Knowing “how-to-do-it” is important, but first you need to know “what-to-do”.

My first months as a narcotic detective sucked.  My partner (ie. the senior narc) was less helpful than a doorknob on the ceiling.  The initial On-the-job training basically consisted of “figure it out” and “I am not going to help you figure it out”.   In time, I figured it out.  It took nearly being killed on occasion and suffering through a few investigations.  Did I mention my first months as a narc sucked?

Here is what I learned with that experience: Knowing what you have to do is more important than the how to do it, because if you don’t know the what-to-do, the how-to-do-it doesn’t matter.   It’s like registry forensics.  If you learn all about how to do it, but you have no idea of why you should in one case but not in another, then you are missing the what.

Let’s consider one registry item.  There are probably dozens of software applications that will deliver you straight to USBStor in the registry where you can pull out data on USB devices.  You can spend a week in a registry course working one specific software and then self-learn a dozen more registry tools all for the effort of pulling out registry information. But, so what?  Being able to pull out registry information willy nilly is useless if you don't know what to do with it (or why).

The what is having an objective and purpose to go into the registry for that specific data.  You need to know what you need for evidence to prove or disprove an allegation.  You need to know what you need to make the case.   The what is going to be a lot more than pulling out a registry key.  

Then, after pulling the data out that you determined is necessary to make your case, you need to tie the data to a person.  And you need to articulate how the data you found is relevant and that it is evidence which relates to a person.  Simply finding that a flash drive was plugged into a machine does not make a case if you can’t articulate the connection, no matter how great of a forensic job you did to ‘recover data’.

I bring this up so that when you take a training course in forensics, ask the instructor to also cover the what in addition to the how.  Learn the individual skills, but also learn when you need to employ those skills and why; otherwise, spending a full workday in the registry just because you know how isn’t going to make your case if you don’t know what you need to do in your case. 

The what is the forest.  The how are the trees.  You really do need to see the forest.

Going back to my narc years, as soon as I figured out what makes a good case, my effectiveness (and workload...) skyrocketed.  I initiated more than a dozen international organized drug trafficking cases (aka: OCDETF), seized over a ton of drugs, worked several wiretaps, solved murders, recruited into a federal task force, uncovered terror training cells, and traveled internationally working undercover.  All it took was seeing the big picture in what was needed for a good case. 

The skills? Those are the easy things to learn.  That's why I push the big picture so hard with the training I give and the things I write because once you get it, your effectiveness will skyrocket and you can focus on learning the skills that you know you will need, not skills for sake of having skills.

As a side note, I used this concept when getting into forensics more than a decade ago.  It worked out just fine (but that first month of narc work still sucked).

677 Hits

Compiling Identity in Cyber Investigations

Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’.  As important an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.  An investigation without an identified suspect is a case that remains open and unsolved..sometimes for years or forever.

In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination.  Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.

However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short.  Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes.  The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person.  It is only the physical identity.  Investigators should strive to compile a complete identity that includes digital identities.

So what’s in it for you?

Building a case against a suspect requires more than just finding evidence.  A case needs evidence to point to a suspect as well as showing motive and opportunity.  Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence.  In short, you get a better case.

The Complete Identity

A physical identity (aka biometric identity) and digital identity comprises the complete identity of a person.  Biometrical features of a person, such as fingerprints and eye color, are bound to the physical identity and typically permanent to the person depending on the feature.  Although eye color can be temporarily changed with color contacts and hair can be temporarily dyed to a different color, the majority of physical features cannot be changed without drastic injury or surgery. 

Internet users create digital trails of use and subsequently (and without intention) create digital personas based on their unique computer use.  The normal, everyday use of the Internet creates a digital identity that is based on Internet surfing habits (the Websites visited), communications made online through forums, chats, e-mails, blog posts and comments, and through the accounts created for online services to include online shopping.

Compiling the digital identity and physical identity may seem like an obvious and easy task, but assembling the identities is not so simple.  In an ideal case, a suspect has a single physical identity and a single digital identity, but in reality, a person may have multiple physical personas tied to a single physical identity and multiple digital personas.  Some personas may be intentional while others unintentional.  For example, a criminal wanting to travel in a name other than his true name may create or purchase a fake driver’s license. As he goes about using the fake or stolen driver’s license, he creates a persona under the false name.  Although this persona is not truly a ‘physical’ identity, as it is not biometrically tied to a physical body, it is part of his physical identity as he uses the false name as if it were his true name. 

