Drop the mic...please.

Well...that didn't work out so well, did it?

I had a serious audio problem with the webinar today, from which I learned to mute attendees for the next time that someone doesn't mute their mic.  My fault on the audio, but on to the positive with the webinar: I'm going to make another (two more) presentations.  At the same time, I'm going to make them more in-depth, with more case studies, in more detail, at the same price of free.  Did I mention that I really feel bad about that audio problem?

Details on the upcoming presentations are at: http://courses.dfironlinetraining.com/series/case-studies-placing-the-suspect-behind-the-keyboard. In brief, I may be starting a series of Case Studies based on recent cases I find or cases of mine that I can talk about openly.  With that, this next presentation is Case Studies I - Placing the Suspect Behind the Keyboard (meaning that there most likely will be a Case Studies II, and a Case Studies III, etc...).  I'll provide case documents as I have them available for self-study into the cases that will be discussed.  My intention is to get you thinking like a detective in your cases, regardless of the type of case or importance of the case.  By importance, I don't mean that any case is unimportant, but some cases are critical, such as those that involve serious threats of harm to persons.  Every case is important to someone, but in certain types of cases, people can be hurt or have already been hurt.

I am limiting the number of attendees to 50 per session and I'll have a promo each time for something neat.  For this upcoming session, I'm giving a promo of $45 (instead of the $799) to the full, 13-hour Placing the Suspect Behind the Keyboard course.  Next time, who knows what it will be and for what.  BTW, the sessions will not remain online past the dates presented as recordings.  These are one-time training sessions not to be repeated.

FAQ (that I've been asked so far...):

Will you keep recordings online for future reference?

Nope.  Either the presentations will be live or delivered as a recording on the day of release only.

I missed the session, can you extend the promo for me?

Sorry.  The promotions are extremely short-lived for the few hours of the presentation time only because I'm near the point of making the course free when it goes from $799 to $45 (or so).

I missed the session.  Will it be replayed?

Nope. These will be shown once or twice at the most.

Can you put the videos on YouTube?

No YouTube for me.  I'm not a fan of YouTube 'training'.  The presentations I am giving each include a certificate of training attendance in order to give you documented training hours.  Sometimes you need to keep the mother-ship happy with training records, so I aim to help provide those records.  Also, it doesn't hurt to be able to claim training hours when you produce physical documentation instead of saying that you 'learned it on YouTube'.

The direct link to the case study series is: http://courses.dfironlinetraining.com/series/case-studies-placing-the-suspect-behind-the-keyboard


If you are a “Self-Proclaimed Hacker” looking for a job in LE…

We are almost fully into the computer age.   In nearly every aspect of our lives and jobs, computers* in some form or another are integrated.  This means that if you have the inclination and ability to work with computers, your time has come.  The world is your oyster, as the doors are not only open with information security careers, but employers are fighting over you as their next new hire.  This is kinda true with law enforcement, but not so much.

<*by “computers”, I mean everything that encompasses technology from writing code to developing the devices>

Let me give a little personal insight into one small aspect of a future career that is of interest to many: law enforcement.  I’ve never directly hired anyone into law enforcement, although I have participated in the interview process for those wanting to be hired, given my input on specific persons that I’ve known who applied to law enforcement, and I have seen people fired for doing some amazingly dumb things as cops (and federal agents).  With that, here is one suggestion on increasing the odds you get hired if you work in information security.

Be careful if you call yourself a hacker if you are not a criminal hacker.

Without clear context, calling yourself a ‘hacker’ implies calling yourself a ‘criminal’, which will cut you out of the hiring process faster than a long-tailed cat running out of a room full of rocking chairs.  The primary mission of hiring in LE is to not hire criminals or anyone with the potential of committing crimes in the future.  Remember…past behavior is the best indicator of future performance and behavior.  Do not think that you will have an opportunity to spend a half hour explaining why a hacker may or may not be a criminal.  Thousands of applications are submitted each month, and one of the best ways to cut the workload of a background investigator is to dismiss as many applications as possible before doing too much work on them.  The easy ones go first, such as those not meeting the job requirements. Then go the ones with blatant problems (serious drugs, arrests, etc...).  Writing "hacker" on your application is a red flag.

I write this only because fairly recently, I was contacted by a background investigator for my thoughts on a police department hiring someone who is a self-proclaimed hacker on their social media. Having to explain what a hacker is, is not, or could be to someone who is not in the community is not usually productive in less than 10 minutes, especially if they are looking for an easy out to move on to the next application.

My opinion is that many times, we may call ourselves “hackers” but for all practical purposes are actually “counter-hackers” or “anti-hackers”.   In the most commonly accepted perception of a hacker, the public sees a hacker as someone who steals their ID by hacking into their computers.  Regardless of how much you may try to explain that you are using “hacker” as a marketing slogan or that not all hackers commit crimes, it does not matter, because you most likely will not be hired because of the perception, and perception is reality for all intents and purposes.  The liability of hiring someone into law enforcement who openly claims to be a hacker is not something a government agency will want to take on as a full-time employee.  Sure, maybe some contract work while you are escorted around the building as you work on a limited project, but not as a full-time, badge-carrying, free-to-roam-anywhere-you-want officer.  Do I agree with this?   It doesn’t matter, because liability and the perception of future liability is what matters.

So, if you want a better chance of being hired in law enforcement, be careful with calling yourself a “hacker”.  I can promise you, without hesitation, that everything you put online, say at a conference, write in a blog, or speak to a future job reference will be looked at by the agency that is considering hiring you.    Law enforcement needs more technically proficient cops, so get that job by marketing yourself as such.


Case study - Placing the Suspect Behind the Keyboard

Not too long ago, I read an article where the state’s largest cocaine bust happened because the driver was stopped for speeding.  The first thing I thought was, “Speeding…yeah, right”.   So, I called a good friend of mine who I worked some cool drug cases with and asked if that was his case.  But of course it was.  The article read like cases we worked together for some years.   The case is public knowledge today, but in short, a year of investigative work resulted in ‘taking off’ lots of drugs and cash using pretextual traffic stops as wall cases to keep the core case going.  We did that a lot, and it was a lot of work.

My point in the story is that when you see a simple case publicized, there is usually a lot more that has happened behind the scenes than most people will ever know.  Some of this is intentional, such as when a small part of a case is ‘walled off’ to protect the core of an investigation, and other times the work is so intensive that to start talking about it will (1) bore the listener to death and (2) take a week to flesh out the details.

So here comes a really cool case I just found to illustrate these points.  In brief, this case is a cyberstalking case that was righteous in all aspects, in that the cyberstalker truly needed to be caught and the work done was awesometacular.

I’ve taken a few snippets from the affidavit to discuss some of the notable investigative aspects of the case.  As a reminder, what you read in the affidavit is like seeing the tip of the iceberg of a case.  There is so much more in a case like this that is not in the affidavit.  Having written more search warrant affidavits than I can count, I cannot imagine how much work was done on the case based on what was included in the affidavit.  Very cool.

Side Note:  Read the entire affidavit when you get a chance.  Flesh it out.  Read it like a novel.  What would you have done differently or better?

https://www.justice.gov/opa/press-release/file/1001841/download


This is a key point. Either iCloud was hacked (as in a technical hack) or someone had access to the account physically (as in, someone who knew the victim and could have accessed her devices).  Eliminating the suspects who could be hackers is impossible.  Eliminating suspects who are known to the victim is possible.

The suspect, “Lin”, erred in using variations of his name in social media accounts.  It’s only a clue, but important to build upon.  In all cyber cases, keep track of user names.  Sometimes there is a reason a username was chosen, and perhaps clues to other information.   For each online service, such as Instagram, also consider that accessing each service can be done using many different devices from many different locations on many different occasions.  With each connection, the suspect risks being discovered, either by his mistakes or by the service provider.  That means you need to look at every connection of every message, text, email, or login.


Not much was mentioned in how the anonymity was obtained, but again, each communication is a potential disclosure due to a suspect’s mistake.  Considering that the false flag involving Matthew Brown is known to the victim, the assumption is that the suspect is known to the victim and/or Brown.  This can narrow the list of potential suspects down.

I threw this in just as a reminder for employers (and to remind your clients!) to backup/image departing employee devices for a set time period, just in case.  This is also a reminder to employers that even if they think nothing is left on the computer, usually there is something.  I’ve come across this multiple times, and in one case, the entire case was closed with a single forensic analysis of a reinstalled OS from a departing employee.

At this point, it’s easy to see that the suspect (Lin) is probably the guy.

The similarity in style and content from multiple accounts can be tied together, at least as being too similar to be a coincidence.  By itself, not enough to prove a crime/incident, but when taken in totality of all evidence, it is very important.

This would be called a “slip up” by the suspect.  When details known only to a few people are discussed, the list of potential suspects gets very short.

Again, if physical access is needed to commit a crime, the list of suspects can be shortened.

Never give up on uncovering someone because of technology being used for anonymity.   Keep at it.  Keep looking.  Keep thinking.  Time and effort work for you.  Time works against the suspect.

Technically, this is called, “the suspect screwed up”.   But it took getting the records from Google, which required having the idea to do so, along with the labor to gather legal cause to request it.


Social engineering by the suspect.  Very creative.  However, it required the suspect to create a social media account, email account, and obtain a phone number.  Again, consider how many times he would need to connect to the Internet, from one or more devices, from one or more locations in order to do this.  Each act is a potential windfall of evidence when the suspect makes a mistake. You just have to check every connection known and find the mistake. It is there.  You have to look.


And yet another Internet service to add (TextNow) to your investigation.  This is a good thing.  I have heard complaints from investigators about the number of leads to add to the list of things to do in an investigation every time something else comes up.  For me, I love it.  A dozen social media accounts? Cool.   A hundred social media accounts?  Even better.

Like I said, the more the merrier.  Most suspects do not realize that each thing they do is not separate from every other act.  There is usually some connection. It might be the same device used.  Or it might be the same IP address used. Or it might be the same service provider used.  The above would make a cool timeline to visually show the connections.

Again, when you have the “same” of anything in a case, do not discount it as a coincidence.  The same IP or the same email or the same username or the same style of writing can all point to the same suspect.
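To show what "the same of anything" looks like when it is worked systematically, here is an added example (not from the affidavit or the original post): constructed login records for five accounts are indexed by shared IP address and device identifier, grouped into clusters of linked accounts, and the chain of shared artifacts that ties two accounts together is traced so it can be documented. Account names, IPs and device IDs are all made up.

```python
"""Link analysis over constructed account records: accounts that share an IP
address or a device identifier are linked, clustered, and the chain of shared
artifacts between any two accounts is recovered for the case file."""
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample records (hypothetical; not from any real provider return):
# one entry per login or message event, as provider records might show them.
RECORDS = [
    {"service": "Instagram", "account": "jdoe89",      "ip": "203.0.113.7",  "device": "iPhone-A1"},
    {"service": "Gmail",     "account": "j.doe.mail",  "ip": "203.0.113.7",  "device": "Laptop-B2"},
    {"service": "TextNow",   "account": "anon_texter", "ip": "198.51.100.4", "device": "Laptop-B2"},
    {"service": "Reddit",    "account": "throwaway77", "ip": "198.51.100.4", "device": "Android-C3"},
    {"service": "Twitter",   "account": "bystander_u", "ip": "192.0.2.55",   "device": "Desktop-D4"},
]


def index_by_value(records, attributes=("ip", "device")):
    """(attribute, value) -> set of accounts observed with that value."""
    idx = defaultdict(set)
    for r in records:
        for attr in attributes:
            idx[(attr, r[attr])].add(r["account"])
    return idx


def neighbors(records, attributes=("ip", "device")):
    """account -> {linked account: (attribute, value) that links the pair}."""
    links = defaultdict(dict)
    for (attr, value), accounts in index_by_value(records, attributes).items():
        for a, b in combinations(sorted(accounts), 2):
            links[a].setdefault(b, (attr, value))
            links[b].setdefault(a, (attr, value))
    return links


def clusters(records, attributes=("ip", "device")):
    """Connected components: each list holds accounts that all trace back to
    one another through shared artifacts, so they warrant one suspect theory."""
    links = neighbors(records, attributes)
    seen, out = set(), []
    for acct in sorted({r["account"] for r in records}):
        if acct in seen:
            continue
        comp, stack = set(), [acct]
        while stack:
            a = stack.pop()
            if a in comp:
                continue
            comp.add(a)
            stack.extend(links.get(a, {}))
        seen |= comp
        out.append(sorted(comp))
    return out


def connection_path(records, src, dst, attributes=("ip", "device")):
    """Shortest chain of shared artifacts from src to dst, as a list of
    (from_account, attribute, value, to_account) hops; None if unconnected."""
    links = neighbors(records, attributes)
    prev, queue = {src: None}, deque([src])
    while queue:
        a = queue.popleft()
        if a == dst:
            break
        for b, artifact in links.get(a, {}).items():
            if b not in prev:
                prev[b] = (a, artifact)
                queue.append(b)
    if dst not in prev:
        return None
    path, cur = [], dst
    while prev[cur] is not None:
        a, (attr, value) = prev[cur]
        path.append((a, attr, value, cur))
        cur = a
    return path[::-1]


if __name__ == "__main__":
    for group in clusters(RECORDS):
        print("linked accounts:", ", ".join(group))
    for hop in connection_path(RECORDS, "jdoe89", "throwaway77") or []:
        print("%s --[%s %s]--> %s" % hop)
```

The "anonymous" TextNow and Reddit accounts never share an IP with the named accounts directly; they are pulled into the same cluster only through the laptop the e-mail account was also used from, which is the kind of one-hop-removed link that is easy to discount as coincidence.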

Search the devices to which you have access to either confirm or rule out suspects.  In this case, searching Lin’s previous workplace computer found evidence that linked him to the crimes he was committing using other devices.

Not conclusive, but when you put all the evidence together, no one will see anything other than Lin as the suspect, because of being overwhelmed with the little things, like this, that point to him.


Past behavior is a good indicator of future performance/behavior.  In Lin’s case, based on his past behavior, I would say that this is what he is: a cyberstalker.  Once you read the entire affidavit, you’ll see what I mean.

Here’s my take on the case.

The timespan was lengthy, and there isn’t a lot you can do about that.  I don’t know the details of how many people or agencies worked the case, but I can imagine that there were a few (maybe one or two) who spent a lot of time on it, bantered back and forth on the best way to work it, suffered through a lot of investigative failures and wasted time*, and worked hard to get resources to put the case together.

I can imagine the number of court and administrative orders to obtain the records of all the social media services, ISP records, and phone logs being overwhelming at times.  That is the way it is, so in that aspect, don’t feel like any one case is getting you down more than another case.  I would hope that every user account that the suspect used was investigated, including the “anonymous” accounts.   Other cases have shown that even when a third-party provider promises anonymity, they don’t really mean it.  You will never know until you ask and you will never know what great evidence you can get without asking for it.

I’m not plugging the books I wrote for these types of cases, but if you get these kinds of cases, check out the books for some tips.  They are in a lot of libraries, easy to buy online, and the main point I work to get across is to find the one thing that will make your case.


On Oct 17, I am giving a short webinar on Placing the Suspect Behind the Keyboard.  If you stick around for the entire half hour, you’ll get a printable cert of attendance that you can take back to your employer for training credit to justify the time to join during work.   And also, if you stick it out to the end (it’s only a half hour…..), I’m giving a discount to the 13-hour online course that is the biggest I’ve ever done.  $45 for the entire $799 course.   But the promo will only be good for an hour after the webinar, and only for 100 attendees in the webinar, meaning that you’ll have to sign up right away if you want the course.

Be sure to add your name to the webinar here: Register


If you are like me, you like to dig.  You like to find out whodidit.  You want to put together a good case.  And most importantly, you want to stop bad people doing bad things to good people.  Isn’t that the point of all this?

*Sarcastically I said “wasted time”. I mean that time spent without a positive result may seem like wasted time, but it is not, since you have to spend time investigating, and much of it results in not much forward movement of the case.  Accept the time spent feeling like you are running in circles as part of what it takes to get it done.


Free Webinar - Tips and Case Studies on Placing the Suspect Behind the Keyboard

I had coffee with a detective (ie...consulted on a case....) to discuss his case, where tying a person to one specific device was necessary for criminal charges in an overly complex investigation.  There were a few things I learned and a few things he learned because of our talk.  I think it would be beneficial to talk about some of the things we discussed in a webinar to pass along tidbits that can help others.

Not to take up a lot of your time, but how about a half hour of talking about placing a suspect behind a device?   I want the webinar to be live in order to take as many questions as I can squeeze in, while also packing in as much as I can in half an hour.  If you'd like to attend, register here: http://brettshavers.cc/index.php/events/event/23-webinar-free-placing-the-suspect-behind-keyboard-tips-and-case-studies.  SIDE NOTE:  There will be a bonus in the webinar that will most likely be of interest to you.


The webinar is scheduled for Oct 17 at 11:00am (PST).   The webinar will be limited by virtue of the platform I'm using, so if you want to get in, register early.  Given enough registrations, I may do a second webinar on the same topic afterward.  And if you do register, have some questions ready or even send them in advance by email so I can be sure to cover as many of the questions as I can.  Or just listen in.  This topic applies to both criminal and civil cases, so whether your job is to have a person arrested (or vindicated) or an employee fired (or retained), the tips apply equally.

As I have always said and believed, keep looking for that one thing that can make your case or save you minutes or even weeks of work.  Once you find that one thing, you will crush your cases as if they were Styrofoam cups.  Tip: that "one thing" is different for everyone, but we all need it to be successful.  Those are the things I want to talk about and share.


And here is one tip you can use:  Get your mind in the game.  This is easier said than done.  You can tell yourself every day to do it, but it won't work unless you know how to do it.  Just saying it doesn't work.  But once you do get your mind in the game, you will be the master of that game.  By 'game', of course I mean your job or the task at hand.  When you can create laser beam focus on a task, you will own it.   I drill this concept with the ways to do it in every talk I do.  It's that important because if your mind is in the game, you can do anything.

**** Update -Oct 17 *****

I'll have one more webinar session, limited to 50 attendees.  Details to be posted soon.


Placing the Beard Behind the Keyboard

http://www.miamiherald.com/news/nation-world/article175557206.html

News reporting does an injustice to the work done in cases like these, only because the articles make it sound so easy.  But this particular case illustrates placing the suspect behind the keyboard using several methods that are sometimes overlooked (but of course, these methods and more are described in both my online course and book…).

In short, the case is simply that a criminal dark-web administrator (Gal Vallerius) was arrested.  The complaint can be read here: https://regmedia.co.uk/2017/09/27/gal_vallerius.pdf

The details of how the suspect was identified and caught are more interesting, and are the things you can do in your cases.  One thing of note is that the number of agencies investigating Gal Vallerius included several alphabets (DEA, FBI, IRS, DHS, USPS) and probably several other LE agencies as well.  My point is that you can be the sole investigator for a police department of 5 officers and do most, if not all, of the same work on a case with positive results.  You just have to be creative, find resources, and use the resources available to you.

Some of the methods used in this case included:

  • Bitcoin account tracing (a book is coming out on how to do it in 2018… “Bitcoin Forensics”)
  • Writing style comparisons of known writings
  • Open source information converted into intelligence (social media: Twitter, Instagram)
  • Digital forensics (recovered log-in credentials to the dark web market, PGP encryption keys, and $500K of bitcoin)

These are just the public methods used for the complaint.  Criminal complaints/affidavits do not contain the entire case, the entirety of investigative methods, or even the entirety of evidence obtained.  Complaints only contain enough to establish probable cause for criminal charges/search warrants.  I can imagine that reading the full case file would reveal many more methods used to identify Vallerius, and I would imagine that none of the methods are secretive, as typically they never are.  Practically speaking, the methods used to uncover criminals on the Internet, whether they were ever secret or not, are mostly (if not all) publicly known.   I’m not referring to the NSA/CIA methods, but the criminal investigator methods, which require a higher approval of legal authority.

If you are not looking for cases like this to analyze, you are not going to improve in your cases as fast as you could be improving.  When I come across a case online that talks about how someone was caught, I review it, line by line.  When I come across someone who did a case like this, I buy a cup of coffee and talk about the case.  You should too.  Debriefing your casework and the casework of others will bring up things that were done wrong and things that could have been done better.  Debriefing cases makes future cases better.  Sometimes you even have to take a zinger for doing something wrong in order to do it right the next time.  It may hurt in the short term, but you’ll be a hero in the long term.  Do not ignore mistakes, errors, or omissions.  Debrief yourself and improve.  This is perhaps the best way to master a skill.  Consider that military special operations and law enforcement SWAT units do this for every mission and every training exercise in order to improve exponentially.

In the next month I will have a live (and free) webinar of about 20 minutes to discuss and analyze a case of placing the suspect behind the keyboard.  Stand by for the notification in October via Twitter and this blog.

A point I want to make is my opinion on the investigative aspect of DFIR, or more pointedly, of “forensics”.  Digital forensics and investigations are tied together as one.  An investigator does not have to be a digital forensics analyst in order to use the results of an analysis in a case.  A digital forensics analyst does not have to be an investigator in order to identify evidence.    However, you need both to pull evidence and apply it in an investigation.  One person can do both jobs, or many people can do both jobs.

I have been fortunate to have worked as a police detective for years.  I took a lot of courses that taught investigations, was assigned hundreds of cases, initiated tons more, and worked with dozens of US and foreign law enforcement agencies on many of those cases.  So, getting into digital forensics only required that I learn about computers (yes, it’s more than “computers”, but I’m coming to that shortly).  I can identify what is evidence, turn information into intelligence, compile it all into a case, and wrap it up nicely with a big bow because I have successfully done it so many times before and worked with some very gifted investigators.  By gifted, I mean that they must have worked very hard to become very good in their jobs.

I have found that it is easier to learn the technical part than the case-building part, only because outside the LE world, the technical training is everywhere, and the case-building part is not.  If a new DFIR person wanted to learn about the Windows registry, in about 3 minutes on the Internet, a dozen websites and videos can be found to show not only how, but also what tools to use.  The same can be said for any technical know-how.  Try to find case-building information and you’ll come up a bit short.  Case-building is not report writing. Without knowing what it takes to build a case, all the best DF work in the world won’t save the case.

Summary please…

When you work DFIR, work it like it’s a case, because it is.  Whether or not the ‘case’ goes to trial or to the boss, you really are investigating.  The only exception is if you are only pulling out data, and then it’s just data recovery.  But if you are looking for a smoking gun (which could be a civil matter with document manipulation allegations or a criminal matter with dead bodies), you are investigating by looking for evidence, ergo: forensics.  Treat it as such.  Put yourself into an investigative mindset.   Ask yourself questions as you move forward:

  • What do I need?
  • How does it relate to the case?
  • How do I get it?
  • What do I do with it once I get it?

Think: a prefetch file is just a prefetch file unless you can show the relevance to the case.


Don’t just do data recovery.   Do DFIR.


Some of your cases probably already have cryptocurrency evidence in them...


The Bitcoin Forensics book is moving forward with a fantastic addition of a tech editor: Heather Mahalik!  I could not be more honored than to have Heather as the tech editor.  If you are reading this, you already know who Heather is in the DFIR community, but if not, take a look here: Heather's Bio.

A few things about the book.

Yes, it is tentatively titled “Bitcoin Forensics”, but the subtitle is “Cryptocurrency Investigations”.  The intention is to cover not only Bitcoin, but the alternative coins (altcoins) as well.   Coins such as Litecoin and Monero will be in the book because few investigations will have only one coin involved, since converting from one coin to another in an attempt to launder proceeds will most likely occur in every fraud investigation.  I've had a few conversations about the anonymous coins, where tracing transactions is 'impossible'.   There is always something you can do that benefits a case, even when something is seemingly impossible.  The book will cover those difficult cases too.

Another thing…most analysts and investigators have not yet come across cryptocurrency in their investigations.  Consider that if you are not looking for it, you will not find it, and by not looking for it, this will be the biggest hole in your investigation.  Even if you find evidence of fraud/money laundering with cryptocurrency, you can easily miss important evidence that may not be found until later, if ever (such as this case).  Our current lack of competence in this area only makes it easier for criminals to succeed.  As a forensic analyst, you need to know not only the artifacts of cryptocurrency evidence, but also what amounts to evidence (i.e., what is evidence).

If you don’t believe Bitcoin (as in all types of cryptocurrency, not just Bitcoin) is going to be a major method of financial transactions and part of most every money laundering, fraud, and IP theft case, consider that it already is, you just don't know it yet.  The Bitcoin Forensics book will show the forensic artifacts along with 'how money laundering works with cryptocurrency' in order to walk you through your first case and the next case and the next case and the...

As to cryptocurrency adoption in everyday life....it is already here.


https://cointelegraph.com/news/first-bitcoin-only-real-estate-transaction-completed-in-texas

A suggestion: You may want to buy a little Bitcoin to start your foundation of what you will be coming across in your cases...

If you haven't got into cryptocurrency yet and want $10 of free Bitcoin, use this referral link to sign up for a Coinbase account: https://www.coinbase.com/join/57c8a8bcded4fa009924eae5


“Forensically Sound”.  One of those phrases that is commonly used, misused, unused, and abused.

Disclaimer: This is my opinion, which is not a legal opinion. I call it Brett's Opinion.  But along with that, I have identified, seized, analyzed, requested analysis, checked-in/out, transferred/assumed custody, and had entered into court cases thousands of items of evidence from electronic data to brain matter.

This short post is to give my opinion on the use of “forensically sound”.  The reason I want to mention this is because I witnessed a DF expert state in public that capturing live (volatile) memory is not forensically sound because you can’t reproduce it or enter it as evidence.  I think we must be careful about some things we say.

In the most basic sense, any “thing” that is accepted by a court as evidence is forensically sound, since the court accepted the process used and admitted the "thing" as evidence.

We get caught up when performing computer science work in digital forensics and tend to forget that every situation is a bit different from the next situation, in either minor or major ways.  The general processes we use are similar for each situation, but of course we vary a little depending on what we come across.  The situation we approach dictates how we proceed.

There was a time when pulling the plug on a computer to image the hard drive with a hardware write blocker was the only forensically sound method accepted.  Doing it any other way meant you ruined the evidence.  This belief persisted for years, even after realizing volatile memory is also valuable evidence (sometimes even more valuable than data on the drive).  Sure, sometimes you need to pull the plug, and sometimes volatile memory has nothing to do with what a specific case may need.  That goes to the point of every case being different.  For the must-always-use-a-hardware-writeblocker crowd, I’m not sure what they do with the computers from which the hard drive cannot be removed, for a multitude of reasons.  Situation dictates choices.

My point is that we all have the best intentions and rely upon generally accepted processes; however, we need to also be aware of what evidence is and what evidence is not.  If you can get a ‘thing’ admitted into court that can prove or disprove an allegation, then you have evidence.  Forensically sound more aptly applies to the technical processes and methods, but does not really define whether or not a ‘thing’ is evidence or whether a court will accept it.

Another holdover from days past is that of being able to exactly reproduce an analysis in order to be forensically sound.  On a hard drive that was shut down when you approached it, imaged through a hardware write blocker, and verified using software that everyone else uses – easy peasy.   On anything else, good luck.   Live memory changes as you capture it.  Shutting down/pulling the plug on a computer changes the data.  Waiting to decide whether or not to shut down or pull the plug or image live changes the data (it changes as you watch and think about what to do!).  A crime lab that tests the content of a drug destroys a portion of the drug that it tests.  An autopsy on a body damages and changes the body (as does the passage of time with decomposition).  A burning building destroys evidence of the cause of the fire, as do the efforts to put out the fire.

When teaching court admissibility of digital evidence, be careful if you are unsure of what “forensically sound” means, especially when talking about evidence.   You’d be amazed at the types of evidence that get admitted at trial, and at the evidence that doesn’t.  Best answer: do your best with the evidence-seizing situation you encounter, document what you did, offer it as evidence, and let the court decide whether it was forensically sound.  Personally, I believe anyone working in a job where you look at data should be versed in ‘evidence’.  Cops have it easy.  They deal with it every day until it becomes second nature.  For everyone else, a short class in ‘what is evidence’ can make or break a case later.

Then there is the sliding scale of veracity…but that’s another story.


When “intent” is an element of the crime, you had better find the intent.


Proving intent can give you the dickens of a time.  It’s easy to prove what happened.  It is mostly easy to prove how it happened.  Many times you can even prove who caused it to happen.  But the sticking point is always the why (aka intent, or reason).

A murder-for-hire case I solved some years back required finding the intention of the hired gun (so we could arrest him!).  The investigative plan was to not only prevent a murder, but gather enough evidence to arrest and charge the murderer-to-be without having a murder occur.  We had about an hour to find the hit-man before he was on his way out the door to kill the victim-to-be.

This particular case was a husband (Suspect #1) who hired a hit-man (Suspect #2) to kill Suspect #1’s ex-wife.  The hit-man's girlfriend wanted to turn in both #1 and #2.  Suspect #1 paid $5,000 to Suspect #2 to kill the ex-wife in a very specific and explicit manner that included a Corona beer bottle, duct tape, and a few other specific items.  You can imagine the rest.  If the girlfriend hadn’t come forward at the last minute, it would have been a murder case instead of a murder-for-hire case.

Anyway, we found where the hit-man was holed up and arrived just as he was preparing to leave for the murder.  When I approached him, guess what he had on him (besides the meth pipe between his lips)?   He had a Corona beer bottle, duct tape, and the few specific items that he was told to use in the murder. 

The point of the story is that the items he possessed spoke volumes of his intention.   

I also found a printed Google map of the victim-to-be's home address, which added to the search artifacts on the computer.  So yeah, we had intention all over the place.  The end result of this case was that the hit-man fessed up, agreed to cooperate against Suspect #1 by making a recorded call about the murder-for-hire (in return for nothing but him begging for forgiveness), and both #1 and #2 were arrested, charged, and convicted.

A side note to this story is that Suspect #1 was mistaken about the address of his ex-wife.  He had Googled his ex-wife’s name and clicked a link to a woman with the same name in the same city, but….it was a completely different person.  I called this case my “Sarah Connor Case”. 

Back to intention.  With any crime or civil matter where you need to know the why, find the little things that imply the why.  You can never get the real answer, even when the suspect tells you, because you can’t read a person’s mind.  But you can draw inferences from what the evidence implies.  Examples are Internet browsing artifacts such as searches for a person, searches for a hit-man, and searches for how to cover up a murder, each with a timestamp that fixes it relative to the crime.  Add those to the physical items you come across and you start piling up intent that the defense has to explain away.  
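One concrete way to pull that kind of artifact out of a case is to walk the browser history and extract the search terms, which are what actually carry the intent.  The following is an added example, not the author's code: it builds an in-memory stand-in for Chrome's History database (only the `urls` table, whose `last_visit_time` is microseconds since 1601-01-01 UTC), recovers the query from the `q`/`p` parameter of the common search engines, converts the timestamps, and flags queries that hit an analyst-supplied watch list.  The history rows, names, address and watch list are all constructed for the example; on a real case you would open the seized `History` file instead of `build_sample_history()`.

```python
"""Extract search queries from a Chrome-style History database and flag the
ones that suggest intent.  Added example, not the author's code; every row of
history below is constructed for the example, not real case data."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Search engines and the query parameter each one uses.
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
}

# Analyst-supplied watch list (an assumption for this example).
WATCHLIST = ("hit man", "hitman", "how to cover up", "untraceable", "kill")

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    """Convert a WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def search_query(url):
    """Return the search term in a URL, or None if it isn't a known search engine."""
    parts = urlparse(url)
    param = SEARCH_PARAMS.get(parts.netloc.lower())
    if not param:
        return None
    values = parse_qs(parts.query).get(param)   # parse_qs also decodes '+' and %xx
    return values[0].strip() if values else None


def build_sample_history():
    """Constructed, in-memory stand-in for the seized History file (urls table only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                    visit_count INTEGER, typed_count INTEGER,
                    last_visit_time INTEGER, hidden INTEGER)""")
    # 13147228800000000 == 2017-08-15 00:00:00 UTC; later rows are minutes/hours after.
    rows = [
        ("https://www.google.com/search?q=jane+doe+springfield", "jane doe springfield", 13147228800000000),
        ("https://www.google.com/maps/place/123+Main+St", "123 Main St - Google Maps", 13147229100000000),
        ("https://www.bing.com/search?q=how+to+hire+a+hit+man", "how to hire a hit man", 13147232400000000),
        ("https://duckduckgo.com/?q=how+to+cover+up+a+murder&t=h_", "how to cover up a murder", 13147236000000000),
        ("https://www.amazon.com/dp/B000000000", "Duct tape", 13147239600000000),
    ]
    for i, (url, title, t) in enumerate(rows, 1):
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", (i, url, title, 1, 0, t, 0))
    return conn


def extract_searches(conn, watchlist=WATCHLIST):
    """Return [(utc_datetime, query, flagged)] for every search-engine URL, oldest first."""
    results = []
    for url, t in conn.execute("SELECT url, last_visit_time FROM urls ORDER BY last_visit_time"):
        query = search_query(url)
        if query is None:
            continue                       # maps, shopping, etc. are not searches
        flagged = any(term in query.lower() for term in watchlist)
        results.append((webkit_to_utc(t), query, flagged))
    return results


if __name__ == "__main__":
    for when, query, flagged in extract_searches(build_sample_history()):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {'!!' if flagged else '  '}  {query}")
```

The watch list is deliberately a starting point, not a verdict: a hit on “kill” proves nothing by itself, which is exactly the author's point about inference.  What the timeline gives you is the ordering (search for the person, then the map, then the search for a hit-man) that you can lay next to the physical items and the rest of the case.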

Here comes the Amazon Bookstore.

I thought about finding intention today (every day, actually) when I checked out the Amazon bookstore, and I mean the actual brick-and-mortar Amazon bookstore, a real bookstore.  I saw that the books had 3x5 cards with bar-codes.  A salesperson showed me the Amazon app: scan the bar-code and you are immediately taken to the Amazon.com page to order the book.  The interesting part is that the Amazon app works with just about anything you can take a photo of.  Take a photo of a pressure cooker and your phone’s browser opens to the Amazon.com page where you can buy that pressure cooker directly.   This is great for Amazon’s business, and it works well enough to be more than impressive.

But I think differently.  Yes, it’s cool to be able to be in a department store, take a photo of a high-priced item, and have Amazon show you their less expensive price; however, if you investigate anything, you probably already thought about what I am about to say.

Photos are good.  Online shopping is good.  Physical shopping is good.  Shopping for elements of a crime and taking photos of them is super!

I blogged about photos before, on placing the suspect behind the camera.  In that post, I mentioned that the content of the photo may be relevant to the crime.  Maybe it is a photo of the crime scene, the victim, a witness, or even the suspect as a selfie.  But it may also show elements of a crime or a future crime, as in the tools of the trade, or houses or a business that are the potential targets of a robbery or burglary.

As another example, I assisted in a unique gang case, where one gang member took a photo of a car that was similar to a rival gang member’s car.  That single photo was sent to all gang members with an order to find the car and then do something not-so-nice to the rival gang member, which they eventually did.  The photo content was evidence of course, but more so, the intention implied by the photo and text.  This type of evidence screams confession without the suspect ever having to speak a word.

More to the point, you already know that Internet search terms can imply intent.  Now you know that shopping can imply intent, and you can get shopping habits not only from Internet search terms but from smartphone photos, like the ones you can take with the Amazon app.  Imagine finding photos in a case where the content somehow matches the evidence in the case.  They may not be photos of the evidence itself, but photos of items that resemble your evidence, much like a gang member taking a photo of a car that looks like the car of someone he wants dead.

Remember now…tools don’t commit crimes. People do.   Apps are just apps, but boy do they hold some gold nuggets of evidence.  In your cases, keep asking yourself, "how can I show intention and prove the suspect did it?".  You'll be surprised at the little things you can find when you ask yourself about the little things.


Luck has nothing to do with it if you are good at what you do.


When the bad guy is caught because the bad guy made a mistake, that does not mean bad luck for the bad guy or good luck for the good guy.   It means the investigator not only caught the mistake, but ran with it.  That takes effort and skill, not luck.   If you want to see luck (good or bad), watch a roulette table or throw some dice in Vegas.  Granted, I have seen bad-guy mistakes that truly dropped into the lap of an investigator, but that is the exception, and even then, if you don't recognize it for what it is, you'll miss out on a freebie.

A good case study you can watch on YouTube is Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev.

One of the really good statements from the presentation is “…mistakes just happen…and if law enforcement sees that one mistake it’s something to run on…”.

The trick to seeing that one mistake comes down to three questions to ask yourself (ask yourself these questions today):

1.  What kind of mistakes happen?

2.  Where do I look for those mistakes?

3.  What do I do when I find one?

Those three simple questions apply to the most complex of cases, whether it is a hacking case, a murder case, a fraud case, or an employee theft case.  Any case.  I harp on this concept often, only because it is so important; I harp on it enough to write books about it, teach it, and do it myself.  The concept is the same every time: know the mistakes that bad guys make, find the mistakes, and know what to do with the mistakes when you find them.  

The old adage that the bad guy has to be right 100% of the time while the police only need to be right once is true in the sense that you only need to find the one mistake to break the case.   Looking back on my biggest cases, the ones that were overwhelmingly complex on the surface, I can trace the first little cracks in each of them back to an error by the suspect.  Every single one of them.  It took effort to find the mistakes, but they were there.

Solving cases has always been this way.   There is no magic in solving a complex case, other than the illusion of magic you create for everyone who watches you run circles around them as you close cases.   When you meet someone who always has a difficult time closing a case, it is because they are not finding the errors being made by the suspect.  That’s it.  For whatever reason, the mistakes are not being caught, or if they are, they are not being exploited by the investigator to break the case open.  Anyone who says that mistakes don't happen anymore is mistaken.  Mistakes happen, have always happened, and will continue to happen.  Human nature and technology failures will continue to let investigators solve the unsolvable cases.

You still have to work hard even after you are skilled at finding the mistakes made by the suspect.  There is no way around that.  When I was a young patrol officer, I made a lot of arrests.  I'm talking a lot of felony arrests.  My department had a tad over 125 commissioned officers, but in one year alone, I made more felony drug arrests than the rest of the department...combined.  I was called "lucky".  I was asked constantly, "How are you so lucky?"   My answer was always something to the effect of "I'm just lucky, I guess."   In reality, I worked hard.  I talked to a lot of people on the street (citizens and not-so-much-citizens).  I watched drug houses every minute I could.  I simply worked hard, and it appeared that I was "lucky".  Luck had nothing to do with it.  You need the effort and you need to know what you are looking for.  I brought that same luck with me when I made detective.  I bring it wherever I go.  You can see the same concept in business, where a business makes a mistake and a competitor exploits the heck out of it.  You can do it too with your cases, regardless of the type of case, size of case, or importance of the case.

If you are looking for a head start on answering the three questions, I’ll give you 50% off the Placing the Suspect Behind the Keyboard online course, plus two free books (PSBK and HBTK) to go along with the course.  $399.50 for 13 hours of (1) what mistakes are made, (2) where to look for the mistakes, and (3) what to do when you find one.  But hurry, you only have a few days before the promo expires on 8/31/17.


Kicking in the wrong doors

I like reading Brian Krebs’ blog.  Brian is awesome at tracking hackers and writing about it.  While reading his latest post, Blowing the Whistle on Bad Attribution, my internal response was to keep repeating, “yes yes yes”.

I’m not going to get into his blog post other than recommend it as a good read about attribution.  Now…about kicking in the wrong doors….

My #1 concern as a police officer and detective was arresting the right bad guy.  The last thing I ever wanted was to arrest the wrong person (i.e., an innocent person).  I took more steps to verify that probable cause existed than were probably legally required in order to arrest the right person, because arresting the wrong person is far worse than missing the right one.  Police work was my entry into attribution.  

I experienced the effects of wrongful attribution in police work by other investigators.  On one occasion, a detective in a task force I was assigned to had worked a drug case that was, at best, a disaster.  This detective, whom I shall not name, typed up an affidavit, swore to it, had the judge sign the search warrant, and gave that search warrant to the SWAT team to serve early one morning.  After the SWAT team secured the house, I went in to help with the search.  Guess what.  Wrong house.  Wasn't even close.   I could tell as soon as I walked inside.  The ‘right’ house was a block away.

This particular case came down to a single factor: not doing a good job.  The detective never visually identified the right house (and never even looked at the wrong house either).  The work was lazy; the detective assumed that she had the right house because the informant told her it was the right house.  The funny thing was…the informant gave the correct address, but the detective got even that wrong and never corroborated either the right address or the wrong one.  She didn’t check any records to see who lived at the address to which the affidavit attested, or at the right address. 

And yes, a friend of mine who was in a different drug unit presented me with a sarcastic, yet humorous, certificate for the detective’s work in the drug case…I still have it as a reminder to never let this happen to me.

Oh well…that doesn’t happen much..right?

It turns out that I saw this happen on more than a few occasions, where the wrong door was kicked in, or the wrong person was arrested, or evidence that was seized and used against someone turned out not to be evidence at all.  It happens, but it really shouldn’t.  I know a prosecutor who had been chilling after work in her living room when her door was kicked in by police error...whups.  Bad attribution, with a quick legal settlement.

On the cyber side, attribution is a much harder job than in a traditional criminal case such as a bank robbery or burglary.  Traditional crimes require a physical person to be physically present to physically commit the crime against a physical person or physical item of property.  The evidence left behind ranges from fingerprints to security camera video that captures the entire crime as it happens.  With digital crimes, not so much.  With digital crimes, we are deep in guesswork, working only from the electronic data we can find, usually without ever getting our hands on the devices used in the crime.

Let’s get to the point.

Wrongful attribution is more than just wrong; it is dangerous.  Attribution of digital crimes is also easy to get wrong, because not only is there less evidence, but the evidence left behind can be intentionally or inadvertently misleading.  Malware that looks Russian does not mean that Russia did it.  Maybe "Russia" did, maybe it didn’t.  Even then, a broad statement that a nation-state, organization, group, or specific person did it cannot be taken as accurate without a lot of corroborating evidence.  Maybe the allegation is correct.  Maybe it is not.  

Even if the attribution is spot on (in that you guessed correctly), unless you have the actual devices used and the person in cuffs admitting to it, you really only have assumptions that are difficult at best to prove or disprove.  IP addresses can be misleading or intentionally deceptive (proxies, VPNs, compromised hosts).  MAC addresses can be spoofed.  Caller ID can be spoofed.  Malware can be modified, right down to language strings and compile times, to appear to originate from a specific person or organization.  Online claims can be false, whether someone else takes the credit to get ‘street cred’ or fake online accounts are created to point the blame at an innocent person.  

At best, we can only say things like, “Based on what we found, the incident points to Suspect A,” and certainly should not state that “Suspect A did it because our electronic evidence proves it.”   Believing that a specific suspect did it is one thing; proving it is a leap beyond that, and you don’t make the leap without enough direct and circumstantial evidence to convince a judge or a jury of peers.

I don’t fault anyone for making a bad attribution as long as everyone understands that, without hard evidence, we are only making assumptions.  It’s only human nature to assume, especially when emotions and bias are involved.  I can’t remember the number of times a victim told me that he knew who victimized him when, in actuality, the victim was only assuming who did it based on a feeling about who he thought did it, not on any evidence.  If police officers ran out and arrested people based on their feelings or mere suspicions, we’d be living in a very different country.  We shouldn’t be doing that in cyber cases either.
