Identifying Internet Activity
Computer Forensics Goes To Cyber Space
By Michael R. Anderson
The Internet... friend or enemy? The popularity of the Internet has grown at incredible rates and today it reaches into the hearts of many corporations and households worldwide. The Internet gives computer users access to a wealth of information. It is also a wonderful mechanism for the exchange of E-mail communications and file attachments globally. International boundaries no longer exist when it comes to the exchange of information over the Internet. This new technology has proven to be ideal for international commerce and it has the potential to be a valuable communications tool for the exchange of law enforcement and government information. However, the Internet also provides the 'crooks' with communication capabilities that did not exist previously. Through the use of a modem and with just a few clicks of a mouse, criminals can share information worldwide. Sad but very true. Cyber crime has become a reality in our modern world.
More and more, law enforcement agencies are encountering computers at crime scenes. These computers are used to store the secrets of criminals and they are also used in the commission of crimes. Internet related crimes are clearly on the rise and abuses of corporate and government Internet accounts by employees are becoming commonplace. I know of one recent case involving the employee of a large corporation. He was using his corporate Internet account, on company time, to run his side business. What a deal... thanks to the Internet he had two day jobs. To make matters worse though, he was also using the corporate computers on company time to view and download pornographic images from the Internet. In another case a law enforcement management official destroyed his 15-year law enforcement career when he was caught using a law enforcement computer to download pornography from the Internet. Just a few months ago I received a call from a deputy sheriff who was requesting help in the investigation of the rape of a young girl. The girl had been lured from an Internet chat room to meet the rapist at a shopping mall, and the rapist's computer contained crucial evidence in the case.
The law enforcement community is starting to effectively deal with computer related criminal investigations. Funding is finally being focused on the creation of local and state computer crime units. Law enforcement training organizations like the National White Collar Crime Center, Search Group, the International Association of Computer Investigation Specialists and the Federal Law Enforcement Training Center are training hundreds of law enforcement computer specialists each year. Some of these training efforts are being directed at Internet related crimes and you will see more training emphasis placed on this important technology issue in the future. By way of example, the University of New Haven is currently involved in the creation of one-day law enforcement training courses which deal specifically with Internet crimes and related computer evidence issues. Other similar courses will be made available through Government Technology Conferences, which is affiliated with Government Technology Magazine. Fred Cotton at Search Group has developed an extensive course on Internet crime issues that will be offered to law enforcement agencies in the future. Things are looking up on the training front for law enforcement.
On the corporate front things are looking up also. New Technologies, Inc. of Gresham, Oregon is making specialized computer evidence and electronic document discovery training available to corporations, government agencies, law firms and Big 6 accounting firms. Previously, such training was only available to law enforcement and military agencies. However, with the retirement of some of the top government forensic computer scientists and trainers, things have changed. New Technologies, Inc. has also made it a priority to create automated fuzzy logic tools that help process huge hard disk drives.
Law enforcement successes in computer related investigations are directly tied to the availability and quality of forensic software utilities. Until recently, law enforcement computer specialists were without specialized forensic tools to deal with Internet related computer evidence. As mentioned, New Technologies, Inc. recognized this deficiency and created forensic tools to deal with it. One of these new forensic tools is IPFILTER, which was specifically created to help law enforcement computer specialists identify Internet E-mail and browsing activity. Because of the increase in Internet related crimes, this program has been made available free of charge to law enforcement agencies by New Technologies, Inc. It was created primarily to help investigate cases involving child pornography, but it has proven to be a powerful tool for use in the identification of any Internet misuse. As a result, a special corporate version was created and it has been purchased by several Big 6 accounting firms and Fortune 500 corporations for use in computer security reviews and internal audits. The corporate sales of the program help defray the original development costs and provide funding for the continued improvement of the program.
From a computer investigator's standpoint, the Microsoft Windows operating system is a dream come true. After all, DOS and Windows were never designed to be secure. This is particularly true concerning Internet related evidence stored on computer hard disk drives in the form of ambient data. E-mail addresses, content and a history of Internet browsing activity potentially pass through the Windows swap file. Much of this information remains behind waiting for discovery and documentation by the computer investigator. This is essentially true of all versions of Windows and the same information becomes a potential source of computer security leakage for corporations and government agencies.
Computer investigators are fortunate that data fragments remain behind in the Windows swap file. That is the good news. The bad news is that these swap files can be huge, and picking out the various URLs can be a time consuming and tedious task. That is where the IPFILTER program comes to the rescue of the computer investigator. It relies upon fuzzy logic concepts to automatically identify patterns of E-mail addresses and URLs. The process takes just a few minutes and the output is a database file that can be reviewed or analyzed using any popular spreadsheet or database application. A copy of the public domain program DM is provided with IPFILTER, and it can be used to quickly sort through the database created by IPFILTER and provide meaningful statistical information about prior Internet activity on a specific computer. As a point of clarification, the Internet activity is identified from remnants of data stored on the computer hard disk drive and not from an analysis of web traffic or with electronic sniffers. In those cases where Windows swap files are dynamically created during the work session and then erased, the same information is left behind as a large erased file in unallocated space. Such information can be recovered and easily processed by the IPFILTER program.
The Internet and related computer evidence issues are here to stay! Because of the common belief that Internet use cannot easily be monitored by law enforcement and corporate internal auditors, it is likely that misuses of the Internet will continue in the future. Training and the availability of automated computer evidence processing utilities will be the key to success for law enforcement and corporations in the coming months and years.
IPFILTER Hints & Tips:
The IPFILTER program was created by New Technologies, Inc. to quickly and easily process binary data from Windows swap files, accumulated file slack and/or unallocated space. It relies upon fuzzy logic concepts to identify valid patterns of E-mail activity and URLs. The output from the program is in the form of a dBASE III file which can be viewed or analyzed by almost any spreadsheet or database application.
The IPFILTER program (version 2.1) was tested with a 20 meg Windows swap file. Within five minutes it had identified over 455 valid E-mail addresses and URLs. The file slack on the same computer was captured with GetSlack software, by New Technologies, Inc., and the resulting binary file was just over 600 meg. IPFILTER processed the file within 20 minutes and it identified over 30,000 valid E-mail addresses and URLs. The resulting output from both runs was statistically evaluated, and the results of a frequency distribution analysis revealed that the output from both runs tied with the known Internet activity of the user of the test computer. However, the larger sample obtained from an accumulation of file slack proved to be the most accurate. Our tests of the IPFILTER program suggest the following:
- Quick reviews of Internet activity on a specific computer can be done within ten minutes if Windows swap files are copied to external storage devices for processing. Such an analysis may be ideal for law enforcement intelligence gathering or corporate spot checks by internal auditors or security specialists.
- More valid evaluations of Internet activity on a specific computer result when file slack is dumped and analyzed. This process is more time consuming, but it tends to provide more valid results and thus better leads. The process can be performed through the use of Iomega Zip disks or Jaz disks, and the entire process of capturing the data and processing it can be accomplished within 30 minutes on most computers.
- Final decisions regarding Internet activity and possible misuses of corporate accounts should not be based solely on the output from the IPFILTER program. It is suggested that suspicious URLs be traced using a forensic text search program. Conclusions should be based on the content of E-mail documents, fragments of E-mail documents and/or graphic files actually found on the computer and as identified by the text search program.
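The article describes what IPFILTER does (carve E-mail addresses and URLs out of raw swap file, file slack or unallocated-space images, then sort the hits into a frequency table) without publishing its rules. The following Python script is an added illustration of that workflow and is not IPFILTER's code or New Technologies' method: it scans a small constructed byte buffer standing in for a swap file dump, applies plausibility checks to weed out junk that merely looks like an address (the "fuzzy" part, here reduced to simple host-label rules), records the byte offset of each hit so it can be traced back with a text search tool, and tallies the results the way the DM frequency analysis in the text is described. Writing CSV instead of dBASE III is my substitution.

```python
import csv
import re
from collections import Counter

# Constructed sample standing in for a swap file dump: protocol text and
# address fragments interleaved with NUL padding and binary noise.
SAMPLE_SWAP = (
    b"\x00\x00MAIL FROM:<alice@example.com>\x00\x00"
    b"GET http://www.example.com/index.html HTTP/1.0\r\n"
    b"\xff\xfe\x01Referer: http://www.example.com/images/logo.gif\r\n"
    b"To: bob@example.org\x00\x00\x00mailto:alice@example.com"
    b"\x00garbage@@notanaddress\x00ftp://files.example.net/pub/\x00"
    b"http://www.example.com/index.html\x00\x00"
    b"\x00user@localhost\x00"  # no top-level domain: dropped by plausible_host
)

# Candidate patterns over raw bytes. Path characters stop at whitespace,
# control bytes, high bytes and a few delimiters commonly glued to URLs.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
URL_RE = re.compile(rb'(?:https?|ftp)://[A-Za-z0-9.-]+(?:/[^\s\x00-\x1f\x7f-\xff"<>]*)?')


def plausible_host(host: str) -> bool:
    """Reject regex hits whose host part cannot be a real name (a stand-in
    for the fuzzy validity rules the article attributes to IPFILTER)."""
    labels = host.split(".")
    if len(labels) < 2:
        return False
    tld = labels[-1]
    if not tld.isalpha() or not 2 <= len(tld) <= 6:
        return False
    return all(lab and not lab.startswith("-") and not lab.endswith("-") for lab in labels)


def carve_indicators(blob: bytes):
    """Return (kind, value, byte_offset) for every plausible hit, in disk order."""
    hits = []
    for m in EMAIL_RE.finditer(blob):
        value = m.group().decode("ascii")
        if plausible_host(value.split("@", 1)[1]):
            hits.append(("EMAIL", value, m.start()))
    for m in URL_RE.finditer(blob):
        value = m.group().decode("ascii")
        host = value.split("://", 1)[1].split("/", 1)[0]
        if plausible_host(host):
            hits.append(("URL", value, m.start()))
    hits.sort(key=lambda h: h[2])
    return hits


def frequency_table(hits):
    """Count how often each distinct address or URL recurs in the image."""
    return Counter((kind, value) for kind, value, _ in hits)


def host_frequency(hits):
    """Roll hits up by host, the summary an auditor reviews first."""
    hosts = Counter()
    for kind, value, _ in hits:
        if kind == "EMAIL":
            hosts[value.split("@", 1)[1]] += 1
        else:
            hosts[value.split("://", 1)[1].split("/", 1)[0]] += 1
    return hosts


def write_csv(hits, path):
    """Write the hit list as CSV, a spreadsheet-friendly substitute for dBASE III."""
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["kind", "value", "offset"])
        writer.writerows(hits)


if __name__ == "__main__":
    found = carve_indicators(SAMPLE_SWAP)
    for kind, value, offset in found:
        print(f"{offset:8d}  {kind:5s}  {value}")
    print("--- frequency by host ---")
    for host, count in host_frequency(found).most_common():
        print(f"{count:4d}  {host}")
```

On a real image the script would read the swap file, GetSlack output or unallocated-space dump in chunks; the offsets it records are the starting point for the text search step the article recommends before any conclusion is drawn.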
More specific information about IPFILTER is available on this site, along with ordering information and software downloads. It is available free of charge to law enforcement agencies and it can be purchased by government agencies and corporations. We have received many favorable comments from law enforcement and corporate users regarding the IPFILTER program.

