WindowsNetworking.com Monthly Newsletter of January 2009 Sponsored by: GFI
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
Microsoft network admins often need to work with criminal investigators when a cybercrime case is being worked up. Because most computer crimes are committed remotely over the network rather than by a criminal who is physically on site, you, as the network administrator, are the one most likely to be working with these investigators. They can come from any level of government, and the more you know about how they work, the better assistance you will be able to provide.
Cybercrime investigators follow a step-by-step process in conducting investigations that is the same each time. This helps them avoid the possibility of skipping steps or neglecting important tasks. These steps are documented in a procedures manual that may be part of the agency's policies and procedures. A suggested set of steps follows:
Analyzing the Complaint
Upon receiving a complaint or notification that a cybercrime has occurred, the investigator first analyzes the complaint to determine:
The analysis includes evaluating the plausibility of allegations that a violation of the law has occurred, considering the nature and seriousness of the crime, and considering other factors that may complicate the prosecution of the crime.
In an ideal world, all complaints would be thoroughly investigated and all criminal actions would be prosecuted. In our less than ideal world, manpower limitations and other considerations may prevent pursuing less serious cases. If the analysis of the complaint determines that a crime was committed and warrants a preliminary investigation, the next step is to start collecting evidence.
Collecting Physical Evidence
Physical evidence in this context refers to tangible items that can be gathered, marked/tagged and stored in a secure location until trial. Although the evidence itself may be digital in a cybercrimes case, the disk on which it is stored is a tangible item. There may be other physical evidence in addition to digital information, including fingerprints, documents, and so forth. These are preserved in accordance with standard crime scene practices.
Traditional crime scene techniques such as crime scene sketches, photographs and videotapes may be useful. This is especially true if there is information on the screen when investigators seize the computer that is not saved on disk.
There may also be volatile information, such as the contents of memory, open network connections, and the applications and processes that are running, that is useful as evidence but will be lost when the computer is powered down. Capturing that information, for example by dumping memory to a file, itself alters the system, so nobody can afterwards testify that the computer is exactly as it was found.
One way around this problem is to photograph the information as it is displayed on screen. Another is to copy the data to a second computer; this still touches the evidence system, so the investigator records exactly what was run, when, and by whom, so that the resulting changes can be explained in court rather than leaving the volatile evidence to be lost entirely. Remember that every task performed on a computer, even something as simple as saving a file, changes it in some way.
Note that crime scene sketches, photographs and videotapes all serve separate purposes in documenting the crime scene; none of them takes the place of another. The sketch shows perspective, while the videotape provides an overview of the scene. Still photographs are used to document specific items or information. None of these is admissible as evidence unless accompanied by a witness (usually the sketch artist, photographer or videographer) who can testify under oath to the circumstances in which they were made and that they represent the scene as that witness remembers seeing it.
Seeking Expert Advice
When a crime involves technical details beyond the knowledge of the investigator and/or prosecutor, it is often necessary to seek advice and help from an expert in the field as part of the investigation, much as one would seek an interpreter if all of the witnesses at a crime scene spoke a language the investigator did not understand. The ideal situation is to have technically savvy law enforcement officers on staff or available on loan from other agencies. Because this is often not the case, investigators may have to seek outside help.
When investigating a cybercrime in which a corporate network is the victim, why not just use the IT personnel there as the experts? Although this might save the agency some time and effort, it may not be the best idea. The expert used for technical advice should be objective, and it is often difficult to obtain objective opinions from persons whose own networks have been victimized.
Even if the company IT professionals are completely objective, there may be a perception that they are not, which defense attorneys could exploit if they discover that the victim's own staff provided technical guidance to investigators. Agencies may be able to find IT experts within the community who are willing to volunteer their expertise for a good cause.
One good place to look is the academic world; computer science and computer security instructors at local colleges are often happy to help with technical questions in cybercrimes cases. Associations of computer professionals may also be able to point you in the right direction.
Interviewing and Interrogating
Interviewing witnesses and interrogating suspects may be an ongoing process throughout the investigation. As more information is gathered, new witnesses may be discovered and new suspects may come to light. Follow-up interviews may be necessary with witnesses who have already been interviewed, as the case develops.
Investigators get contact information from all witnesses, even those who might not need to be interviewed at the time. This includes work addresses and phone numbers and home addresses and phone numbers. It is not unusual for witnesses to leave the company or to move during the course of an investigation, making them difficult to locate if you have only one set of contact information.
It is also a good idea, in today's mobile, connected world, to get witnesses' email addresses. Many people retain the same email address when they move and/or leave a job, so this may be the only contact information that remains constant.
The next step, after physical evidence has been gathered and documented and interviews and interrogations have been conducted, is to start putting together the physical case file. This is an important element in case preparation.
Black's Law Dictionary defines a case as "an aggregate collection of facts which furnishes occasion for the exercise of the jurisdiction of a court." Preparation, according to Webster's New Collegiate Dictionary, is "the action or process of making something ready." From this, we can extrapolate that a simple definition of case preparation is "a compilation of information made ready for court presentation."
The case file contains all documentation of the case, including (but not limited to):
The case file is used to organize information and evidence in one place and will be used by the prosecutor in making a decision as to whether to prosecute the case, and at trial. The case file must contain documentation of proof of the elements of the offense, the legality of the entry/search/seizure/arrest, and the preservation of the chain of custody.
When the case file has been constructed and all documentation included, the next step is an analysis of the legal significance of the information and evidence it contains. This is usually done in conjunction with the prosecutor, who may be able to provide the investigator with guidance as to the weaknesses of the case and what additional information or evidence needs to be obtained to strengthen it. This may be the first of several pre-trial conferences between members of the prosecution team and the investigator(s).
After the case analysis, additional evidence may need to be obtained, or facts and information clarified. Re-interviewing witnesses at this point can serve several purposes. In addition to obtaining specific additional information, the second interview will help to refresh their memories about the case, help to refresh the investigator's memory about the case, and help to prepare the witnesses for the courtroom process if and when the case goes to trial.
Decision to Prosecute
After all additional information has been collected and the case file is considered complete, the prosecutor will make the decision to prosecute (or refer the case to a grand jury, depending on the jurisdiction and its procedures). At this time, the selection of the charge will also take place. In some cases, there may be several different offenses that could be charged.
The prosecutor will select based on the provability of the elements and the difficulty of obtaining a conviction, as well as the severity of the punishment. For example, a suspect's actions might contain the elements of two different offenses, unauthorized access and theft of trade secrets. If the latter charge is a felony and the former is a misdemeanor, the prosecutor may choose to charge only the more serious offense.
In other cases, both charges would be brought. Generally, if one offense is a lesser included offense of another, the jury can find the defendant guilty of the lesser charge even though only the higher charge was filed.
Criminal investigation of cybercrime cases uses many of the same principles used to investigate other crimes. This article is a bit of a departure from our usual articles in the windowsnetworking.com newsletter, but given the increasing number of network based attacks on information on your Microsoft networks, I figured that many of you will have the opportunity to work with the authorities, and a better understanding of how the authorities work will help you work with them more smoothly.
3. WindowsNetworking.com Articles of Interest
A delay occurs when you try to reconnect to the network on a Windows Vista Service Pack 1-based or Windows Server 2008-based computer that is a member of a domain
You have a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer that is a member of a domain. When you disconnect from the network, you may experience a delay of 12 to 14 seconds before you can access the network again.
For the solution to this problem go here.
The Scalable Networking Pack (SNP) has been the bane of many a Microsoft network admin's existence for some time. SNP can do the following things when enabled on your Windows Server 2003 computer:
If you're experiencing any of these kinds of problems, you can quickly and easily disable the SNP features by downloading an update. Check out the KB article and download the update here.
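Before and after applying the update it is worth checking what the server is actually running with. The following script is an added example, not from the newsletter or from Microsoft's update: it reads the three TCP/IP registry values that control the SNP features (EnableTCPChimney, EnableRSS and EnableTCPA, the documented parameter names) and can write the same zero values the update writes. The function names are this example's own. It needs PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example: audit the Scalable Networking Pack features on a Windows Server
# 2003 host and, if wanted, disable them the same way the SNP update does.
# Key and value names are the documented TCP/IP parameters; function names are
# this example's own. Requires PowerShell 2.0 or later, run elevated.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$SnpValues   = 'EnableTCPChimney', 'EnableRSS', 'EnableTCPA'   # TCP Chimney offload, RSS, NetDMA

function Get-SnpState {
    # One object per feature. An absent value has never been explicitly
    # disabled and is reported as 'not set' rather than guessed at.
    $props = Get-ItemProperty -Path $TcpipParams
    foreach ($name in $SnpValues) {
        $raw = $props.$name
        if ($raw -eq $null)   { $state = 'not set' }
        elseif ($raw -eq 0)   { $state = 'disabled' }
        else                  { $state = 'enabled' }
        New-Object PSObject -Property @{ Feature = $name; Value = $raw; State = $state }
    }
}

function Disable-Snp {
    # Sets EnableTCPChimney, EnableRSS and EnableTCPA to 0 (REG_DWORD), which is
    # what the update does; the change only takes effect after a restart.
    foreach ($name in $SnpValues) {
        Set-ItemProperty -Path $TcpipParams -Name $name -Value 0 -Type DWord
    }
    Get-SnpState
}

# Report only; call Disable-Snp (and then restart) to turn the features off.
Get-SnpState | Format-Table Feature, Value, State -AutoSize
```

A feature reported as 'not set' is still at whatever the installed service pack's default is, so the only state you can rely on after the update is an explicit 'disabled' for all three.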
I'm having a hard time with my Vista VPN clients. When they connect to my Windows Server 2008 VPN server, they try to connect to resources on the network using computer names, but it doesn't work. These computers are not joined to the domain. Any tips? Thanks! - Ricardo.
The problem is most likely that your non-domain-joined clients have no DNS suffix to append to the computer names they are trying to reach. For example, a user tries to open the share \\server1\share and gets an error saying the name cannot be resolved or the computer is unreachable. A domain-joined client would quietly try server1.domain.com, but a client with no primary DNS suffix cannot qualify the single-label name server1, so DNS cannot resolve it, and the fallback to NetBIOS name resolution rarely succeeds across a VPN link unless a WINS server has been assigned to the connection. There are two solutions to this problem. Users can qualify the name themselves, connecting to \\server1.domain.com\share, or the client system can be configured to append a DNS suffix to its requests in the following way:
The second option only needs to be done once, so your users won't need to type the FQDN each time they want to reach a server on the internal network.
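For admins who would rather script the second option than click through it on each laptop, the following is an added example and not part of the newsletter's answer: it adds the internal zone to the client's global DNS suffix search list (the SearchList value under the documented TCP/IP parameters key) and then resolves the bare name server1 through the Windows DNS client to confirm the fix. 'domain.com' and 'server1' are the placeholders used in the answer above; the function names are this example's own. PowerShell 2.0 or later, run elevated on the client while the VPN is connected.

```powershell
# Added example: give a non-domain-joined VPN client a DNS suffix search list so
# an unqualified name such as server1 is also tried as server1.domain.com, then
# verify resolution. 'domain.com' is an assumed zone name; the registry key and
# SearchList value are the documented TCP/IP parameters; function names are this
# example's own. PowerShell 2.0 or later, elevated, VPN connected.

$TcpipParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$InternalZone = 'domain.com'   # assumption: the DNS zone behind the VPN server

function Get-DnsSearchList {
    # Current global suffix search list as an array (empty when not configured).
    $raw = (Get-ItemProperty -Path $TcpipParams).SearchList
    if ($raw) { return @($raw -split ',' | Where-Object { $_ }) }
    return @()
}

function Add-DnsSearchSuffix([string]$Suffix) {
    # Adds $Suffix to the list if it is missing and writes back the comma-separated
    # REG_SZ form the DNS client reads. Returns the resulting list.
    $list = @(Get-DnsSearchList)
    if ($list -contains $Suffix) { return $list }
    $list += $Suffix
    Set-ItemProperty -Path $TcpipParams -Name SearchList -Value ($list -join ',') -Type String
    Restart-Service Dnscache      # make the DNS Client service re-read the list
    return $list
}

function Resolve-ViaClient([string]$Name) {
    # Resolves through the Windows DNS client, so the search list is applied just
    # as it is for a UNC path such as \\server1; returns addresses or $null.
    try { return [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { return $null }
}

"Search list before: " + ((Get-DnsSearchList) -join ',')
"Search list after:  " + ((Add-DnsSearchSuffix $InternalZone) -join ',')
ipconfig /flushdns | Out-Null           # drop any cached negative answer for the bare name
$addrs = Resolve-ViaClient 'server1'    # server1 is the placeholder host from the answer
if ($addrs) { "server1 -> $addrs" } else { "server1 still does not resolve; check the DNS server the VPN assigned" }
```

Two caveats: a global search list is used exclusively, so the primary and connection-specific suffixes are ignored while it is set (harmless on a client that has no primary suffix, but it applies to every connection, not just the VPN), and the lookup can only succeed if the VPN connection was also given the internal DNS server address. If you want the suffix to apply only while the VPN is up, the connection-specific DNS suffix on the VPN connection itself is the narrower alternative.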
Got a question for Dr. Tom? Send it to email@example.com.