Internet Investigations COEN 252 Computer Forensics Thomas Schwarz, S.J. 2006
Investigation
E-mail investigations derive evidence from:
- Internal data: headers, contents.
- External data: server logs, the sending machine itself (as we will see).
Investigation
Header analysis:
- The most recent entries are at the top of the header.
- Resolve all inconsistencies in the information.
- Resolve all IP addresses.
- Create a timeline, allowing for clock drift between different sites.
- Compare entries generated (allegedly) by known servers with the previous ones.
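The header-analysis checklist above, as an added Python example that is not part of the slides: it reads the Received: lines of a constructed message, orders them oldest-first (the top-most line is the most recent hop), extracts the IP and timestamp of each hop, builds a timeline, flags timestamps that run backwards by more than a clock-drift tolerance, and compares hops that claim to come from a known server against the IP that server should show. All hostnames, addresses, dates and the KNOWN_SERVERS table are made up for the example.

```python
"""Received-header timeline check (added example; constructed data)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. The bottom Received: line is the kind of entry
# a sender can forge; note its timestamp is later than the hop above it.
RAW = """\
Received: from mx.victim.example (mx.victim.example [198.51.100.10])
 by inbox.victim.example with ESMTP; Tue, 14 Mar 2006 09:05:30 -0800
Received: from mail.bank.example (unknown [203.0.113.77])
 by mx.victim.example with SMTP; Tue, 14 Mar 2006 09:03:10 -0800
Received: from mx.victim.example (mx.victim.example [192.0.2.55])
 by mail.bank.example with ESMTP; Tue, 14 Mar 2006 09:20:00 -0800
From: "Bank" <security@bank.example>
To: user@victim.example
Subject: Verify your account

Please verify your account.
"""

# Servers whose Received: entries we trust, with the IP each should report
# (assumed table; in practice built from the receiving site's own records).
KNOWN_SERVERS = {"mx.victim.example": "198.51.100.10"}
# Clock drift allowed between different sites before a hop is flagged.
DRIFT_TOLERANCE_SEC = 5 * 60

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def parse_hops(raw):
    """Return hops oldest-first as dicts with keys from, ip, time, raw."""
    msg = message_from_string(raw)
    hops = []
    # Headers appear most-recent-first; reverse them for chronological order.
    for line in reversed(msg.get_all("Received", [])):
        flat = " ".join(line.split())          # unfold continuation lines
        m_from = FROM_RE.search(flat)
        m_ip = IP_RE.search(flat)
        # The timestamp follows the last ';' in a Received: clause.
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append({
            "from": m_from.group(1).strip("[]") if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "time": when,
            "raw": flat,
        })
    return hops


def timeline(hops):
    """Chronological (timestamp, claimed sender, IP) tuples for the report."""
    return [(h["time"].isoformat(), h["from"], h["ip"]) for h in hops]


def analyze(hops):
    """Return (hop_index, finding) pairs for inconsistencies to resolve."""
    findings = []
    for i, hop in enumerate(hops):
        expected = KNOWN_SERVERS.get(hop["from"])
        if expected and hop["ip"] != expected:
            findings.append((i, f"claims {hop['from']} but IP is {hop['ip']}"
                                f" (expected {expected})"))
        if i > 0:
            delta = (hop["time"] - hops[i - 1]["time"]).total_seconds()
            if delta < -DRIFT_TOLERANCE_SEC:
                findings.append((i, f"timestamp runs {abs(delta):.0f}s backwards"
                                    f" relative to the hop below it"))
    return findings


if __name__ == "__main__":
    hops = parse_hops(RAW)
    for entry in timeline(hops):
        print(*entry)
    for idx, text in analyze(hops):
        print(f"hop {idx}: {text}")
```

Reverse-DNS and WHOIS resolution of each IP is a separate step that needs network access, so it is left out here; the flagged hops are the ones whose resolution an investigator would prioritise.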
Investigation
Law Enforcement (LE) can use subpoenas to obtain log files for an investigation. The same is true for private entities through the use of John Doe lawsuits.
Phishing Investigation
- Find the true URL to identify the server with which a potential victim interacts. This is difficult, since phishers change sites frequently; using a network tracer when accessing a website can speed things up.
- Use the subpoena process to obtain log records and contact information for web sites, redirection services, etc.
- Try to obtain information amicably as often as possible:
  - Outside of the US.
  - To guard volatile information.
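Finding the true URL, as an added Python example that is not part of the slides: it collects the links in a constructed phishing-style HTML fragment and reports every anchor whose visible text names one host while the href actually connects to another, giving the hostname that a subpoena for hosting records would target. The HTML, domains and address are made up; the parser uses only the standard library.

```python
"""True-URL extraction from phishing HTML (added example; constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed fragment: the first link shows a bank URL as text but its href
# carries a user-info prefix, so the browser connects to the address after '@'.
SAMPLE_HTML = """
<p>Please confirm your details at
<a href="http://bank.example@203.0.113.5/login">http://www.bank.example/login</a>
or read our <a href="http://www.bank.example/help">help</a> page.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def true_host(url):
    """Hostname the browser would actually contact (user-info stripped)."""
    return (urlsplit(url).hostname or "").lower()


def suspicious_links(html):
    """Return links whose displayed URL names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        actual = true_host(href)
        shown = true_host(text) if "://" in text else None   # only URL-like text
        if shown and shown != actual:
            out.append({"shown": shown, "actual": actual, "href": href})
    return out


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_HTML):
        print(f"displayed {link['shown']!r} but connects to {link['actual']!r}")
```

The reported `actual` host is the one to resolve and trace further; redirection services in the chain (the Austrian redirector in the Kornblum case below, for instance) only become visible once that first server is followed, which is where a network tracer earns its keep.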
Case Examples: 1. A. Kornblum, Microsoft
A. Kornblum: Searching for John Doe: Finding Spammers and Phishers.
Used a John Doe lawsuit to obtain subpoenas for a phisher that became active in September 2003.
Case Examples: 1. A. Kornblum, Microsoft
Originating e-mails: traced ultimately to an ISP in India, from where not enough data could be obtained.
Traced websites: at each round, a subpoena request would yield the IP address of a controlling website.
- Hosting company in San Francisco.
- Another hosting company in San Francisco.
- Redirection server in Austria. The owner did not like spammers and handed out records voluntarily.
- IP controlled by Qwest: a 69-year-old Qwest customer in Davenport, Iowa, who had his grandson Jayson Harris living with him.
MS involved the FBI, who raided the household and obtained three machines.
MS sued Jayson Harris and obtained a $3M default judgment against him. Criminal charges are pending.
Case Examples: 2. High School Death Threats
Blog sites allow comments by anonymous friends. Death threats were made anonymously on a high-school-related blog. XPD (name altered) was informed by the principal.
Case Examples: 2. High School Death Threats
XPD contacted the blog site, but the owner/operator did not have valid contact data. However, the blog site operator gave out the IP address from which the comment originated. XPD went to the ISP to obtain the address of the computer to which the IP was assigned at the time of the threat. XPD obtained a search warrant for the premises of the owner of that address. The owner was a respectable, older community member, so XPD assumed that a grandson was involved.
Case Examples: 2. High School Death Threats
The search warrant was executed at 7 am. There was no sign of a high school student in the house, but the owner was running an unsecured wireless access point. XPD convinced the owner to keep the access point running but to set up logging. Using Google Maps and the addresses of all high school students, they also identified a suspect. The case is still pending.