News reporting does an injustice to the work done in cases like these, only because the articles make it sound so easy. But this particular case illustrates placing the suspect behind the keyboard using several methods that are sometimes overlooked (but of course, these methods and more are described in both my online course and book…).
In short, the case is simply that a criminal dark-web administrator (Gal Vallerius) was arrested. The complaint can be read here: https://regmedia.co.uk/2017/09/27/gal_vallerius.pdf
The details of the case of how the suspect was identified and caught are more interesting, and are the things you can do in your cases. One thing of note is that the number of agencies investigating Gal Vallerius included several alphabets (DEA, FBI, IRS, DHS, USPS) and probably several other LE agencies as well. My point is that you can be the sole investigator for a police department of 5 officers and do most, if not all, of the same work on a case with positive results. You just have to be creative, find resources, and use the resources available to you.
Some of the methods used in this case included:
- · Bitcoin account tracing (a book is coming out on how to do it in 2018… “Bitcoin Forensics”)
- · Writing style comparisons of known writings
- · Open source information converted into intelligence (social media: Twitter, Instagram)
- · Digital forensics (recovered log-in credentials to the dark web market, PGP encryption keys, and $500K of bitcoin)
These are just the public methods used for the complaint. Criminal complaints/affidavits do not contain the entire case, the entirety of investigative methods, or even the entirety of evidence obtained. Complaints only contain enough to establish probable cause for criminal charges/search warrants. I can imagine that reading the case will have many more methods used to identify Vallerious, and I would imagine that none of the methods are secretive as typically they never are. Practically, the methods to uncover criminals on the Internet regardless if they were secret or not, and most (if not all) are publicly known. I’m not referring to the NSA/CIA methods, but the criminal investigator methods which require a higher approval of legal authority.
If you are not looking for cases like this to analyze, you are not going to improve in your cases as fast as you could be improving. When I come across a case online that talks about how someone was caught, I review it, line by line. When I come across someone who did a case like this, I buy a cup of coffee and talk about the case. You should too. Debriefing your casework and the casework of others will bring up things that were done wrong and things that could have been done better. Debriefing cases makes future cases better. Sometimes you even have to take a zinger for doing something wrong in order to do it right the next time. It may hurt in the short term, but you’ll be a hero in the long term. Do not ignore mistakes, errors, or omissions. Debrief yourself and improve. This is perhaps the best way to master a skill. Consider that military special operations and law enforcement swat units do this for every mission and every training exercise in order to improve exponentially.
In the next month I will have a live (and free) webinar of about 20 minutes to discuss and analyze a case of placing the suspect behind the keyboard. Stand by for the notification in October via Twitter and this blog.
A point I want to make is my opinion on the investigative aspect of DFIR, or more pointedly, of “forensics”. Digital forensics and investigations tied together as one. An investigator does not have to be a digital forensics analyst in order to use the results of an analysis in a case. A digital forensics analyst does not have to be an investigator in order to identify evidence. However, you need both to pull evidence and apply it in an investigation. One person can do both jobs or many people can do both jobs.
I have been fortunate to have worked as a police detective for years. I took a lot of courses that taught investigations, was assigned hundreds of cases, initiated tons more, and worked with dozens of US and foreign law enforcement agencies on many of those cases. So, getting into digital forensics only required I learn about computers (yes, it’s more than “computers”, but I’m coming to that shortly). I can identify what is evidence, put information into intelligence, compile it all into a case, and wrap it up nicely with a big bow because I have successfully done it so many times before and worked with some very gifted investigators. By gifted, I mean that they must have worked very hard to become very good in their jobs.
I have found that it is easier to learn the technical part than the case-building part, only because outside the LE would, the technical training is everywhere, and the case-building part is not. If a new DFIR person wanted to learn about the Windows registry, in about 3 minutes on the Internet, a dozen websites and videos can be found to show not only how, but with what tools to use. The same can be said for any technical know-how. Try to find case-building information and you’ll come up a bit short. Case-building is not report writing. Without knowing what it takes to build a case, all the best DF work in the world won’t save the case.
When you work DFIR, work it like it’s a case, because it is. Whether or not the ‘case’ goes to trial or to the boss, you really are investigating. The only exception is if you are only pulling out data and then it’s just data recovery. But if you are looking for a smoking gun (which could be a civil matter with document manipulation allegations or a criminal matter with dead bodies), you are investigating by looking for evidence, ergo: forensics. Treat it as such. Put yourself into an investigative mindset. Ask yourself questions as you move forward;
- What do I need?
- How does it relate to the case?
- How do I get it?
- What do I do with it once I get it?
Think: a prefetch file is just a prefetch file unless you can show the relevance to the case.
Don’t just do data recovery. Do DFIR.