Digital Evidence and Computer Crime, Second Edition

5.5 Reporting

Writing a report is one of the most important stages of the investigative reconstruction process because, unless findings are communicated clearly in writing, others are unlikely to understand or make use of them.

The two types of reports most commonly associated with an investigative reconstruction are Threshold Assessments and Full Investigative Reports. A Threshold Assessment is an investigative report that reviews the initial physical evidence of crime related behavior, victimology, and crime scene characteristics for a particular unsolved crime, or a series of potentially related unsolved crimes, to provide immediate investigative direction. This type of report is more common because it requires less time and is often sufficient to bring an investigation to a close. Although a Threshold Assessment is a preliminary report, it still involves the employment of scientific principles and knowledge, including Locard's Exchange Principle, critical thinking, analytical logic, and evidence dynamics.

A Full Investigative Report follows the same structure as a Threshold Assessment but includes more details and has firmer conclusions based on all available evidence. A full report is useful in particularly complex cases and can be useful when preparing for trial because it highlights many of the weaknesses that are likely to be questioned in court. Additionally, a Full Investigative Report provides the foundation for further analysis such as criminal profiling.

A common format for these reports are provided here:

1. Abstract: summary of conclusions;

2. Summary of examinations performed:

   • examination of computers, log files, etc.

   • victim statements, employee interviews, etc.

3. Detailed Case Background;

4. Victimology/Target Assessment;

5. Equivocal Analysis of others' work:

   • missed information or incorrect conclusions;

6. Crime Scene Characteristics:

   • may include offender characteristics;

7. Investigative Suggestions.

Two fictitious Threshold Assessments are provided here to demonstrate their structure and purpose. The first involves a homicide involving computers, very loosely based on The Name of the Rose by Umberto Eco. The second involves a computer intrusion.

5.5.1 Threshold Assessment: Questioned Deaths of Adelmo Otranto, Venantius Salvemec, And Berengar Arundel

Complaint received: November 25, 1323

Investigating Agencies: Papal Inquisition, Avignon, Case No. 583

Report by: William Baskerville, Independent Examiner, appointed by Emperor Louis of Germany

For. Abbot of the Abbey

After reviewing case materials detailed below, this examiner has determined that insufficient investigation and forensic analysis have been performed in this case. That is to say, many of the suggested events and circumstances in this case require verification through additional investigation before reliable inferences about potentially crime related activity and behavior can be made. To assist the successful investigation and forensic analysis of the material and evidence in this case, this examiner prepared a Threshold Assessment.

Examinations Performed

The examiner made this Threshold Assessment of the above case based upon a careful examination of the following case materials:

• IBM laptop and associated removable media formerly the property of Adelmo Otranto;

• Solaris workstation belonging to the Abbey, formerly used by Venantius Salvemec;

• personal digital assistant formerly the property of Adelmo Otranto.

• mobile telephone formerly the property of Venantius Salvemec;

• various log files relating to activities on the Abbey network;

• interviews with the abbot and other members of the Abbey;

• postmortem examination reports by Severinus Sankt Wendel.

Case Background

All deaths in this case occurred in an Abbey inhabited by monks who cannot speak, having sworn an oath of silence before cutting off their own tongues. On November 21, Adelmo Otranto went missing and his body was found on November 23 by a goatherd at the bottom of a cliff near the Abbey and postmortem examination revealed anal tearing but no semen. Biological evidence may have been destroyed by a heavy snowfall on the night of his disappearance. On November 26, Venantius Salvemec's body was found partially immersed in a barrel of pig's blood that swineherds had preserved the previous day for food preparation. However, the cellarer later admitted to finding Salvemec's corpse in the kitchen, but moved the body to avoid questions about his nocturnal visits to the kitchen. A postmortem examination indicated that Salvemec had died by poison but the type of poison was not known. On November 27, Berengar Arundel's body was found immersed in a bath of water but the cause of death appeared to be poison versus drowning.

Victimology

All victims were Caucasian male monks residing at the Abbey in cells, working in the library translating, transcribing, and illuminating manuscripts. Details relating to each victim obtained during the investigation are summarized here.

• Adelmo Otranto

• Age: 15

• Height: 5' 2"

• Weight: 150lbs.

• Relationship Status: According to written statements made by Berengar Arundel, he pressured Adelmo into having sexual intercourse the night before his body was found at the bottom of the cliff.

• Social history: According to the abbot, Adelmo had problems socializing with children his own age.

