Newsletter of April 2008 Monthly Newsletter of January 2009 Sponsored by: GFI

Welcome to the newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what *you* are all interested in hearing about. Please send your suggestions for future newsletter content to:

Endpoint security – Control the use of USB storage devices

A simple pen drive could be the biggest threat to your network security. Prevent virus infection from within and protect your organization against theft of sensitive data with endpoint security software.

GFI EndPointSecurity - Download a free trial today!

1. Investigating Cybercrimes

Microsoft network admins often need to work with criminal investigators when working up a cybercrime case. Because most of these crimes happen over a network, and not when the cybercriminal is on-site, you as the network guy will most likely be working with these investigators. These investigators can come from all levels of government, and the more you know about how they work, the better assistance you will be able to provide them.

Cybercrime investigators follow a step-by-step process in conducting investigations that is the same each time. This helps them avoid the possibility of skipping steps or neglecting important tasks. These steps are documented in a procedures manual that may be part of the agency's policies and procedures. A suggested set of steps follows:

  1. Analyze the complaint
  2. Collect physical evidence
  3. Seek expert advice (if necessary)
  4. Interview witnesses and interrogate suspects
  5. Construct the case file
  6. Analyze the case
  7. Follow up investigations
  8. Decide whether to prosecute

Analyzing the Complaint

Upon receiving a complaint or notification that a cybercrime has occurred, the investigator first analyzes the complaint to determine:

  • If a crime was committed, and if so:
  • What crime was committed

The analysis includes evaluating the plausibility of allegations that a violation of the law has occurred, considering the nature and seriousness of the crime, and considering other factors that may complicate the prosecution of the crime.

In an ideal world, all complaints would be thoroughly investigated and all criminal actions would be prosecuted. In our less than ideal world, manpower limitations and other considerations may prevent pursuing less serious cases. If the analysis of the complaint determines that a crime was committed and warrants a preliminary investigation, the next step is to start collecting evidence.

Collecting Physical Evidence

Physical evidence in this context refers to tangible items that can be gathered, marked/tagged and stored in a secure location until trial. Although the evidence itself may be digital in a cybercrimes case, the disk on which it is stored is a tangible item. There may be other physical evidence in addition to digital information, including fingerprints, documents, and so forth. These are preserved in accordance with standard crime scene practices.

Traditional crime scene techniques such as crime scene sketches, photographs and videotapes may be useful. This is especially true if there is information on the screen when investigators seize the computer that is not saved on disk.

There may be information in memory and status information (network connections that are open, applications and processes that are running, etc.) that is useful as evidence, but will be lost when the computer is powered down. However, saving this information, for example by dumping the contents of memory to a file, alters the system, so that no one can testify that it is exactly as it was found.

One way to avoid this problem is to use photography to record the displayed information. Another is to transfer the data to another computer. Remember that every task performed on a computer, even something as simple as saving a file, changes it in some way.

Note that crime scene sketches, photographs and videotapes all serve separate purposes in documenting the crime scene; none of these takes the place of another. The sketch shows perspective, while the videotape provides an overview of the scene. Still photographs are used to document specific items or information. None of these is admissible as evidence unless accompanied by a witness (usually the sketch artist, photographer or videographer) who can testify under oath to the circumstances in which they were made and that they represent the scene as he/she remembers seeing it.

Seeking Expert Advice

When a crime involves technical details that are beyond the knowledge of the investigator and/or prosecutor, it is often necessary as part of the investigation to seek advice and help from an expert in the field, much as one would seek the services of an interpreter if all of the witnesses at a crime scene spoke a language with which the investigator is unfamiliar. The ideal situation is to have law enforcement officers onboard or available on loan from other agencies who are technically savvy. Because this is often not the case, investigators may have to seek outside help.

When investigating a cybercrime in which a corporate network is the victim, why not just use the IT personnel there as the experts? Although this might save the agency some time and effort, it may not be the best idea. The expert used for technical advice should be objective, and it is often difficult to obtain objective opinions from persons whose own networks have been victimized.

Even if the company IT professionals are completely objective, there may be a perception that they are otherwise, which could be exploited if defense attorneys discover that they provided technical guidance to investigators. Agencies may be able to find IT experts within the community that are willing to volunteer their expertise for a good cause.

One good place to look is the academic world; computer science and computer security instructors at local colleges are often happy to help with technical questions in cybercrimes cases. Associations of computer professionals may also be able to point you in the right direction.

Interviewing and Interrogating

Interviewing witnesses and interrogating suspects may be an ongoing process throughout the investigation. As more information is gathered, new witnesses may be discovered and new suspects may come to light. Follow-up interviews may be necessary with witnesses who have already been interviewed, as the case develops.

Investigators get contact information from all witnesses, even those who might not need to be interviewed at the time. This includes work addresses and phone numbers and home addresses and phone numbers. It is not unusual for witnesses to leave the company or to move during the course of an investigation, making them difficult to locate if you have only one set of contact information.

It is also a good idea, in today’s mobile, connected world, to get witnesses' email addresses. Many people retain the same email address when they move and/or leave a job, so this may be the only contact information that remains constant.

Case Construction

The next step, after physical evidence has been gathered and documented and interviews and interrogations have been conducted, is to start putting together the physical case file. This is an important element in case preparation.

Black's Law Dictionary defines a case as "an aggregate collection of facts which furnishes occasion for the exercise of the jurisdiction of a court." Preparation, according to Webster's New Collegiate Dictionary, is "the action or process of making something ready." From this, we can extrapolate that a simple definition of case preparation is "a compilation of information made ready for court presentation."

