Cybercrime Investigation Case Studies
An Excerpt from Placing the Suspect Behind the Keyboard
About this book
Cybercrime Investigation Case Studies is a "first look" excerpt from Brett Shavers' new Syngress book, Placing the Suspect Behind the Keyboard. Case studies are an effective method of learning the methods and processes that were both successful and unsuccessful in real cases. Using a variety of case types, including civil and criminal cases, with different cybercrimes, a broad base of knowledge can be gained by comparing the cases against each other. The primary goal of reviewing successful cases involving suspects using technology to facilitate crimes is to be able to find and use the same methods in future cases. This "first look" teaches you how to place the suspect behind the keyboard using case studies.
Chapter 1
Case Studies
1.1 Introduction
1.2 A Day in the Life of a Cybercriminal
1.2.1 Backdating Documents
1.2.2 False Names and Disposable E-mail Accounts
1.2.3 Evidence Leads to More Evidence
1.2.4 Searching for All the Bad Things
1.2.5 Scenario—Threatening Blog Posts
1.2.6 Making the Wrong Kind of Friends Online
1.2.7 A Break in the Case, Otherwise Known as a Suspect’s Mistake
1.2.8 Altered Evidence and Spoliation
1.2.9 Spoofed Call Harassment
1.2.10 Disgruntled Employee Steals and Deletes Employer’s Data
1.2.11 Missing Evidence
1.2.12 Bomb Threats by E-mail
1.2.13 ID the Suspect
1.2.14 Online Extortion
1.2.15 Placing Suspect at a Location
1.2.16 Placing the Suspect in the Office at a Specific Location
1.2.17 Stolen Property
1.2.18 IP Addresses Aren’t Enough
1.2.19 Planted Evidence
1.3 The Life and Casework of a Cyber Investigator
1.3.1 Technical Knowledge and Skills
1.3.2 This Case is Different from That Case
1.4 Testifying to Your Work
1.5 Summary
Bibliography
1.1 Introduction
In theory, investigations should succeed as planned and expected. However, in practice, theory is only the starting point for real-life situations requiring creative solutions to obstacles. A review of case studies provides a means to show theory and practical applications in real-life case scenarios, with both positive and negative results. A thorough examination of one case for a targeted study goes well beyond this book due to the amount of information any single case possesses, but we can use many examples to reinforce investigative concepts.
In order to give examples showing how successful concepts in this book have been applied in real life, this chapter will show a collection of briefed examples across a wide range of case studies. Keep in mind that there is more than one solution to any single problem you will encounter and certainly more solutions than can be given in this chapter.
Some examples are clearly criminal investigations, where evidence can be demanded through search warrants. Civil cases, however, allow evidence to be gathered without warrants, such as electronic evidence owned by a business and used by an employee. Whichever type of case you have, use the resources and legal authority available to secure the evidence. Sometimes you can just ask for it; other times, you may need a judge to order it.
The specific examples come with disclaimers. Depending upon the type of operating system and even the version of an operating system, certain artifacts will not exist or be recoverable. Depending upon the actions of the suspect, artifacts that existed at one point may not exist after being overwritten by other data. Even depending upon the forensic application used, some artifacts may be incapable of being recovered. So, a statement that electronic evidence may be recovered in a specific situation literally means maybe, because it depends on other factors. Usually, the answer as to whether a forensic artifact of evidence can be recovered is simply, it depends.
1.2 A Day in the Life of a Cybercriminal
The scenarios given in each following section are fictional, but much of the content has been taken from cases I’ve worked on. Each scenario has a referenced case (“Case in Point”) for a real-life example of a high-profile case. Most of these can be found online through open source or court records to read detailed information on the investigative methods used.
As an investigation can consist of one independent incident or a multitude of crimes over a period of time, involving different operating systems and versions of operating systems, your investigation processes and methods will need to flow with your evidence. Some of the investigative tips discussed in this chapter will work with some cases; others will not.
1.2.1 Backdating Documents
Scenario: A business purchase agreement document in PDF format is alleged to have been altered to benefit one party in the agreement. Certain verbiage is claimed to have been changed as has the date of the agreement. Both the plaintiff and defendant claim their version of the document is accurate and the other document version is a manipulated copy.
Case in Point
Paul D Ceglia v. Mark Elliot Zuckerberg, and Facebook Inc, 2012
This case hinged on the authenticity of a contract between Ceglia and Zuckerberg as it related to the development of Facebook. A forensic analysis concluded that electronic documents and e-mails had been manipulated and backdated.
Investigative tips: Antedating is creating files with intentionally inaccurate time stamps. A common form of antedating is the backdating of electronic documents. Backdating a document means changing its date, for example moving a business contract's creation date to an earlier date to gain a benefit. The benefit could be to cover knowledge of a crime or to gain financially in a business dispute. Another example of backdating is creating a suicide note after the fact, using a computer, in an attempt to cover a murder. The printed date on a document is easy to manipulate and difficult to validate. The electronic time stamp is a different story.
Firstly, examining the metadata of an electronic file gives a baseline of information, whether or not the dates and times are authentic. Each copy or version of the documents under investigation will need the metadata extracted for comparison to create a historical timeline for each document.
In any document backdating investigation, being able to examine the machine on which the document was created may be the most beneficial source of information. Secondary items of evidence that the document may have been copied onto or e-mailed are also important as comparisons.
Documents which have been e-mailed as attachments create a credible source of information in the e-mail headers. A document showing a creation date after an e-mail date would be suspected of being modified. This example would be easy of course, but more important is building the timeline of historical relevance for the documents using all available information, including e-mail header time stamps.
One method of manipulating document time stamps is through the use of software intended for altering metadata. Whether used for legitimate file management or nefarious purposes, these applications enable computer users with average skills to manipulate the time stamps on electronic files. One such example is seen in Fig. 1.1, showing the dialog box for Stexbar, an open source extension for Windows Explorer. This particular extension can be downloaded from http://code.google.com/p/stexbar/ and easily installed. Once installed, computer users can change the metadata time stamps on any file by right clicking the file, choosing “properties”, and selecting the TimeStamps tab to alter the metadata.

Fig. 1.1 Stexbar, a Windows Explorer extension allowing an easy method of altering a file’s time stamps.
If the evidence in question is a file without the computer on which it was created, validating the time stamps is problematic, and more information is needed to validate the metadata. When the computing system is available, one can recover time stamp information from the master file table, which contains the time stamp of when the file's MFT record was last modified (“Entry Modified”) and when the file's attributes changed, along with information on other actions affecting the evidence file.
Changing the computer time before creating an electronic document is another method of antedating, as the metadata for the newly created file will be based on the incorrect system clock. Antedating by more than one means only complicates an analysis. Once there is doubt as to the validity of any file's time stamp, the computer system must be analyzed to correlate dates and times and to determine whether a suspect manipulated the system.
Internet web browsers are full of time-stamped records from reliable external sources, such as an Internet service provider or a web site. These can be compared to files on the system in relation to the evidence files. Event logs in Windows are also a great source of information for determining whether antedating occurred, such as the system logging a computer clock change. Other log files, like antivirus program logs, may also have time stamps that help correlate activity on the system.
Generally, antedated documents are made with a substantial gap between the actual date and time and the altered date and time. In these situations, the differences are obvious. Where the time gap is small, finding the differences requires attention to minute detail. Also, the time stamps of files do not change consistently: how a file was copied or moved affects which time stamps are modified. Time stamps can be updated when a file is extracted from a zip file, downloaded from the Internet, or moved to a folder using the command line. Conversely, simply moving a file from one folder to another will not update the Create time.
The version of the software used to create a document also gives an indication of whether a file has been antedated. An example would be an evidence file, such as a Microsoft Word document, produced as authentic evidence in the “.docx” file format, yet the claim is that the document was created and not modified since the year 200...
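The timeline checks described above (an attachment created after the e-mail that carried it, a creation time falling just after a logged clock change, and copies of the “same” document with creation dates far apart) can be automated once the metadata has been extracted. The script below is an added example, not code from the book; the evidence values are constructed, and the two-hour window after a clock change is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ts(s):
    """Parse an ISO-8601 string and normalize it to UTC, so a local-time
    e-mail header is not misread as an anomaly when compared to file metadata."""
    return datetime.fromisoformat(s).astimezone(UTC)


# Constructed sample evidence for one disputed contract (invented values).
# For each party's copy: the creation time from the document metadata and the
# Date header of the e-mail that carried that copy (None if never e-mailed).
COPIES = {
    "plaintiff": {"created": ts("2003-04-28T09:15:00+00:00"),
                  "emailed": ts("2010-06-29T13:02:00-04:00")},
    "defendant": {"created": ts("2010-07-01T21:48:12+00:00"),
                  "emailed": ts("2010-06-30T17:02:00+00:00")},
}
# Clock-change records recovered from the machine's event log (constructed):
# (time the event was logged, clock value before, clock value after)
CLOCK_CHANGES = [
    (ts("2010-06-30T21:40:00+00:00"), ts("2010-06-30T21:40:00+00:00"),
     ts("2003-04-28T09:10:00+00:00")),
]


def analyze(copies, clock_changes, window=timedelta(hours=2)):
    """Return a list of timeline inconsistencies, one string per finding."""
    findings = []
    for name, c in copies.items():
        # 1. An attachment cannot have been created after the e-mail that carried it.
        if c["emailed"] is not None and c["created"] > c["emailed"]:
            findings.append(f"{name}: created {c['created']:%Y-%m-%d %H:%M} "
                            f"after e-mail dated {c['emailed']:%Y-%m-%d %H:%M}")
        # 2. Creation time shortly after the clock was set back to that date.
        for logged, before, after in clock_changes:
            if after < before and after <= c["created"] <= after + window:
                findings.append(f"{name}: created {c['created']:%Y-%m-%d %H:%M} "
                                f"within {window} of clock set back to "
                                f"{after:%Y-%m-%d %H:%M} (logged {logged:%Y-%m-%d %H:%M})")
    # 3. Copies of the same document whose creation dates are far apart.
    created = sorted(c["created"] for c in copies.values())
    gap = created[-1] - created[0]
    if gap > timedelta(days=1):
        findings.append(f"copies differ in creation date by {gap.days} days")
    return findings


if __name__ == "__main__":
    for finding in analyze(COPIES, CLOCK_CHANGES):
        print("FLAG:", finding)
```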