the
homeowners whose connection has been hijacked. The subscriber
information doesn't show who is accessing the site or downloading the
file, or where that person is physically located, only the registered
user for the IP address accessing the Web site.
The subscriber information leads the forensic investigators back to
the private residence in Arlington. Although the evidence acquired so
far may not be enough to establish the probable cause necessary to
obtain a search warrant for that residence, a quick check of public
records shows that an elderly couple with no criminal record owns the
home. Acting on years of experience and faced with a time-critical
decision, investigators decide to take a chance that the owners are
unknowing participants and willing to cooperate.
Less than an hour later, local law enforcement officers, along with
technical specialists, arrive at the residence and obtain consent for
a search from the couple. Now, working with the owners' consent and
cooperation, network computer forensic investigators begin to unravel
clues.
Finding rogue users. The first step for investigators is to gather
information about any unauthorized computers that have used the
owners' wireless network. Fortunately, a wireless network has a router
that collects data on every computer that sends information through
the network, including the computer's address on the Internet (IP
address) assigned to it by the router, and each computer's unique
identifier from the factory, called the Media Access Controller (MAC)
address.
The investigators match the MAC addresses from the couple's computers
with the records kept by the wireless router, and they find another
MAC address that does not correspond to any computer in the home. The
investigators believe that someone has exploited the couple's wireless
network connection. They note the MAC for future reference, along with
the IP address the router associated with the MAC address, the
router's IP address assigned by the ISP, and the date and time of the
unauthorized access.
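Matching the router's records against the household's own hardware, as the investigators do above, comes down to parsing the log, canonicalising the MAC addresses and reporting any address with no owner, together with the time window and IP address it was given, which is exactly what the later search of surveillance tapes needs. This is an added example, not code from the article; the syslog-like log format, the log lines and the device inventory are all constructed.

```python
"""Spot MAC addresses in a wireless router's log that belong to no device in
the household, and report when each one was on the network.

Added example, not from the article: the log lines, the device inventory and
the syslog-like log format are constructed for illustration.
"""
import re

# Constructed router log. The '(-)' hostname means the client sent none.
ROUTER_LOG = """\
2002-08-19 01:12:44 DHCP lease 192.168.1.2 -> 00:02:2d:1a:2b:3c (LIVINGROOM-PC)
2002-08-19 01:13:02 DHCP lease 192.168.1.3 -> 00:02:2d:4e:5f:60 (LAPTOP)
2002-08-21 02:41:17 WLAN assoc 00:40:96:AA:BB:CC ch 6
2002-08-21 02:41:19 DHCP lease 192.168.1.4 -> 00:40:96:aa:bb:cc (-)
2002-08-21 03:55:09 WLAN disassoc 00:40:96:aa:bb:cc
2002-08-22 08:00:31 DHCP lease 192.168.1.2 -> 00:02:2d:1a:2b:3c (LIVINGROOM-PC)
"""

# MACs the examiners read off the couple's own computers (constructed).
KNOWN_MACS = {"00:02:2d:1a:2b:3c", "00:02:2d:4e:5f:60"}

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
IP = r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) -> )?"      # only on lease lines
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
LINE_RE = re.compile(TS + r" .*?" + IP + MAC)

def normalize_mac(mac):
    """Canonical lower-case colon form, so 00-40-96-AA-BB-CC == 00:40:96:aa:bb:cc."""
    return ":".join(re.findall(r"[0-9a-f]{2}", mac.lower()))

def rogue_report(log_text, known_macs):
    """Map each MAC not in the inventory to its first/last sighting and its IPs."""
    known = {normalize_mac(m) for m in known_macs}
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # line carries no MAC address
        mac = normalize_mac(m["mac"])
        if mac in known:
            continue
        e = report.setdefault(mac, {"first": m["ts"], "last": m["ts"], "ips": set()})
        e["first"] = min(e["first"], m["ts"])   # ISO-style stamps sort as text
        e["last"] = max(e["last"], m["ts"])
        if m["ip"]:
            e["ips"].add(m["ip"])
    return report

if __name__ == "__main__":
    for mac, e in rogue_report(ROUTER_LOG, KNOWN_MACS).items():
        print(f"{mac}: {e['first']} .. {e['last']}  ips={sorted(e['ips'])}")
```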
Video clues. Later that day, law enforcement authorities canvass the
Arlington neighborhood within transmission range of the wireless
network looking for clues to the identities of whoever has accessed
this wireless network. They discover that the parking garage is within
transmission range and inspect it for evidence.
Since they know the date and time of the unauthorized network access
from router logs, they obtain the garage's toll-booth surveillance
tapes for the corresponding period. The tapes are of poor quality and
many license numbers are too dark to read, but the investigators are
able to enlist the help of a law enforcement laboratory, where a
forensic video examiner uses a process known as frame averaging to
enhance the license plate numbers and make them readable.
Of the cars identified as entering the garage during the period under
examination, four were rentals. Two had been returned, one to Dulles
Airport and one to Reagan National Airport, both located not far from
the garage. Two other cars, both rented from New York, are still out.
Fearing that the culprits are on their way out of the country, local
law enforcement contacts the FBI and requests help with the
investigation. The FBI agrees, and in looking at the evidence already
gathered, quickly discovers two names that are familiar to them from
previous corporate espionage cases: John and Frank.
The FBI agents focus their attention on these two men and find that
John is the person who returned one car to Dulles Airport; his name is
traced to a flight bound for San Francisco. When John arrives in San
Francisco, he is met by local law enforcement authorities and detained
for questioning.
Perhaps thinking that law enforcement will not be able to find any
information on his hand-held computer to link him to the illegal
activities (as he's already deleted any incriminating data), he allows
the authorities to take the computer for further examination. The data
on this device will become part of the evidence in the industrial
espionage trial.
On the following day, two special agents who have checked with the
rental car company to find out when and where the cars are to be
returned meet Frank when he arrives to return the rental car in New
York. The agents stop him before he turns in the vehicle and present
him with a search warrant based on parking garage video images. While
searching Frank's rental car, they seize the laptop computer, wireless
networking equipment, and the car's global positioning system (GPS).
A field forensic review of the laptop confirms that the computer's
unique MAC address matches the address logged by the hijacked router
in the elderly couple's residence in Arlington. Frank is arrested for
illegally accessing a computer network, and his equipment, along with
John's, is sent to a national computer forensics laboratory outside of
Washington, D.C., for analysis.
The puzzle. Now in possession of the puzzle pieces, forensic computer
investigators start to examine and link evidence. Like physical crime
investigators, they must pay strict attention to evidence-collection
practices.
Courts require a clear and well-documented custody trail from the
time the evidence is seized until it arrives in court, as well as
documentation of any changes in the condition of evidence that
occurred while it was in the custody of investigators. This
documentation is particularly important in a cyberinvestigation
because the evidence, the data on a computer, can be altered or even
destroyed merely by turning the computer on or off.
The examiners begin by matching the network and router logs with the
MAC addresses of the seized computers. This evidence, along with
information on John's computer logging the network information of the
hijacked wireless connection, places both John and Frank within
transmission distance of the wireless network node. Other
corroborating evidence includes the video images captured in the
parking garage.
An eyewitness. While computers are often used to commit a crime or are
the victims of a crime, a computer can also be the witness to a crime.
The next piece of evidence comes from an unusual computer witness: the
GPS from Frank's rental car.
The forensic examiners extract the information from the GPS and use it
to re-create Frank's round trip from New York to Washington, D.C. By
building a timeline, they identify the locations of various stops that
Frank made along the way.
Armed with this information, investigators obtain and enhance
commercial surveillance video from banks, gas stations, and
convenience stores along the route and identify three other members of
Frank's organization.
At the computer forensics laboratory, forensic examinations of Frank's
laptop and John's hand-held computer provide more critical
information. Internet connection records retrieved from the computers
not only confirm the illegal use of the wireless network link, but
they also provide evidence pointing to other Internet Web sites used
by the criminal organization.
Digital evidence. Next, examiners need to thoroughly investigate the
data on the computers. Doing so requires computer forensic examiners
to look for useful data in many different parts of the computer's hard
drive. The working memory of a computer, random access memory (RAM),
is called primary storage; calculations and data manipulation occur in
this area. With few exceptions, all data entered into a computer goes
to primary storage before going to disk, tape, CD, or hard-drive
storage (these are secondary storage areas).
Investigators begin their investigation by looking in active files.
These are files listed in a computer's directory, clearly visible to
the user. But investigators must also search for less obvious sources
of evidence. For example, information taken from the computer's
primary storage when files are saved to the hard drive ends up in what
is called "slack space." The forensic examiner is most concerned with
the section of slack space known as RAM slack, which contains
information taken from primary storage at the time the file is saved
to the hard drive. Since this filler data comes from primary storage,
it may contain anything processed since the computer was last turned
on, including passwords and other information that may be critical for
the investigation.
Other spaces that need to be checked include swap files, the area of
the hard disk drive that temporarily stores data used by the operating
system. Special software programs allow the forensic examiners to
retrieve even deleted information from slack space and swap files.
Examiners next create a forensic timeline analysis, using network
records, information from active and deleted files, dates and times
the user logged on and off, as well as the dates and times that
certain software programs and documents on the computers were opened
or closed. By correlating this information with the network
information from the ISP used by the wireless network, examiners
create a timeline and confirm that Frank downloaded and decrypted the
instructions from the Internet before using steganography software to
hide his progress report in the graphic file he uploaded.
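The timeline step above depends on putting records with different clocks on one axis before reading an order into them: the router and laptop keep local time while the ISP logs in UTC, so sorting the raw strings would place the download after the decryption. This added example (not from the article) normalises constructed records from the three sources to UTC, merges them and checks that the download, decrypt, hide and upload acts occur in that order; the record formats, file names, timestamps and the UTC-4 assumption are all constructed.

```python
"""Merge forensic events with different clocks and record formats into one UTC
timeline, then check that the suspected sequence of acts occurred in that order.

Added example, not from the article: record formats, file names, timestamps and
the assumption that router and laptop kept Eastern Daylight Time are constructed.
"""
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))  # assumed local clock of router and laptop

# Constructed records; each source has its own timestamp convention.
ROUTER_LOG = [  # local time
    "2002-08-21 02:41:19 DHCP lease 192.168.1.4 -> 00:40:96:aa:bb:cc",
]
ISP_WEB_LOG = [  # UTC; 203.0.113.7 stands for the router's ISP-assigned address
    "2002-08-21T06:44:02Z 203.0.113.7 GET /album/instructions.dat",
    "2002-08-21T07:31:45Z 203.0.113.7 POST /album/upload vacation.jpg",
]
LAPTOP_FS = [  # (path, event, local time in US 12-hour format)
    ("C:\\Temp\\instructions.dat", "created", "08/21/2002 02:44:03 AM"),
    ("C:\\Tools\\decrypt.exe", "executed", "08/21/2002 02:50:11 AM"),
    ("C:\\Temp\\instructions.txt", "created", "08/21/2002 02:50:12 AM"),
    ("C:\\Tools\\stegtool.exe", "executed", "08/21/2002 03:20:40 AM"),
    ("C:\\Pictures\\vacation.jpg", "modified", "08/21/2002 03:21:05 AM"),
]

def build_timeline():
    """Return [(utc_datetime, source, description)] sorted by time."""
    events = []
    for line in ROUTER_LOG:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=EDT)
        events.append((ts.astimezone(timezone.utc), "router", line[20:]))
    for line in ISP_WEB_LOG:
        stamp, _ip, *rest = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, "isp", " ".join(rest)))
    for path, what, stamp in LAPTOP_FS:
        ts = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=EDT)
        events.append((ts.astimezone(timezone.utc), "laptop", f"{what} {path}"))
    return sorted(events)

# Expected order if the instructions were downloaded, decrypted, hidden, uploaded.
EXPECTED = ["GET /album/instructions.dat", "executed C:\\Tools\\decrypt.exe",
            "executed C:\\Tools\\stegtool.exe", "POST /album/upload vacation.jpg"]

def confirm_sequence(timeline, expected=EXPECTED):
    """True if every expected act is present and they occur in the given order."""
    descs = [d for _, _, d in timeline]
    pos = [descs.index(d) if d in descs else -1 for d in expected]
    return min(pos) >= 0 and pos == sorted(pos)

if __name__ == "__main__":
    for ts, src, desc in build_timeline():
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {src:<7} {desc}")
```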
Now, forensic investigators use password-cracking techniques to
recover the password that will allow the encrypted instructions to be
decrypted as well as the steganography tool password needed to extract
Frank's report from the graphic file. They then decrypt the hidden
instructions and access the report that Frank uploaded to the
Internet.
Investigators now have probable cause to obtain search warrants for
several ISPs hosting the various Web sites used by the gang for
transferring information. (They need a search warrant here, rather
than just a court order, because they want more than just the
subscriber information.)
The gigabytes of logs and transaction records seized ultimately reveal
to investigators an intricate web of relationships resulting in dozens
of additional leads in the case. This takes investigators to other
individuals who might be involved in the espionage ring as well as
other organizations that may be targets or sponsors of espionage.
3-D links. The huge amount of evidence from different sources
accumulated in this case makes it cumbersome for investigators to see
all the connections. To make this connection process more practical,
the investigators use data mining and visualization software to
construct a link analysis of the seized information. This computerized
three-dimensional link model relates geographic, temporal, and
informational links between members of the criminal organization. Each
node of the link contains every piece of known, related information,
making it easier for investigators to identify connections that might
have otherwise gone unnoticed, simply by clicking on a particular item
in the three-dimensional link.
Within a few weeks, investigators finish a comprehensive report that
documents evidence of the network intrusion, the criminal activities
of Frank and John and three co-defendants, and the chain of custody.
The report includes photos of evidence, timelines, charts, and
diagrams that recreate in detail the activities of the gang for the
last six months based on computer forensic evidence. The report and
exhibits are forwarded to the prosecutor's office.
Building defenses. There are some steps that can help companies
simplify the task of conducting a computer forensic investigation,
should one ever be required. The most important step is to ensure that
network logging devices are turned on. Many system administrators turn
them off because they use a lot of disk space and processor time.
However, if and when an investigation begins, logs can make the
investigator's job much easier (and in fact, without any logs, many
investigations end before they start).
Other basic safe computing practices, such as closing any unneeded
ports on the company firewall and patching systems regularly, work to
further safeguard the network against intruders who can make off with
valuable company data. Also, participation in public-private
partnerships that bring corporations together with law enforcement
agents in the fight against cybercrime (the FBI's InfraGard program is
one example) builds the networks and friendships that may one day be
useful when the unthinkable has happened.
As this composite case study illustrates, sophisticated computer
techniques are becoming common tools of industrial espionage.
Companies need to understand how information thieves work and how to
retrieve and preserve the digital evidence that can be used against
them. That knowledge may not be a defense in itself, but it is an
important component in any proprietary information protection program.
(C) 2002 Security Management. via ProQuest Information and Learning
Company; All Rights Reserved
http://www.technologyreview.com/offthewire/3001_1092002_3.asp