Solving Crimes is becoming a very Hi-Tech Field
Ethical Hacking and Digital Forensics
Visit the Evidence Files Facebook and YouTube pages; Like, Follow, Subscribe or Share!
Find more about me on Instagram, Facebook, LinkedIn, or Mastodon. Or visit my EALS Global Foundation’s webpage page here.
Computer technology appears in crimes all the time. In virtually every criminal act, some piece of electronic evidence exists somewhere, whether from mobile devices, CCTV, internet traffic, cellular data, security systems or otherwise. Data from these sources help reveal many things about a criminal, victim, or the crime itself. This can include their location, online activity, user habits, and identities, among many other things. Sometimes the perpetrator doesn’t know much—if anything—about these technologies or what they do; other times the criminal purposely weaponizes them. Criminal investigators use a variety of methods to find and interpret this kind of evidence.
Crime solving isn’t strictly a police function. Companies big and small also employ large armies of talented individuals to conduct investigations. They might be interested in a single employee engaged in suspicious activity, a larger problem such as an apparent data or financial leak, or a huge problem like a network intrusion leading to a data breach or ransomware event. Digital forensics and network analysis go hand-in-hand to trace from beginning to end what happened: where it began, how it occurred, who did it, and what to do to prevent it from happening again.
Let’s examine some of the ways this is done. Keep in mind that this is meant only as an introduction for those who might be interested in entering the field.
Photo and Video Analysis
With the ubiquity of cellphone cameras and CCTV systems, photo and video evidence accompany an enormous number of crimes. Television shows love to fantasize about this kind of analysis. “Zoom and enhance” is such a common trope in cultural media that it has led a lot of people unfamiliar with the process to believe police can take any video or photo, no matter the quality, and turn it into a crisp, clear image. Conversely, in nearly every law enforcement training I have ever attended on the issue (and there have been many), instructors relied on a different phrase: “garbage in, garbage out.” The reality is much closer to the latter phrase.
Generally speaking, accurate enhancements of photo or video are limited by the quality of the original footage, which of course is dependent on the shooting camera. A good analyst, however, can make enhancements because image outputs are designed for the human eye, but often possess hidden features that help uncover items that investigators find useful. Light filtering is just such an example. Many photo and video programs manipulate images in response to the available light sources to try to maximize the quality of the output. Sometimes, this manipulation obfuscates important aspects of an image of interest to investigators. Forensic programs allow analysts to filter various spectrums of light to highlight different parts of an image than those which were emphasized in the output. This might make a gun on a suspect’s belt more visible, or clarify the color of clothing seen deeper in the background, or simply highlight some part of the picture that is not easily noticeable in regular light.
An example of light filtering of a photo taken by the author.
Most mobile phones of the latest generations are equipped with very advanced cameras, but high-quality outputs take up a lot of storage space. To save space, output images tend to be compressed, which lowers the visible quality. There are a number of types of compression, but the greater the compression, the worse the output image appears. To easily see this, compare a thumbnail on a phone or computer to the actual photo. Both are of the same content, but one is obviously better (and not just because it is bigger). Thumbnails are deeply compressed versions of the original photo. Take note, though, that photo programs typically compress even the regular-sized photos stored on phones or other devices. Working from the non-compressed image allows forensic analysts to enhance some features that appear otherwise unavailable. This might represent the closest thing to movie-like “zoom and enhance” because it takes what looks like a rather grainy or color-washed photo and produces far clearer images.
Source: https://www.creativebloq.com/design
The above example shows three levels of compression. The two on the right comprise higher levels of lossy compression, where the overall data size is significantly reduced by eliminating pieces of the image. The more data discarded, the worse the picture looks. On the left you also see a type of lossy compression, but far less data is lost. A photo compressed with lossless compression would appear even sharper. Lossless compression requires much greater storage space, so most common mobile and computer video and image apps employ some level of lossy compression instead.
The depths of technology behind photo and video analysis could fill entire volumes. This section only provides a very brief introduction. Many open-source tools exist to test the waters on photo and video enhancement. To try it out, visit the Forensically Beta tool. NOTE: Always use free online tools with caution. Do not load sensitive or personal information without extensive prior testing. For a deeper understanding, I highly recommend taking classes on the subject!
Computer and Mobile Forensics
Like all the topics in this column, computer forensics invokes such a wide array of skills that I can hardly begin to cover them here. But I will summarize by saying that from my experience as a law enforcement technical analyst, there are four major hurdles to conquer. First is access. This involves conquering encryption or potentially bypassing passwords. Without gaining access to a system, none of the other steps matter.