• Family history: Unknown

• Medical and medical health history: Adelmo was known to chew herbs that induced visions.

• Lifestyle risk: This term refers to ... Based on even the limited information available to this examiner, Adelmo was at a high overall lifestyle risk of being the victim of sexual exploitation. In addition to taking drugs and being sexually active in the Abbey, Adelmo participated in relationship-oriented online chat and communicated with adult males who were interested in him sexually. During these sexually explicit exchanges, he revealed personal, identifying information including pictures of himself. At least one adult on the Internet sent Adelmo child pornography in an effort to break down his sexual inhibitions.

• Incident risk: High risk of sexual assault because fellow monks and adults via the Internet were grooming him. Unknown risk of exposure to poison without understanding of how poison got into his system.

• Venantius Salvemec

• Age: 16

• Height: 5' 5"

• Weight: 145 lbs.

• Relationship Status: According to interviews, Venentius accepted presents from older monks and received packages from individuals outside the Abbey. Additionally, he received frequent messages and photographs on his mobile phone, some of a sexual nature.

• Social history: Well liked by all and close friends with Adelmo and Berengar.

• Family history: Unknown

• Medical and medical health history: None available

• Lifestyle risk: Insufficient information available to determine lifestyle risk

• Incident risk: Medium to high risk of sexual assault and poisoning given his close friendship with the other victims, older monks, and individuals outside the Abbey.

• Berengar Arundel

• Age: 15

• Height: 5' 4"

• Weight: 130 lbs.

• Relationship Status: Sexually active with other young monks in the Abbey

• Social history: According to the abbot, problems socializing with children his own age.

• Family history: According to interviews with other monks, Berengar lived alone with his mother prior to coming to the Abbey. Berengar expressed disdain for his parents and was sent to the Abbey after setting fire to a local landlord's barn. His father moved away from the area after being accused of physically and sexually abusing Berengar.

• Medical and medical health history: According to Severinus Sankt Wendel, Berengar made regular visits to the Abbey infirmary for various ailments. Severinus believes that Berengar had Attention Deficit Disorder (ADD).

• Lifestyle risk: Based on the likelihood of sexual abuse by his father, sexual activities with other monks, and behavioral and medical problems, Berengar was at a high overall lifestyle risk of being the victim of sexual exploitation.

• Incident risk: Medium to high risk of sexual assault and poisoning given his close friendship with the other victims, older monks, and individuals outside the Abbey.

Equivocal Analysis

Given the exigent circumstances surrounding this investigation, this examiner has only made a preliminary examination of digital evidence relating to this case. A summary of findings is provided here and details of this preliminary examination are provided in a separate report "Digital Evidence Examination for Case No. 583".

• Each victim communicated with many individuals on the Abbey network and Internet, resulting in a significant amount of digital evidence. Some of these communications were of a sexual nature. Additional analysis is required to determine if any of these communications are relevant to this case.

• Adelmo's laptop contained child pornography that was sent to him by an individual on the Internet using the nickname <dirtymonky69@yahoo.com>. The originating IP address in e-mail messages from this address corresponds to the Abbey's Web proxy. An examination of the Web proxy access logs revealed that several computers in the Abbey were used to access Yahoo.com around the times the messages were sent. Additionally, log files from the Abbey e-mail server show that all of the victims received messages from this address.

• Adelmo's personal digital assistant contained contact and schedule information, in addition to what appears to be a personal diary. Unfortunately, entries in this diary appear to be encoded and have not been deciphered.

• Venentius's mobile phone contained images of other monks in the nude. It is not clear whether these photographs were taken with the monks' knowledge and additional analysis of the telephone and associated records are required to determine if these photographs were taken using the digital camera, on the telephone, or downloaded from somewhere else.

• Exhume Adelmo's body to determine if he died by poison.

Crime Scene Characteristics

• Location and type: The specific locations of the primary scenes where the victims were exposed to poison are unknown. The victim's bodies were found in locations that were frequented by others in the Abbey.

• Point of contact: Unknown

• Use of weapons: Poison

• Victim resistance: None apparent

• Method of approach, attack, and control: How the victims were exposed to poison is unknown, and the existence of an offender in this case had not been firmly established.

