Forensics 101: Digital Investigations and Cybercrime

The last of the forensics panels at Bloody Words XIII led us into the fascinating world of cybercrime. Our guide for the hour was digital forensics investigator Michael Perkin. Michael walked us through a couple of his cases (with all the specifics removed, of course) to give us a taste of how the bad guys were caught.

A case of defamation:

  • A string of terrible allegations was posted in a series of blog entries.
  • The perpetrator then created a Gmail account to email the victim’s family, friends and colleagues links to the blog posts.
  • Enter Michael. The first step in any digital investigation is the forensic acquisition of data. Never work from the original but make a full copy of all drives onto brand new, blank drives. Then the analysis can begin.
  • Michael was able to analyze the email headers and trace the emails back to a specific internet provider. This in turn led back to the perpetrator, someone known to the victim.
  • A judge issued an ‘Anton Piller’ order—the search and seizure order from the civil side of law (as opposed to a standard criminal law order).
  • The perpetrator had 30 minutes as the law allows to consult with his lawyer before the search could begin. He spent that entire time on his computer. When the computer was recovered, the desktop and documents folders on the hard drive were all blank. Except they really weren’t.
  • Michael then drew the analogy of a hard drive being like a book (it was a writing conference after all!). The book has a table of contents and information on every page.
  • The table of contents is what the computer considers the ‘master file table’—this keeps track of all the files on the computer.
  • When the perpetrator deleted all the files, all he really did was remove the table of contents—the file index—leaving the information still in place.
  • All Michael had to do was read through all the information on the drive and all the data required to convict the perpetrator was right there.

The complicated bounce:

  • A computer at a company was suddenly locked out by a remote user.
  • Michael came in to investigate, copied all the files, and analyzed the data.
  • He discovered that the computer was accessed from another computer within the organization, which was accessed through another computer within the organization… rinse and repeat through numerous bounces.
  • Michael was finally able to access the high value computer that was the actual target and discovered that data had been copied from it. But to where?
  • In the end, it was the perpetrator’s printer that gave him up. No matter where he had bounced, each connection mapped back to his networked printer. So the final link in the chain could be mapped back to the perpetrator’s printer and, from there, to his computer and to him.

Bitcoin and its potential for cybercrime:

  • Bitcoin is essentially a protocol. Just like email is a protocol to send messages over the Internet, Bitcoin is a protocol to send money over the Internet.
  • Bitcoin has an address and a key, just like email has an address and a password. Both are extremely long alphanumeric strings.
  • Bitcoin information can be stored on a computer, on a USB key, in a barcode, on a printout, or in your memory. This last is important as border crossings have a $10,000 limit to cross without reporting. But your Bitcoin account could contain millions of dollars and if you cross the border with the account and key memorized, you can circumvent reporting the money you ‘carry with you’.
  • You can access your money from anywhere in the world. You can also send any amount of money to anywhere in the world.
  • You could keep your printed Bitcoin key in a safety deposit box. Every time you deposit money into your Bitcoin account, you are essentially beaming it straight into that safety deposit box since it can’t be accessed without that key.
  • People have accessed funds when in trouble simply by finding a public access—like television—and broadcasting their Bitcoin address in a 2D barcode with ‘Send Money’.
  • Previous ID theft required a victim’s name, birthday, and social insurance number to steal your money. Now all that is required is your Bitcoin key.

Nifty facts about digital forensics:

  • There are three types of space on a hard drive:
      • Allocated space—sections of the drive used to hold files; these sections are listed in the table of contents/master file table.
      • Unallocated space—sections of the drive that aren’t in use; these sections are not listed in the table of contents/master file table, but may still hold information.
      • Slack space—Back to the book analogy: Suppose that a full page of information is deleted from the table of contents. That space is now considered unallocated. If half of that page is overwritten with new information (listed in the table of contents), the remaining half page of old information—the portion of the allocated space that is not used—is considered ‘slack space’.
  • The only way to truly destroy data on a drive is to overwrite it multiple times. Data destruction software does this by simply writing 1’s and 0’s to the drive. Military protocol demands the drive be written over 10 times to consider the previous information truly ‘deleted’.
  • If you truly need to secure your computer, take it off the internet and lock it in a room where only limited people have access through physical keys.
  • Computers silently record everything we do through printer mapping, file edits, program usage and your browsing history (yes, even when you delete the cache). A skilled investigator can trace you through any of these pathways.
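The two points above (deleting a file only drops its index entry, and a partly reused cluster keeps the tail of the old data as slack) as an added Python model; this is not code from the session or the post, and the cluster size, file names and contents are constructed for illustration.

```python
import re

CLUSTER = 16            # bytes per cluster (tiny, for illustration)
CLUSTERS = 8            # total clusters on the constructed toy disk

class ToyDisk:
    """Constructed model of a drive: raw bytes plus an index (the 'table of
    contents' / master file table) mapping file name -> (first cluster, length)."""
    def __init__(self):
        self.raw = bytearray(CLUSTERS * CLUSTER)
        self.index = {}

    def _clusters_of(self, first, length):
        return range(first, first + -(-length // CLUSTER))   # ceiling division

    def free_clusters(self):
        used = {c for f, n in self.index.values() for c in self._clusters_of(f, n)}
        return [c for c in range(CLUSTERS) if c not in used]

    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))
        free = self.free_clusters()
        for i in range(len(free) - need + 1):            # first contiguous free run
            run = free[i:i + need]
            if run[-1] - run[0] == need - 1:
                start = run[0] * CLUSTER
                # Only len(data) bytes are written; the tail of the last cluster
                # keeps whatever was there before (that tail is the file's slack).
                self.raw[start:start + len(data)] = data
                self.index[name] = (run[0], len(data))
                return
        raise OSError("disk full")

    def delete(self, name):
        del self.index[name]          # only the index entry goes; the bytes stay put

    def unallocated(self):
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free_clusters())

    def slack(self):
        out = {}
        for name, (first, length) in self.index.items():
            end = first * CLUSTER + length
            cluster_end = (first + len(self._clusters_of(first, length))) * CLUSTER
            out[name] = bytes(self.raw[end:cluster_end])
        return out

    def wipe_free_space(self, passes=(b"\x00", b"\xff")):
        for pattern in passes:           # overwrite every free cluster on each pass
            for c in self.free_clusters():
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = pattern * CLUSTER

def residual_text(disk, min_len=4):
    """Carve printable ASCII runs, as an investigator reading past the index."""
    find = lambda b: [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, b)]
    return {"unallocated": find(disk.unallocated()),
            "slack": {n: find(b) for n, b in disk.slack().items() if find(b)}}

def demo():
    d = ToyDisk()
    d.write("draft.txt", b"Evidence: defamatory post drafted here.")
    d.delete("draft.txt")                         # 'emptied' folder, data intact
    d.write("notes.txt", b"Grocery list")         # reuses part of cluster 0
    before = residual_text(d)
    d.wipe_free_space()                           # clears free clusters, not slack
    return before, residual_text(d)
```

Note that the wipe clears what was carved from unallocated space, while the slack inside the new file survives it.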

Photo credit: Benjamin Doe/Wikimedia Commons

Forensics 101: Fingerprinting Techniques

Today I’m continuing with my series of session reviews from Bloody Words XIII earlier this month in Toronto. I was interested in a session called CSI: Toronto, but when retired forensic identification specialist Wade Knaap arrived (with his graduate student apprentice) and started pulling out bottles of chemicals, I knew we were in for a treat. Sidenote—as a practicing scientist, I couldn’t help but wince every time Wade picked up his Tim Horton’s coffee in his gloved hand to take a sip. Just…no.

A Detective Constable for many years with the Toronto Police Service, Wade is now retired and teaching forensic identification at the University of Toronto. He spent an hour teaching us some of the tools of the trade when it came to fingerprint identification, specifically with latent prints—prints that are invisible to the naked eye until something is used to develop them.

First he dealt with fingerprints on a porous surface, i.e. paper, thermal cash register bills, currency.

Black magnetic powder: Investigators use a magnetic wand to pick up the fine magnetic powder (the powder comes in many shades, so there is always a contrasting shade available no matter what the background colour). The powder is gently swiped in a circular motion over the latent print. The moisture in the print attracts the powder and the latent print is revealed. Unfortunately, any moisture will attract the powder in the same way, so if there is a latent print on a bottle with beer splashed over it, the powder will stick to the entire bottle. If a latent print is successfully detected and isolated, it can be lifted with tape to be photographed and entered into evidence.

Ninhydrin: This chemical reacts with the amino acids in fingerprints to produce a purple colour. A paper with a potential print is soaked in ninhydrin and allowed to air dry. Then the paper is exposed to steam. Any prints present will turn purple. These prints can then be further enhanced with a light source and photographed.

Wade then moved on to non-porous surfaces like a wall or solid object.

Cyanoacrylate (superglue): This is a popular one with the current forensics shows. You see them put an object with a potential print into an airtight box with a small tray of water and some superglue on a heated plate. As the plate temperature rises, the superglue vapourizes and the gaseous glue particles bind to the protein and amino acids in the fingerprint, polymerizing and plasticizing the print, creating a three-dimensional permanent version. This procedure is very useful on handguns, where the gun oil required for regular maintenance would produce an extremely high background with most fingerprinting powders. If a dye is added to the superglue, a forensic light can be used to reveal the fingerprint. If the sample is in the field and can’t be moved into the lab, a portable cyanoacrylate torch can be used at the scene. However, great care must be taken as the temperature to vapourize the superglue is only somewhat below the temperature to produce deadly cyanide gas.

Amido black: This chemical is used solely for blood impressions that are too faint to see clearly or use for identification purposes. Faint impressions are sprayed with amido black and then the reaction is chemically stopped. After a final rinse with water, the formerly faint impressions are a vivid permanent black.

Some fun facts about fingerprinting:

  • Luminol is simply a blood locator that enhances small amounts of blood. It does not give big glowing prints like you commonly see in crime shows.

  • Light sources can be very useful in finding bodily fluids. But unlike how this technique is fictitiously used in crime shows, while it does light up semen or vaginal fluids, it will never light up blood spatter.

  • None of the above tools are able to pull a reliable fingerprint from a live person without transferring that print first; there’s simply too much moisture. However, you can do this from a cadaver using either magnetic powder or a process of iodine fuming and silver plate.

  • Canada’s fingerprint database is run by the RCMP nationwide, allowing for countrywide comparison. However, each state in the United States runs its own system, so to search outside an individual state, investigators must apply for national searches. A reciprocal agreement exists between Canada and the U.S. to allow for open access for print searches between the two countries. Outside of Canada and the U.S., application must be made to Interpol for further searches.

  • There are three types of prints: a deposited print (like a latent print from oily fingers), a takeaway impression (where, for instance, a dusty surface is touched and the dust is removed only from the point of contact), or a molded impression (if fingertips touch wet paint, leaving a 3D impression of the print behind).

  • Canada recently issued new dollar bills made of polymer instead of paper. Porous techniques no longer apply to these new bills; instead, the superglue fuming technique must be used to develop latent prints.

  • Unlike in CSI, overlapping prints cannot be taken apart and put back together to make a full print with multiple points of comparison. When prints overlap, the only parts of the print that are usable are the sections that are completely isolated and not in contact with any other print. This greatly decreases the chances of successfully identifying the print.

Next week, I’ll be back with my final forensics session review when I’m going to talk about cybercrime and the new threat presented by Bitcoin.

Forensics 101: A Primer on Blood

I’m recently back from the final Bloody Words crime writer’s conference, so, over the next few weeks, I’m going to share some of the fascinating information I learned at some of the panels I attended. This is the third time I’ve attended this conference, and while they always excelled at having lots of sessions pertaining to writing, they also had multiple sessions on forensics and procedure, taught by in-the-field professionals.

The first session of the conference was forensic hematology, presented by Margo French, a medical lab technologist. Margot has worked in the field of hematology (the study of blood, its cells and organs and blood-oriented diseases) for decades. She has been called as a trial witness on many occasions, so she’s familiar with lab techniques in criminal investigations.

Blood basics:

Blood can be broken down into two components—liquid and cellular. The liquid component, the plasma, makes up 55% of the total blood volume, with the combined cells making up the remaining 45%. 

Red blood cells (RBC):

  • RBCs are the overwhelming cellular component in blood, making up about 60% of the total cellular volume. A single drop of blood has approximately 3.4 million RBCs.
  • RBCs are the only cells in the body that are non-nucleated (have no DNA in the form of chromosomes). Cells develop in the bone marrow and start off having nuclei, but when they leave the marrow 7 days later, they are non-nucleated. Nucleated RBCs in the blood stream are destroyed by the spleen.
  • RBCs live for approximately 120 days.
  • The main purpose of RBCs is to carry oxygen to the tissues and carbon dioxide from the tissue. To accomplish this task, RBCs contain hemoglobin to bind the compounds for transfer within the body.
  • The key to gas transport is the iron ions that are an integral part of the hemoglobin molecule. The iron you’re born with can stay with you for life, and is constantly recycled during your lifetime. When RBCs are destroyed, a type of white blood cell called a macrophage uptakes the iron and transports it back to the storage pool for reuse.

White blood cells (WBC):

  • WBCs make up approximately 20% of the total cellular volume. A single drop of blood normally contains between 3,500 and 8,000 WBCs.
  • The WBC complement is part of the human immune system and is made up of lymphocytes (including natural killer cells, T cells and B cells), basophils and eosinophils.
  • WBCs vary in size based on cell type, but are generally about twice the size of a RBC.
  • The life span of different WBCs also varies, but lymphocytes can live for years. Lymphocytes are the cells that recognize specific pathogens and, in the presence of a pathogen, will signal and then mount an immune response against it.

Platelets:

  • Platelets are not intact cells. They are actually tiny pieces of cytoplasm from bone marrow cells called megakaryocytes.
  • Platelets are approximately 1/4 the size of a RBC and 1/8 the size of a WBC.
  • Platelets make up approximately 20% of the total cellular volume. Because of their size, a single drop of blood contains 150 – 400 million platelets.
  • Platelets work with coagulation factors to stop bleeding. When the skin is cut, RBCs rushing to the site form a mesh. Platelets arrive at the site, swell, and become sticky. They then enter the mesh, filling the holes and creating a solid barrier, stopping the outward flow of blood.

Plasma:

  • Composed of 95% water, plasma also contains proteins, clotting factors, hormones, electrolytes and glucose.
  • Its main function is as the medium that holds the blood cells in suspension, and allows the flow and transport of cells, nutrients, and waste products around the body.

Some interesting facts about blood in criminal investigations:

  • While thought to be a modern investigative tool, the chemical locator ‘Luminol’ dates back to 1901.
  • The first time blood analysis was used as part of an investigation was in 1937.
  • Blood and fingerprinting used to be an investigator’s primary identification tools. But both techniques have been eclipsed in recent years by DNA, as this is the only technique which can completely exclude a suspect (all other tests have a certain percentage of false negatives).
  • Information carried in the blood can denote blood type to include or exclude a suspect. DNA obtained from white blood cells can be used for definitive identification.
  • The difference between many species and human blood is not easily discernible, so serology—the study of human plasma—is used to identify human blood.
  • Blood is also used for chemical testing, e.g. blood alcohol and blood glucose analysis.
  • While not covered in this blog post, blood at a crime scene can indicate the mechanics of the crime, i.e. bloody carrying or spatter.

 Next week, we’re going to look at fingerprinting techniques, especially when investigators are faced with latent (invisible) prints.

Forensic Case Files: How Shakespeare Changed History (or The Continuing Story of Richard III)

[Image: A 3D approximation of the articulated skeleton of Richard III]

It’s a story we’ve been following for a while. In October of 2012, we covered the discovery of historic human remains under a parking lot in Leicester. Because of the physical characteristics of those remains—primarily an extremely curved spinal column—it was suggested that they were the remains of King Richard III, killed at the Battle of Bosworth Field, during the War of the Roses against Henry Tudor (later Henry VII and the beginning of the Tudor line that would include Henry VIII and Queen Elizabeth I). In February of 2013, it was confirmed that those remains were indeed those of Richard III when scientists successfully matched his mitochondrial DNA—DNA consistently passed only through the female line of a family—to the mitochondrial DNA of relatives through Richard’s sister’s line.

Just last week, the University of Leicester announced that it had completed its studies on Richard’s spinal column and determined that the king’s spine showed 65 to 85 degrees of scoliosis, curving the spine to his right. A modern day patient with that degree of scoliosis would be an excellent candidate for surgery; in the fifteenth century, this was not yet an option. However, with the skilled help of both a tailor and master armorer, the deformity could have been minimized or even completely camouflaged (minus one shoulder sitting slightly higher than the other). Richard’s skeletal remains also show no evidence of a withered arm or a limp, both part of the Richard III legend. In fact, one needs to keep in mind that Richard was a skilled soldier, able to fight on horseback with both sword and shield—an act someone with a major deformity might not be able to accomplish.

It is clear now that Richard, while having a spinal deformity, was never a hunchback. So where did that picture of the king come from? No mention is made of Richard the hunchback until 1598 by Shakespeare: First in Henry VI: “an envious mountain on my back, / Where sits deformity to mock my body” (Act 3, scene ii) and later in Richard III, where Queen Elizabeth describes him as “that foule hunch-backt toade” (Act 4, scene iv). But considering that Shakespeare wasn’t a contemporary of Richard III, and was, in fact, born nearly 100 years after Richard’s death, where did this information come from? From the men who were writing the history of the time—the Tudors—who had a vested interest in showing Richard in the most negative light possible.

History is written by the victors. In this case, the Tudors used The Bard to smear a predecessor so successfully that over 400 years later, that unsupported history still lingers and, for many, the view of Richard as a hunchbacked monster responsible for the death of his two nephews, The Princes in the Tower, remains to this day.

Photo credit: The University of Leicester