Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’.  As important an analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.  An investigation without an identified suspect is a case that remains open and unsolved..sometimes for years or forever.

In many investigations (civil and criminal), identifying the computer user is obvious through confessions or by process of elimination.  Proving a specific person was at the keyboard is barely a consideration since the person either admitted control of the device or was caught red-handed and the examiner can focus more on the user activity on the computer devices rather than spending time identifying the user.

However, simply accepting the suspect’s identity without further investigation into other aspects of the suspect’s identity may sell the investigation short.  Whether the suspect is known or unknown, compiling a complete identity of the suspect adds important information that is beneficial to a case, such as motives, intentions, and identification of more crimes.  The most important point is that a physical person that has been identified, or even arrested, does not give a complete identity of that person.  It is only the physical identity.  Investigators should strive to compile a complete identity that includes digital identities.

So what’s in it for you?

Building a case against a suspect requires more than just finding evidence.  A case needs evidence to point to a suspect as well as showing motive and opportunity.  Providing evidence of every identified persona of a suspect paints a picture of the suspect, to include intent, desires, motive, behaviors, and overall character to add to the supporting evidence.  In short, you get a better case.

The Complete Identity

A physical identity (aka biometric identity) and digital identity comprises the complete identity of a person.  Biometrical features of a person, such as fingerprints and eye color, are bound to the physical identity and typically permanent to the person depending on the feature.  Although eye color can be temporarily changed with color contacts and hair can be temporarily dyed to a different color, the majority of physical features cannot be changed without drastic injury or surgery. 

Internet users create digital trails of use and subsequently (and without intention) create digital personas based on their unique computer use.  The normal, everyday use of the Internet creates a digital identity that is based on Internet surfing habits (the Websites visited), communications made online through forums, chats, e-mails, blog posts and comments, and through the accounts created for online services to include online shopping.

Compiling the digital identity and physical identity may seem like an obvious and easy task, but assembling the identities is not so simple.  In an ideal case, a suspect has a single physical identity and a single digital identity, but in reality, a person may have multiple physical personas tied to a single physical identity and multiple digital personas.  Some personas may be intentional while others unintentional.  For example, a criminal wanting to travel in a name other than his true name may create or purchase a fake driver’s license. As he goes about using the fake or stolen driver’s license, he creates a persona under the false name.  Although this persona is not truly a ‘physical’ identity, as it is not biometrically tied to a physical body, it is part of his physical identity as he uses the false name as if it were his true name. 

One example of a digital identity is the accumulation of normal Internet and computer use.  A person’s computer use is generally a reflection of that person’s personality, desires, and intentions.  The unique activity of one device is typically replicated across devices under that person’s control.  For instance, given a new computer, a user will configure it by personal preference by arranging icons, colors, sounds, and folder structure to save.  When the user has an additional computer, both computers will have a very similar order of computer activity when used over time and will even look the same, such as the placement of desktop icons and wallpaper choice.  Configurations of the computers will likely be similar, if not exact for some items, and Internet use will most certainly mirror each other by bookmarks and frequently visited Websites.  Merely comparing the type of computer use and configuration between two or more devices can give an indication that the same person used all of the devices. 

Adding to the complexity of finding both digital and physical identity of a suspect is that of multiple aspects of both types of identity.  A person leading a double life may have two spouses and two jobs with one being a false identity.  This person is physically tied to both identities, even if the false identity contains no true information.   Leading a double life is an extreme example of a fake physical identity, and examples that are more common include using a fake ID to make consumer purchases, or using fake names to register at hotels.  The depth of a fake physical identity depends upon the person’s intention and resources. Types of physical identifiers are seen in the following figure.

Digital identities, being far easier to create, generally mean that any one person can have multiple, or even hundreds, of fake digital identities.  A harassment suspect may have dozens of online identities that he uses to harass a single victim or victims through repeated e-mails from different e-mail accounts created to appear as different people.  In any investigation, treat each digital identity as its own identity that will be tied to a physical person at some point in the investigation.  Each identity gives information about a person based on the fake identity, whether the only information is the username of an e-mail or a completely falsified social networking account.

An example of having multiple digital identities is that of one fake identity used to create specific online accounts and a different fake identity used to create other specific online accounts.  In this manner, a person is simply trying to distance himself from something (such as registering for a pornographic Website) by using a fake digital identity while using a different fake identity to distance himself from other aspects of his online life.  An investigator who can identify the fake accounts adds to the case by showing the intentionally hidden aspects of a personality, motive, or intention of the real person based on the real person’s actions under the fake digital identities.  A pedophile whose physical identity has no ties to pedophilia may appear innocent until fake digital personas are found and tied to his physical identity.

