1.4 Following the Cybertrail


Many people think of the Internet as separate from the physical world. This is simply not the case: crime on the Internet mirrors crime in the physical world. There are several reasons for this cautionary note. First, a crime on the Internet usually reflects a crime in the physical world, with human perpetrators and victims, and should be treated with the same gravity. To neglect the very real and direct link between people and the online activities that involve them limits one's ability to investigate and understand crimes with an online component. Auction fraud provides a simple demonstration of how a combination of evidence from the virtual and physical worlds is used to apprehend a criminal.

CASE EXAMPLE (AUCTION FRAUD 2000):

A buyer on E-bay complained to police that he sent a cashier's check to a seller but received no merchandise. Over a period of weeks, several dozen similar reports were made to the Internet Fraud Complaint Center against the same seller. To hide his identity, the seller used a Hotmail account for online communications and several mail drops to receive checks. Logs obtained from Hotmail revealed that the seller was accessing the Internet through a subsidiary of Uunet. When served with a subpoena, Uunet disclosed the suspect's MSN account and associated address, credit card and telephone numbers. Investigators also obtained information from the suspect's bank with a subpoena to determine that the cashier's checks from the buyers had been deposited into the suspect's bank account. A subpoena to E-bay for auction history and complaints, and supporting evidence from each of the buyers, helped corroborate the connections between the suspect and the fraudulent activities. Employees at each mail drop recognized a photograph of the suspect obtained from the Department of Motor Vehicles. A subpoena to the credit card company revealed the suspect's Social Security Number, and a search of real estate property in the suspect's name turned up an alternate residence where he conducted most of his fraud.

Second, while criminals feel safe on the Internet, they are observable and thus vulnerable. We can take this opportunity to uncover crimes in the physical world that would not be visible without the Internet. Murderers have been identified as a result of their online actions, child pornography discovered on the Internet has exposed child abusers in the physical world, and local drug deals are being made online. By observing the online activities of offenders in our neighborhoods, jurisdictions, and companies, we can learn more about the criminal activities that exist around us in the physical world. Third, when a crime is committed in the physical world, the Internet often contains related digital evidence and should be considered as an extension of the crime scene. For instance, a program like Chat Monitor can be used to find individuals from a specific geographical region who are using Internet Relay Chat (IRC) networks to exchange child pornography.

The crimes of today and the future require us to become skilled at finding connections between crimes on the Internet and in the physical world: following the cybertrail, if you will. By following the cybertrail, investigators of physical world crime can find related evidence on the Internet, and investigators of crime on the Internet can find related evidence in the physical world. The cybertrail should be considered even when there is no obvious sign of Internet activity. Criminals are learning to conceal their Internet activities, and even the most obvious indication that a computer is used to access the Internet is disappearing: a cable connecting the computer to a jack in the wall. With the rise in wireless networks, fewer computers have network cables.

The Internet may contain evidence of the crime even when it was not directly involved. There is a growing number of sensors on the Internet, such as cameras showing live highway traffic on the Web, as shown in Figure 1.2. These sensors may inadvertently capture evidence relating to a crime. In one investigation of reckless driving that resulted in a fatal crash, the position of the victim's car and its average speed were determined using position data relating to a mobile telephone in the car, enabling investigators to locate a surveillance camera at a gas station along the route. The surveillance videotape showed the offender's car tailgating the victim at high speed, supporting the theory that the offender had driven the victim off the road. Conversely, a cyberstalker can access sensors over the Internet, such as a camera and microphone on a victim's home computer, to monitor her activities.

Figure 1.2: Web camera of live traffic from www.marylandroads.com.

In addition to the Internet, digital evidence may exist on commercial systems (e.g. ATMs, credit cards, debit cards) and privately owned networks. These privately owned networks can be a richer source of information than the public Internet. In addition to having internal e-mail, chat, newsgroup, and Web servers, these networks can have databases, document management systems, time clock systems, and other networked systems that contain information about the individuals who use them. Also, private organizations often configure their networks to monitor individuals' activities more than the public Internet. Some organizations monitor which Web pages were accessed from computers on their networks. Other organizations even go so far as to analyze the raw traffic flowing through their network for signs of suspicious activity.

Furthermore, these smaller networks usually contain a higher concentration of digital information about the individuals who use them (more bits per square foot) making it easier to find and collect relevant digital data than on the global Internet. It is conceivable that a digital investigator could determine where an individual was and what he/she was doing throughout a given day, especially if the individual is an employee of an organization that makes heavy use of their network. The time an individual first logged into the network (and from where) would be recorded. E-mail sent and received by an individual throughout the day would be retrievable. The times an individual accessed certain files, databases, documents, and other shared resources might be available. The time an individual logged out of the network would be recorded. If the individual dialed in from home that evening, that would also be recorded and any e-mail sent or received may be retrievable.
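The day-long reconstruction described above depends on putting records from separate systems onto one clock. The following is an added example, not code from the book: it merges login, e-mail, file-access and dial-in records into a single UTC-ordered timeline for one account. All log formats, host names, accounts and addresses are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records from four systems; every format, host name,
# account and address below is invented for illustration.
AUTH = ("2003-03-14 08:02:11 -0500 LOGIN jdoe ws-114\n"
        "2003-03-14 08:15:02 -0500 LOGIN asmith ws-007\n"
        "2003-03-14 17:31:40 -0500 LOGOUT jdoe ws-114")
MAIL = ("14/Mar/2003:13:20:05 +0000 jdoe@example.com vendor@example.net\n"
        "14/Mar/2003:15:47:59 +0000 hr@example.com jdoe@example.com")
FILES = ("1047655800,jdoe,READ,/finance/q1.xls\n"
         "1047660000,asmith,READ,/hr/policy.doc")
DIALIN = "2003-03-14T21:05:33-05:00 jdoe 10.9.8.7"

def parse_auth(text):
    for line in text.splitlines():
        day, clock, tz, action, user, host = line.split()
        ts = datetime.strptime(f"{day} {clock} {tz}", "%Y-%m-%d %H:%M:%S %z")
        yield ts, user, "auth", f"{action} at {host}"

def parse_mail(text):
    for line in text.splitlines():
        stamp, tz, sender, rcpt = line.split()
        ts = datetime.strptime(f"{stamp} {tz}", "%d/%b/%Y:%H:%M:%S %z")
        yield ts, sender.split("@")[0], "mail", f"sent to {rcpt}"
        yield ts, rcpt.split("@")[0], "mail", f"received from {sender}"

def parse_files(text):
    for line in text.splitlines():
        epoch, user, op, path = line.split(",")
        ts = datetime.fromtimestamp(int(epoch), timezone.utc)  # epoch is UTC
        yield ts, user, "file", f"{op} {path}"

def parse_dialin(text):
    for line in text.splitlines():
        stamp, user, addr = line.split()
        yield datetime.fromisoformat(stamp), user, "dial-in", f"assigned {addr}"

def timeline(user):
    """Return one user's events from every source, ordered on a UTC clock."""
    events = [*parse_auth(AUTH), *parse_mail(MAIL),
              *parse_files(FILES), *parse_dialin(DIALIN)]
    mine = sorted((ts.astimezone(timezone.utc), src, what)
                  for ts, who, src, what in events if who == user)
    return [(ts.strftime("%Y-%m-%d %H:%M:%SZ"), src, what) for ts, src, what in mine]

if __name__ == "__main__":
    for row in timeline("jdoe"):
        print(*row, sep="  ")
```

Each source here records time differently (local time with offset, UTC, epoch seconds, ISO 8601), so the evening dial-in session lands on the following UTC date; in practice each system's clock drift should also be documented before events are correlated.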




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
