Understanding IP Addresses
All law enforcement investigators need to understand the basics of IP addresses in order to trace users of the Internet to a physical location. Just as a phone number that shows up on a caller ID box from a threatening phone call can provide investigators with a specific starting location for their investigations, an IP address can provide that type of lead in a cyber investigation. By understanding what IP addresses are, how they’re assigned, and who has control over them, an investigator can develop workable case leads.
IP addresses provide a connection point through which communication can occur between two computers. Without getting into too much detail, it is important that you be able to recognize an IP address when you see one. These addresses are made up of four 8-bit numbers separated by a dot, for example 18.104.22.168. The Internet operates under the IPv4 (Internet Protocol Version 4) standard. In IPv4 there are approximately 4 billion IP addresses available for use over the Internet. That number will expand in the near future, to about 16 billion times that number, when the transition to IPv6 is complete.

During the initial development of the Internet, IP addresses were assigned primarily to computers so that they could pass information over the Internet. Computers were very large, extremely expensive, and typically limited to the organizations that controlled the primary networks making up the Internet. During this time, an IP address most likely could be traced back to a specific computer. A limited number of large organizations own and control most of the IP addresses available with IPv4. Therefore, if an investigator has been able to ascertain the IP address of an illegal communication, they will also be able to determine which organization owns the network space that contains that address. That information alone is often enough, since many of these organizations sublease blocks of the IP addresses they own to smaller companies, such as Internet Service Providers (ISPs). An investigative follow-up with the ISP will likely provide the best results.
Using an analogy, we can think about IP addresses much like phone numbers, where the major corporations are states and ISPs are towns or calling districts. If an investigator was following up on a case involving a phone number, the area code would narrow the search to a particular state, and the remaining numbers would identify a particular account.
Remember that for Internet traffic to occur, an external IP address must be available to the device. Access to an external IP address is provided by an ISP. ISPs sublease blocks of IP addresses from one or more of the large corporations that control address space and, in turn, they sublease those addresses to individual customers. This connection to the Internet is most often made through a modem. Modems come in varying configurations, such as dial-up, cable, and DSL. Depending on when you began using the Internet, you may already be familiar with these devices. The oldest of the three is the dial-up modem, which required the use of a telephone line. When users wanted to connect to the Internet, they would plug the modem installed in their computer into their phone line and then dial one of the access numbers provided by the ISP. The dial-up modem is the slowest of the three, which can make the transfer of large files a painfully slow process. Therefore, when dealing with cases that require large file transfers, such as child pornography, it is less likely that a dial-up connection would be used. A distinct advantage of the dial-up modem is its portability, since the connection can be made on any phone line by dialing an appropriate access number and providing valid account information.
More common today is Internet service provided through TV cable or through DSL (Digital Subscriber Line); both of these services provide higher connection speeds, making the transfer of large files relatively easy. When a consumer contacts an ISP about Internet access, typically they are assigned an installation date when a technician comes to the residence to connect the necessary wiring to the home through either their cable provider (cable modem) or phone provider (DSL). With the appropriate wiring in place, an external modem is connected to the line through which the computer in the home will connect. The modem provides the interface through which the home computer can be physically connected to the Internet.
When the home user is connected to the ISP’s physical connection to the Internet, the ISP must still assign the home user’s computer an IP address in order for the computer to communicate over the Internet. IP addresses are assigned in two ways: statically and dynamically. If static addressing were used, the technician would configure the computer’s network interface card (NIC) with a specific IP address during installation. Static assignment by an ISP would limit the total number of customers the ISP could have to the total number of external addresses it controls. Let’s say that XYZ ISP had subleased a block of 1,000 unique valid IP addresses from a large corporation. If that ISP statically assigned addresses to its customers, then the total number of customers it could have on the Internet would be limited to 1,000. Leasing blocks of external IP addresses is very expensive, as demand is high compared to availability. ISPs realize that it is unlikely that all their customers will be on the Internet at the same time, so in order to get the largest return on their investment, they use an addressing scheme called dynamic addressing, which assigns an unused IP address only to computers that are actively connected to the Internet.

Here’s how dynamic addressing works: XYZ ISP has 1,000 addresses available to its customers. It sets up a server, referred to as a DHCP server, which maintains a list of the available addresses. At installation, the technician sets the customer’s computer NIC to get an address assignment through DHCP. When the consumer’s computer is turned on and connected to the network, the NIC sends out a broadcast requesting an IP address assignment.
The DHCP server responsible for the assignment responds to the request by providing an IP address from the pool of available addresses to the computer’s NIC. The length of time that the computer will use that assigned address is based upon the “lease” time set by the DHCP server. Remember that the ISP wants to have the maximum number of customers using the smallest number of addresses, so the ISP will ensure that any unused addresses are made available to other computers. The lease time determines how long that address will be used before the NIC will be required to send out another broadcast for an IP address. The IP address returned after the reassignment could be the same address used previously or an entirely new address, depending on what’s available in the server pool.
TIP: A number of details about the configuration of a computer’s NIC can be determined in Windows by using the ipconfig command at the computer’s command prompt, most importantly the IP address currently assigned to the computer.
In a computer crime investigation involving the Internet, it is very likely that the investigator will need to track an IP address to a location—and preferably a person. As discussed earlier, ISPs control the assignment of IP addresses and ISPs can provide the link between the IP address and the account holder. Understanding the distinction between static and dynamic IP assignments is very important because the investigator must record the date/time that the IP address was captured. If the ISP uses DHCP, the IP address assignments can change; investigators need to be sure that the account holder identified by the ISP was actually assigned the IP address in question when the illicit activity occurred. Let’s take a moment and think about this. You’re investigating an e-mail-based criminal- threatening case in which you were able to determine the originating IP address of illegal communication. You were able to determine which ISP controls the address space that includes the IP address in question. If ISPs use dynamic addressing, how are you going to determine which subscriber account used that address if any of a thousand or more could have been assigned to the suspect’s computer? In this case, it would be extremely important for you to also record and note the date and time of the originating communication. The date/time stamp can be matched against the logs for the DHCP server to determine which subscriber account was assigned the IP address in question at that time.
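The DHCP-log correlation described above, as an added example that is not part of the original text: the log format (timestamp, LEASE/RENEW, address, account, lease length) and the account names are constructed for illustration, a real ISP server logs in its own format. The investigator's recorded local time is converted to UTC before matching, and a later lease of the same address to a different account cuts the earlier lease short, which is what keeps the answer unambiguous.

```python
"""Match an IP address captured at a given time against ISP DHCP lease records."""
from datetime import datetime, timedelta, timezone

# Constructed sample of an ISP DHCP server log (format invented for this example).
# The same address is held by two different subscribers at different times, and the
# first subscriber renews once before the address is handed to the second.
SAMPLE_LOG = """\
2023-03-01T08:00:00Z LEASE 203.0.113.45 acct=A1001 lease=3600
2023-03-01T08:55:00Z RENEW 203.0.113.45 acct=A1001 lease=3600
2023-03-01T09:40:00Z LEASE 203.0.113.45 acct=A2077 lease=3600
2023-03-01T09:40:00Z LEASE 203.0.113.46 acct=A1001 lease=3600
"""


def parse_log(text):
    """Parse log lines into (start, end, ip, account) lease intervals in UTC."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("LEASE", "RENEW"):
            continue  # not a lease event; ignore
        start = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = parts[2]
        account = parts[3].split("=", 1)[1]
        seconds = int(parts[4].split("=", 1)[1])
        leases.append((start, start + timedelta(seconds=seconds), ip, account))
    return leases


def parse_capture_time(text):
    """The investigator's recorded time, e.g. '2023-03-01 04:45:00 -0500', as UTC.

    Recording the offset matters: the same wall-clock time in a different zone
    would point at a different lease holder.
    """
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


def who_had_address(leases, ip, when):
    """Return the account(s) whose lease on `ip` covered the UTC instant `when`.

    When the server hands the same address to a different account before the
    previous lease expires, the earlier lease is truncated at that moment, so
    the overlap does not produce two candidate subscribers.
    """
    same_ip = sorted(lease for lease in leases if lease[2] == ip)
    truncated = []
    for i, (start, end, _ip, acct) in enumerate(same_ip):
        for later_start, _end, _later_ip, later_acct in same_ip[i + 1:]:
            if later_acct != acct and later_start < end:
                end = later_start  # address was reassigned; lease ends early
                break
        truncated.append((start, end, acct))
    return sorted({acct for start, end, acct in truncated if start <= when < end})


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    captured = parse_capture_time("2023-03-01 04:45:00 -0500")
    print(who_had_address(records, "203.0.113.45", captured))
```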
Hostnames are the system names assigned to a computer by the system, user, or owner. These names are used to identify a computer in a network in a format that is easiest for people to understand. If there are multiple computers in the network, each could be given a unique identifying name, such as Receptionist PC or Dave’s Laptop, to make them more easily recognizable. The naming convention might help to identify the location or user of that system. If, for example, you were investigating a threatening e-mail that had originated from a computer within a network named “Jedi,” you might look for people who have access to the network who are also fans of the Star Wars series. Keeping in mind that the names can be changed by the user at any time, the matching or non-matching of a hostname to a suspicious communication or activity is by no means conclusive.
MAC addresses are the identifying number assignment given to NICs that provide network connectivity. That connectivity can be wired or wireless depending on the type of NIC present. MAC addresses are also unique to every NIC and would be most equivalent to a serial number. This means that if an investigator is able to determine the MAC address of the device used in the crime, then the device containing the NIC could be identified specifically.
However, just like a hostname can be changed, MAC addresses can also be changed through a process called MAC spoofing. Whether or not a MAC address matches a particular communication is not in itself conclusive evidence that the computer containing the NIC was or was not responsible.
In the previous Tip, we learned that the ipconfig command can provide some details about a computer’s network interface card configuration. There is a switch that can be added to the ipconfig command that provides more detail about the NIC configuration. At the command prompt, ipconfig /all is used. You will notice that other details are provided that are not shown by the plain ipconfig command. These include the computer’s hostname and the MAC address of each NIC.
As people look to stay connected with friends, family, and co-workers, they are likely to use one or more methods of communication, including e-mail, chat, and blogging—all of which are easily supported on today’s computers and portable laptops, PDAs, and cellular phones. Investigators must be familiar with how these various systems work and how one might be able to retrieve critical case information from stored communications or fragments of previous exchanges. What makes the area of interpersonal communication so important to investigators is that people are inherently very social, routinely discussing their daily lives with friends and even bragging about crimes to others. Being able to capture, decipher, and trace communications to their origin is a critical law enforcement skill.
E-mail communication was present at the start of the Internet and has exploded over the past decade, making it more likely that people will use email in some form or another. E-mail provides another conduit through which people can communicate 24 hours a day, 7 days a week. Unlike a phone conversation that needs the recipient to answer, an active e-mail discussion can be carried out through multiple e-mails spread over time.
Messages are sent and are held in a waiting inbox, to be read at the convenience of the recipient, who will choose when to read the message and how best to respond. Once an e-mail is read, it is usually up to the receiver to decide whether to keep or delete that communication. This provides a unique opportunity for law enforcement investigating crimes involving e-mails, since undeleted e-mails are viewable and previously deleted e-mails might be recovered through various forensic methods. There are countless e-mail addresses and accounts in use today. They fall into two major categories. The first is e-mail generated with e-mail programs that reside on the local user’s machine. One of the most common is Outlook or Outlook Express (a Microsoft product), which runs on the user’s machine and can be set up with relative ease, assuming the account holder has an active Internet connection. E-mails sent and received through this type of account will be stored on the user’s machine. If this type of e-mail program is used to generate and send illegal communications, it is likely that evidence of those communications might be recovered from the machine used.
The other popular e-mail service is free Internet-based e-mail applications like Google’s Gmail or Yahoo. These services don’t require users to have any special programs in order to send and retrieve e-mail in their account. Users access e-mail that is stored on servers run by the provider by signing into a previously created account. These services are extremely portable, since they can be accessed from any computer with Internet access and a web browser. With an Internet-based account, an e-mail might be traced back to the originating ISP, and it may also be possible to determine the IP address of the machine that connected when the account was created. This is, of course, dependent on whether the service provider has retained those records for a specific period of time. Even with this type of account, remnants of Web-based e-mail may be recoverable as HTML documents in temporary Internet files or in drive space that hasn’t been overwritten by newer files.
In all e-mail cases, it is critical that the investigator follows up on the email address associated with the active case he or she is working. Since there are countless email addresses in use on the Internet, it is not uncommon to have hundreds, if not thousands of variations for the same or similar address. John_Smith@domain.com is entirely different than JohnSmith@domain.com. Be sure to match all instances of your suspected e-mail communications with an exact match.
Chat and instant messaging are extremely popular methods of communication. Unlike e-mail, which ends up being stored on an e-mail server or downloaded into the receiving computer’s local e-mail program, chats and instant messages are exchanged through direct communication between the two devices. The devices involved exchange communications back and forth in real time for as long as that “window” is open. Conversations held in chat are not saved by the applications typically used for this method of communication. This means that, for the most part, chat and instant messaging conversations are lost once the session ends. Service providers do not log chat and instant-message traffic, which can be challenging to the investigator in a case in which these applications might have been used. Just as with e-mails, it is extremely important that investigators trace or follow up on the correct screen name or chat ID being used by the suspect(s). There are cases in which an investigator might be able to retrieve chat history, as it is possible that one or all of the parties involved turned on the logging feature in the application they use. Remnants of chats might also reside on drive space that has not been overwritten by new files. This is where forensic examination can come in handy if a suspect computer has been seized.
Social Networking and Blogging
Social networking sites, such as MySpace and Facebook, and blogging technologies provide users a conduit through which they can post their thoughts, ideas, and self-expression onto the Internet instantly. For example, MySpace users can create an account for themselves along with a personal Web page through which they can express themselves in any manner in which they see fit, be it through music, video, or written expression. These pages become part of a larger online community with similarly minded individuals being able to link together into what is referred to as a friend’s network.
Since the information entered at account creation is not subject to factual verification, it is possible for people to create fictitious identities in order to pass themselves off as someone they’re not. The name an investigator obtains from a MySpace page might not be the actual identity of the person who created and uses that space. However, it might still be possible to obtain information from the organization responsible for MySpace, such as the IP address information that the account holder used during the original account creation or the IP addresses the account holder used to access the account. That type of IP information might be traced back to a suspected user account.
Even though there are no guarantees that information found on MySpace pages will be factual, this type of online community provides a very powerful and unique service to law enforcement. If an investigator is able to positively identify an online identity as belonging to a specific suspect, the investigator might also be able to develop additional leads about conspirators based on other identities contained in the suspect’s friend’s network. It is critical that investigators monitor the activity of potential suspects by keeping up with the suspect’s social networking and blog-related activity.
Media and Storage
Media exists in numerous configurations with varying storage capacities. Most people are very familiar with the floppy disk, CD-ROM, and DVD, all of which can store files of evidential value. DVDs have a storage capacity in excess of 8 gigabytes, meaning that perpetrators can save illegal files that previously would have filled an entire computer hard drive on one silver disk. Finding just the right DVD during a search of a suspect or residence could provide numerous evidentiary files. The trend now within media storage is portability. As if trying to find a CD or DVD wasn’t hard enough, technology advances have brought about flash drives and mini-smart cards. Many flash drives are smaller than a pack of gum, and some mini-smart cards are the size of a postage stamp (only thicker) and are capable of holding gigabytes of information. Investigators must be aware of the different types of digital media storage devices and be able to identify the media in the field. The variety, and more importantly the size, of media must be taken into consideration when applying for search warrants in which digital evidence is suspected, as the hiding places for this type of storage are countless.
What makes computer crime so fearful to some and intriguing to others is the unknown. As investigators learn to deal with and investigate a crime involving computers, many are quick to label any crime with a computer presence as a computer/cybercrime. Many investigators and prosecutors believe that computer crimes are a new category of crimes, but criminals and criminal enterprises have shown the ability time and time again to adapt to new technologies. It is reasonable to question whether computer crime is just a generational phenomenon caused by a gap in computer understanding and acceptance by many older Americans that did not have the same opportunities to use and learn on computers as the younger generations. Is it likely that this problem will correct itself over time? In the future, computer crime, as it is viewed today, will become nonexistent—not because crime won’t exist in the future, but because computer-related crimes will be viewed for what they really are: crime. It will become more likely that fragments of information will be left behind in these cases. These fragments can be located by law enforcement during investigations.
Understanding IP Addresses
- All law enforcement investigators need to understand the basics of IP addresses in order to track users of the Internet to a physical location;
- In a computer crime investigation involving the Internet, it is very likely that the investigator will need to track an IP address to a location—preferably to a person; and
- Investigators need to record the date and time that an IP address was captured to ensure the captured IP was actually assigned to the suspect identified—dynamic addressing can cause the assigned IP addresses to change.
The Explosion of Networking
- The investigator who traces an IP address back to a network will need to do more case follow-up at the location to determine whether more than one computer could be involved. Hostnames and MAC addresses can be used as investigative tools to help identify a computer on a network.
The Explosion of Wireless Networks
- The proliferation of interconnected and overlapping wireless networks allows criminals to be more portable;
- The anonymity provided by free Wi-Fi access in hotspots and stolen Wi-Fi, also known as wardriving, highlights the importance of good police work to mitigate the impact of the technology on the investigation; and
- Investigators need to consider that wireless storage devices will be used by suspects, and efforts to detect and find these devices must be part of the overall search planning.
- People are inherently social and routinely discuss their daily lives with friends and may even brag about crimes to others. Being able to capture, decipher, and trace back communications to their origin is a critical law enforcement skill.
Demystifying Computer Crime
- The explosion of computer technology and acceptance has opened up a whole new world of opportunity to the criminal element that constantly looks for new ways to exploit people through time-proven scams and tactics.
- The key for investigators is to gain at least some basic computer knowledge and skills that put them ahead of the average computer user, skills that allow them to apply traditional policing skills and procedures to the case.
- There is a direct correlation between the ease of use for the end-user and the complexity of the underlying code required for the application to run.
Metadata is structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is often called data about data or information about information.
What Does Metadata Do?
An important reason for creating descriptive metadata is to facilitate the discovery of relevant information. In addition to resource discovery, metadata can help organize electronic resources, facilitate interoperability and legacy resource integration, provide digital identification, and support archiving and preservation. Metadata typically records the:
- Means of creation of the data;
- Purpose of the data;
- Time and date of creation;
- Creator or author of data;
- Location on a computer network where the data was created; and
- Standards used
For example, a digital image may include metadata that describes how large the picture is, the color depth, the image resolution, when the image was created, and other data. A text document’s metadata may contain information about how long the document is, who the author is, when the document was written, and a short summary of the document.
Metadata may be written into a digital photo file that identifies who owns it, copyright and contact information, and what camera created the file, along with exposure information and descriptive information such as keywords about the photo, making the file searchable on the computer and/or the Internet. Some metadata is written by the camera, and some is entered by the photographer and/or software after downloading to a computer.
However, not all digital cameras let you edit metadata in the camera; this functionality has been available on most Nikon DSLRs since the Nikon D3 and on most new Canon cameras since the Canon EOS 7D.
Photographic metadata standards are governed by the organizations that develop them. They include, but are not limited to:
- IPTC Information Interchange Model IIM (International Press Telecommunications Council);
- IPTC Core Schema for XMP;
- XMP – Extensible Metadata Platform (an ISO standard);
- Exif – Exchangeable image file format, Maintained by CIPA (Camera & Imaging Products Association) and published by JEITA (Japan Electronics and Information Technology Industries Association); and
- Dublin Core (Dublin Core Metadata Initiative – DCMI)
III. Key Twitter and Facebook Metadata Fields
Authentication of social media evidence can present significant challenges when you collect by screenshots, printouts or raw HTML feeds from an archive tool. This is just one reason why social media data must be properly collected, preserved, searched and produced in a manner consistent with best practices. When social media is collected with a proper chain of custody and all associated metadata is preserved, authenticity can be much easier to establish. As an example, the following are key metadata fields for individual Twitter items that provide important information to establish the authenticity of the tweet, if properly collected and preserved:
- created_at – UTC timestamp for tweet creation
- user_id – The ID of the poster of a tweet
- handle – User’s screen name (different from the username)
- retweet_id – The post ID of a retweet
- retweet_user – The username of the user who retweeted
- Reply – Indicates if this tweet is a reply
- direct_message – Indicates if this tweet is a direct message
- Hashtags – List of all hashtags in the tweet
- Description – Up to 160 characters describing the tweet
- geo_enabled – If the user has enabled geo-location (optional)
- Place – Geo-location from where user tweeted from
- Coordinates – Geo-location coordinates where tweet sent
- in_reply_to_user_id – unique id for the user that replied
- profile_image_url – location to a user’s avatar file
- recipient_id – unique id of the direct message recipient
- recipient_screen_name – display name of the direct message sender
- screen_name – display name for a user
- sender_id – unique id of the direct message sender
- Source – the application used to tweet or direct message (e.g., from an iPhone or a specific Twitter app)
- time_zone – a user’s time zone
- utc_offset – the time between the user’s time zone and UTC time
- follow_request_sent – Indicates a request to follow the user
- Truncated – If the post is truncated due to excessive length
Any one or combination of these fields can be key circumstantial data to authenticate a single or group of social media items. US Federal Rule of Evidence 901(b)(4) provides that a party can authenticate electronically stored information (“ESI”) with circumstantial evidence that reflects the “contents, substance, internal patterns, or other distinctive characteristics” of the evidence. Many cases have applied Rule 901(b)(4) to metadata associated with emails and other ESI. But you will not get all this key metadata from a printout, screen capture, or even most compliance archive tools.
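An added example, not part of the original text, of using the Twitter fields listed above as "internal patterns" for authentication: it reports which key fields a collected item lacks (a screenshot-derived record lacks nearly all of them), flags field combinations that contradict each other, and converts the UTC created_at stamp to the poster's local time with utc_offset. The two records are constructed samples, field names are the ones listed above in lowercase, and the created_at format assumed is the "Wed Mar 01 13:08:45 +0000 2023" style Twitter's API has returned.

```python
"""Completeness and internal-consistency checks on a collected Twitter item."""
from datetime import datetime, timedelta, timezone

# Fields from the list above that a properly preserved item should carry (lowercased).
KEY_FIELDS = ("created_at", "user_id", "screen_name", "source", "reply",
              "in_reply_to_user_id", "direct_message", "sender_id", "recipient_id",
              "geo_enabled", "coordinates", "utc_offset")

# Constructed sample: a reply collected through the API with its metadata intact.
COLLECTED_ITEM = {
    "created_at": "Wed Mar 01 13:08:45 +0000 2023",
    "user_id": 12345, "screen_name": "example_user",
    "source": "Twitter for iPhone",
    "reply": True, "in_reply_to_user_id": 67890,
    "direct_message": False, "sender_id": None, "recipient_id": None,
    "geo_enabled": False, "coordinates": None,
    "utc_offset": -18000,  # seconds west of UTC (US Eastern standard time)
    "truncated": False,
}

# Constructed sample: the same tweet as rebuilt from a screenshot.
SCREENSHOT_ITEM = {"screen_name": "example_user", "text": "(tweet text as displayed)"}


def parse_created_at(value):
    """Parse Twitter's created_at form, e.g. 'Wed Mar 01 13:08:45 +0000 2023'."""
    return datetime.strptime(value, "%a %b %d %H:%M:%S %z %Y")


def local_time(item):
    """Tweet time in the poster's own zone: created_at (UTC) shifted by utc_offset."""
    created = parse_created_at(item["created_at"])
    poster_zone = timezone(timedelta(seconds=item["utc_offset"]))
    return created.astimezone(poster_zone).isoformat()


def missing_fields(item):
    """Key fields absent from the collected record."""
    return [field for field in KEY_FIELDS if field not in item]


def internal_inconsistencies(item):
    """Field combinations that contradict each other; each is worth explaining."""
    problems = []
    if item.get("reply") and not item.get("in_reply_to_user_id"):
        problems.append("reply flag set but in_reply_to_user_id is empty")
    if not item.get("reply") and item.get("in_reply_to_user_id"):
        problems.append("in_reply_to_user_id present but reply flag not set")
    if item.get("direct_message") and not (item.get("sender_id") and item.get("recipient_id")):
        problems.append("direct message without sender_id/recipient_id")
    if item.get("coordinates") and not item.get("geo_enabled"):
        problems.append("coordinates present although geo_enabled is false")
    try:
        parse_created_at(item["created_at"])
    except (KeyError, ValueError):
        problems.append("created_at missing or not a valid timestamp")
    return problems


def authenticity_report(item):
    """Bundle both checks for the case file."""
    return {"missing": missing_fields(item),
            "inconsistencies": internal_inconsistencies(item)}


if __name__ == "__main__":
    print(local_time(COLLECTED_ITEM))
    print(authenticity_report(SCREENSHOT_ITEM))
```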
Facebook and LinkedIn
Facebook and LinkedIn items have their own unique metadata but are generally comparable. Here are some key metadata fields for each Facebook entry. (These fields provide important evidence, investigation context and circumstantial evidence to establish authenticity, if properly collected and preserved. Facebook changes its APIs from time to time; we will report any such changes and updates when they occur.)
- Uri – Uniform resource identifier of the subject item
- fb_item_type – Identifies the item as a Wall item, News item, Photo, etc.
- parent_itemnum – Parent item number; a sub-item is tracked to its parent
- thread_id – Unique identifier of a message thread
- recipients – All recipients of a message listed by name
- recipients_id – All recipients of a message listed by user id.
- album_id – Unique id number of a photo or video item
- post_id – Unique ID number of a wall post
- user_img – URL where the user profile image is located
- user_id – Unique id of the poster/author of a Facebook item
- account_id – unique id of a user’s account
- user_name – display name of poster/author of a Facebook item
- created_time – When a post or message was created
- updated_time – When a post or message was revised/updated
- To – Name of user whom a wall post is directed to
- to_id – Unique id of user whom a wall post is directed to
- Link – URL of any included links
- comments_num – Number of comments to a post
- picture_URL – URL where the picture is located
As mentioned earlier, you will not get all of this key metadata from a printout, screen capture, or even most compliance archive tools. Best-practices technology specifically designed to collect, preserve, search and produce social media for eDiscovery is required.
E-mail Investigation (IP headers)
Cyber-crime is the newest and perhaps the most specialized and dynamic field of cyber law. Some cybercrimes, such as network intrusion, are difficult to detect; however, crimes like retail theft, e-fencing, auction fraud, and intelligence gathering can be detected and investigated by following these steps after receiving such a mail:
- Instruct the e-mail program to show the full header of the mail;
- In the full header, find the IP address and the time of delivery; this IP address differs from one mail to another. From this IP address we can identify who the Internet service provider is for the system from which the mail came;
- To identify the Internet Service Provider from an IP address, use a lookup service such as nic.com, macffvisualroute.com, apnic.com, or arin.com;
- After opening the website of any of the above-mentioned services, enter the IP address, and after a short time the name of the ISP can be obtained;
- After getting the name of the ISP, we can obtain information about the sender from the ISP by giving them the IP address and the date and time of sending;
- The ISP will provide the address and phone number of the subscriber whose system was used to send the malicious mail; and
- Once investigators know the address and phone number, they can often apprehend the perpetrator using conventional police methods.
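The first two steps above (show the full header, find the originating IP address and time), as an added example that is not part of the original text. The header is a constructed sample; relays prepend their own Received: line, so the lowest one is closest to the sender, and the script skips private (RFC 1918) addresses such as the client's own LAN address so that the ISP-side address is the one reported. The ISP lookup that follows (the next steps above) is done separately with the registry services listed.

```python
"""Extract the originating IP address and timestamp from a full e-mail header."""
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network
import re

# Constructed sample header. The lower Received: line is the sender's submission
# to its ISP: the client claims a LAN address, the relay records the real one.
RAW_HEADER = """\
Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])
    by mx.example.net with ESMTP id abc123
    for <victim@example.net>; Wed, 1 Mar 2023 14:10:02 +0000
Received: from [192.168.1.20] (cpe-203-0-113-45.isp.example [203.0.113.45])
    by smtp.isp.example with ESMTPSA id xyz789;
    Wed, 1 Mar 2023 09:09:58 -0500
From: someone@example.org
To: victim@example.net
Date: Wed, 1 Mar 2023 09:09:50 -0500
Subject: constructed sample

(message body)
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Addresses that identify a device only inside its own network, not on the Internet.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_hops(raw):
    """Received: headers in transit order (sender side first), whitespace normalized."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def hop_ip(received):
    """First routable IPv4 address mentioned in a Received: line, or None."""
    for match in IPV4.finditer(received):
        try:
            ip = ip_address(match.group())
        except ValueError:
            continue  # e.g. an octet above 255; not an address
        if any(ip in net for net in PRIVATE_NETS):
            continue  # LAN address claimed by the client; not traceable via the ISP
        return str(ip)
    return None


def hop_time(received):
    """Timestamp after the last ';' of a Received: line, as an ISO string in UTC."""
    stamp = received.rsplit(";", 1)[-1].strip()
    return parsedate_to_datetime(stamp).astimezone(timezone.utc).isoformat()


def origin(raw):
    """Originating IP and relay-stamped time from the earliest hop with a public IP."""
    for hop in received_hops(raw):
        ip = hop_ip(hop)
        if ip:
            return {"ip": ip, "received_utc": hop_time(hop), "received": hop}
    return None


def claimed_date(raw):
    """The Date: header in UTC; set by the sender's own software, so less reliable."""
    msg = message_from_string(raw)
    return parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    print(origin(RAW_HEADER))
    print("sender-claimed date:", claimed_date(RAW_HEADER))
```

Record the Received: time (stamped by the ISP's relay) rather than the Date: header when asking the ISP which subscriber held the address, since the sender controls the latter.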