• Sexual acts: Unknown

• Verbal behavior: Requires further analysis of online communications

• Destructive acts: None

• Evidence of planning and precautionary acts: Insufficient evidence to make a determination

• Motivational aspects: Insufficient evidence to make a determination

Offender Characteristics

• Sex: Investigative assumptions in this case to date have included the preconceived theory (treated as fact) that there was only one offender involved in these crimes and that this offender must be male. The first part of this assumption may not be correct. Berengar's lack of knowledge of and access to poisons weakens the hypothesis that he murdered Adelmo and Venentius, and that he committed suicide. The second part of this assumption cannot be supported or falsified using available evidence. The anal tearing could have occurred during sexual intercourse that might not be associated with the crimes. Even if the anal tearing were associated with the crimes, this would not be definitive proof of a male attacker since no semen was found.

• Knowledge of/familiarity with location: It is still unclear if all of these deaths were caused by exposure to poison, and whether this exposure was accidental or malicious. If the exposure were malicious, the perpetrator would not necessarily require knowledge of the Abbey. A valuable item coated with or containing poison could have been delivered to one of the victims in any number of ways and may have subsequently found its way into the hands of the other victims.

• Skill level: The fact that no apparent effort was made to conceal the bodies could be interpreted as low homicide-related skill because it increases the chances that the crime would be discovered. However, the offender has some skill administering poison.

• Knowledge of/familiarity with victims: There is insufficient evidence to make a determination on this matter. Based on the available evidence, the targeting of victims in this case could be either targeted or random.

Investigative Suggestions

The following is a list of suggestions for further investigation and establishing the facts of this case:

1. Examine Macintosh desktop belonging to the Abbey, formerly used by Berengar Arundel.

2. After obtaining necessary authorization, examine all computers in the Abbey that were used to access Yahoo.com around the times that messages from <dirtymonky69@yahoo.com> were sent.

3. After obtaining necessary authorization, perform keyword searches of all computers in the Abbey to determine whether the victims used computers other than those already seized.

4. Using MD5 hash values of the image files, search all computers in the Abbey for copies of the child pornography found on Adelmo's laptop and for copies of the naked monks found on Venantius's mobile phone in an effort to determine their origin.

5. Obtain Venantius Salvemec's mobile telephone records to determine who sent him text messages and photographs.

6. Attempt to decipher Adelmo's diary.

7. Look for hiding places in the victim's cells, library desks, and other locations they had access to in an effort to further develop victimology.

8. Attempt to determine how Venantius gained access to the kitchen on the night of his death. The kitchen and adjoining buildings are locked in the evening and only the abbot, cellarer and head librarian have keys.

9. Perform full investigative reconstruction using digital evidence and information from interviews to determine where the victims were and whom they communicated with between November 15 and November 27.

The same type of analysis and report structure can be used in computer intrusion investigation. For instance, the following report pertains to an intrusion into an important system (project-db.corpX.com) containing proprietary information.

5.5.2 Threshold Assessment: Unauthorized Access to project-db.corpx.com

Complaint received: February 28, 2003

Investigating Agencies: Knowledge Solutions, Case No. 2003022801

Report by: Eoghan Casey

For: CIO, Corporation X

Case Background and Summary of Findings

On February 28, an intruder gained unauthorized access to project-db.corpX.com and Corporation X is concerned that the intruder stole valuable proprietary information. Based on an analysis, the available digital evidence in this case, this examiner has determined that the attack against project-db.corpX.com was highly targeted. The amount and type of information accessed by the intruder suggests that intellectual property theft is likely. The perpetrator had a significant amount of knowledge of the computer systems involved and information they contained, suggesting insider involvement. The intruder used an internal system to perpetrate this attack - this system should be examined.

Examinations Performed

The examiner made this Threshold Assessment of the above case based upon a careful examination of the following case materials.

• target computer system (project-db.corpX.com);

• various log files relating to activities on target network;

• configuration files of firewalls and routers on the target network;

• memos and media reports describing organizational history and situation;

• interviews with system administrators familiar with the target network and system.

Victimology of Target Organization

• Organization name: Corporation X

• Real space location: 1542 Charles Street, Suite B, Baltimore, MD, 21102

• Purpose/role: Software development and sales

• Type of product/service: Banking software

• Operational risk: High risk because Corporation X has the largest market share in a highly competitive area. As a result, the value of Corporation X's products is high. Additionally, knowledge of the internal workings of this software might enable a malicious individual to manipulate banking systems for financial gain.

• Incident risk: High risk because Corporation X recently went public and has received extensive media attention.

Victimology of Target Computer

• Computer name: project-db.corpX.com

• IP address: 192.168.1.45

• Hardware: Sun Enterprise server

• Operating system: Solaris 9

• Real space location: Machine room, Corporation X

• Purpose/role: Programming, file sharing, and project management

• Contents (type of data on system): Design documents and source code for Corporation X's main products, along with project schedules and other project related information.

