Noise: Sleuthing in Cyberspace

     While the United States was settling its west, London was experiencing Europe’s first urban squalor: pollution, congestion and crime. The “Super Hero” of the day was Sherlock Holmes, the first fictional private investigator. His success was based on powers of observation and deduction. Holmes once summarized his methods, “When you have eliminated the impossible, whatever remains, however improbable, must be the truth.” Scientists of today say the same thing, but call it signal-to-noise ratio.

     The first two articles in this series summarized the practice of gathering and documenting electronic data as well as the role of an expert witness. Occasionally you need someone to go beyond these and figure out how or why something happened. How did your competitor get your client list? Who is sending threats to your girlfriend? Why is your computer turned on in the morning when you turned it off at night? Answering these sorts of questions requires the skills of a computer forensics investigator, a network security expert and a bit more. Good Cybersleuths need to be as expert with people as they are with computers.

The Investigation

     Elimination of noise is the first step in Cybersleuthing. Scientists define noise as “irrelevant or meaningless data that occurs along with desired information.” Whatever is being investigated, a good detective’s first step is to question security measures. Was the computer room locked at night? Who has a key? Do you have a firewall? How often do you change passwords? This sort of evaluation allows the computer detective to eliminate all of the ways information could *not* have been compromised.

     Once the investigator has discovered security flaws, he looks for evidence in each of the potential data channels. This includes all of the items mentioned in “Data, The Basics of Computer Forensics” as well as objects such as access logs and system events. Frequently the information requires further research. Who owns this IP address? Who else knows your password? What were you doing at work that late?

     A second line of investigation starts with the data that was compromised and works forward. The investigator will examine logs and metadata where the data was originally stored and look for an insecure or compromised data channel. Sooner or later the investigator will talk with people who had access to the data or control of that access. Investigations rarely run in straight lines. You should expect that an investigator will need to revisit people and computers multiple times. 

     The investigation usually ends when the initial questions have been answered. Sometimes the investigator is required to provide expert testimony. In many cases the investigator will be asked to be proactive, and in some rare cases, exceptionally reactive. 

Active Measures

     The Internet has many parallels to the Wild West. As the United States moved across America, the vanguard of brave and hardy souls was quickly followed by thieves, opportunists and shysters. As the Internet spread across the same continent, it was followed by identity theft, sexual predators and investment fraud.

     To defend against the onslaught of dangers from the Internet, we need to take matters into our own hands. Unlike the Wild West, this rarely involves firearms or hand-to-hand combat. The first proactive step is to tighten security. Remember the security analysis our investigator performed? In many ways this is the most valuable service a computer investigator will provide. The analysis can be used as a guide to prevent future compromises. With a minimal amount of extra effort, the investigator’s report can include specific suggestions for improvement. Smart companies hire a computer investigator to audit their systems in order to prevent data loss.

     While some clients desire retribution as a form of vigilante justice, reactive measures are usually quite mundane. In criminal matters, calling the police is always the best alternative. A lawyer is the best agent to handle civil matters. 

     The police have their own experts who in turn have their own methods. After consulting with your investigator, they will confirm his report and usually move forward without his help. Civil litigation lawyers are more likely to include the investigator in their plans. Frequently the investigator will contact third parties in the computer or Internet industries since he speaks their language. Did you know your server was hosting pirated software? Will you help us figure out how someone is using your mail system to steal our client’s information? Can you give me the names of some people who have been able to successfully implement your software?


Edward Pscheidt
Computer Forensics

24881 Alicia Parkway, #E-325
Laguna Hills, CA 92653
(949) 829-5700
edward@pscheidt.com