Hendon Publishing

Social Media Investigations in Threat Assessment

The soaring popularity of social media eclipses the growth of the devices that support such “tweets,” “likes” and “favorites.” While much of social media seems innocuous or harmless, it is far from being anonymous or safe and, in fact, many people post too much personal information that can become a means or target of cyber crime. On the other side of the equation, though, social media can also be a tool by which some cyber crime can be investigated or even solved. 

The topic and its ramifications were explored during a recent ISC West Premier Education Series. Guest speakers Bruce Anderson of Cyber Investigation Services and Detective Paul Parlon of the University of Massachusetts, Boston Public Safety agency hosted a session about the civil and criminal aspects of social media.

Anderson said many victims of cyber crime go to their police department, attorney, FBI or other agency, only to find that virtually no help can be obtained. Turning to an investigative service can often assist, but Anderson feels police agencies need to add cyber investigation to their arsenal of crime-fighting techniques. He said the “systematic use of digital information and human intelligence in the investigation of, or monitoring of, actions or communications” can home in on the person, people or groups that may be using social media for nefarious purposes.

Cyber crime through social media not only affects individuals, but also includes industrial and corporate infrastructure with threats to intellectual property, organizational integrity, communications, mobile platforms, insider activity, public confidence in the organization, and corporate assassinations in which a company or organization is attacked to take it down or defame the group’s leadership.

Since the U.S. enjoys “the largest transfer of wealth” in the world, its organizations and people are the targets of cyber crime against personal interests, strategies, money, property and other assets, Anderson said. Social media can also involve such crimes as harassment, stalking, defamation, fraud, network and data interference, location or exploitation of people or assets for criminal intent, attacks on financial relations, or theft of information. Mix in the privacy concerns that social media raises and the formula is right for a “new” brand of crime coming through social media and the information it hosts.

In social media crime and threat assessment, it is necessary to define the case carefully, Anderson said. What is the nature of the crime? What is the investigating agency trying to prove? What is the information about competitors to an industrial or corporate target?  What vetting has occurred? What civil and/or criminal laws are in play in the incident(s)?  What other partners in other jurisdictions or nations might be involved in the investigation?

Is there policy in place about cyber crime and social media in the organization? How many suspects are involved? How sophisticated are they? Do the suspects have a honed network security background or are they just hackers or novices? Who will be the prime investigating team? Who is responsible for the chain of evidence? How is the evidence to be documented and saved? Who is responsible for keeping that evidence?   

“You can spend a lot of time spinning your wheels” without a thorough definition of the case, Anderson said. “It becomes very strategic,” and “a lot of factors come into play,” but it is necessary to examine all aspects carefully because the investigation may take many different trails to reach resolution of the case, he pointed out. Determining the suspect is part of the case, of course, but there must also be work in determining the methodology used by the suspect so further problems can be reduced or eliminated. 

“We’re a small world,” and a case may be very simple, but more likely, perpetrators “are using highly sophisticated techniques,” Anderson said. Laws relating to cyber and Internet crime are many and varied, depending on the jurisdiction or nation(s) involved.  “It’s like the wild, wild West across the world,” Anderson avowed about the variety of laws and their application and interpretation in the various jurisdictions. The “intricacies in law lead to people thinking they know what’s going on, but they don’t!” he said.  

Profile, he recommended. Who is the person? Who are the person’s friends? Where does he/she work? What motives might the perpetrator have? How technically savvy is the person? What is the person’s background and history? Look at the Internet, law enforcement and private databases, social media sites, human intelligence, cyber investigative tools, deep Web searches, online records, and history through print media and through Internet media (web traps and honey pots). Anderson said all such questions and resources must be answered and researched before ever getting to the point of taking action to apprehend. 

Tools exist online that can assist the thorough investigation that needs to be done.  “Maltego” can give a visualization of Web searches about such elements as domain servers, e-mail associates, and social media. Even though an investigation may start with one website or point, that may lead to, say, five others, and the search can dig out more pieces of information, mapping it for you to see, Anderson explained. “It’s not the solve all” though, he said, “because there is no one tool or technique to use. But this is a very useful tool to start.”

“Sam Spade” is also useful as an “advanced ‘who is’” tool, locating people worldwide by records, e-mail address, name, etc., Anderson stated, adding that it can also trace routes with other servers and websites.

