Lance P. Hawk, Manager of Computer Forensics and Investigations at ‘Air Products and Chemicals, Inc.’, takes the floor at the InfoSec World conference to deliver an instructive presentation on how in-depth forensic analysis and tracking can be conducted using a variety of web-based techniques and tools.
I think we are ready to begin our session “Using the Internet as an Investigative Tool”. This is not meant to be a technical session. It’s more to tell you the various sites that I use on a daily basis. My name is Lance Hawk. I manage computer forensics and investigations.
I have been doing that for 24 years. I also help out various levels of law enforcement, from local and state all the way to federal, because I actually grew up with forensics. Another responsibility I have is cyber risk mitigation and response, which mostly has to do with attacks and stuff like that.

This is a presentation that I give that actually grows based on input from the audience. First thing: general process and tools to document findings. We are going to talk about everything from screen grabbers and screen captures – to web mirrors and different things you can use to document your investigation.
General search engines – in this presentation I’ll only talk about two search engines: Google and Bing; I leave out Yahoo. And you may ask: “Why do you leave that out?” Yes, I realize it indexes 4 billion+ pages, but I seem to get more of a difference between the other two search engines. So this isn’t me saying, you know: “Don’t use Yahoo”; you may use whatever you are comfortable with.
Meta search engines – there are two big ones out there, and we will talk about them. A lot of people don’t know the difference between using a general search engine and a meta search engine; we will get into that.
Translating texts and web pages – I’ll talk about two different websites that can do that fairly well. I say ‘fairly well’ because there is a concept called ‘trust but verify’ in everything we talk about. Everybody knows what that means. I mean, if you are translating something from simplified Chinese to English, you know, it might not always sound so good, so you’ve got to verify, just like with some search engine results.
We are going to talk a lot about search engines that I love, but still, just like in the last session the speaker was talking about verifying it with another source, when you use search engines you have to verify it with another source. You really do because sometimes search engines only update themselves once every six months. I know one that doesn’t do it for two years. So depending on how old that data is, you don’t wanna get wrong results.
Search engines for the blogs and social investigations – when we get to this, I actually wanna add one aspect today in regards to recent caseloads, so I have an idea of what’s going on.
Air Products and Chemicals is a gases and chemicals company, a ‘Fortune 500’ company. I’d like to say we’re in the top 100 – we are not; we are not in the top 200, and I guess it’s 300. We are pretty close to that, with close to 20,000 employees worldwide.
So when I talk about the investigations, I’m gonna also talk about the international impact of a lot of these reviews. We will actually discuss a Chinese search engine, so we can get into it and understand the difference, you know, when you use one versus another, versus another.
Next, searching wikis and tweets – tweeting is actually interesting. A survey just came out saying there’s been a 20% increase in crime just using tweeting. In fact, they said it used to be 1.6%, now it is 2% of people. You know, 2% of tweets in a survey that was done are somehow and someway committing crimes. And that was done with a review of 10,000+ tweets.
Searching for people, searching for email – I also will talk about reverse address lookups. With reverse address lookups, a lot of them are already built into some of the tools we’re gonna be talking about here.
Miscellaneous searching, the IP address searching – that’s geolocation, which has brought a whole new round of forensics and searching.
And there is a great freebie out there we will talk about, and my model – if it’s free, it’s for me, as long as you can trust it, yet verify it. And there’s some other great ones that actually go into the history of registration of IP addresses which never existed before.
Searching for risks to your corporate reputation – one you probably know of; there are two that actually, if you feel bad one day, you might take a look at: you submit your corporate name and see what people say about your company, it’s amazing.
And finally, I will talk about accessing archived web pages.

Okay, this is what I call my ‘CYBB’, the ‘Cover Your Big Butt’ disclaimer (see image). The information is presented ‘as is’; we’re gonna talk about tools that can be used not just on the good side but the bad side, and the same thing goes for some of the websites discussed. It’s assumed you have the appropriate authority to use such tools and your company supports such tools. Any websites, processes, tools used will be done at your own risk. And the opinions presented herein are not from ‘Air Products’, they are from me, and they don’t reflect ‘Air Products’ or any other agency I’ve done work with.

Now, why use the Internet as an investigative tool? We all know: corporate, civil and criminal investigations – that’s the majority of my work. You can also add personal in there, as there is a lot of personal consultation done.
Intellectual asset protection – I didn’t use to do much of this, but that’s becoming more and more predominant, especially overseas for me, including protecting your ‘brand’. You know, how can you do that, what kind of websites can you use?
Litigation support, eDiscovery¹ – eDiscovery and computer forensics go hand in hand.
Competitive intelligence – it’s amazing that competitive intelligence is built into some search engines.
Then I’ll talk about compliance, and I really like this quote that just came out in a survey: “95% of workers use IT resources for personal reasons at work, yet 40% have no social networking guidelines”. That says a lot, and that’s a Unisys study.

What should you use to search? This is the first question to establish who the true geek in the room is. You have to be very careful. You wanna do your searching in a covert manner as much as possible. And generally you wanna use a dedicated independent resource. I have a machine I’ve specifically set aside for this. It does nothing but this Internet searching, nothing but that. And not only do I have it set aside, but it goes without saying that it has all the up-to-date virus and malware protection.
In fact, that machine – we have a normal corporate build, what is called the Gold Load – has none of that on it; it’s totally separate from my corporation. And it never gets plugged in to the company Internet or Intranet. It’s used specifically for searching.
I suggest covert searching; ‘Sam Spade’ is a good one. Is anybody in here familiar with ‘Tor’? Glad to see that, glad to see more and more people are getting familiar with that.

‘Tor’ is actually what was used when all the bedlam over in Egypt and China, and everything else, was coming up. It is the slickest way to avoid detection that’s out there. Now this is where the ‘CYBB’ disclaimer comes in, because it is used for good as well as bad. What it does is it employs something called ‘Onion Routing’, where basically I’ll connect to a server, which will connect to a server, which will connect to a server – it’s like a Verizon commercial – and so on and so on. And you can’t track back through multiple hubs. And I know various governments have tried; I know the U.S. government put some credence into that, too.
But I also use it just from a searching perspective because we do a lot of work over in the Middle East, obviously. And if you think about what gases and chemicals can be used for, and a lot of times people steal our product, the government is worried what our products could be used for, just think about it.
You wanna make sure that if you are investigating, say, some place over in Iran, and you are looking at their website – to make sure they don’t know you are looking, Tor is like the best thing out there for that.
Multiple browsers. I use multiple browsers for a variety of reasons. You do not want to stick with one – I mean Firefox, IE, whatever you like. I mean, they are all out there, but never just keep yourself to one, because I am amazed at the number of times using one versus another matters, or one is down and one is not – so, multiple browsers.
The other thing you wanna consider is multiple email addresses. You wanna set up a bunch of dummy emails. I have, at last count, like, 61-62 bogus email addresses. And I have them with a variety of different places, not just the typical Hotmail, Gmail, but I have ones set up in different countries where we do business. I can actually go and use those emails together with Tor, so I am giving a double layer of protection. You generally do not want things tracked back to you.
¹ eDiscovery (electronic discovery) refers to discovery in civil litigation which deals with the exchange of information in electronic format (often referred to as electronically stored information, or ESI). Usually (but not always) digital forensics analysis is performed to recover evidence.