• Physical assessment: Locked cabinet in machine room. Only two individuals have a key to the cabinet (the machine room operator and CIO).

• Network assessment: Highly secure. All network services are disabled except for Secure Shell (SSH). Logon access only permitted using SSH keys. Protected by firewall that only permits network connection to server on port 22 (SSH) from computers on the Corporation X network.

• Operational risk: Low-medium risk because project-db.corpX.com is physically secure, has a good patch and configuration history, no prior intrusions, and is well configured services. However, over one hundred (100) employees have authorized access to the system and database.

• Incident risk: Low-medium risk because, although project-db.corpX.com contains valuable data, it is well patched and protected by configuration and hardware firewall.

Equivocal Analysis of Network Related Data

An examination of the digital evidence in this case provided additional details of the intruder's activities and revealed several discrepancies that had been overlooked. The main findings are summarized here and a detailed description of the digital evidence examination is provided in a separate report "Digital Evidence Examination for Case No. 2003022801".

• An examination of the system indicates that most activity occurred on February 28 with many files accessed.

• Although server logs indicate that the intruder connected from an IP address in Italy, an examination of the Internet firewall configuration revealed that only internal connections are permitted. A connection from Italy would have been blocked indicating that the server logs have been altered.

• NetFlow logs confirm that the unauthorized access occurred on February 28 between 18:57 and 19:03 hours and that this was a focused attack on the target system. However, the source of the attack was from another machine on the Corporation X network (workstation13.corpX.com), indicating that the intruder altered logs files on the server to misdirect investigators.

Crime Scene Characteristics

Location and type: The primary scene is project-db.corpX.com. Secondary scenes in this crime include the Corporation X network and the other computer that the intruder used to perpetrate this attack. This other computer (workstation13.corpX.com) will contain digital evidence relating to the intrusion such as SSH keys, tools used to commit or conceal the crime, and data remnants from the primary scene (project-db.corpX.com) transferred during the commission of the crime. If workstation13.corpX.com was compromised, there will be another secondary crime scene - the computer that the intruder used to launch the attack. Once the original source of the attack is found, the computer and surrounding workspace should be searched thoroughly because this crime scene will contain the most digital evidence of the intruder's activities.

Point of contact: SSH daemon on project-db.corpX.com

Use of weapons/exploits: Legitimate user account and SSH key

Method of approach: Through workstation13.corpX.com

Method of attack: Gained target's trust using legitimate user account and SSH key

Method of control: Altering log files to misdirect investigators

Destructive/precautionary acts: Altered log files to misdirect investigators

Offender Characteristics

Knowledge of/familiarity with target system: The intruder had knowledge of, and authentication tokens for, an authorized account on the system. However, the intruder did appear to know that the firewall was configured to block external connections (e.g. from Italy). Additionally, the intruder did not appear to know that Corporation X maintained NetFlow logs that could be used to determine the actual source of the intrusion.

Knowledge of/familiarity with target information: There is no indication that the intruder scanned the network or probed any other machines prior to breaking into the target system. Once the intruder gained access to the target, very little time was spent exploring the system. The direct, focused nature of this attack indicates that the intruder knew what information he/she was looking for and where to find it.

Skill level: Any regular user of the target computer would have the necessary skills to access the system as the intruder did. However, the intruder was also capable of altering log files to misdirect investigators, indicating a higher degree of technical skill than an average user.

Investigative Suggestions

It is likely that the intruder is within the organization or had assistance from someone in the organization. The following is a list of suggestions for further investigation and establishing the facts of this case:

• After obtaining necessary authorization, seize and examine the internal system that the intruder used to perpetrate this attack.

• Interview the owner of the user account that the intruder used to gain access to project-db.corpX.com. Do not assume that this individual is directly responsible. Examine this individual's workstation for signs of compromise and try to determine if the intruder could have obtained this individual's SSH key and associated passphrase.

• Find the original source of the attack and search the associated computer and workspace thoroughly. This secondary crime scene will contain the most digital evidence of the intruder's activities.

• Determine how the intruder was capable of altering log files on the target system. This usually requires root access unless there is a system vulnerability or misconfiguration.

• After obtaining necessary authorization, examine all computers on the Corporation X network for the stolen information.

It is worth reiterating that all conclusions should be based on fact and supporting evidence should be referenced in and attached to the report.