January 14, 2002

Cybersleuthing solves the case

Computer forensic investigators use a variety of methods and tools to nab cybercriminals.

By Deborah Radcliff

Businesses with intellectual property and online customers to protect are increasingly calling on cyberforensics investigators to get to the bottom of cases of employee wrongdoing and electronic crimes. "People are calling us when they find malicious software installed on their servers, when they're leaking sensitive information, when they suspect employee harassment -- even in cybersquatting cases," says Ed Skoudis, vice president of ethical hacking at Predictive Systems Inc., a technology services firm in New York.

Forensic techniques vary depending on the type of investigation. For example, some investigative firms, like Brandon Internet Services, simply track and trace over the Internet and sort through other publicly available electronic records. Large businesses use cyberinvestigators to set up alarms and traps to watch and catch intruders and criminals within their networks.

To show a cross-section of different types of cyberinvestigations and the tools used to conduct them, Computerworld profiles three ways that organizations have dealt with crime -- and sometimes criminals -- in their midst.

The Case of the Freaky Accounts

How techniques of Internet and database investigations thwarted two prolific Russian "carders" (credit card thieves):

There were too many Hudsens and Stivensons opening accounts with PayPal Inc., an online payment processing company in Palo Alto, Calif. John Kothanek, PayPal's lead fraud investigator (and a former military intelligence officer), discovered 10 names opening batches of 40 or more accounts that were being used to buy high-value computer goods in auctions on eBay.com. So PayPal froze the funds used to pay for the eBay goods (all to be shipped to an address in Russia) and started an investigation.

Then, one of PayPal's merchants reported that it had been redirected to a mock site called PayPaI. Kothanek's team set up sniffer software, which catches packet traffic, at the mock site. The software showed that operators of the mock site were using it to capture PayPal user log-ins and passwords. Investigators also used the sniffer to log the perpetrators' own IP address, which they then used to search against PayPal's database. It turned out that all of the accounts under scrutiny were opened by the same IP address.
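The two checks described above, batches of accounts opened under a recurring surname and a single source IP behind all of them, are easy to run over signup records once an investigator has an IP to pivot on. The following is an example added for this page, not PayPal's own tooling; the signup records are constructed, and the field names and thresholds (40 accounts per surname, matching the batches the article mentions) are assumptions.

```python
"""Cluster account signups by recurring surname and by source IP, then
pivot from an IP captured elsewhere (for example by a sniffer) to the
batched accounts opened from it.  Example code added for this page, not
PayPal's tooling; all records below are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Signup(NamedTuple):
    account: str
    surname: str
    source_ip: str


# Constructed sample: two surnames used for 40+ accounts each, all from
# one address, plus a few ordinary signups from other addresses.
SIGNUPS: List[Signup] = (
    [Signup(f"hudsen{i:02d}", "Hudsen", "192.0.2.45") for i in range(45)]
    + [Signup(f"stivenson{i:02d}", "Stivenson", "192.0.2.45") for i in range(42)]
    + [
        Signup("jsmith", "Smith", "198.51.100.7"),
        Signup("mjones", "Jones", "198.51.100.9"),
        Signup("asmith", "Smith", "203.0.113.20"),
    ]
)


def batches_by_surname(signups: List[Signup], threshold: int = 40) -> Dict[str, int]:
    """Surnames used to open at least `threshold` accounts."""
    counts: Dict[str, int] = defaultdict(int)
    for s in signups:
        counts[s.surname] += 1
    return {name: n for name, n in counts.items() if n >= threshold}


def accounts_by_ip(signups: List[Signup]) -> Dict[str, Set[str]]:
    """Map each source IP to the set of accounts it opened."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for s in signups:
        by_ip[s.source_ip].add(s.account)
    return by_ip


def link_ip_to_suspects(signups: List[Signup], suspect_ip: str,
                        threshold: int = 40) -> Dict[str, int]:
    """Return the batched surnames whose accounts were *all* opened from
    `suspect_ip`, i.e. the database side of the IP correlation."""
    from_ip = accounts_by_ip(signups).get(suspect_ip, set())
    linked: Dict[str, int] = {}
    for surname in batches_by_surname(signups, threshold):
        accts = {s.account for s in signups if s.surname == surname}
        if accts and accts <= from_ip:
            linked[surname] = len(accts)
    return linked


if __name__ == "__main__":
    print("batched surnames:", batches_by_surname(SIGNUPS))
    print("linked to 192.0.2.45:", link_ip_to_suspects(SIGNUPS, "192.0.2.45"))
```

The surname test alone only says that the names are odd; the IP pivot is what ties the batches to the operators of the fake site, which is why the function requires every account in a batch to come from the suspect address before reporting it.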

Using two freeware network-discovery tools, TraceRoute (www.tracert.com) and Sam Spade (www.samspade.org), PayPal found a connection between the fake PayPal server address and the shipping address in Russia to which the accounts were trying to send goods. Meanwhile, calls were pouring in from credit card companies disputing the charges made from the suspect PayPal accounts. The perpetrators had racked up more than $100,000 in fraudulent charges using stolen credit cards -- and PayPal was fully liable to repay them.

"Carders typically buy high-value goods like computers and jewelry so they can resell them," says Ken Miller, PayPal's fraud control director.

PayPal froze the funds in those accounts and began to receive e-mail and phone calls from the perpetrators, who demanded that the funds be released.

"They were blatant," says Kothanek. "They thought we couldn't touch them because they were in Russia."

Then PayPal got a call from the FBI. The FBI had lured the suspects into custody by pretending to be a technology company offering them security jobs.

Using a forensics tool kit called EnCase (www.encase.com), Kothanek's team helped the FBI tie its case to PayPal's by running the keyword and pattern searches familiar to the PayPal investigators against a mirror-image copy of the suspects' hard drives, including the slack space and unallocated space (often called ambient data) where remnants of deleted files remain until they are overwritten.

"We were able to establish a link between their machine's IP address, the credit cards they were using in our system and the Perl scripts they were using to open accounts on our system," Kothanek says.

The alleged perpetrators, Alexey Ivanov and Vassili Gorchkov, were charged with multiple counts of wire fraud in May. Gorchkov was convicted in September on 20 counts of wire fraud and is awaiting sentencing. Ivanov is still awaiting trial.

The Case of Mastering the Zombies

How a systems and network examination helped the University of Washington kick a cracker out of 30 of its systems:

The calls started on July 1. Frantic administrators were asking why subnets and IP addresses from Dave Dittrich's 50,000-node network were scanning them and flooding them with denial-of-service (DoS) packets. "We were shutting affected machines off as we found them, but at one point, we had over 30 of our systems scanning and sending DoS attacks to over 9,000 targets," says Dittrich, senior security engineer at the University of Washington in Seattle.

Using Irvine, Calif.-based Foundstone Inc.'s Fport (www.foundstone.com/rdlabs/tools.php?category=Intrusion+Detection), which maps each listening TCP and UDP port to the process and executable path that owns it, Dittrich's team located executables running from directory and file names uncommon on the Windows systems he ran on the network. The listing also showed that all of the unusual executables were communicating through the same high-numbered port, one that no standard configuration used.

"That tipped me off that I should be listening to network traffic to and from that port, so I set up sniffers on those ports," Dittrich says. He used a freeware sniffer called TCPDump (www.tcpdump.org), which captured the unusual traffic passing between his machines and the Internet Relay Chat (IRC) redirectors that were commanding them to send the scans and DoS attacks. Dittrich unplugged the compromised machines from their wall jacks and, with a team of 40 people, spent two weeks contacting 9,106 downstream targets, reformatting the hard drives on compromised machines and patching the Unicode vulnerability the attacker had used to get in.
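The triage above, reading a port-to-process listing, picking out executables in unexpected locations that share a high-numbered port, then turning those ports into a sniffer filter, can be scripted. The following is an example added for this page, not Foundstone's or Dittrich's code. The listing is constructed to resemble Fport's columns (Pid, Process, Port, Proto, Path); the exact spacing of real Fport output may differ, and the allow-list of "expected" directories and the 1024 port cutoff are assumptions a responder would tune to the site.

```python
"""Parse an Fport-style port-to-process listing, flag processes on
high-numbered ports running from unexpected directories, and build the
tcpdump filter for the ports they use.  Example code added for this page;
the listing and the allow-list are constructed assumptions."""
import re
from typing import List, NamedTuple

# Constructed sample modelled on Fport's columns; not a real capture.
# Two bot binaries sit outside the normal system directories and share
# high ports, alongside ordinary Windows services on low ports.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1044  inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
1380  winmgnt        ->  6667  TCP   C:\\WINNT\\system32\\os2\\dll\\winmgnt.exe
1380  winmgnt        ->  65130 TCP   C:\\WINNT\\system32\\os2\\dll\\winmgnt.exe
1412  svchost        ->  31337 UDP   C:\\Inetpub\\scripts\\tmp\\svchost.exe
"""

# Directories where the assumed baseline expects service binaries to live.
EXPECTED_DIRS = {
    r"c:\winnt\system32",
    r"c:\winnt\system32\inetsrv",
    r"c:\program files",
}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


class PortEntry(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str


def parse_fport(text: str) -> List[PortEntry]:
    """Turn the listing into records; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append(PortEntry(int(pid), proc, int(port), proto, path.strip()))
    return entries


def is_suspicious(entry: PortEntry, high_port: int = 1024) -> bool:
    """High-numbered port whose owning binary is not in an expected directory
    (or has no path at all, which the kernel-owned low ports legitimately do)."""
    if entry.port < high_port:
        return False
    directory = entry.path.rsplit("\\", 1)[0].lower() if "\\" in entry.path else ""
    return directory not in EXPECTED_DIRS


def suspicious_entries(entries: List[PortEntry]) -> List[PortEntry]:
    return [e for e in entries if is_suspicious(e)]


def ports_to_sniff(entries: List[PortEntry]) -> List[int]:
    """The distinct ports used by flagged processes, ready for a sniffer filter."""
    return sorted({e.port for e in suspicious_entries(entries)})


def tcpdump_filter(ports: List[int]) -> str:
    """BPF expression for tcpdump, e.g. `tcpdump -n -s 0 'port 6667 or port 31337'`."""
    return " or ".join(f"port {p}" for p in ports)


if __name__ == "__main__":
    entries = parse_fport(FPORT_SAMPLE)
    for e in suspicious_entries(entries):
        print(f"pid {e.pid:>5} {e.process:<10} {e.proto} {e.port:<6} {e.path}")
    print("tcpdump filter:", tcpdump_filter(ports_to_sniff(entries)))
```

The path test is the part that needs local knowledge: a bot that installs itself as `svchost.exe` passes a name-based check, which is why the script keys on the directory the binary runs from rather than on the process name.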

"It takes detailed network and host forensics to determine what type of malware is installed on the system and how it functions," he says. "That's why I post my findings to the general public: to help improve the training in forensics."

Dittrich's work, including details of the July attack, can be found at www.washington.edu/people/dad.

The Case of the Sneaky Engineer

How forensics examinations of many machines helped one company retrieve its intellectual property and stop the bad guy from using it again:

An engineer left a West Coast manufacturing company, which we'll call Company A due to pending litigation. When that same engineer turned up at Company B, a competitor, in September earning $10,000 more than market rate, Company A's executives worried that some of their intellectual property had been transferred to the competitor. Company A's executives filed a court motion for discovery, and then called New Technologies Inc. (NTI), a computer forensics support and training firm in Gresham, Ore.

In cases like this one, forensic procedure must be strictly followed or the evidence won't be accepted in court. The first rule is not to tamper with the evidence, so NTI's team made a mirror image of Company A's engineering servers and the engineer's old computer. To do that, they used a tool called SafeBack, which makes a bit-for-bit, time-stamped copy of a hard drive's contents without altering the original, says Paul French, lab manager at NTI.

While NTI investigators found signs of file copying to removable media on the engineer's computer at Company A, French's team couldn't find conclusive evidence of wrongdoing there. So under a court order for discovery, the NTI team then searched the suspect's home computer.

Using another NTI file search utility called FileListPro, the NTI team found that several product engineering drawings had been copied onto the home computer after the engineer had left the company. (FileListPro reports when each file was created, last accessed and last modified.)

The engineer claimed that the clock on his computer had malfunctioned and that the drawings were copied while he was still employed at Company A. But simple deduction told a different story: the date typed in a letter written in the same period matched the machine's time stamp on that letter, so the clock had been keeping correct time.
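Both steps above, flagging drawings whose file system creation time postdates the engineer's departure and testing the "broken clock" claim against a dated letter, come down to comparing time stamps. The following is an example added for this page, not NTI's FileListPro or any real case data; the file records, the departure date and the one-day tolerance are constructed assumptions.

```python
"""Time-stamp analysis for an intellectual-property case: which drawings
were copied onto a disk after the owner left the company, and does a dated
letter's file time stamp support or refute a 'my clock was wrong' defence.
Example code added for this page; all records are constructed."""
from datetime import date, datetime, timedelta
from typing import List, NamedTuple


class FileRecord(NamedTuple):
    path: str
    created: datetime   # when the file appeared on *this* volume
    modified: datetime  # last content change, preserved by most copy operations
    accessed: datetime


# Constructed: last day at Company A.
DEPARTURE = date(2001, 8, 31)

# Constructed listing from the home PC.  The two drawings have a created
# time weeks after their modified time: the copy got a fresh creation
# stamp while keeping the original's modification date.
HOME_PC: List[FileRecord] = [
    FileRecord(r"D:\work\widget_rev3.dwg",
               datetime(2001, 9, 14, 22, 5), datetime(2001, 6, 2, 10, 0),
               datetime(2001, 9, 14, 22, 6)),
    FileRecord(r"D:\work\housing_v2.dwg",
               datetime(2001, 9, 14, 22, 7), datetime(2001, 7, 19, 15, 30),
               datetime(2001, 9, 20, 8, 0)),
    FileRecord(r"D:\letters\landlord.doc",
               datetime(2001, 9, 16, 19, 40), datetime(2001, 9, 16, 19, 58),
               datetime(2001, 9, 16, 19, 58)),
    FileRecord(r"D:\personal\resume.doc",
               datetime(2001, 8, 3, 21, 0), datetime(2001, 8, 10, 20, 15),
               datetime(2001, 8, 27, 9, 0)),
]


def looks_like_copy(record: FileRecord) -> bool:
    """A modified time earlier than the created time is the fingerprint of a
    file copied from elsewhere rather than authored on this disk."""
    return record.modified < record.created


def copied_after_departure(records: List[FileRecord], departure: date,
                           suffixes=(".dwg",)) -> List[FileRecord]:
    """Engineering files that arrived on this volume after the departure date."""
    cutoff = datetime.combine(departure, datetime.max.time())
    return [r for r in records
            if r.path.lower().endswith(suffixes) and r.created > cutoff]


def clock_is_consistent(record: FileRecord, typed_date: date,
                        tolerance: timedelta = timedelta(days=1)) -> bool:
    """Test the broken-clock claim: the date typed inside a letter should fall
    within `tolerance` of the file system's modified time for that letter."""
    return abs(record.modified.date() - typed_date) <= tolerance


if __name__ == "__main__":
    for r in copied_after_departure(HOME_PC, DEPARTURE):
        print(f"{r.path}: created {r.created:%Y-%m-%d %H:%M}, "
              f"copy={'yes' if looks_like_copy(r) else 'no'}")
    letter = HOME_PC[2]
    print("clock consistent with letter dated 2001-09-16:",
          clock_is_consistent(letter, date(2001, 9, 16)))
```

If the machine's clock really had been wrong, every time stamp on the volume would be shifted together, so a letter whose typed date agrees with its own modified time is what undercuts the claim; the check is only as good as the independent date it is compared against.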

This was enough evidence to prompt an investigation of the engineer's machine at his new employer. The team found drawings that were similar to those from Company A, but with some differences. But through searches using keywords like diagrams and the name of Company A, French says his team found an e-mail trail on the engineer's new desktop that "cinched it." The e-mails, which passed between the engineer and his girlfriend, detailed their mutual possession of the diagrams in question. One written by the engineer said that the investigators wouldn't be able to tie anything back to them. And another, written by the girlfriend, asked the engineer what he wanted her to do with the drawings he'd sent her.

The result: "a court injunction against this engineer and his company developing products based off our client's intellectual property," French says. "If they do come out with a widget too similar in design, they'll slap them with criminal charges."

Copyright © 2002 Computerworld Inc. All Rights Reserved.