One example of a digital identity is the accumulation of normal Internet and computer use.  A person’s computer use is generally a reflection of that person’s personality, desires, and intentions.  The unique activity of one device is typically replicated across devices under that person’s control.  For instance, given a new computer, a user will configure it by personal preference by arranging icons, colors, sounds, and folder structure to save.  When the user has an additional computer, both computers will have a very similar order of computer activity when used over time and will even look the same, such as the placement of desktop icons and wallpaper choice.  Configurations of the computers will likely be similar, if not exact for some items, and Internet use will most certainly mirror each other by bookmarks and frequently visited Websites.  Merely comparing the type of computer use and configuration between two or more devices can give an indication that the same person used all of the devices. 

Adding to the complexity of finding both digital and physical identity of a suspect is that of multiple aspects of both types of identity.  A person leading a double life may have two spouses and two jobs with one being a false identity.  This person is physically tied to both identities, even if the false identity contains no true information.   Leading a double life is an extreme example of a fake physical identity, and examples that are more common include using a fake ID to make consumer purchases, or using fake names to register at hotels.  The depth of a fake physical identity depends upon the person’s intention and resources. Types of physical identifiers are seen in the following figure.

Digital identities, being far easier to create, generally mean that any one person can have multiple, or even hundreds, of fake digital identities.  A harassment suspect may have dozens of online identities that he uses to harass a single victim or victims through repeated e-mails from different e-mail accounts created to appear as different people.  In any investigation, treat each digital identity as its own identity that will be tied to a physical person at some point in the investigation.  Each identity gives information about a person based on the fake identity, whether the only information is the username of an e-mail or a completely falsified social networking account.

An example of having multiple digital identities is that of one fake identity used to create specific online accounts and a different fake identity used to create other specific online accounts.  In this manner, a person is simply trying to distance himself from something (such as registering for a pornographic Website) by using a fake digital identity while using a different fake identity to distance himself from other aspects of his online life.  An investigator who can identify the fake accounts adds to the case by showing the intentionally hidden aspects of a personality, motive, or intention of the real person based on the real person’s actions under the fake digital identities.  A pedophile whose physical identity has no ties to pedophilia may appear innocent until fake digital personas are found and tied to his physical identity.

Of note is that each person has a true physical identity and a true digital identity.  Typically, the true digital identity shows the real information, such as a real name, and is easily tied to the physical person.  However, every identity and persona (real and fake, digital and physical) should be compiled together to show the complete identity of a person.  False information is just as important as the true information to build a complete picture of a suspect.

A great example of tying a physical identity to a false persona is in the Silk Road case where the creator of Silk Road (Ross Ulbricht) used his public e-mail/forum (rThis email address is being protected from spambots. You need JavaScript enabled to view it.) account on the open Internet to market the Silk Road.  One simple post eventually tied his legitimate physical identity to a secret, false, and criminal persona on the Dark Web site, the Silk Road.

Identifying the digital identity becomes easier as Big Data continues to grow exponentially through massive data collection by government and corporations.  Social media sites contribute to identifying digital identities as the connectivity between sites exists through single usernames, using the same e-mail address across online accounts, and algorithms created to ‘find’ friends based on relationships and Internet use.  The digital identity is the sum of all electronic information of a person.  Corporations have been compiling digital identities of consumers in order to focus on advertising efforts.  Investigators should focus on compiling digital identities of suspects to determine motive and opportunity.

Any investigation benefits by compiling the complete identity of suspects.  Whether the identities contain true information about a suspect is not as relevant as tying the identities and personas to a person. Motives and intentions are clearer with a complete picture of a person in both the physical and digital worlds. 

Now that you know the ‘why’, become competent in the ‘how’ in each investigation with thorough research to find the connection between each identity in order to place your suspect at the keyboard.  Digital forensic skills are necessary and important, but solid cases usually need some old fashioned, gumshoe detective work too.

1599 Hits