Computer Forensics: Cybercrime One-Upmanship
By Kevin J. Ripa, EnCE
The investigation of cybercrime is not unlike the challenge of investigating wrongdoing that has gone on for centuries. It is largely driven by the bad guys figuring out a way to manipulate or cheat the system, and then the good guys finding a way to respond to it and stop it from happening again.
In the computer world, where techniques like computer forensics are applied, we are largely dealing with intangibles, which makes it even harder to chase down the bad guy and bring him or her to justice. Cybercrime investigation is typically an exercise in responding rather than in being proactive.
Since the advent of cybercrime, criminals have found various ways to get away with their nefarious plans. They have continually come up with better and more sophisticated methods by which to hide data or the evidence of their dealings. With more and more complex cybercrimes occurring, the perpetrators have no choice but to keep an electronic record just so they can keep things straight. In the past, they have used methods like hiding files, putting passwords on files, using steganography (the science of hiding data inside other data), and file encryption to keep that record from detection. As a result, cybersleuths have had to continually respond to these methods by finding ways to detect this activity. Although we are usually engaged in a game of catch-up, it is only a matter of time before some brilliant mind comes up with a new and better way to hide things, while another brilliant mind comes up with new and better ways to detect it.
The most recent example of this was a specialized encryption program that allowed the user to essentially create two separate spaces on their hard drive. They could create one section containing the operating system and decoy data, so that if they were investigated, nothing bad would be found. They could then use the other space to hide all of their illicit data. If the entire hard drive was analyzed by a forensics expert, it would look like unreadable random data, something that is not unfamiliar to an examiner, and no illegal activity would be found, because of the encryption method used. When the computer is started up, it asks for a password. Each of the two spaces on the hard drive has a different password, and this is how the computer decides which section to boot into. When the bad guy was investigated, they would provide the password that opened the "safe" side of the computer, and nothing would be found. Cyber investigators had no way of detecting the other space, let alone knowing what was in it.
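To show what the examiner is up against in the scenario above, here is an added example (not code from the article, and not the detection method of any vendor it mentions) that performs the usual first-pass check on a raw disk image: a block-by-block Shannon entropy scan. The image, the region layout and the seeds are all constructed for illustration. The point it makes is the one the article makes: the encrypted "safe" side and the hidden space both look like uniformly random bytes, so the scan merges them into a single high-entropy run and the boundary between them is invisible to entropy alone.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # assumed sector-aligned block size for the scan


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, up to 8.0 for uniform random data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def scan_image(image: bytes, block_size: int = BLOCK):
    """Return [(offset, entropy), ...] for every fixed-size block of a raw image."""
    return [(off, shannon_entropy(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]


def high_entropy_runs(image: bytes, block_size: int = BLOCK, threshold: float = 7.8):
    """Merge consecutive blocks scoring at or above `threshold` into (start, end) byte ranges.

    7.8 bits/byte is an assumed triage cut-off: plain text scores ~4-5, zero fill 0,
    and 4 KiB of uniformly random bytes almost always scores above 7.9.
    """
    runs, start = [], None
    for off, h in scan_image(image, block_size):
        if h >= threshold:
            if start is None:
                start = off
        elif start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs


def build_sample_image(block_size: int = BLOCK) -> bytes:
    """Constructed sample image (not a real disk): a plaintext area, unused zeroed space,
    a stand-in for the encrypted decoy volume, and a stand-in for the hidden volume."""
    decoy_text = (b"This is a decoy document kept in the visible volume.\n" * 200)[:block_size * 2]
    unused = bytes(block_size * 2)
    outer_rng = random.Random(1234)   # seeded so the example is reproducible
    hidden_rng = random.Random(5678)
    encrypted_outer = bytes(outer_rng.getrandbits(8) for _ in range(block_size * 3))
    hidden_space = bytes(hidden_rng.getrandbits(8) for _ in range(block_size * 4))
    return decoy_text + unused + encrypted_outer + hidden_space


def layout_offsets(block_size: int = BLOCK):
    """Where the constructed regions actually start; an examiner would not know these."""
    return {"decoy_text": 0, "unused": block_size * 2,
            "encrypted_outer": block_size * 4, "hidden_space": block_size * 7}


if __name__ == "__main__":
    img = build_sample_image()
    for off, h in scan_image(img):
        print(f"offset {off:6d}: {h:.3f} bits/byte")
    print("high-entropy runs:", high_entropy_runs(img))
    print("true layout:", layout_offsets())
```

Running it prints one merged run starting at the encrypted outer volume and ending at the end of the image; the hidden space starting at block 7 produces no visible step. High entropy is therefore only a triage signal (compressed files and ordinary full-disk encryption score the same), and separating a decoy volume from a hidden one needs evidence beyond the byte distribution.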
That is, until now. Forensic Innovations, Inc. of Fishers, Indiana has stepped up to the plate and found a way to detect these hidden spaces. Once again the playing field has been leveled, and it is the bad guys who are having to find a new way to hide.
There is no telling how computer forensics will progress, but history shows us that it will remain a "catch-up" style of response. For now, though, chalk one up for the good guys.
Kevin J. Ripa is a former member, in various capacities, of the Department of National Defense, serving in both foreign and domestic postings. He now provides service to various levels of law enforcement and Fortune 500 companies, and has assisted in many sensitive investigations around the world. Mr. Ripa is a respected and sought-after individual within the investigative industry for his expertise in information technology investigations, and has been called upon to testify as an expert witness on numerous occasions. He has been involved in numerous complex computer forensic investigations. Mr. Ripa can be contacted via email at kr1@asginvestigations.com.
Tags:
- Computer forensics
- Computer forensic investigation
- Cybercrime
- Investigation
- Hide data
- Hiding files
- Justice
- Expert witness