The Internet, often referred to as the “information superhighway,” has opened a medium for people to communicate and to access millions of pieces of information from computers located anywhere on the globe. No subject or profession remains untouched by the Internet, and this is so for forensic science. A major impact of the Internet will be to bring together forensic scientists from all parts of the world, linking them into one common electronic community.
The Internet can be defined as a “network of networks.” A single network consists of two or more computers that are connected to share information. The Internet connects thousands of these networks so all of the information can be exchanged worldwide. Connections can be made through a modem, a device that allows computers to exchange and transmit information through telephone lines. Higher speed broadband connections are available through cable lines or through DSL telephone lines.
Computers can be linked or networked through wire or wireless (WI-Fi) connections. Computers that participate in the Internet have a unique numerical Internet Provider (IP) address and usually a name.
The most popular area of the Internet is the World Wide Web. It is considered a collection of pages stored in the computers connected to the Internet throughout the world. Web browsers allow the user to explore information stored on the Web and to retrieve Web pages the viewer wishes to read. Several directories and indexes on the Internet, known as search engines, are available to assist the user in locating a particular topic from the hundreds of thousands of web sites located on the Internet. Commercial Internet service providers connect computers to the Internet while offering the user an array of options. A keyword or phrase entered into a search engine will locate sites on the Internet that are relevant to that subject.
The service that is most commonly used in conjunction with the Internet is electronic mail (e-mail). This communication system can transport messages across the world in a matter of seconds. Extensive information relating to forensic science is available on the Internet. The types of Web pages range from simple explanations of the different fields of forensics to intricate details of forensic science specialties.
Evidence of Internet web browsing typically exists in abundance on the user’s computer. Most web browsers (Internet Explorer, Netscape, and Firefox) utilize a system of caching to expedite web browsing and make it more efficient. This web browsing Internet cache is a potential source of evidence for the computer investigator. Portions of, and in some cases, entire visited web pages can be reconstructed. Even if deleted, these cached files can often be recovered.
To appreciate the value of the “cookie” you must first understand how they get onto the computer and their intended purpose. Cookies are placed on the local hard disk drive by the web site the user has visited. This is, of course, if the particular web browser being used is set to allow this to happen. A cookie is used by the web site to track certain information about its visitors. This information can be anything from history of visits or purchasing habits, to passwords and personal information used to recognize the user for later visits.
Most web browsers track the history of web page visits for the computer user. This is probably done merely for a matter of convenience. Like the “recent calls” list on a cell phone, the Internet history provides an accounting of sites most recently visited, with some storing weeks worth of visits. Users have the availability to go back and access sites they most recently visited, just by accessing them through the browser’s history. The history file can be located and read with most popular computer forensic software packages
Another way users can access websites quickly is to store them in their “bookmarks” or “favorite places.” Like a pre-set radio station, Internet browsers allow a user to bookmark websites for future visits. A lot can be learned from the bookmarked sites of a person. Perhaps you might learn what online news a person is interested in or what type of hobbies he/she has. You may also see that person’s favorite child pornography or computer hacking sites bookmarked.
Computer investigations often begin or are centered around Internet communication. It may be: a chat conversation amongst many people, an instant message conversation between just two individuals, or the back and forth of an e-mail exchange. Human communication has long been a source of evidentiary material. Regardless of the type, investigators are typically interested in communication
In our earlier discussion, it was stated that in order to communicate on the Internet a device needs to be assigned an Internet Protocol (IP) address. The IP address is provided by the Internet Service provider from which the device accesses the Internet. Thus it is the IP address that might lead to the identity of a real person. If an IP address is the link to the identity of a real person, then it would quite obviously be very valuable for identifying someone on the Internet
IP addresses are located in different places for different mediums of communications. E-Mail will have the IP address in the header portion of the mail. This may not be readily apparent and may require a bit of configuration to reveal. Each e-mail client is different and needs to be evaluated on a case by case basis. In the case of an Instant Message or Chat session, the particular provider (the one providing the mechanism of chat - AOL, Yahoo, etc.) would be contacted to provide the users IP address).
Finding IP addresses may be difficult. E-mail can be read through a number of clients or software programs. Most accounts offer the ability to access e-mail through a web-based interface as well. Often the majority of chat and instant message conversations are not saved by the parties involved. Each application needs to be researched and the computer forensic examination guided by an understanding of how it functions.
Unauthorized computer intrusion, more commonly referred to as hacking, is the concern of every computer administrator. Hackers penetrate computer systems for a number of reasons. Sometimes the motive is corporate espionage and other times it is merely for bragging rights within the hacker community. Most commonly though, it is a rogue or disgruntled employee, with some knowledge of the computer network, who is looking to cause damage. Despite the motivation, Corporate America is frequently turning to law enforcement to investigate and prosecute these cases.
Generally speaking, when investigating an unauthorized computer intrusion, investigators will concentrate their efforts in three locations: log files volatile memory network traffic
Logs will typically document the IP address of the computer that made the connection. Logs can be located in several locations on computer network. Most servers that exist on the Internet track connections made to them through the use of logs. Additionally the router, ( the device responsible for directing data) might possibly contain logs files detailing connections. Similarly, devices known as firewalls might contain log files which list computers that were allowed access to the network or an individual system.
Many times, in cases of unlawful access to a computer network, some technique is used by the perpetrator to cover the tracks of his IP address. Advanced investigative techniques might be necessary to discover the true identity. Where an intrusion is in progress the investigator might have to capture volatile data (data in RAM). The data existing in RAM at the time of an intrusion may provide valuable clues into the identity of the intruder, or at the very least the method of attack. In the case of the instant message or chat conversation, the data that exists in RAM needs to be acquired
Another standard tactic for investigating intrusion cases is documenting all programs installed and running on a system. By doing this the investigator might discover malicious software installed by the perpetrator to facilitate entry. This is accomplished utilizing specialized software designed to document running processes, registry entries, and any installed files.
The investigator may want to capture live network traffic as part of the evidence collection and investigation process. Traffic that travels the network does so in the form of data packets. In addition to containing data these packets also contain source and destination IP addresses. If the attack requires two-way communication, as in the case of a hacker stealing data, then it needs to be transmitted back to the hacker’s computer.
To get there, the destination IP address is needed. Once this is learned, the investigation can focus on that system. Moreover, the type of data that is being transmitted on the network may be a clue as to what type of attack is being launched, if any important data is being stolen, or types of malicious software, if any, that are involved in the attack.