17.4 Summary

Watching information move around the Internet is like watching ants work. Tiny entities move around quickly, bumping into each other and occasionally getting lost or damaged, but an overall order is maintained by TCP. These activities generate entries in log files and state tables of servers and personal computers, intermediate routers and firewalls, and other hosts on the network. These and other sources of digital evidence can be located and collected using the methodologies and techniques provided in Chapter 15. The resulting digital evidence can be used to corroborate Web browser history, e-mail messages, and other activities on related hosts.

There are several challenges that investigators encounter when dealing with TCP/IP as evidence. For instance, IP headers only contain information about computers, not people, so it is difficult to prove that a specific individual created a given packet. However, an investigator can use the source IP address to get closer to the point of origin of the crime. Knowing the point of origin of TCP/IP traffic can also help identify suspects. For example, only a small group of individuals might have access to a given computer or the ability to use a specific IP address (e.g. in a home or college dormitory).

Another challenge arises when criminals change their IP address frequently (using dynamic IP addresses). Individuals who exchange illegal information and materials by turning their personal computers into file servers can avoid detection by regularly changing the IP address of the server. For instance, by dialing into a large ISP, such a criminal will be assigned an IP address that others then use to connect to the computer being used as a file server. After a few hours, the criminal might decide that it is time to move. Disconnecting and redialing will often result in the criminal being assigned a different IP address. The only difficulty on the criminal's end is notifying the select group of people who use the computer as a file server of the new IP address. Investigators find it difficult to locate and monitor these roaming servers. However, once found, the IP address of a server can lead investigators to the culprit.

Another significant challenge arises when information in the IP header is falsified. It is possible to create a packet with a false source IP address, making it appear that data are coming from one computer when they are actually coming from another. For example, a malicious program will purposefully insert a false source IP address into packets before disrupting service on a network (e.g. by flooding the network with data or crashing a central machine on it). When the administrators of the flooded network try to track down the culprit, they find that the information in the packets is false, making it difficult to trace the traffic back to its sender. When a source IP address has been falsified, tracking becomes a lengthy and tedious process of examining log files on all of the routers that the packets passed through. When multiple ISPs are involved, the time and effort it takes to get everyone's cooperation is rarely justified, and there is a high probability that the trail will be too cold to follow. Additionally, if one ISP does not maintain logs, it may not be possible to establish the continuity of the offense and track down the source of the attack.
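The two preceding paragraphs come down to one investigative step: matching the timestamp and source address of a logged event against the ISP's session records to learn which account held that dynamically assigned address at that instant. The following is an added example, not code or data from the book; the session-record format, the account names, the TEST-NET addresses and the times are all constructed, and `attribute` is a hypothetical helper. It shows why the timestamps must carry their UTC offsets, and why a tolerance for clock drift can turn a clean answer into an ambiguous one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# All data below is constructed for this example (not from the book). Addresses
# come from the TEST-NET documentation ranges; names and times are invented.
# ISP dial-up accounting records, one session per line (constructed format):
#   user,assigned_ip,session_start,session_stop   ('-' = still connected)
# The ISP stamps its records in local time (UTC-5) with an explicit offset.
ISP_SESSIONS = """\
alice,203.0.113.7,2003-03-01T18:02:11-05:00,2003-03-01T21:40:03-05:00
bob,203.0.113.7,2003-03-01T21:41:30-05:00,2003-03-02T01:15:44-05:00
carol,203.0.113.9,2003-03-01T19:10:00-05:00,-
"""

@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    stop: Optional[datetime]  # None: still connected when the records were pulled

def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, start, stop = line.split(",")
        sessions.append(Session(user, ip, datetime.fromisoformat(start),
                                None if stop == "-" else datetime.fromisoformat(stop)))
    return sessions

def holder_of(ip: str, at: datetime, sessions: List[Session],
              skew: timedelta = timedelta(0)) -> List[str]:
    """Accounts holding `ip` at aware instant `at` (offsets make the victim's UTC
    log and the ISP's UTC-5 log comparable). `skew` widens each session by the
    tolerated clock drift; [] = no covering record, >1 name = ambiguous overlap."""
    hits = []
    for s in sessions:
        if s.ip != ip:
            continue
        if s.start - skew <= at and (s.stop is None or at <= s.stop + skew):
            hits.append(s.user)
    return hits

def attribute(ip: str, event_ts: str, skew_seconds: int = 0) -> List[str]:
    """Event timestamp as an ISO-8601 string with offset, e.g. a firewall entry."""
    return holder_of(ip, datetime.fromisoformat(event_ts),
                     parse_sessions(ISP_SESSIONS), timedelta(seconds=skew_seconds))
```

A firewall entry stamped 03:12:55 UTC on 2 March is 22:12:55 in the ISP's UTC-5 records, which falls inside bob's session; an event in the 87-second gap between alice's and bob's sessions matches nobody, and once a two-minute clock-drift tolerance is allowed it matches both, which is exactly when the session records alone cannot attribute the address.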

Yet another challenge is that few networks are designed to make evidence collection simple. Evidence is scattered, and there is rarely one person in an organization who has access to, or even knows about, all of the possible sources of digital evidence on their network. Also, every network is unique, comprising many different components that are sometimes held together by little more than the digital equivalent of duct tape. Therefore, it is impractical to create a general checklist of all potential sources of evidence with an associated method of collection. As mentioned earlier, as digital evidence comes to be used more widely, some organizations will develop digital evidence maps of their networks to save time and protect themselves against liability. In the absence of such a map, looking for digital evidence on a network is a matter of exploration and interviewing knowledgeable people.


Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279