Of note is that each person has a true physical identity and a true digital identity.  Typically, the true digital identity shows the real information, such as a real name, and is easily tied to the physical person.  However, every identity and persona (real and fake, digital and physical) should be compiled together to show the complete identity of a person.  False information is just as important as the true information to build a complete picture of a suspect.

A great example of tying a physical identity to a false persona is in the Silk Road case where the creator of Silk Road (Ross Ulbricht) used his public e-mail/forum (rThis email address is being protected from spambots. You need JavaScript enabled to view it.) account on the open Internet to market the Silk Road.  One simple post eventually tied his legitimate physical identity to a secret, false, and criminal persona on the Dark Web site, the Silk Road.

Identifying the digital identity becomes easier as Big Data continues to grow exponentially through massive data collection by government and corporations.  Social media sites contribute to identifying digital identities as the connectivity between sites exists through single usernames, using the same e-mail address across online accounts, and algorithms created to ‘find’ friends based on relationships and Internet use.  The digital identity is the sum of all electronic information of a person.  Corporations have been compiling digital identities of consumers in order to focus on advertising efforts.  Investigators should focus on compiling digital identities of suspects to determine motive and opportunity.

Any investigation benefits by compiling the complete identity of suspects.  Whether the identities contain true information about a suspect is not as relevant as tying the identities and personas to a person. Motives and intentions are clearer with a complete picture of a person in both the physical and digital worlds. 

Now that you know the ‘why’, become competent in the ‘how’ in each investigation with thorough research to find the connection between each identity in order to place your suspect at the keyboard.  Digital forensic skills are necessary and important, but solid cases usually need some old fashioned, gumshoe detective work too.

I was part of an interesting and product online podcast today.   You can check it out at: http://nopskids.com/live/

The topics ranged from hacking, forensics, how to catch hackers, and a little on how criminals sometimes get away with it. Although I didn’t give any tips on how to get away with a crime, other than DON’T DO IT, I did speak a little on some of the things that can be found forensically on a hard drive.  Actually, I think I only had time to talk about one thing (the Windows registry) for a few minutes and nothing of which that has any impact on a criminal using the information to get away with a crime.

The one thing I wanted to stress that even if every top secret, secret squirrel, spy and investigative method was exposed, criminals would still get caught using the very techniques they know.  Proof in the pudding is seeing cops being arrested for committing crimes.  You’d figure they would be the most knowledgeable of not getting caught, but they get caught. Same with accountants being arrested for fraud, and so forth.  I’ve even arrested criminals when they had in their possession, books on how not to get caught.   The most diligent criminal can be identified and arrested by simple mistakes made and sometimes by sheer massive law enforcement resources put on a single case to find a criminal or take down an organization.

With that, I learned a few things from the podcast too.  One of the moderators was actually a case study in my latest book (Hiding Behind the Keyboard).  To be an expert, to be knowledgeable, and to be more than just competent requires talking, listening, and sharing.  That doesn’t mean sharing trade secrets or confidential information, but it does mean having conversations to learn your job better.

When I worked as a jailer, I talked to every person I booked (at least the sober arrestees and those cooperating with the booking process).  I asked personal questions like, “how did you get started with drug use?” and “how did you start doing X crime”?  I learned a lot after hundreds of bookings.  I learned so much that when I make it to patrol and hit the streets, I had a big leg up on the criminal world, in how it worked with people.  That directly helped me in undercover work.  I spoke to so many criminals, both as a police officer and as an undercover (where they didn’t know I was a police officer), that I learned how to investigate people who committed crimes.  I was darn effective.

The point of all this is that talking to “the other side” is not a terrible idea.  Working on the law enforcement side, I promise that if you have a conversation with a criminal defense expert, you will learn something to help win YOUR case.  If you talk to a hacker, you will learn something to help figure out YOUR cases.  The best part, like I said, nothing you give will make a criminal’s job easier.  In fact, anything you say will only make them worry and make more mistakes.

If you are more-than-competent, you can do your job like a magician.   My first undercover case was buying a gram of meth from a cold phone call of a guy I didn’t even have a name for.  As soon as we met, I recognized the meth dealer as someone I arrested a half dozen times when I was in patrol.   Luckily for me, he didn’t recognize me and believed my UC role.  Arrested, booked, and convicted.  This was a career criminal with dozens of arrests who probably met more cops that I ever did at that time.  Still, he was arrested, by me, because I was more-than-competent in my job.  Digital forensics work is no different.

Talk to everyone and share.  I promise you will get more than you give.  And there is no shame in learning that you don't know it all, because none of us do.

I had the amazing honor of speaking before a full room at Enfuse this week.  This was not only my first time speaking at Enfuse, it was my first time at Enfuse. The conference was put together well.  Kudos to poolside event coordinator.  Those who know my forensic tool choices also know that I do not use Encase as my primary forensic tool.  However, I have a license for v7 and have used Encase since v4 (with sporadic breaks of use and licensing).