Some social media have ways to investigate “behind the scenes,” Anderson said. That may reveal different connections, geo-locations, travel patterns and other information that will prove useful. Most often, doing such research requires the help of a consultant who knows how to access such information or to “map” who are the friend groups and what communications have occurred, he said. 

A profile can be mapped out in the network, giving a visualization of the full network and even any fake accounts connected to the person. Knowing the “friend group” and e-mail information can assist the investigation to use spoof e-mail or a website of interest to catch an IP address, he explained, adding that such resources are “great tools for catching anonymous people who are trying to hide their identity.” 

Although search engines seem able to find “everything,” only about 85 percent of the Web is searched, Anderson commented. The remaining 15 percent should also be checked for other patterns, searches and so on. “It builds upon itself,” he said, to create a visual link analysis for the investigation.

Domain tools such as “Who Is” and “Wayback” are paid services for the history of hosting. They may identify a person, hosting accounts, change of hosts, who are hosts, where they are located, history of a website and its information as compared to the present, Web addresses, etc. Anderson said most people committing cyber crime tend to get more careful as they progress and thus, evidence can be quickly lost, making the perpetrator more difficult to catch. So, the timing of what is done can be critical to the investigation, he emphasized.

“WiGLE” is a geographic logging engine reporting router addresses. Encryptions and the susceptibility to hacking are also resources to know. “It’s all out in the open and available,” according to Anderson, but it must be accessed and used to be effective in a cyber crime investigation. The “BeEF Framework” is yet another tool using technology in a browser exploitation framework, leveraging browser vulnerabilities to assess the security “posture” of a target. “Website Ripper Copier” and “Foca Free” are additional tools for website deep exploration, analyzing metadata in the areas it explores.

Anderson likened such research tools and methods to the sport of fishing. Just as the fish has a natural tendency to trust the bait as a tasty morsel, there is a natural human tendency to trust the social media. Using the right bait for a cyber criminal might yield getting the information needed to expose a threat and solve a problem or case.

Detective Paul Parlon next described how agencies might suddenly find themselves tasked with investigating cyber and social media-linked crime. “I wasn’t much of a cyber ‘anything,’ but I got thrust into it!” he said. With hundreds of millions of postings of text and photos placed on social media each day, there is “good and bad” occurring on social media, he said.

A recent case in his department illustrates the point. The alarmed parents of a student at the university feared the worst, as their son seemed to be missing. The student’s phone account had been closed, computer erased, his bank account depleted, his belongings gone from his apartment, and contact with him lost. Since there was no evidence of foul play and because the student was an adult, there was not much the police could do for the parents, who then turned to the campus police and sought help.

Parlon found that the student had left notes for his roommate and for his former girlfriend—both of which seemed to imply a suicide might occur. Parlon said evidence of online gambling by the student was found. A hold was placed on a Visa gift card the student had bought, his communications on social media were investigated, and the content of his computer was recovered (although it yielded few answers). 

The student took photos with his cell phone and, because the locator was still on, it was possible to do geo-tracking to learn the student had headed east, with hopes to become anonymous and turn his interest in gambling into a more lucrative activity. The student’s photo was circulated to casinos in the east and one casino reported the student was there. A combination of tracking multiple clues, and trying to get a step ahead of the student eventually led to the reuniting of the student and his parents, and a satisfactory ending of the case.

Parlon described another case in which social media and cyber investigation also helped resolve a problem and expose a crime. A cyber stalker of a student living off-campus had tracked her through posts she trustingly made to her social media—describing activities she had done, places she had gone, and people she had met. “She put too much” on her social media, Parlon said, even posting her address, phone, former address and other information. 

The cyber stalker posed as a classmate wanting to be her “friend.”  Far from being so, he continued harassing the student and, when apprehended through the investigation, admitted he liked hearing the panic in his victims’ voices when he phoned them. Parlon added that the arrest was the perpetrator’s 91st for cyber stalking. 

Parlon said Thomson Reuters’ resources prove useful to him in investigations, terming them “an amazing tool” for information on individuals. “It opens up a world of information,” he said, for exactly what might be needed to help solve a case.

Stephenie Slahor, Ph.D., J.D., writes in the fields of law enforcement and security. She can be reached at

Published in Law and Order, Jan 2013
