I’ve begun using the following explanation to help investigators appreciate the context of, and the relationships between, Internet identifiers – domain names, IP addresses, or Autonomous System Numbers (ASNs) – and criminal acts and actors.
People and networks use Internet identifiers to name or number individual computers (hosts) so that these can communicate. In the most basic interpretation, these identifiers tell you a location:
- IP addresses identify Internet’s streets and house numbers
- Autonomous System Numbers identify the Internet’s “neighborhoods”
- Domain Names provide user-friendly ways to remember addresses, e.g., “My friend Matt’s house”.
Let’s imagine that you are investigating a complaint about illegal content (counterfeit goods, child abuse material, etc.). The complaining party gives you a domain name or URL. You use the DNS to identify an IP address that is associated with that domain name. This is the location where the content is being hosted or published (or, if the complaint concerns a spam or phishing email, the address in the message headers from which the email originated).
Some investigators are tempted to associate this IP address with the person who published the illegal content in the same definitive manner as one might associate a fingerprint collected at a crime scene with an alleged perpetrator (or person of interest). Both of these are presumptive conclusions; for example, even in cases where a single fingerprint is collected at a crime scene, more evidence is necessary to prove beyond reasonable doubt that the person whose fingerprint matches the one found at the crime scene committed the crime. In many crime scenes, multiple fingerprints may be collected. This increases the list of persons of interest, and investigators must gather additional evidence to place a particular person of interest not only at the scene, but also at the scene at the time of the crime.
This is also true for an IP address. Different individuals can use an IP address at different times (at a public library or Internet cafe). Often, many individuals using a public or private network that uses network address translation (NAT) may share a public IP address. Thus, IP addresses pose additional hurdles for investigators:
- They can be spoofed, i.e., a criminal actor can forge a source IP address and thus “leave some other person’s fingerprints”. This is practical mainly for one-way traffic such as flooding attacks; content that must be served over a two-way connection cannot be hosted from a spoofed address, but a criminal can still proxy through, or hijack, an address that belongs to someone else.
- A criminal actor can relocate his illegal content from one IP address to another, or host that content from multiple IP addresses, and thus leave lots of fingerprints over time.
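The NAT problem above is the one an investigator most often hits in practice: a public IP address behind a carrier-grade or enterprise NAT gateway names a whole “neighborhood” of users, and only the gateway’s translation log, queried with the public source port and the time of the event, narrows it to one internal host. The following is an added example (not code from the original post) that shows that narrowing over a constructed translation log in a hypothetical line format; every address, port and timestamp in it is invented for illustration.

```python
"""
Resolving a public IP seen at the "crime scene" to the internal host behind a
NAT gateway. Added example, not from the original post. The log line format
("<start> <end> <internal_ip>:<port> -> <public_ip>:<port>") and all addresses
below are constructed for illustration; real gateways use their own formats.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class NatRecord:
    start: datetime        # translation created
    end: datetime          # translation torn down
    internal_ip: str
    internal_port: int
    public_ip: str
    public_port: int

    def active_at(self, when):
        return self.start <= when < self.end


# Constructed sample log. Note that public port 40001 is handed to a second
# internal host after the first translation expires: the port alone, without
# a timestamp, is ambiguous too.
SAMPLE_NAT_LOG = """\
2024-03-01T10:00:00Z 2024-03-01T10:05:00Z 10.0.0.11:51012 -> 203.0.113.5:40001
2024-03-01T10:01:00Z 2024-03-01T10:06:00Z 10.0.0.12:51013 -> 203.0.113.5:40002
2024-03-01T10:02:00Z 2024-03-01T10:03:00Z 10.0.0.13:51014 -> 203.0.113.5:40003
2024-03-01T10:07:00Z 2024-03-01T10:09:00Z 10.0.0.14:51020 -> 203.0.113.5:40001
"""


def parse_ts(s):
    # Gateway timestamps are assumed to be UTC in ISO 8601 with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _parse_endpoint(s):
    ip, port = s.rsplit(":", 1)
    return ip, int(port)


def parse_nat_log(text):
    """Parse the constructed log format into NatRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, internal, arrow, public = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line!r}")
        iip, iport = _parse_endpoint(internal)
        pip, pport = _parse_endpoint(public)
        records.append(NatRecord(parse_ts(start), parse_ts(end), iip, iport, pip, pport))
    return records


def hosts_behind(records, public_ip, when=None):
    """Every internal host that was ever translated to public_ip, or, if
    `when` is given, only those whose translation was active at that instant.
    This is what "the IP address" alone tells you: a list, not a person."""
    return sorted({r.internal_ip for r in records
                   if r.public_ip == public_ip and (when is None or r.active_at(when))})


def host_for(records, public_ip, public_port, when):
    """Resolve the (public IP, public source port, time) triple that a server
    log should have recorded. An empty result means no translation matched
    (missing logs, a port the server did not log, or clock skew between the
    server and the gateway); more than one element means the triple is still
    ambiguous and more evidence is needed."""
    return sorted({r.internal_ip for r in records
                   if r.public_ip == public_ip and r.public_port == public_port
                   and r.active_at(when)})


if __name__ == "__main__":
    recs = parse_nat_log(SAMPLE_NAT_LOG)
    t = parse_ts("2024-03-01T10:02:30Z")
    print(hosts_behind(recs, "203.0.113.5"))      # every host that shared the address
    print(hosts_behind(recs, "203.0.113.5", t))   # the hosts active at 10:02:30
    print(host_for(recs, "203.0.113.5", 40001, t))                              # one host
    print(host_for(recs, "203.0.113.5", 40001, parse_ts("2024-03-01T10:08:00Z")))  # port reused
    print(host_for(recs, "203.0.113.5", 40001, parse_ts("2024-03-01T10:06:00Z")))  # no record
```

The practical consequence is that the evidence you collect at the scene must include the remote source port and an accurate timestamp, not just the IP address; RFC 6302 recommends exactly that for Internet-facing servers, and without it the gateway operator cannot answer the question even when it wants to.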
Even if your person of interest uses a public IP address and the illegal content remains at this address as you pursue your investigation, you are in most cases confronted with – and about to be confounded by – the problem of associating this “fingerprint” with an actual individual. The situation an investigator most often encounters is similar to taking a fingerprint from a crime scene and finding no match among all the available crime databases:
- The provider of the service where the content is hosted (or where the content is originating from) has inaccurate or fraudulent contact data, or the contact data is accurate but further investigation reveals that the criminal forged, hijacked or impersonated an innocent party or exploited an innocent party’s resources (e.g., a web site).
- The IP or Domain registration data (Whois) has inaccurate data or fraudulent contact data, or (again), the registration data are accurate, but further investigation reveals that the criminal forged, hijacked or impersonated an innocent party’s identifiers (e.g., a domain name).
- The contact data in any of the above scenarios is “privacy” protected and the party that provides this confidentiality service won’t cooperate with the investigator (without a court order).
- You can’t serve a court order because none of the above parties recognize your jurisdiction.
All these hurdles reinforce the following: gathering the addresses or names allegedly associated with a criminal activity is necessary, but not sufficient, to “identify the criminal”. A law enforcement colleague I contacted agrees, noting that, “Knowing the shot that killed John F. Kennedy came from Book Directory wasn’t enough to prove Lee Harvey Oswald was the shooter.”
What do you do next?
My law enforcement and private sector colleagues all give me the same answer:
Revisit the crime scene. In a real world investigation, you’d look for camera footage, shell casings, and fiber remnants. Are there any data that you haven’t yet used but might use to find evidence by flexing your google-fu? Your person of interest may be no different from any other Internet user. He may use social media and may brag about, or unwittingly share, his “accomplishment”. Have you searched Facebook, Twitter, or other social media using the digital trace evidence you found? Have you canvassed the digital neighborhood? You may find and associate other addresses or domain names with the crime, and registration or other data associated with these may reveal more about your person of interest or his conspirators. Can you single out individuals who associate with your person of interest and, among these, can you identify potential informants, or turn a co-conspirator? Was malware associated with the crime? Bomb makers have unique signatures and often, so do malware authors. And the obvious: can you question the person of interest and obtain a confession?
Many crimes today have both real world and online components, and no small part of online investigation involves the same police work and investigative methods as real world investigations.
It’s tempting to imagine that there’s a silver bullet of evidence among the identifier data you collect but it just isn’t so.
Criminals haven’t adopted online crime to make finding them easier.
A special thanks to my colleague Mert Saka for inspiring this post.