It is 11:00 p.m. and after a quick pause and look around, the team begins to approach the building where the target suspect's office is located. Circling the parking lot, the car headlights are turned off so as not to draw attention in the muggy moonlit night. Confidence builds after spotting no cars or anyone burning the late-night oil. A long-awaited productive evening lies ahead.
The car slowly pulls to a stop. The doors are opened and closed in a gingerly fashion to avoid noise that could filter through the cool blackened night air. Entering the building with ease, the team utilizes their privileged access and master keys to begin a stealth and secret assignment. Hearts begin to beat faster as we check cubicles nearby to make sure there are no potential witnesses who could ruin the day.
Standing at the office door of our person of interest, an examination of the area begins. Any scotch tape on the door and jamb? A common technique used to reveal unauthorized entry. No tape, and the coast is clear. A check of the door handle and review of the office condition is made. Door unlocked? Check. Lights on? Check. Chair turned 45 degrees? Check. Blinds open? Check.
The blinds are closed and a rapid fire of flashes streams across the room as multiple pictures are shot with a digital camera, making an inventory of the scene and the location of articles that may get shifted during the search. Before anyone leaves, the images are compared with the room's condition to ensure everything is returned to the way it was found.
You can’t help but think about the Watergate burglars and how they must have felt during their illegal search. This, however, is not a burglary or an unauthorized or illegal search. This is the start of a forensic seizure that is now becoming all the more commonplace in the world of electronic crimes investigation.
The target computer is found, and the serial, make, and model numbers are noted. The power cord is removed from the back of the computer to freeze the hard drive in its original state. Training teaches the importance of not shutting down the computer through the operating system because doing so changes the evidence, which can cause a potential problem in court.
A duplicate drive that has been sterilized via a wipe utility to erase any lingering data from previous use is readied. The forensic examiner’s experience and training dictates the importance of creating an exact working copy of the suspect drive. Using a specialized field imaging unit designed specifically for forensic examination seizures, an exact duplicate of the suspect drive is made for analysis later in the forensic lab.
The imaging unit is designed to create a one-way stream of data onto the duplicate drive while not changing the state of the original hard drive. This duplication process is critical in the course of a computer forensic exam. An MD5 hash is computed over each drive, and the two hash values are compared to confirm that the original and target drives are an exact match.
Just before leaving, the power cords of computers in cubicles and offices nearby are pulled and replaced, giving the impression in the suspect’s mind that it was just another overnight Florida lightning storm that caused their computers to reboot.
It’s another good night as we leave to head back to the forensic lab, which is located in a separate building across campus. It is 1:00 a.m. when we quickly log the suspect drive into evidence at the lab and head home. The forensic examination and analysis will begin in a few hours, once the official work day begins.
An Epidemic of Electronic Crimes
Electronic crimes investigation has evolved over the past decade to such a degree that it has shifted from the paradigm of conducting email searches and IP address tracing to developing sophisticated and complex investigation units.
Why the need for sophisticated software and complex hardware for electronic crimes investigation? The simple answer is that those people we investigate are utilizing these sophisticated tools, and therefore we are required to level the playing field.
Consider the BTK murders and how it took police over thirty years to catch the killer. It was computer forensics that finally brought the perpetrator to justice. Imagine how much more easily computer criminals, who leave behind millions of bytes of digital evidence, can be caught, as opposed to the BTK murderer, whose primary tools were his hands, rope, and a bag to cover the faces of his victims.
Pick up almost any newspaper today and you are sure to find an article about electronic crimes, including identity theft, phishing, and corporate espionage. In one survey it was reported that 43 percent of the participating companies faced a breach of their information systems, and 85 percent of those breaches were caused by employee espionage.
In 2003 the losses to American corporations reached over 45 billion dollars in lost revenue. Why is it becoming an epidemic? You can answer this question simply by looking at the explosive growth of technology. Eighty percent of households today have a computer and of those households, 73 percent also have an Internet connection.
If you are an e-commerce retailer, you can appreciate the dynamic growth in on-line sales. For example, in 2002 e-commerce sales reached an estimated $2.2 billion, while annual sales in 2006 are expected to exceed $12.8 billion.
With this expected growth comes an increase in the number of e-crimes that we face in the course of conducting our business. There are over 242 million Internet users, and potential customers, in the Asia-Pacific region alone. Nobody knows the potential number of users around the world who may want to commit e-crimes against retailers and American corporations.
Around the World and at Home
But American businesses don’t have to look around the world for potential criminals. Unfortunately, many of our own employees are possible electronic criminals.
Take for instance the case at AOL, where an employee stole a customer list and sold it to a spammer. It was very easy for this employee to commit this e-crime. In this particular case, the employee had easy access to a centralized database once past the log-on security. This problem is one most of us face because we store data in a centralized repository, in contrast to a more secure decentralized approach that takes more time, resources, and money. This made the e-crime easy because it allowed for one-stop shopping—one data center and one source for the information.
Access to the Internet also makes it easy. You can sell virtually anything on the Internet. Internet sales are typically anonymous and secret, so the employee committing espionage against you has the opportunity (the first part of the fraud triangle) to sell this information.
Next, consider the multiple access points within your company. Think about how easy it is for you to log on to your company’s email or intranet systems. You can access these systems via a BlackBerry device, a broadband connection from your hotel, or dial-up from home.
These multiple access points make our business lives easier. They also make the lives of dishonest employees easier.
Finally, the threat can be costly. It may not be merchandise or money, but it is critical information—customer data, corporate financials, source code, employee passwords, sales data, private employee data, and strategic planning documents. Theft of some of this information can be much worse than the loss of merchandise or money, as it can result in customers turning away from your stores, customer and employee lawsuits, falling stock prices, and, perhaps most importantly, the loss in brand equity.
“It’s not like I’m Stealing Merchandise or Money, Right?”
How and why are employees who we entrust committing e-crimes against us?
Espionage and fraud are virtually the same beast. In fraud we understand the fraud triangle, where there is pressure, opportunity, and rationalization. In espionage we have employees that seize the opportunity to sell or post information on the Internet. In espionage there is external peer pressure on employees to post on message boards. In espionage there is rationalization: they feel what they are doing is justified because it is only information—“It’s not like I’m stealing merchandise or money, right?”
Employees are moving information every day for a variety of reasons outside of the scope of the business need and through a variety of communication channels, including voice communication, mail systems, and IP-based protocols, such as the web, instant messaging, FTP (file transfer protocol), IRC (Internet relay chat), Usenet, and Internet message boards.
Employees use a variety of methods to keep from getting caught, such as steganography (the art of hiding messages in pictures), file deletion, encryption, proxy avoidance, and anonymizers. All of these methods can be detected by a trained computer forensic investigator. Some are more difficult than others, depending on the level of sophistication and technique applied.
For example, there are many levels of protecting data, from simply password-protecting a Word document to more robust measures, such as using 128-bit encryption. The Word document in this case would be easily cracked in the course of an investigation, while the latter may eventually be cracked but would require many other resources and software to do so.
Another example is file deletion. If an employee hoping to hide information simply used the computer’s normal deletion function, the computer forensic investigator can easily recover the file. However, he may not necessarily be able to do so if the suspect employee used a specialized wipe utility.
In both of these examples, policy is the key. Does your company have a policy that prevents employees from downloading or installing unauthorized software, such as a wipe utility or encryption program? If not, then now is a good time to begin a partnership with your information security department and draft a policy to manage the desktops of your deployed systems. If nothing else, hopefully this article will prompt you to begin a partnership between loss prevention and information security to begin addressing these issues.
Spy vs. Spy
Espionage is defined by the Merriam-Webster dictionary as “the practice of spying or using spies to obtain information about the plans and activities of a competing company.” My definition of electronic crimes investigation is “the practice of spying or using spies to obtain information about the plans and activities of persons committing e-crimes via electronic methods.”
In other words, electronic crimes investigation pits spy vs. spy.
How do you get started in this world of electronic crimes investigation (ECI)? You begin by getting the buy-in from key stakeholders, including legal, human resources, information technology, information security, and perhaps your internal audit or compliance office, in order to draft policies that address the risk.
First, you will need a terms-of-use policy. This is critical in ensuring that your employees understand that when they are using company assets, such as their assigned computer, intranet, and Internet access, that there is no expectation of privacy. You will need your policies to support everything from the practical use of those IT resources to the protection of passwords and the protection of confidential data.
To combat the problem with employee espionage and other electronic crimes, we employ a model of an electronic crimes unit that includes four main branches—surveillance, first response, evidence repository, and computer forensics, which is the backbone of the ECI unit.
Surveillance provides a practical and proactive approach to e-crimes investigation. These tactics include the use of many electronic monitoring solutions that enable us to filter through network traffic to look for policy violations, such as employees surfing to eBay or pornographic web sites.
These monitoring solutions include network sensors that use analytics to detect unauthorized credit files being transmitted through a firewall. Mailbox and desktop monitoring allows us to view the mail from both internal and external mail systems, such as a Yahoo email system. A well-developed mail review program also enables us to filter out competitor email and other email to specific domains that may be of concern for further examination and study.
In addition to using the many new technologies for monitoring computer systems, we also employ traditional methods such as CCTV, office sweeps, and access control systems.
By developing a strong partnership with our information security resources, we have enabled many other tools and techniques too sensitive for publication. The partnership with information security is key to building a strong ECI unit.
First responders are virtually everyone who would normally respond to a criminal incident. These would include your information security team or CERT (Computer Emergency Response Team), loss prevention managers, store managers, corporate managers, and others who could potentially be involved with an investigation.
The primary mission of the first responders is to preserve evidence. First responders are trained to document and photograph the scene, seize hardware, and collect information related to the digital evidence. This information may include the serial, make, and model number of all hardware seized and inventory of other digital evidence, such as thumb drives, floppy disks, CDRs, and DVDs.
It is the mission of the first responder to freeze the evidence in the state in which it was found. First responders document, preserve, and protect the chain of evidence so the forensic investigator may properly take the chain of custody to complete the cycle of the investigation. It goes without saying that the first response team requires detailed training. Training is crucial since the result of the e-crimes investigation process will be challenged in a court of law. The use of new technology and procedures will require a substantial amount of knowledge that is not regularly attained in traditional loss prevention roles.
Evidence repository is the third branch to the ECI unit. We not only store items of evidence related to electronic crimes, but we also support other investigations where a computer may have been involved, including unemployment claims, Sarbanes-Oxley investigations, business continuity, and patent-infringement claims to name a few. By supporting a variety of investigations outside of the traditional role of loss prevention, we continue to add value to the organization by providing these valuable services to other departments, such as HR, legal, risk management, and information security.
The critical key to the success of managing evidence is maintaining the chain of custody. When handling electronic evidence, such as computer disk drives, one needs to understand that this particular kind of evidence is susceptible to the environment and can be easily damaged or destroyed. For example, we use specialized containers lined with antistatic bubble wrapping and antistatic collars when handling this type of evidence to prevent discharge of static electricity.
Another threat to electronic evidence is the simple fact that the data can be easily changed or manipulated, unlike hard evidence such as stolen merchandise. To prevent the unauthorized manipulation of evidence, we use tamperproof bags and tape along with securing the evidence in an access controlled environment requiring entry through the use of proximity photo ID badges. The access-control system not only ensures that only permitted individuals are granted access, but also logs the event so that you may use this log as evidence during the course of any litigation that may arise.
Finally, documentation and training are required for a sound evidence repository program. Not only is it important to document the evidence and assign control and case numbers, but you need to have a trained custodian who can follow procedure as well as speak to the procedure and its meaning if ever challenged in court.
Computer forensics is the heart of the operation. As mentioned before, computer forensics requires specialized hardware and sophisticated software. A computer forensics operation will require the expertise of a trained computer forensics investigator who not only can perform a forensic analysis, but more importantly can testify in court as to what that process is and how it was conducted.
Computer forensics is defined as “the preservation, identification, extraction, and documentation of computer evidence.” In the course of computer forensics, several steps are taken to preserve the evidence. A simplistic view of the process begins with the example at the beginning of this article, where the suspect drive was duplicated in such a way that an exact copy is made, so that the original evidence is never touched during the exam and is filed away for a later date.
Second, the duplicated evidence is processed by specialized software that indexes every byte of data found on the drive in a physical manner. This is different from how the operating system views data, in a logical manner.
For example, logically speaking, the operating system views deleted data as no longer available. But when computer forensics techniques are performed, every byte, including those that have been flagged for deletion, is recovered and viewed as part of the chain of evidence.
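The imaging-and-hashing step from the opening of the article and the physical-versus-logical view described here, as one added example (not the author's code, nor that of any forensic imaging product): a constructed in-memory "drive" with a toy one-sector directory format is copied sector by sector onto a blank destination, both sides are hashed with MD5 (the `algo` parameter also accepts `sha256`), and the copy is then read once through its directory and once byte by byte. The directory format, the file names and the drive contents are all made up for the demonstration.

```python
import hashlib
import io

SECTOR = 512  # read and write in sector-sized pieces so a whole drive never sits in memory

def hash_device(dev, algo="md5"):
    """Digest every byte of a device or image; the article's MD5 check is this run on both drives."""
    h = hashlib.new(algo)
    dev.seek(0)
    for block in iter(lambda: dev.read(SECTOR), b""):
        h.update(block)
    return h.hexdigest()

def image_device(source, destination):
    """One-way copy onto a freshly wiped destination; returns (source_hash, copy_hash)."""
    source.seek(0)
    destination.seek(0)
    for block in iter(lambda: source.read(SECTOR), b""):
        destination.write(block)
    return hash_device(source), hash_device(destination)

def build_toy_drive():
    """Constructed sample, not a real file system: sector 0 holds name|sector|status entries, A = allocated, D = deleted (entry and data left on disk)."""
    directory = b"memo.txt|1|A;customers.csv|2|D;"
    sectors = [
        directory.ljust(SECTOR, b"\x00"),
        b"Quarterly memo: nothing sensitive here.".ljust(SECTOR, b"\x00"),
        b"CUSTOMER LIST: alice@example.com,bob@example.com".ljust(SECTOR, b"\x00"),
    ]
    return io.BytesIO(b"".join(sectors))

def logical_files(dev):
    """What the operating system shows: only entries still marked allocated."""
    dev.seek(0)
    entries = dev.read(SECTOR).rstrip(b"\x00").split(b";")
    names = []
    for entry in filter(None, entries):
        name, _sector, status = entry.split(b"|")
        if status == b"A":
            names.append(name.decode())
    return names

def physical_hits(dev, needle):
    """Forensic view: scan every sector, allocated or not, and list those holding the needle."""
    dev.seek(0)
    blocks = iter(lambda: dev.read(SECTOR), b"")
    return [n for n, block in enumerate(blocks) if needle in block]

def investigate():
    """Image the sample drive, verify the copy, then compare the two views of the copy."""
    suspect, copy = build_toy_drive(), io.BytesIO()
    src_md5, copy_md5 = image_device(suspect, copy)
    return {"verified": src_md5 == copy_md5, "md5": src_md5, "logical": logical_files(copy),
            "physical": physical_hits(copy, b"CUSTOMER LIST")}
```

Calling `investigate()` reports a verified copy, a logical view containing only memo.txt, and a physical scan that finds the deleted customer list in sector 2, which is exactly the gap between the two views that the passage describes.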
Complex Crimes Require Complex Solutions
It is true that electronic crimes investigations are complex operations with associated costs. It is also true that there are significant costs in hiring a third-party contractor to conduct just one investigation. When you review the value that a program such as this can add to your overall loss prevention program, the benefits are obvious and, at least in our case, far outweigh the costs.
Identity theft, phishing, and corporate espionage are the new age of e-crime that is attacking American business on a daily basis. The explosive growth of technology is here and retailers must quickly adapt to the ever-changing world in which we conduct our business.
We have both legislation that supports us as well as new tools that enable us. Now is the time to develop a key partnership with your information security department and begin an electronic crimes investigation program to protect your company against this growing threat.