
Brett Shavers | Ramblings

June 7, 2020

Facebook Spoofing: Your Reputation, Investigations, and Massive Data Collection

Posted by Brett Shavers
in Digital Forensics

A “new” article on imposter Facebook accounts was published today in the Philippines.  I put “new” in quotes because this is not a new issue, but I am glad that more public attention is being given to spoofed social media accounts.

Throughout this post, “spoofed”, “faked”, and “imposter” all mean the same thing: an account in a real person’s name that the person did not create. This is a different matter from fake accounts that a user creates as a multiplier to amplify misinformation/disinformation without impersonating a real person; the subject here is fake accounts of real people.

How does this affect you (TL;DR)?

A fake account can affect you personally by:

  • Ruining your personal reputation,
  • Destroying family relations,
  • Getting you fired from your job,
  • Having criminal charges filed against you, and
  • Creating a risk of being sued.

On the professional side, if you use Facebook as part of OSINT investigations, a fake account can lead you down rabbit trails of false and misleading information, putting an innocent person at risk of all of the above, plus other devastating problems that I have probably overlooked. Simply put, if you find your suspect’s account and treat its contents as established fact, you may end up chasing an innocent person who is being framed with disinformation.

I wonder how many alibis have been successfully used with disinformation on social media platforms...

Today’s News is Old News but it is Relevant News for Today

In the Philippines article, students and journalists are the targeted victims with spoofed Facebook accounts created in their name and without any other information, such as personal photos. Fake accounts have been happening for years, so this is not new. However, it is just as relevant today as it was years ago. Perhaps more so now than ever before.

I am using “Facebook” throughout this post because Facebook is this article’s focus, but everything I say about Facebook applies to almost any social media platform. Social media has been an amazingly positive force in the world for connecting people and sharing information, but like any tool with incredible power to do good, it has the same power to do harm.

https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

Found 3 fake Facebook accounts using my name last night. Already down (I think?) after I reported. One good thing about having a unique name is I’m sure the accounts are not owned by actual people with the same name as mine. pic.twitter.com/7TBptLnofU

— Jodesz Gavilan (@jodeszgavilan) June 7, 2020

So what?

With the standard disclaimer that I am not a lawyer: creating a fake account probably isn’t a crime in most countries, because an empty account that just sits there harms no one on its face. Fake accounts may well violate the platform’s terms of service (TOS), and the provider can remove them on that basis.

By the way, you can report a fake account to Facebook here: https://www.facebook.com/help/1216349518398524?helpref=hc_global_nav

As far as criminal laws are concerned, the Internet doesn’t create a new world of criminal laws as the Internet only facilitates existing crimes electronically. The laws are basically the same, but have a sexier title like, "computer facilitated". Meaning, harassing someone online with racial or threatening comments is not different than doing the same thing at a workplace. Threats are threats. Identity theft is identity theft. The Internet just makes it easier, faster, and more explosive. Please don’t @ me with laws on Internet crime…I’m speaking extremely broadly on the legal aspect of fake accounts. I want to focus on the more important issues that affect you personally and affect your cases.

Technically, a fake account is just a fake account if it just sits there, right? I even checked my name in Facebook and found a fake account: no photo, no information, but it is there. This is a fake Facebook page in my name (again, I did not create this).

https://www.facebook.com/pages/Brett-Shavers/163135850514643

In case you are thinking that this could be a different “Brett Shavers” with a Facebook page, I highly doubt it. In fact, this fake page was clearly created with me specifically in mind, based on seeing (1) “author” under my name, since I am an author, (2) Renton Police Department as a related page, which is where I was a detective in my former career, and (3) Amped Software - Forensic as a related page, since I am deeply involved in forensics.

There is also a notation (4) of “Unofficial Page”, which Facebook defines as a page that was not created by the named user.  If I want, I can claim this page, or merge it, or ask that it be deleted. If I were to do this, I assume it would begin a game of whack-a-mole.

The interesting thing about me and Facebook is that I do have a personal Facebook page, but I don’t use it. Nothing is on it. I don’t like the concept of Facebook for many reasons. I created it in a futile attempt to prevent someone from creating a fake Facebook in my name.  My effort was completely in vain. My real page looks like this (again, I did create this page).

 

How many fake accounts are out there?

This is one of the unknowns in life, as you can’t know the unknowable. What is known is that Facebook has deleted BILLIONS of fake accounts: by its own count, over 5.4 BILLION in 2019 alone (see the CNN article linked at the end). Consider that the planet’s population is about 7.8 billion and that at least 5.4 billion fake Facebook accounts were caught in a single year; the ones that were not caught are, by definition, uncounted. Still, this is not the most important issue to you as I move toward the juicy stuff!

The juicy stuff!

By now, I know that your brain has already gone through a dozen scenarios of how bad this situation with fake accounts sucks.  I can’t think of a better word than “sucks”, because that is how this feels. To make sure that you covered the most important scenarios in your head, here are a few to think about if you missed one.

What can a fake Facebook account do against you?

  • Target you personally
  • Target you professionally
  • Target you criminally
  • Target you civilly

These are easy to see. In this world of angry Internet users, any person can be the target of an army of one or an army of many through Internet attacks. A fake account can make you appear to be a far-left/right political threat, or a criminal peddling contraband (drugs, stolen property, etc.), or it can use your name to post threats to businesses, people, or a government. None of these are good, and all will require substantial resources to remedy, as in, prove your innocence. And the damage done to a reputation online is…permanent.

Criminals can, and do, scope out targets and monitor their social media accounts. Creating a fake account in the target’s name takes this one step and a million miles further. Imagine a fake Facebook account in your name that sends a friend request to one of your friends. Once it is accepted, your entire life’s connections can be mapped in minutes: friends, friends of friends, friends of those friends, and so forth. One fake account and you are completely exposed to an attacker. Before you are even made aware of it, the account can be deleted, and your attacker now holds a complete dossier on you for their mission of destruction.

Not cool at all.

How can fake Facebook accounts affect your investigations (criminal or civil)?

  • Misleading information
  • Disinformation

For those who use OSINT (open source intelligence) as part of civil or criminal investigations, any criminal can create a fake account to throw you off their trail and onto the trail of an innocent person. Imagine finding someone admitting to a crime on Facebook, in their name, with their photo! That breaks the case! But if the account was fake, you may or may not figure it out, and if you do not, an innocent person could end up charged with and convicted of a crime they did not commit.

Regardless of whether you can figure out that the account was faked, the effort needed to verify and corroborate the information consumes valuable time in any investigation. Your casework is affected either way.

A bigger threat?

  • Facebook data collection
  • Government collection from Facebook as a third party

Facebook collects personal data. And it sells it to other businesses. And it gives it to governments. We expect that now. The surprise no longer exists that Facebook is a data collection machine that makes money off its users’ personal information. But that is not the issue, because if you don’t want to be part of that machine, you can avoid creating a personal account. Right?

Wrong. Facebook might make a personal page for you anyway without telling you anything about it. And even if it does not make a personal and public page for you, it is certainly collecting your information anyway, even if you have never visited a www.Facebook.com page…ever.

Packet Storm wrote an amazingly important article in 2013 that describes how your personal information is collected by Facebook through friends and family who are on Facebook. Many in the security field are aware of this: John Doe posts on his Facebook page about Jane Smith. Jane Smith might not have a Facebook page and may be doing everything she can to avoid being online, but her friend John has just outed Jane to the Internet world.

Take this a step further. When John logs into the dozens of social media accounts through his mobile device or computer, he will usually give access to his contacts to the social media platform. Now, dozens of social media platforms have Jane’s contact information, even though Jane has no account on any of these platforms.  Eventually, these contacts are collected by Facebook through the same manner of allowing access to the user’s contacts, and Facebook practically has the contact information of every person on the planet who has an email address or name.

Facebook has been questioned about “shadow” accounts or “invisible” accounts and claimed that the collection of this information was a technical glitch. This bug was, in effect, mapping the world regardless if everyone had a Facebook account.

The bigger threat, even more important than being targeted by criminals, is being wrongfully targeted by a government. Let’s take the Philippines situation as an example.

“This was first reported by U.P. Cebu’s official student publication Tugani, which said it found fake accounts of student activists who were arrested in an anti-terrorism bill protest on June 5.” - https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

It seems that students who were protesting and subsequently arrested discovered fake Facebook accounts in their names. What would the purpose of that be, other than tracking people critical of their government? Over the course of human history, every group of people has had its turn at being critical of its government. Everyone takes a turn. Some nations allow public critique without interference, and other governments execute dissidents on the spot, in the street, for all to see.

3rd Party Access Trumps 4th Amendment protection

But the United States has the 4th Amendment! Come back with a warrant, bro! This is true, and generally, the Constitutional protections are followed by the US government (all levels).  I say “generally” because there is always an instance of abuse that occurs inadvertently or intentionally.

Most people aren’t intimately aware of Constitutional rights, and when asked, will usually recite something they remember from a Hollywood movie or TV show. They don’t often get it right. Those “in the know” know that Facebook’s data is not protected by the Constitution the way your home is. Your home and everything in it is protected from unreasonable search and seizure, but data you have handed to Facebook (or any third party) falls under what the courts call the third-party doctrine and gets far less protection. That means knocking on Facebook’s door with a written request for data bypasses the wall between your data and the government.

The issue is when the data with your name on it is not your data but is tied to you. Or perhaps it is your data, collected and curated by Facebook, with your entire life memorialized in a neat zip file. Hopefully, the information collected was not disinformation planted by a competitor, a criminal, or a scorned lover wanting to set you up for a fall.

All Existing Data is at Risk to be Breached

Social media platforms, and any company that collects data, are under varying degrees and sometimes opposing requirements of data preservation and data destruction. Some types of data are required to be retained for a certain number of years, and other data is mandated to be destroyed after a different number of years or months. Some providers swear they keep no data at all.

The thing is, no one really knows how long data is kept or when it is destroyed. Personally, I have written affidavits for data that should exist and been told that it does not. I have also received data that should have been destroyed but was “overlooked”, resulting in my getting extra information. On top of that, I have personally seen corporations not even know what data they were maintaining, data that they certainly should have destroyed (legally) a decade earlier.

This data, all of it, including the fake accounts, is ripe for the taking by anyone with access to it. “Access” does not only mean legal access; it includes hackers. It’s bad enough for your real data to be stolen, but it may be much worse if fake data is stolen and attributed to you.

What can you do?

Unfortunately, it is whack-a-mole with your private data, and the game doubles with the fake accounts that might be attributed to you. At one point, I made a Keybase account, where you can cryptographically prove which platforms and websites are under your control. I verified everything in the hope that if a fake account was made (and there are a few for me…), I could easily point to the verification site to disprove the fake news.

But Keybase was purchased by Zoom, and with Zoom’s security problems, I deleted my Keybase account. The good news is that Keybase did not allow me to recreate my account with the same name. That in itself is a good security feature for you: I recommend creating a Keybase account and then deleting it in order to prevent someone from creating a Keybase account in your name. Of all fake accounts, Keybase would be a bad one to have made in your name, as it professes to the world that you are you. Another example of platforms communicating (i.e., sharing) data with each other is Zoom’s iOS app sending data to Facebook, as reported by Motherboard. The funny part? Even if you don’t have a Facebook account, Zoom sends it to Facebook anyway. Add to this that Zoom purchased Keybase. Before you start spiraling into conspiracy theories about social media platforms, keep in mind that I am only focusing on fake Facebook accounts.

A personal story

Way back when, when I was a new patrol officer, my wife made a website.  This was really incredible at the time. To give you a hint of when this was, it was during dialup, and websites were made by straight typing HTML. WYSIWYG wasn’t a thing yet, but she taught herself and made a site on one of the free platforms at the time. It was a family website and because I was in law enforcement, I stressed to not use our names or personally identifiable information, especially as our kids were young at the time. Anyway, her website became popular and made it into several print magazines in Japan. Oh yeah, the website was in Japanese. This will be important to know shortly.

The punchline is that one day in patrol, dispatch sent me a message on my MDC (mobile computer) and said something to the effect of, “Hey. I found a website with pictures of you and your family on it. Did you know that?”

Long before Internet searching became really easy, a dispatcher somehow found me online with my family, on a website that was in Japanese. My wife took the site offline when I told her.

Later, in my undercover days, my threat level substantially increased. I flew around the country and internationally, many times unarmed (dumb in-country rules...), and hung out with organized crime. My conversations were with people about people they had killed or had killed, informants that were tortured, corrupt cops, smuggling humans across borders, and all things drugs and guns. I had cars drive slowly in front of my home, was followed on more occasions than I want to remember, and bumped into targets while off duty with my family. During this time, I found that a relative of mine was posting pictures of me and my family online, even knowing the job that I was doing. I blame ignorance of security more than anything, but having photos you send to friends and family end up on their social media accounts without anyone asking your permission is uncool. Then, at a point, threats and guns stuck in my belly were added to the mix. Having had a gun stuck in my belly and also had my personal information exposed online, I can say that the Internet exposure was worse. Oh yeah, my ID was stolen with all of this too.

I have more of these types of stories than any one person should have, but the point is that the Internet is a dangerous place for not only those with intelligence or law enforcement jobs, but for any person who somehow gets in the crosshairs of an angry person, or someone who needs a scapegoat for their crimes. Fake social media accounts are a serious concern, and for you, the IT, Infosec, or DF/IR pro, your first responsibility is to protect your family. Protect the world as a secondary task as you get to it.

Stay safe.

 

Billions of fake accounts: Who's messaging you on Facebook?

https://bigthink.com/politics-current-affairs/facebook-banned-accounts?rebelltitem=1#rebelltitem1

Philippines Probes Proliferation of Impostor Facebook Accounts

https://www.bloomberg.com/news/articles/2020-06-07/philippines-probes-proliferation-of-impostor-facebook-accounts

Facebook has shut down 5.4 billion fake accounts this year

https://www.cnn.com/2019/11/13/tech/facebook-fake-accounts/index.html

DOJ to probe sudden surge of fake Facebook accounts

https://www.cnnphilippines.com/news/2020/6/7/DOJ-probe-fake-Facebook-accounts.html

Shadow profiles: Facebook has information you didn't hand over

https://www.cnet.com/news/shadow-profiles-facebook-has-information-you-didnt-hand-over/

Facebook: Where Your Friends Are Your Worst Enemies

https://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html

Facebook admits year-long data breach exposed 6 million users

https://www.reuters.com/article/net-us-facebook-security/facebook-admits-year-long-data-breach-exposed-6-million-users-idUSBRE95K18Y20130621

Zoom + Keybase

https://keybase.io/blog/keybase-joins-zoom

Zoom iOS App Sends Data to Facebook Even if You Don't Have a Facebook Account

https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

June 4, 2020

You do not want to work in DFIR.

Posted by Brett Shavers
in Digital Forensics

 

The fantasy

So many people ask how they can start a career in the DF/IR field, which is completely understandable. The glamour is there. Hollywood shows vivid and dynamic computer screens depicting the fascinating work of forensics and incident response, from James Bond flicks to any of the CSI tv show series.

And the money! There is so much money to be made! WHAT A GREAT JOB!

The reality

You need to know computers. I mean, you really need to know about computers, from the basic fundamentals of how a computer works physically with hardware through how software works on that hardware. You need to be a generalist and a specialist. The time spent to learn what you need to learn requires more than you can imagine and at that point, you will still be incompetent for working in this field. You’ll just know that you don’t know enough.

Then when you feel like you have learned “enough” to do the job, if you haven’t kept up with technical aspects of the field every day, you will realize that you have fallen behind in competence faster than a boulder plummeting down a high cliff.

After you read a dozen books on the topic, spend thousands of dollars in courses and conferences, practice with all types of software, your climb to the hill of knowledge will feel like the hill is growing and you are not making any headway. 

Every device that you touch will seem like Groundhog Day because not only will it be a different scenario than the prior device, but your objectives will be different, and the software that you once used might not work for what you need this time. That means learning a new tool to handle a new device on a new case, all the while, trying to keep up with the changes that were made in an operating system from last week.

You will quickly learn that CSI on TV has it all wrong. You won’t be solving anything in the timespan of a primetime TV show and will be explaining to your boss or client constantly that Hollywood has forensics all wrong, and that you have to do research on the analysis. Then your confidence will fall because you will feel that you should have already learned how to do analysis on this particular device, but you have to now do research and figure it out like it’s the first day on the job.

Once you get the hang of this career, for as long as you want to be competent, you will be constantly seeking out training, reading, practice, and research. If you didn’t realize it before, you just learned that the process to keep up is never-ending!

Your reality

If you still want to work in DFIR after all of that, then you might be made for it. This may be your path.  I spoke about much of this with Jessica Hyde of Magnet Forensics this week, and I stand by everything I said about trying to talk someone out of a difficult profession because there are some jobs that require more effort than other jobs in terms of preparation and sustainability.

For each of us, there are jobs that we could not be paid enough to do. Those same jobs where we would never work are the same jobs that some people would pay to have. Each person is different as each job to each person is different, and there is a sliding scale for career preferences.

Any and every job is honorable. No job is beneath any of us. And if we are fortunate in this life, we can choose a job that fits both our wants and needs. DF/IR is no different in that aspect with any other profession.

The one aspect where DF/IR is different is the effort required to get started. Compared to a job where minimal skill is required, or where the skill is fairly easy to obtain, DF/IR is not only not easy, it is laborious. With that comes making a commitment to carry through just to get a chance of working in the field. If you are not committed, you are not going to make it.

If you ever competed in anything, from music to sports, you know that it takes many hours of perfect practice, many errors, and extreme focus just to be able to be competitive against everyone else. You can tell in seconds those who have prepared from those who have not. There is no competition when there is no preparation.

On the visual below, if DF/IR is not on the far green end of the arrow for you, you might not make it because it is too easy to give up on anything, let alone something that you are not fully committed to do.

Boot camp is not what you think

If DF/IR sounds like a military boot camp to you, then you got the picture that I am trying to get across. It is boot camp for your brain. You need endurance. You need focus. You need to learn to walk all over again and eventually you are running.

Side note: Boot camp is not bad. It is physically challenging. It can be self-demoralizing as you flounder about learning things that you can’t learn anywhere else. But you know the goal, want to work toward that goal, and when you achieve it, have earned the respect of putting forth your efforts. Same with DF/IR. It is the sacrifice of effort and time in exchange for learning skills.

Few things in life are more frustrating and defeating than not getting what you worked for.  We are impatient. We want what we want when we want it and not a second later. If you are lucky, you get what you want when you want it. For the rest of us, it will take time, effort, failure, time, effort, failure, time, effort, failure, and eventually success. Time = days or years, different for everyone and everyone’s personal situation.

Excuses are like…

During my first week in Marine Corps boot camp, a drill instructor was yelling at a recruit who had just given an excuse for failing at a task. The DI yelled, "Excuses are like assholes. Everyone has one and they all stink!" I don’t believe DIs can swear anymore, by the way, but the point was well made to me, and I was really glad to learn it by not being the recruit being yelled at. Don’t worry. I was given my fair share of being yelled at every day. The point is that everyone has excuses, and they get in your way if you let them.

There are some factors that will eliminate you from a specific job. For example, to be a firefighter, you need to be able to physically carry fire hoses upstairs to put out fires. If you cannot physically do that for any reason, you won’t get that job. Same with being a house painter. If you are blind, painting houses isn’t going to be possible. If you are able to perform a job, then the odds are good that you can get that job with effort.

Barring circumstances that physically prevent you from doing DF/IR, you can do this job. That might make it sound like anyone can do this job, but that is far from the truth. The only people who can do this job are the ones who dedicate themselves to continual education to keep up and learn. For those for whom DF/IR is the right fit, keeping up with the field is more entertaining than watching an action movie, because it is exciting and challenging. For those who struggle to spend the time to prepare, learn, and keep up, DF/IR is not for them.

You cried?

If you didn’t get into the school of your choice for the DF/IR degree of your choice or were turned down by the job that you really wanted, or failed to pass a certification that you studied weeks for, or couldn’t figure out something that you believe to be simple for everyone, then you are probably still on the right track. This is normal. 

And if you sat in the middle of your room and cried about your choice of working to get into DF/IR, that is ok too. You are probably still on the right path. If you consider quitting to do something else, you are even still probably on the right path.

The defining point is that after you do that once or twice or a hundred times, you stand up, crack open the book, and get back to it. If you keep doing that, you will be fine. Do not let yourself get in the way of what you are working toward.  Quitting is simply what happens when you find out that what you thought you really wanted, you didn’t want bad enough. No matter how often you fail, it is only failure when you stop trying.

Yes, it does take time.

Timing is everything. If you are lucky (I am not…), by the time you are qualified to do DF/IR, the demand is so great that you have your pick of where you want to work and how much you will accept to be paid. You might not have any downtime between being qualified to work and actual work.

For many others, it might take years to get where you want to go. Actually, it probably will take years to end up where you want to be. This is not only ok, but to be expected. Achieving what you want sooner than expected is nice but do not let this be your measure of success.

I get it

Sometimes the timing is not right for what you want. Maybe you are too early or too late for what you are after. Sometimes there are things out of your control that can prevent you from walking one path, but that does not mean you cannot walk another path that might end up being the better path for you.

Life happens to all of us. We hope to avoid life’s tragedies, but the tragedies are waiting on your path just as they are on the path of everyone else. We confront what we confront when it is time to confront them. We don’t choose when they happen, but we choose how to react.

With that, for anyone wanting to sincerely step off the DF/IR path because of any reason, I fully support the decision, because that decision to quit is probably the right decision. By the right decision, I mean that quitting means you weren’t meant for that path, but also means there is another path more fit for you.

But for those who are on the spectrum that they would pay their salary to work in this field, to learn the bits and bytes of data, and to spend whatever energy is required to get there, I am right behind you making sure you keep going.  You can cry along the way or even toss your laptop against the wall in frustration as long as you decide to keep moving forward. Cry. Wipe off the tears. Get back to work. You will be fine.

Hang on…you’re already in DF/IR?

If you do this job already, by now you should have encouraged at least one person who had a spark of DF/IR to move forward (maybe one of those folks was me!). Be an inspiration to the next generation. We now live in a world of the most negative social media, call out and cancel culture, where anyone can be brought down publicly for no reason at all. This is our world, the electronic world, the “cyber” world, and by virtue of our job, we are responsible for safety of all people. Be the force of good and make your name one to be remembered for helping someone, not tearing them down.

The experiences of anyone in this field are awesome! They are even more awesome when you can ignite a small spark of inspiration in someone who may use these skills to change the way we do business, change the way we think about DF/IR, and potentially change the world.

Don’t think this doesn’t apply to you, regardless of where you sit. You have more power to inspire someone to make discoveries in this field that would not be possible except for the spark you lit in someone. That’s pretty cool in my book.

April 25, 2020

COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.

Posted by Brett Shavers
in Digital Forensics

The meat and potatoes

A bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical aspects of the work have not changed. But what about the investigative aspect? Oh yes. That part of DFIR has certainly changed. The key change is geolocation, and it is more important than you may realize at first glance.

The full meal

Every investigation with any aspect of an electronic device has been affected due to COVID-19 and its consequence of stay-at-home/work-at-home. As far as investigations are concerned, device geolocation is perhaps the biggest impact. There are also other subtle aspects of the quarantine to take advantage of in your investigations, whether you are involved in civil or criminal investigations or corporate matters. The benefits are there to be had. Individual privacy is yet another issue but let us start with investigations.

For the most part, the impact of COVID-19 is positive for investigators. Actually, it is practically only positive. I will break down the pros and cons using the four broad categories below. They are “broad” because overlap exists, and it is nearly impossible to make a clean break between every aspect of DFIR. Every person fits in one or more of these boxes, including the privacy category.

Digital Forensics (DF) & Incident Response (IR)
  • Criminal & national security investigations
  • Breaches, ransomware

Electronic Discovery (ED)
  • Civil litigation
  • Corporate/internal matters

Open Source Intelligence (OSINT)
  • Related to any/all investigations and privacy
  • Also used on its own, unrelated to any of these items

Privacy & Surveillance
  • A separate, but just as important, consideration
  • Includes government, corporate, and personal

Digital Forensics (DF) & Incident Response (IR)

How does COVID-19 affect DFIR investigations?

For criminal investigations, the geolocation impact is the most dramatic. Compare the “before” and “current” geolocation investigative aspects of COVID-19 (specifically, criminals using mobile devices and Internet access points).

#1
Before COVID-19: Devices traveled 24/7.
Current COVID-19: Devices are at home.

#2
Before COVID-19: Multiple devices of one criminal shared the same (multiple) geolocations as other criminals, who also carry multiple devices.
Current COVID-19: The criminal’s devices share one geolocation, mostly (or only) with family or with no one else.

#3
Before COVID-19: “Burner” devices might never be turned on or used at “home”.
Current COVID-19: Burner devices need to be on at home to be used.

#4
Before COVID-19: Burner devices might not be used at the same geolocation as non-burner devices.
Current COVID-19: Both burner and personal devices share the same geolocation (home).

#5
Before COVID-19: Public wireless access points were used for communication and online criminal activity.
Current COVID-19: Personal or nearby accessible access points are being used.

#6
Before COVID-19: Face-to-face meetings to conspire were common.
Current COVID-19: Electronic communications are now more necessary.

In the above comparison, “home” is where a person lays their head. Investigators who pursue criminals focus heavily on the “home” of a criminal, which tends to be where the criminal spends most of their time, stores and creates physical evidence, and is most vulnerable to arrest. One of the most basic goals of law enforcement surveillance is to follow criminals and ‘put them to bed’, which simply means following them home. COVID-19 makes this much easier, since everyone, including criminals, must be home, or at least be at home more than usual.

Side note: An investigative truism for the vast majority of crimes is that criminals must communicate to plan, conspire, and commit crimes. The most convenient and commonly used investigative method of capturing communication is to focus on communication devices. Quarantine makes this easier.

COVID-19 Benefits Investigations

--Mobile devices

---Easier to find the home of the owner (suspect), since the device is home more.

---Easier to identify the suspect’s other devices, since personal devices are also home with the suspect.

---Cell tower dumps near a crime scene will show fewer connected devices, shortening the list of possible suspects.

---“Burners” are now burned. They travel less and are quarantined with their owners, so a burner can now be tied to a ‘home’ and to its owner at that home.

---“Burners” will now almost always be near their owner’s other devices, tying them together.

---Forensic analysis after seizure will have fewer location points to work through, which also leaves less room for false alibis.

---Heavier use of all devices (burners and personal) means more data and more evidence, because quarantine/stay-at-home has replaced much face-to-face communication with electronic communication.

--IP Addresses

---Heavier use of personal Internet connections.

---More borrowing of a neighbor’s Internet access.

---Higher chance of protective measures (VPNs, Tor, etc.) being inadvertently misconfigured or neglected for one or many communications.

With criminals home more than usual, identifying their devices, tying the devices to them, and identifying the “homes” of criminals has never been easier. As long as you have either the device information (e.g. the phone number) or the home address, tying the two together is simpler than pre-COVID-19. A mobile device, burners included, now lives at its owner’s home for more hours per day than before, because the owner is home for more hours. Cautious criminals who would never turn on a burner at home now have little choice.

  • A home address can be assumed and later confirmed using mobile device geolocation, such as location records obtained from service providers.
  • Given a home address, device information can be obtained from cell tower dumps covering that address, or by other technical means of capturing mobile device connections.

Another side benefit of COVID-19 for investigations is the increased use of electronic devices to communicate. Criminals must still leave their homes to commit traditional, non-computer crimes, but their use of mobile communications still increases. More calls to more phones build a more thorough link analysis of criminals and their co-conspirators. Traditional policing is also made easier with fewer cars on the road and fewer places for criminals to blend in with the public (such as a crowded restaurant or park).

Cell tower dumps in the area of a crime, which pre-COVID-19 could return hundreds of devices per tower, might now return only a handful, which greatly narrows the list of potential suspects.
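
The two analyses described above, narrowing a crime-scene tower dump and tying a burner to its owner's personal phone through shared location, are shown below as an added example; it is not code from the original post, and the data is constructed. The CSV layout (device, tower, first_seen, last_seen) is an assumption, since real carrier records use provider-specific formats, and the device names (P1 personal phone, B1 burner, F1 family member, N1 neighbor on the same cell, X1 passer-by) are invented for the illustration.

```python
# Added example, not code from the original post. Tower-dump narrowing and
# burner-to-owner co-location over constructed records. The CSV layout
# (device, tower, first_seen, last_seen) is an assumption; real carrier
# records use provider-specific formats and field names.
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO
from itertools import combinations

# Constructed sample dump for one day (not real data). T_HOME is a residential
# cell, T_SCENE covers the crime scene, T_MALL is elsewhere in town.
# P1 = suspect's personal phone, B1 = burner, F1 = family member's phone,
# N1 = neighbor on the same cell, X1 = unrelated passer-by.
SAMPLE_DUMP = """\
device,tower,first_seen,last_seen
P1,T_HOME,2020-04-20T00:00:00,2020-04-20T08:00:00
P1,T_SCENE,2020-04-20T09:00:00,2020-04-20T10:00:00
P1,T_HOME,2020-04-20T11:00:00,2020-04-20T23:59:59
B1,T_SCENE,2020-04-20T09:10:00,2020-04-20T09:50:00
B1,T_HOME,2020-04-20T18:00:00,2020-04-20T23:00:00
F1,T_HOME,2020-04-20T00:00:00,2020-04-20T23:59:59
N1,T_HOME,2020-04-20T00:00:00,2020-04-20T23:59:59
X1,T_MALL,2020-04-20T08:00:00,2020-04-20T09:20:00
X1,T_SCENE,2020-04-20T09:30:00,2020-04-20T09:40:00
"""


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_dump(text):
    """Parse CSV dump text into connection records with datetime bounds."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({"device": row["device"], "tower": row["tower"],
                     "start": _as_dt(row["first_seen"]), "end": _as_dt(row["last_seen"])})
    return rows


def _overlap_seconds(a_start, a_end, b_start, b_end):
    """Seconds in the intersection of two time intervals (0 if they do not meet)."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(0.0, (end - start).total_seconds())


def devices_at_tower(rows, tower, window_start, window_end):
    """Tower dump: every device whose connection to `tower` overlaps the window."""
    w_start, w_end = _as_dt(window_start), _as_dt(window_end)
    return sorted({r["device"] for r in rows if r["tower"] == tower
                   and r["start"] < w_end and r["end"] > w_start})


def home_tower(rows, device, night=(time(0, 0), time(6, 0))):
    """Tower where the device spends the most time in the overnight window, or
    None if it is never seen overnight (typical of a burner switched on only
    for calls, which is why it has to be linked through its owner's phone)."""
    seconds = defaultdict(float)
    for r in (r for r in rows if r["device"] == device):
        n_start = datetime.combine(r["start"].date(), night[0])
        n_end = datetime.combine(r["start"].date(), night[1])
        seconds[r["tower"]] += _overlap_seconds(r["start"], r["end"], n_start, n_end)
    best = max(seconds.items(), key=lambda kv: kv[1], default=(None, 0.0))
    return best[0] if best[1] > 0 else None


def colocation(rows):
    """Pairwise co-location: for each device pair, the number of distinct towers
    shared and the total seconds spent on the same tower at the same time."""
    by_tower = defaultdict(list)
    for r in rows:
        by_tower[r["tower"]].append(r)
    seconds, towers = defaultdict(float), defaultdict(set)
    for tower, recs in by_tower.items():
        for a, b in combinations(recs, 2):
            if a["device"] == b["device"]:
                continue
            shared = _overlap_seconds(a["start"], a["end"], b["start"], b["end"])
            if shared > 0:
                pair = tuple(sorted((a["device"], b["device"])))
                seconds[pair] += shared
                towers[pair].add(tower)
    return {pair: (len(towers[pair]), seconds[pair]) for pair in seconds}


def rank_owner_candidates(rows, burner):
    """Rank other devices as the burner's likely owner: more distinct shared
    towers first (co-travel beats merely sharing a residential cell with the
    whole street), then more shared seconds."""
    cands = []
    for (d1, d2), score in colocation(rows).items():
        if burner in (d1, d2):
            cands.append((d2 if d1 == burner else d1, score))
    return sorted(cands, key=lambda c: c[1], reverse=True)


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print("Devices on the crime-scene tower 09:00-10:00:",
          devices_at_tower(rows, "T_SCENE", "2020-04-20T09:00:00", "2020-04-20T10:00:00"))
    print("Home tower of P1:", home_tower(rows, "P1"), "| of B1:", home_tower(rows, "B1"))
    for device, (n_towers, secs) in rank_owner_candidates(rows, "B1"):
        print(f"B1 ~ {device}: {n_towers} shared tower(s), {secs / 3600:.1f} h together")
```

Two caveats the data illustrates. The burner B1 has no overnight presence at all, so it cannot be given a home tower on its own and is only placed by ranking it against the devices it shares cells with. And at tower granularity the family phone F1 and the neighbor N1 score identically against B1; what separates the owner P1 is that B1 co-travels with P1 to a second tower. A single residential cell covers many households, so tower-level co-location is a candidate list to confirm with subscriber records, handset data or finer location sources, not an identification.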

Successful criminal hackers take great pains to hide their true identity and location. Whether using VPNs or Tor, one of the basic premises is to never connect to the wire with anything that ties back to your home or work. For the most part, the quarantine forces the use of a home Internet connection or a nearby neighbor’s connection. One error made in complacency, or one technical failure, can expose everything. Investigators should take advantage of the increased possibility of tracking a criminal hacker to their home, as compared to tracking them to any one of thousands of public WiFi spots at libraries, coffee shops, and across entire cities with public WiFi.
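
The single-failure scenario above, one session among many that did not go through the anonymizer, is shown below as an added example; it is not code from the original post. Both logs, the account names (ghost, jdoe, alice) and the address ranges are constructed from RFC 5737 documentation blocks and stand in for a real VPN/Tor exit list and real access logs.

```python
# Added example, not code from the original post. Finds the sessions of a
# pseudonymous account that did not come through a known anonymizer exit and
# pivots the leaked address into another log. The ranges, logs and account
# names are constructed (RFC 5737 documentation blocks), standing in for a
# real VPN/Tor exit list and real service logs.
import ipaddress
from collections import Counter, namedtuple

Event = namedtuple("Event", "ts user ip")

# Constructed: ranges the investigator has attributed to anonymizers.
ANONYMIZER_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",  # stands in for a commercial VPN provider's exits
    "203.0.113.0/24",   # stands in for Tor exit relays
)]

# Constructed access log of the pseudonymous account: "timestamp user src_ip".
SUSPECT_LOG = """\
2020-04-20T01:12:03Z ghost 198.51.100.17
2020-04-20T02:40:55Z ghost 203.0.113.9
2020-04-20T03:05:10Z ghost 192.0.2.77
2020-04-20T14:22:41Z ghost 198.51.100.41
2020-04-21T00:58:19Z ghost 203.0.113.22
2020-04-21T01:30:02Z ghost 192.0.2.77
"""

# Constructed log from an unrelated service where users log in under real names.
OTHER_LOG = """\
2020-04-19T20:00:00Z alice 192.0.2.100
2020-04-20T19:45:12Z jdoe 192.0.2.77
2020-04-21T18:02:33Z jdoe 192.0.2.77
"""


def parse_log(text):
    """Parse 'timestamp user src_ip' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append(Event(ts, user, ipaddress.ip_address(ip)))
    return events


def is_anonymized(ip, ranges=ANONYMIZER_RANGES):
    """True if the source address falls inside any known anonymizer range."""
    return any(ip in net for net in ranges)


def find_leaks(events, ranges=ANONYMIZER_RANGES):
    """Sessions that reached the service directly, bypassing every known exit."""
    return [e for e in events if not is_anonymized(e.ip, ranges)]


def leaked_addresses(events, ranges=ANONYMIZER_RANGES):
    """How often each non-anonymized address recurs; a repeat points at a fixed line."""
    return Counter(str(e.ip) for e in find_leaks(events, ranges))


def pivot(leaks, other_events):
    """Identities seen from the leaked addresses in another data source."""
    leaked_ips = {e.ip for e in leaks}
    return sorted({e.user for e in other_events if e.ip in leaked_ips})


if __name__ == "__main__":
    suspect = parse_log(SUSPECT_LOG)
    leaks = find_leaks(suspect)
    print(f"{len(leaks)} of {len(suspect)} sessions bypassed the anonymizer:")
    for e in leaks:
        print(f"  {e.ts} {e.user} from {e.ip}")
    print("Recurring leaked addresses:", dict(leaked_addresses(suspect)))
    print("Identities seen from those addresses elsewhere:", pivot(leaks, parse_log(OTHER_LOG)))
```

The check is only as good as the exit list: an address missing from it shows up as a leak, and an unlisted exit shows up as a false lead, so the recurrence count matters more than any single hit. A leaked address also identifies a subscriber line rather than a person; as noted above, that line may be a neighbor’s borrowed connection, so the pivot gives a lead to confirm with subscriber records, not an identification.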

One negative of COVID-19's quarantine is not being able to physically place co-conspirators together by way of geolocation, such as two devices being at the same place at the same time. In cases I have had, whenever I could identify the date and place where a group of conspirators would meet to talk, such as at a dinner or in a parking lot, identifying every device in the area made for a good operation. This was really beneficial, as not every person in an organization will call every other person in that organization, so tying devices together otherwise requires more labor. Conversely, in the quarantined world, everyone in the organization will need to call more of those in the organization to communicate.

As far as when the quarantine is lifted and we reach the new normal, the historical geolocation data available will still benefit future cases, both with device forensic analysis and with third-party service providers holding the geolocation data.

Electronic Discovery (ED)

Compared with criminal and civil investigations, COVID-19 poses more risk to businesses. Companies that allow remote work from their employees’ homes without appropriate precautions are creating a situation of intermingled personal and business data.

Employees who now have open access to their employer’s systems from personal devices may be the biggest risk employers have taken on in the past decade. On one hand, data mingling can create a substantial legal issue in litigation, where company data may be intentionally or inadvertently saved onto personal computers. On the other, personal computers with outdated anti-virus or unsupported operating systems increase the chance of the company being compromised through an employee’s personal system.

Companies that had already been supporting remote work by providing systems maintained by internal IT staff and using protected connections (not simply connecting directly to the network…) have no concerns they did not have before COVID-19. For the rest, I can foresee some problems.

Open Source Intelligence (OSINT)

OSINT is fun for the curious. It is also an effective investigative method, and an equally effective victimization tool. With COVID-19’s quarantine, those who want to keep their homes semi-private yet remain socially available online are at greater risk of exposure.

Being at home more means most photos posted to social media will be taken at home. More family photos. More photos of a home’s interior and exterior. All of which can raise safety concerns for some.

For investigators, applying OSINT to cases where suspects are using social media simply means gathering more relevant and home-based geolocation data.

Privacy & Surveillance

Being anti-crime does not mean that you must be anti-privacy, but most governments will try to convince you otherwise. All of the above-mentioned investigative benefits of COVID-19 have a perverse counterpart in the potential loss of personal privacy. The key questions are who is being watched, for what reason, and with what justification.

Right behind any government are the many tech companies with the ability to collect personal data from their users, privacy be damned. The stated intention is the public good, but the data is primarily, if not solely, a revenue source (your data is sold, and sold, and sold again). Now we are online more because we are home more (practically 24/7), which creates more data to be collected: the websites we visit, the online shows and videos we watch, and the purchases we make.

A government’s view of “data hoarding” is for the public’s benefit.

A corporate’s view of “data hoarding” is for corporate benefit.

Now comes COVID-19, and the two merge. Corporate tech giants (small tech too!) are partnering with governments, both for the public good of tracking people via mobile devices and, certainly, for the sale of the data. The most effective way to convince anyone to give up a bit of privacy is to promise a chunk of security in exchange. In times of panic or worry, not only is this easy to accomplish, but the exchange tends to be a large piece of privacy for a false hope of security.

https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/

Post COVID-19

I expect the mobile apps being developed today, which track infected persons and their interactions with the non-infected, to become more commonly used. The Apple-Google effort to use Bluetooth to track people in the name of public safety can easily be applied to many other things, much as dating apps and other friendly location-sharing apps already do.

For the investigator, these data sources have always been treasure troves for placing a suspect at a scene. They will now go into hyperdrive, collecting data through willing user consent, default app configurations, and covert monitoring.

Summary

Forensic analysis is the same. Investigations have (temporarily) changed. Good investigators continually look for breaks in a case, are always open to a break, ready to exploit a break, and creative in trying to find one. Don't let COVID-19 be anything other than a potential way to solve a case. For business owners and managers, it is not too late to update computer-use policies to protect how employees connect to the company's data.

Committing crimes today is not as easy as yesterday. Neither is keeping your privacy.



© 2023 Brett Shavers