To bypass passwords, analysts have several options, depending upon the circumstances. If the password is a mere gateway that does not involve encryption, the analyst might simply access the data through another operating system or platform. This often works when acquiring data from PCs and laptops where Windows requires a password, but it merely unlocks the system. If the user did not set up full-disk encryption, typing in or bypassing the password makes little difference; the data remains unencrypted and therefore accessible. Booting into a separate operating system often allows the analyst access to the stored data without dealing with the password at all. In other cases, there is little choice but to defeat the password. Many methods exist to do so. Brute Force attacks essentially try every possibility until reaching the correct one. Dictionary attacks do the same, but focus on common words as a starting point. Another method is Password Spraying, where the analyst (or attacker) will test against a database of known passwords first. For attackers, these come from stolen passwords obtained from previous data breaches. For an analyst, this might include a list of passwords associated with the target or victim, sometimes provided by family, friends, or other sources. Rainbow Table attacks test hashes to look for password matches.
For more on passwords generally, see this article. It also discusses in greater detail how hashing is used in password storage and breaking.
The second hurdle is system navigation. In most cases, the relevant data is there, the analyst simply needs to know how to find it. This means understanding the details of the evidence operating system, file system, directory organization, recycle bin, and system functions. With so many platforms out there—Apple, Android, Windows, Linux, etc.—this requires extensive continued learning and a great deal of research. The third hurdle is putting the suspect at the keyboard. Uncovering a trove of incriminating digital evidence does little good if the analyst cannot tie a user to the activity. In my courses I teach several ways to accomplish this, from associating user IDs to specific activity or authorship metadata, to psychological indicators such as password hints or cached browser activity. Fourth is validation and reporting. Courts are increasingly treating digital forensics like a science—and properly so. A good scientist should be able to present his or her findings in such a way that another can verify them and reproduce them. Reporting should include hashing of evidence files from disk to file level, detailing the tools used in the analysis, articulating the analytic process, narrating any difficulties or anomalies, and of course explaining the relevance of the findings. Another way many analysts will have to report is through testimony. Testimony requires threading a fine line between sounding smart and making difficult issues understandable to non-technical people (i.e., juries, judges, supervisors, or lawyers). Good report writing requires training and practice. Mock courts and other forums enable trainees or students to sharpen their testifying skills.
Cellular and Location Data
As mobile devices contain critical evidence, especially in criminal cases, analysts must learn to understand the various datasets that help piece together an incident. Data of this sort comes from two primary sources, the device itself or the telephone carrier. With their extensive tracking capabilities, data on mobile devices may provide crucial information about what a victim or suspect might have been doing in the time leading up to a crime. Such data also applies in private sector analyses of corporate espionage, hardware intrusions, or other incidents. Mobile devices track location through a wide variety of methods including GPS, Bluetooth, Google Web & App Activity, FindMy (Apple and Android), Advertiser IDs, and others. Data collected by many of these programs resides directly on the device. Thus, an analysts needs to be aware of it and know where to look for it.
Mobile devices also keep call detail records (“CDRs”). These indicate time and date, type (call, SMS, MMS, etc.), ingoing or outgoing, recipient and sender, phone numbers, and other data. Analysts compare these records to the CDRs received from telecommunication companies, which also typically provide tower information as well as location data. This can help an analyst create a timeline of the people a suspect or victim might have spoken to in the moments leading up to an incident. Robust CDRs also enable the creation of location maps showing (roughly) where a device was at various times. Reading CDRs and understanding their benefits and drawbacks requires a lot of experience and training. Location data often needs contextual tower data to confirm its validity or narrow down the range field. Contextual data of this kind might include antenna type, broadcast direction, azimuth, power, and more. American courts, at least, draw the line on how “granulated” the testimony about these records can be based on the training and experience of the person testifying about them. The answer, as always, is training, training, training.
Network Analysis
Analysts use network analysis to investigate a variety of crimes: data breaches, ransomware attacks, online trafficking, stalking, intellectual property theft, embezzlement… the list goes on. How such analyses are done depends on the purpose, but may include examining network devices, servers, and traffic. Intruders often use social engineering and phishing techniques to gain initial access to a network. For details on how attackers execute phishing attacks, check out this article.
Reverse engineering the attack vector enables analysts to find the intrusion point, which may then require forensic email analysis if, as usually happens, it started with a phishing attack. Other forms of attack include Man in the Middle (MITM), Distributed Denial-of-Service (DDoS), and Password attacks. Another method implemented toward predicting, preventing, or solving crimes is link analysis. This type of analysis looks at “relationships and connections in a dataset” to piece together potential criminal networks of two or more people or organizations. Packet analysis studies individual pieces of data sent or received on a network (the “packets”) to determine what activities occurred over a certain period of time. Other ways an investigator might explore network evidence include router analysis, email forensics, WLAN reports, and more. Network analysis is a key part of uncovering the methodology of a specific crime or incident. Sometimes, that leads to Malware Analysis.