The case file contains all documentation of the case, including (but not limited to):

  • Initial incident report from the officers or investigator who responded to the complaint
  • Follow-up reports
  • Documentation of evidence collection by crime scene technicians
  • Lab reports by forensics lab personnel
  • Written statements of witnesses, suspects and experts
  • Crime scene sketches, photographs and videotapes
  • Printouts of digital evidence, where applicable

The case file is used to organize information and evidence in one place and will be used by the prosecutor in making a decision as to whether to prosecute the case, and at trial. The case file must contain documentation of proof of the elements of the offense, the legality of the entry/search/seizure/arrest, and the preservation of the chain of custody.

Case Analysis

When the case file has been constructed and all documentation included, the next step is an analysis of the legal significance of the information and evidence it contains. This is usually done in conjunction with the prosecutor, who may be able to provide the investigator with guidance as to the weaknesses of the case and what additional information or evidence needs to be obtained to strengthen it. This may be the first of several pre-trial conferences between members of the prosecution team and the investigator(s).


After the case analysis, additional evidence may need to be obtained, or facts and information clarified. Re-interviewing witnesses at this point can serve several purposes. In addition to obtaining specific additional information, the second interview will help to refresh their memories about the case, help to refresh the investigator's memory about the case, and help to prepare the witnesses for the courtroom process if and when the case goes to trial.

Decision to Prosecute

After all additional information has been collected and the case file is considered complete, the prosecutor will make the decision to prosecute (or refer the case to a grand jury, depending on the jurisdiction and its procedures). At this time, the selection of the charge will also take place. In some cases, there may be several different offenses that could be charged.

The prosecutor will select the charge based on the provability of the elements and the difficulty of obtaining a conviction, as well as the severity of the punishment. For example, a suspect's actions might contain the elements of two different offenses, unauthorized access and theft of trade secrets. If the latter charge is a felony and the former is a misdemeanor, the prosecutor may choose to charge only the more serious offense.

In other cases, both charges would be brought. Generally, if one offense is a lesser included offense of another, the jury can find the defendant guilty of the lesser charge even though only the higher charge was filed.


Criminal investigation of cybercrime cases uses many of the same principles used to investigate other crimes. This article is a bit of a departure from our usual articles in the newsletter, but given the increasing number of network-based attacks on information on your Microsoft networks, I figured that many of you will have the opportunity to work with the authorities, and a better understanding of how the authorities work will help you work with them more smoothly.

See you next month!
For ISA or TMG firewall, as well as other Forefront Consulting Services in the USA, call me at 206-443-1117 or visit the Prowess Consulting web site.

Quote of the Month - "It is said that power corrupts, but actually it's more true that power attracts the corruptible". - David Brin

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you the ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000s of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. Articles of Interest

4. KB Article of the Month

A delay occurs when you try to reconnect to the network on a Windows Vista Service Pack 1-based or Windows Server 2008-based computer that is a member of a domain

You have a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer that is a member of a domain. When you disconnect from the network, you may experience a delay of 12 to 14 seconds before you can access the network again.


  • This issue usually occurs when the computer switches between a network that deploys Network Access Protection (NAP) enforcement and another network.
  • This issue does not occur on a computer that is running the release version of Windows Vista or on a computer that is not a domain member.

For the solution to this problem go here.

5. Windows Networking Tip of the Month

The Scalable Networking Pack (SNP) has been the bane of existence for some time for Microsoft network admins. SNP can cause the following problems when enabled on your Windows Server 2003 computer:

  • You cannot create a Remote Desktop Protocol (RDP) connection to the server.
  • You cannot connect to shares on the server from a computer on the local area network.
  • You cannot join a client computer to the domain.
  • You cannot connect to the Exchange server from a computer that is running Microsoft Outlook.
  • Inactive Outlook connections to the Exchange server may not be cleaned up.
  • You experience slow network performance.
  • You may experience slow network performance when you communicate with a Windows Vista-based computer.
  • You cannot create an outgoing FTP connection from the server.
  • The Dynamic Host Configuration Protocol (DHCP) server service crashes.
  • You experience slow performance when you log on to the domain.
  • Network Address Translation (NAT) clients that are located behind Windows Small Business Server 2003 or Internet Security and Acceleration (ISA) Server experience intermittent connection failures.
  • You experience intermittent RPC communications failures.
  • The server stops responding.
  • The server runs low on nonpaged pool memory.

If you’re experiencing any of these kinds of problems, you can quickly and easily disable the SNP features by downloading an update. Check out the KB article and download the update here.


6. WindowsNetworking Links of the Month

7. Ask Dr. Tom


Hi Tom,

I'm having a hard time with my Vista VPN clients. When they connect to my Windows Server 2008 VPN server, they try to connect to resources on the network using computer names, but it doesn’t work. These computers are not joined to the domain. Any tips? Thanks! - Ricardo.


Hi Ricardo,

The problem is most likely due to the fact that your non-domain joined clients do not know how to fully qualify the computer names that the clients are trying to reach. For example, your user tries to reach a network share \\server1\share and gets an error that says the name cannot be resolved or the computer is unreachable. The problem is that DNS cannot resolve the single label name \\server1. There are two solutions to this problem. Users can append a domain name to the request, so that the connection is to \\\share, or they can configure the client system to append a DNS suffix to their requests in the following way:

  1. Click Start, right-click Network, and then click Properties.
  2. Click Manage network connections.
  3. Right-click the VPN connection that you want to configure, and then click Properties.
  4. If you are prompted to confirm that you want to continue, click Continue.
  5. In the This connection uses the following items box on the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  6. Click Advanced, and then click the DNS tab. 
  7. Specify the DNS suffix for the connection, and then click OK three times.

The second option only needs to be done once, so your users won't need to type the FQDN each time they want to reach a server on the internal network.

Got a question for Dr. Tom? Send it to
