The most enduring principle of detective work is Locard's exchange principle. Developed by the father of forensic science, Dr. Edmond Locard (1877-1966), it states that a perpetrator of a crime will both take something from the scene of the crime and leave something behind. Whether a fingerprint, a cigarette butt, a bloody glove, or the murder weapon itself, as in the literal "smoking gun," most criminals slip up and get sloppy in the commission of their crimes. Fast forward over one hundred years and Locard's exchange principle endures in the practice of computer forensics.

In today's post, we'll examine a few of the common and some not-so-common digital fingerprints that cybercriminals leave behind in computer files. We'll examine the common file types and how they are often manipulated to hide data using various techniques. Finally, we'll take a look at a recent case where the digital version of Locard's exchange principle outed the perpetrator of a high-profile cybercrime.

Time is of the essence when coming upon any crime scene, both traditional and digital. Watch enough CSI-type dramas on TV and you'll quickly gain an appreciation for the need to preserve a crime scene. It's no wonder the lead detective gets cranky when the press starts traipsing all over his or her crime scene. Preserving evidence in computer forensics requires the same degree of urgency.

The ultimate goal is to make a case using evidence taken from the crime scene so that it can then be presented in a court of law in a criminal trial. Preserving evidence and maintaining its integrity using imaging and hashing is the first order of business. A chain of custody for the evidence must be established and maintained throughout the investigation, up to and including the analysis and prosecution phases. This is serious business, and with so much riding on the outcome, sloppiness and slip-ups can't be tolerated.

The analysis phase of a computer forensics investigation is where the skills and creativity of the investigator are challenged and also allowed to shine. Incriminating evidence in the form of data can be found in a number of places, both in digital and physical form. Thumb drives have been found hidden in lamp shades and in ceiling tiles, left there by former employees and contractors who missed the opportunity to retrieve them.
Data can also be hidden in files intentionally, in the case of steganography, or by obscuring the file extension.

Steganography is the practice of hiding information in data files, using extraneous bytes within image or audio files to squirrel away information from prying eyes. This tactic is used by those trafficking in child pornography to hide illicit image files and by terrorists and spies to send secret messages to confederates. Various techniques and software tools exist to sniff out this kind of hidden data. Here's a comprehensive list of free computer forensics tools for you to check out.

Another form of data hiding is masking the file extension. Renaming a text file to a .jpg file is easy enough to do and even easier to uncover: double-clicking on such a modified file will result in the OS throwing up an error message stating that the file appears to be corrupted. In Windows, this technique can be taken a step further. You can easily merge a document with an image file using the command line. A secret .pdf file could be merged with an innocuous .jpg file so that when the file is opened, the image is displayed. Anyone wanting access to the secret .pdf would then simply rename the file back to its original .pdf name. Searching for this kind of hidden data requires a more comprehensive search method, one that looks at the bytes of the file rather than its name.

Finally, there's the digital equivalent of dusting data files for prints. The metadata of common file types offers up a wealth of information. Language and keyword settings have identified the place of origin for both malware and other files uncovered in a cybercrime. A recent example provides an instructive and somewhat humorous example of this type of analysis in practice.

When it was revealed that the computer systems of the DNC had been hacked during the US Presidential Primary season, a great deal of speculation arose around who was behind it. Initially, a middle-aged hacker of rather modest skill from Romania came forward to take the credit. He even produced several documents to prove his claim. Suspicions quickly arose, and the hacker and cybersecurity community undertook a crowd-sourced effort to delve further into the case.

This group of independent investigators quickly uncovered evidence implicating Russian involvement with the hack. The website created to host the stolen documents, dcleaks.com, was traced back to Russia, along with analysis of metadata in some of the files associated with the breach.
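The two extension tricks described above, a file renamed to .jpg whose bytes are not a JPEG and a document appended to a real image, can both be caught by looking at the bytes instead of the name. The following is an added example, not code from the original post; the file signatures and the sample image bytes are constructed here for illustration.

```python
import os

# Magic-byte signatures for the common file types discussed above.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",  # also the container used by .docx/.xlsx
}
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip"}
JPEG_EOI = b"\xff\xd9"

def detect_type(data):
    """Type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(filename, data):
    """True when the extension claims a type we know but the bytes disagree."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    if ext not in SIGNATURES.values():
        return False  # extension makes no claim we can check
    return detect_type(data) != ext

def jpeg_end(data):
    """Offset just past the image's real EOI marker. Segments are walked up to
    SOS so an EXIF thumbnail's own EOI is not mistaken for the image's; byte
    stuffing keeps FFD9 out of the entropy-coded data that follows SOS."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:  # start of scan
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    eoi = data.find(JPEG_EOI, pos)
    return None if eoi == -1 else eoi + 2

def trailing_payload(data):
    """For a JPEG, return (offset, type) of anything appended after the EOI,
    e.g. a PDF concatenated onto the image. None if the image ends cleanly."""
    end = jpeg_end(data) if data.startswith(b"\xff\xd8") else None
    if end is None or end >= len(data):
        return None
    return end, detect_type(data[end:])

# Constructed sample: a minimal JFIF image (34 bytes) with a PDF appended.
TINY_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
MERGED = TINY_JPEG + b"%PDF-1.4\n% hidden document bytes\n%%EOF\n"
```

Running `trailing_payload(MERGED)` reports a PDF starting at byte 34, and `extension_mismatch("notes.jpg", b"plain text")` flags the renamed text file that the OS would only report as "corrupted".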
But perhaps most incriminating was the discovery of the Russian version of the smiley emoticon, ))), in some of the files associated with the hack. This is actually the Russian equivalent of laughing. As it turns out, Russian smileys have no eyes. The reason for this deformity varies and is often attributed to the awkwardness of having to type shift + 6 to type a colon. This entertaining Quora.com article has more about this topic.

Computer forensics is a fascinating field. It combines technology, human psychology, legal and police work, and a dogged determination to see a case through to the end. If you're like me and you enjoy a good detective story, then maybe a career in computer forensics is your ticket to an exciting and rewarding career. As always, we've got all your IT and cybersecurity certification training needs covered right here on Cybrary.it!