This year at Enfuse, I did not speak on any forensic software (or hardware) at the conference. I gave a snippet of two recent books I published (Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard).  I say “snippet” because one hour is not even near enough time to talk about the investigative tips in the books.  I was able to give a few good tips that I hope someone will be able to take the bank and boost case work.   I could spend weeks talking about investigative methods of not only finding suspects that are using computers to facilitate crimes, but also to place them at a specific device with both forensic analysis and traditional investigative techniques.   

After my talk, I received emails from some who did not or could not attend my Enfuse talk; I am providing my slidedeck for them and others who may want to see high-level notes from the Powerpoint slides.  However, I removed a number of slides that had personally identifiable information to avoid any embarrassment from Google searches and cases.  I did not get to a few slides in the presentation due to time (only one hour!), and I removed them as well.   Nonetheless, the meat and potatoes of the presentation is in the below PDF. (slidedeck removed).

A few toughts on digital forensic skill development and giving away investigative secrets

Forensic examiners/analysts generally follow the same path in skill development, with some exceptions of course.  For most of us, the tools are just plain neat and we initially focus on the tools.  High tech software and using the type of hardware that you cannot find at Frys turns work into play.  We dive into the box, swim around in it for days, weeks, or even months, and then we pull out every artifact we can to write a report of what happened ‘in the box’.  Writing a report usually means pushing the "Create Report" button. I suggest that every examiner go through this stage quickly and move forward.  Get it out of your system as soon as you can. There is more to digital forensics than the toys, I mean, tools.

Digital forensics investigators must investigate, unless your job is solely looking at data because someone else is investigating the case.  This is where leaving the stage of ‘playing with high-tech toys’ turns the new forensic examiner into a real digital forensics crime fighter.  When an examiner can integrate data recovered from ‘the box’ with information collected from ‘outside the box’, using any tool and investigative method available, we have a competent and effective digital forensics investigator, not just a tool user.

I have always believed that a good digital forensics investigator can practically use any software, as long as the software can do the job, without relying on the software to do the complete job.  Pushing a button to find evidence, then pushing another to print a report does not a forensic analysis make.  Just as Picasso could paint a masterpiece only using an old paintbrush and watercolors, a good forensic examiner can make a great case with only using a hex editor and gumshoe detective mindset.  The high-tech tools should be used to make the work easier and faster without becoming a crutch.

And that was the inspiration of why I wrote Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard, boiled down in two simple intentions:

1) To push forensic examiners out of the high-tech toy reliance into becoming a well-rounded, effective, efficient, and competent investigator.

2) As a reminder to the former investigator-turned-forensic-analyst to get back into the investigative mindset.

If you are currently in the ‘gotta-have-the-most-expensive-tools-on-the-planet’ stage while at the same time not working outside the CPU, don’t fret. It happens to most everyone, and not just in the digital forensics field.  When I was a young Marine, I went to the local army surplus store and base PX to buy every cool tool I could think that would help me in the field.  I had so many ‘tools’ that my ALICE pack looked like a Christmas tree dangling a five years' worth of trinkets from New Orleans’ Mardi Gras parades.  After one trip to the field, I realized how much money I wasted on unnecessary gear (if you could actually call some of those things I bought "gear"..) and focused on using only the things that work and making things work for me.  Digital forensics work is no different.  Consider yourself DFIR SEALTeam 6 once you can work a case using ANY computer and ANY tool.

Giving away trade secrets?

There is a long-standing problem in the digital forensics world: Sharing, or rather, lack of sharing.  Yes, experts and practitioners share their work, but many do not.  I completely understand why.  When you share your ideas and research to the public, there is a fear that the bad guys will see it and use it for their benefit.  The fear is that once the methods are known to the criminal world, the methods become ineffective.

In short, that thinking is incorrect.

First off, cybercriminals and criminals, in general, share information with each other.  They share the methods when they work together to commit crimes, they share it online,  and they share it during their stays in the big house.  Still, they get caught.  Still, they make mistakes. Still, the methods work against them.  I have even arrested drug dealers when they had in their possession, books on 'how not to get caught dealing drugs'.  Cybercrime is no different.  An entire website can be written on how to get away with crime on the Internet and read by every cybercriminal, and yet, they can still be identified, found, and arrested.  

Second, lack of sharing only hurts us all. If you were to find a better way to find evidence, but keep it to yourself, the entire community stagnates.  But when shared, we push ourselves ahead in skills.  Do not be afraid that the bad guys will get away with crimes if they know how you catch them.  Just as watching a Youtube video on Marine Corps boot camp does not make boot camp any easier, criminals that know how we place them behind a keyboard does not negate the process that can place a suspect behind a keyboard.  In fact, the more they know, the more chance they will slip up more than once out of sheer fear of how easy it is to put enough investigative resources to find a criminal that cannot be countered with any amount of preparation.