How Digital Forensics Can Help Reveal Online Fraud
Digital forensics helps criminal investigations unearth emails, texts and other digital data as evidence.
CREDIT: Nata-Lia | Shutterstock.com
As people live more of their lives online, digital forensics has begun to take on a larger role in investigations and court cases. Much of the evidence in the Rutgers bullying and suicide case, for example, includes records of the digital chatter between college students. On March 26, Facebook's lawyers asked for the dismissal of a case that claims Facebook CEO Mark Zuckerberg inked a deal in 2003 that gave a 50 percent claim to Facebook to a New York man named Paul Ceglia. A portion of Facebook's evidence comes from digital digging on the emails between Zuckerberg and Ceglia, including some emails lawyers say Ceglia forged. How do forensic scientists gather digital evidence, and how do they detect instances of fraud?
Tracing digital breadcrumbs
Often, digital forensics scientists need to recover deleted data, said two practicing analysts InnovationNewsDaily contacted. It's possible because when someone deletes a file on his hard drive, that data doesn't actually disappear right away. Instead, the computer marks that place in its memory as available, but doesn't overwrite what was there before until some new file gets saved to that same place. Data isn't generally recoverable once its space is reallocated, however. "You can't go back and find out what was there before, not generally," said Gary Kessler, who owns a consulting company and works as an examiner for the Vermont Internet Crimes Against Children Task Force.
The files analysts do gather are marked with much more than whatever content the file's creator typed in. Emails, in particular, contain a wealth of information hidden in what are called headers. Other major file types, such as PDFs, also have headers. "The headers track 'When was it sent?' and 'What service was it sent through?'" said Andrew Hoog, an Illinois-based analyst who co-founded a security and computer forensics company, viaForensics. As an email journeys from its sender to its recipient, the servers it encounters along the way add their own information to the header. Digital forensic scientists dig through those headers and look for anomalies.
It's difficult for criminals to recreate the entire trail of breadcrumbs an email leaves as it's sent from one person to another. Many people who try to forge or alter emails will change details in one or two locations where the email is saved. But between the sender's computer, the server the email is sent through and the receiver's computer, an email may be saved in dozens of places, Hoog said. It's a big red flag if an email exists on one person's computer, but not anywhere else. Facebook's lawyers say that the emails they contend Ceglia forged don't exist on Harvard University's servers.
Missing and encrypted data
Analysts don't always have access to all the places an email or another file goes, however. The sender or recipient may have deleted the email and discarded his older computer. Usually, the server only keeps copies of emails for a couple months, though private companies may keep copies of their emails for longer. Generally, analysts don't have all the data they need to trace an email's entire journey, Kessler said. Then the message's authenticity is more difficult to determine.
Barring missing data, most people's devices are easy to peer into, for someone with the right tools and an authorized search warrant, Kessler said. He uses commercially available tools to scrape and sort through the data in a computer or smartphone. The Amazon.com description of a book Hoog authored about analyzing Apple devices says direct messages on Twitter, searches for directions entered in mapping apps, banking information from banking apps and some deleted text messages can all be recovered from smartphones.
On the other hand, a "technically aware, technically astute" person can encrypt data so it's harder to reach for law enforcement, Kessler said. People can learn some techniques just by searching the Internet. "It's not rocket science," he said. In the case of encrypted or password-protected data, different jurisdictions in the U.S. have varying laws about whether people must turn over their passwords during an investigation.
The future of digital data sleuthing
Coming digital trends will have different effects on the different aspects of a digital investigator's job.
If people save their data in "the cloud," or remotely operated servers that offer more memory than individual computers, analysts won't be able to recover files deleted there, Kessler said. The space that the cloud frees when someone deletes a file is quickly taken by someone else. On the other hand, larger memory devices mean space freed by deleted files is less likely to get overwritten soon. "I've got a thumb drive — a very large thumb drive, to be sure – where we found [deleted] pictures taken in 2008," Kessler said.
Some newer digital data have very short life spans, which makes them difficult for investigators to find. Servers don't save tweets for long. The contents of texts are difficult to verify if both the sender and recipient don't have copies on their phones. Service providers only have evidence that a text was sent, not what it said.
And devices are tracking more and more data than ever. "The sheer quantity of information we're finding, particularly on mobile devices, is a challenge," Kessler said. There's also debate in the field regarding how much people expect investigators can find in a mobile device and whether investigations are fair if they don't align with people's understanding of their devices. For example, smartphone owners may not be aware that a warrant that allows analysts to search a whole phone – depending on the case, analysts may only have access to some parts of a device's memory – will unearth thousands of GPS points their phones have recorded over time.
But all that data doesn't necessarily make investigations easier, Kessler said. Nondigital sleuthing is still needed to connect a device with a perpetuator. "It's relatively easy to show that a computer has been used to, say, hack into a bank, but much harder to put my fingers on the keyboard of the computer," he wrote in a later email to InnovationNewsDaily. "So, we're gathering more information than ever before, but that information comes with its own complexity."