Malware Analysis
So, the analyst has discovered suspicious software sitting on a network or device. What happens next? Many investigations start with analyzing the primary piece of evidence, the software used to conduct the crime. Malware analysis means trying to figure out what exactly a piece of suspicious software does, and how it got there in the first place. Static analysis involves reading the available code to determine what happens upon execution. Publicly available tools help with this process. Static analysis does not run the code, so it is a preliminary step in the investigative process. Dynamic analysis means running the code to see it in action.
Obviously, executing malicious code is playing with fire, so analysts do so in a sandbox for protection. A sandbox emulates the user-to-network environment, but does not expose the real network to the negative effects of the malware. Many commercial sandboxes run automated reverse engineering programs to rebuild the code for deeper analysis. Analysts still must exercise extreme caution using sandboxes because more sophisticated attackers utilize dormant code to evade them, meaning that their malicious program will wait until it is in the right environment to launch its attack. As many—maybe most—attackers tend to use existing malware for attacks, rebuilding the code for careful examination frequently leads to an affirmative identification of the malicious program. New malware programs, or those that use novel methodologies of attack, exploit what are known as zero-day vulnerabilities. These are vulnerabilities that had previously gone undetected; a recent example is BlueKeep. Sometimes, savvy cyber researchers uncover these types of exposures, which enable developers to fix them before they are exploited. When discovered as the result of an attack, however, analysts must resort to studying the infiltrating program to pinpoint the vulnerability and patch it.
Malware sample; credit: David Bombal
Malware analysis is used in investigating events that already happened, but also can be leveraged against potential attacks. Such functions include developing threat alerts, bug hunting, or pre-incident dissembling. To excel at the various types of malware analysis, analysts must become adept at reading and understanding computer code.
OSINT
Perhaps the most under-utilized tool in any technical analyst’s cache is OSINT—Open Source Intelligence. Computer geeks, nerds, and tech enthusiasts love to share their work. The secretive world of hackers as displayed on hit TV shows like Mr. Robot is misleading in my experience as these kinds of people, too, love to share their work. Many people create incredible videos, blogs, and other forms of tutorials on all matters related to any of these topics. Moreover, techies create tools to do all kinds of extremely useful functions and make them available online—often for free. Cybersecurity and digital forensics professionals, regardless of their specialty, should keep an ongoing, up-to-date repository of OSINT tools. My current database contains over 3,000 tools and hundreds of informational video channels or websites. It undoubtedly barely scrapes the surface. To economize space, I will list just a few of my favorites to help those new to the field get started compiling their own. (I obtain no benefit from any of these companies, products, or sites). I said it earlier, but let me re-emphasize: OSINT tools should not be used for sensitive or personal information without very careful vetting. USE THEM AT YOUR OWN RISK. If you have specific questions, feel free to ask them in the comments where I will answer them for everyone’s benefit.
Reverse photo searches: Google; Tineye; Bing
Other photo tools: Exif; Sherloq; Foto Forensics
Video: VLC Media Player; Video Artifacts; Kinovea
Computer Forensics: Autopsy; FTK Imager; SIFT Workstation
Email Forensics: MXToolbox; Mail Pro+; Mozilla Mbox Viewer
Forensic Tool Boxes: Central Ops; Eric Zimmerman’s Tools; Cyber Chef
Learning: Bendo Brown; David Bombal; Free Code Camp; John Hammond
Vulnerabilities Catalog: CISA (CVE database)
Hackers and Hacking
On a last note, I refrained from using the term “hacker” throughout most of this article. The term drips with connotations, largely generated by Hollywood. Hacking simply describes performing operations that identify or exploit weaknesses in a system for some purpose. That purpose can be either nefarious or well-intentioned. Some people describe this division of intent as “black hat” and “white hat” hackers. In any case, what “white hat” or “ethical hackers” do is a critical part of keeping society functioning. Bug hunters, penetration testers, malware analysts, and other folks constantly battle against those who seek to take advantage of weaknesses for ill-gotten gains. Without expert people in these fields, the internet and all of its component parts (the credit card system, email, online chats, social media, etc.) would not exist for long. These industries—ethical hacking and digital forensics—are in my view among the most noble professions out there. What these professionals do plays such a critical part in keeping modern society functioning and keeping people safe from all manner of bad acts. It is an honor to be a part of it.
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a Master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. Today, I teach Cybersecurity, Ethical Hacking, and Digital Forensics at Softwarica College of IT and E-Commerce in Nepal. In addition, I offer training on Financial Crime Prevention and Investigation. I am also Vice President of Digi Technology in Nepal, for which I have also created its sister company in the USA, Digi Technology America, LLC. We provide technology solutions for businesses or individuals, including cybersecurity, all across the globe. I was a firefighter before I joined law enforcement and now I currently run the EALS Global Foundation non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas.
***
For a breakdown of Rainbow Tables, see below.
