I’m big on privacy, even though I know that practically, the only information that is private today is that which (1) only you know and (2) does not exist anywhere outside your head. Everything else can be had one way or another, by hook or crook. Most personal information we willingly give away, such as our date of birth when signing up for “free” online services. Other personal information we are required to give in order to abide by laws, such as applying for a driver’s license.
I’m also big on de-anonymizing criminals. Supporting privacy efforts while at the same time supporting de-anonymization efforts is contradictory, but it is reality. If you have ever been a victim of a crime where the criminal got away with it, you probably feel the same. The two aspects contradict each other: I want individual privacy, but at the same time I want to be able to de-anonymize someone who is committing crimes facilitated with technology. What a dilemma...
I tend to focus on de-anonymization of criminals more, since we are on a never-ending trend of breaches, hacks, and theft of personal information, let alone crimes against persons using technology. Two of my books were solely focused on the topic. During presentations on the subject, I have regularly been asked “How do I…” in this case or that case by investigators* looking for the magic bullet. Given just a 15-second brief of an investigation that has been ongoing for months, my typical answer is: the answer is there, you just have to find it.
Secret Tip: there is no magic bullet until there is one.
The magic bullet in almost every case is a mistake made by the suspect. An oversight. An error. A bad decision. Or just plain ignorance. All on the part of the suspect. But a mistake by itself is not enough to crack a case. You, the investigator or the analyst, need to catch that mistake. You have to look for it constantly. You have to expect to find where the suspect made the error because if you don’t have the intention to find the criminal’s mistakes, you will not find them. That is when you find the magic bullet to solve your case, by looking for it and not hoping it drops in your lap.
When you do find the break in an analysis or investigation, everything becomes clear and appears to be such an easy thing that you wonder why you didn’t think of it before. The fact is, finding the errors is not always simple or easy. The little mistakes are usually hidden in tons of data and easily overlooked. Sometimes the answer is in plain view and no one sees it. Even when you find the suspect’s mistake, if you do not recognize it for what it is, you will quickly pass it by and keep looking without realizing you could have solved your case a few minutes prior.
The steps in finding these mistakes made by suspects are:
1. Know what to look for (the goal).
2. Know where to look for it.
3. Know how to look for it.
If you don’t have #1 above, then #2 and #3 won’t matter, since you won’t be able to identify the evidence or clues you need. The first thing I do in any case is determine the goal or goals. Sometimes the goal is either dictated by someone else or it is obvious. If the goal is not dictated or obvious, you have to identify the goal yourself; otherwise step #1 is useless, which renders #2 and #3 just as useless.
When you work with these 3 steps, the 6 Ws naturally come up in the case (the 6 Ws: who, what, when, where, how, why). You need the above 3 steps as your foundation to actually work a case in order to get to the 6 Ws. Focus on the 3 and the world is yours. A tip: not everyone does this. Many, many examiners/investigators/analysts simply collect data for no reason other than to collect data, with the hope that the case solves itself. Don't be that person.
When I was a new investigator, it seemed that every case I received was like Groundhog Day. No case was like the last, no evidence was consistent among the cases, and the goals were sporadic (other than “find the bad guy”). Basically, every day I was starting over as new in each assigned case. In time, I learned a few things from experienced investigators; other things I learned the hard way. In more than one case, I would be given a hint or a tip that would put me on a path to close a case. A question as simple as, “Did you try this?” or “Did you look here?” was all I needed to plow ahead. Sometimes, I would figure out an easier way or a more effective means of gathering information and intelligence. Many training courses focus on the technical means, but not the thinking part. It's nice to know how to recover deleted event logs, but why? If you don't know why you should do it, you won't get anything out of it because you won't see the clues.
In cases with electronic media, the process is the same as in any investigation you have, whether it is a criminal or civil case (or even an internal corporate matter). Define the goal so you know what to look for, know where to look, and figure out how to look for it. Apply this to every case and incident you have and your case closure rates will be much better with less work.
For example, a case involving an unidentified cyber-criminal who is ‘hiding behind the keyboard’ clearly means that the what is anything that ties directly to the criminal. The specifics of the what are important. The where depends on what you have to work with. Perhaps you have an email, or network traffic, or maybe even physical media. Somewhere in that data is the where, and you need to know in what part of that data you should be looking. The how is maybe the easiest part. Maybe you need to look at metadata, or reverse engineer a file, or simply recover a deleted file. That’s the manual labor part. You need to work the brain part first; otherwise the labor will be for nothing.
Recent cases in the news have shown that this method of investigation works on the most difficult of cases. I must stress that when you see that a major case was solved by a simple piece of evidence such as identifying an email address, it is not so simple. Every case has at least one error that was made by the suspect, and to discount looking for that mistake is a mistake on your part.
Any article that states, “Oh, the case was easily solved because the suspect forgot his email was in the code,” seriously discounts the effort of the investigator who took the time to know what to look for, where to look for it, and how to look for it. Cold cases are solved the very same way.
It’s not the size of the dog in the fight, but the size of the fight in the dog.
This is what I have been teaching for almost 20 years now. I believe that anyone from any place in any job with any education level can be a superb investigator. I have met young investigators from small towns who can run circles around someone with 10 times their experience and education in the largest agencies because they apply the foundation principles of what it takes to solve a case. Once they learn the how of digital forensics, they are just as effective in the digital world as if they were working a street corner robbery. It’s not a diploma, or a certificate, or a coin in your pocket that makes you good. You make yourself good. If you happen to collect some tokens along the way, add them to a shadow box, but bragging about having certs has no weight if you can't work a case.
Another benefit of getting the investigative skills down is that you can apply them to other areas and other types of cases. If you have the desire and can finesse the skill, you can run with the big dogs in working any type of case. I truly mean that in every sense. My first investigator assignment, after being a patrol officer, was as a narcotics detective. I used the skills learned in narcs to solve murders, uncover and disrupt organized crime groups, identify terrorists, and work all types of crimes involving technology.
Be prepared that when you start solving cases by finding the “easy” things, those around you will call you names, like “lucky,” or say you only solved the case because of a suspect's mistake. Just smile and carry on. After enough cases, you won’t be called lucky anymore; you will be called good, and that is the goal: be good at what you do.
* I use the term “investigator” to apply to anyone whose job is to find information and curate it into intelligence on which assumptions, conclusions, and judgments can be made. That means a police detective, federal agent, incident responder, or forensic examiner.