January 2, 2017
Conducting an Electronic Investigation: A Case Study in Virginia Politics
Happy New Year! 2017 has already started off with a proverbial “bang” in our home state of Virginia with a story in the political world which directly relates to the field of digital forensics and electronic investigation. Two Republican candidates for Lieutenant Governor, Jill Vogel and Bryce Reeves, are now embroiled in a scandal which is detailed in The Washington Post and the conservative blog, The Bull Elephant, which are also linked below:
The Bull Elephant: http://thebullelephant.com/email-smear-of-sen-bryce-reeves-traced-to-sen-jill-vogel/
In a nutshell, an email was sent from a Gmail account allegedly accusing Reeves of having an affair with an aide. Court records indicate the email detailing the affair was sent from Vogel’s home IP address; she claims that she (or others close to her) was “hacked” and that the damaging personal email had nothing to do with her campaign. A civil matter dealing with the email has already been filed, and the investigation is ongoing.
What I find in reading the blog comments and online postings of those who may be interested in this story is the lack of knowledge about what can be proved vs. what cannot be proved, and that is what we’ll explore here.
As a matter of full disclosure, I have met Reeves, although I doubt he remembers. We have mutual friends and acquaintances in various areas of the practice of law and in public service. I have not met Vogel. I have also offered the assistance of Pro Digital Consulting in this case in one or more public forums.
Potential Areas of Evidence
So how does an investigator go about proving or disproving that emails were sent from a particular device at a specific location? There are a number of potentially relevant pieces of information and evidence which can help lead us to a reasonable conclusion. The evidence can come from a larger entity, such as the email provider or internet service provider (ISP), and can be drilled down to a single user, depending on the specific makeup of the network in use. So here’s what we’d be looking for, in order of increasing specificity:
IP Connection Records
IP (Internet Protocol) addresses are similar to a telephone number for your computer or other web-connected devices. Every subscriber on the internet is issued an IP address for a location, and that IP address is what reaches out through your internet service provider, or ISP (e.g., Verizon, Comcast, Cox Cable), to the larger internet. In the most basic terms, a single subscriber is issued an IP address by the ISP for a specific location, such as a home or office, and that IP address is shared internally between individual users on the internal network through a wireless or other router. The router also issues IP addresses to each device connected on the internal or private network, but those private IP addresses can be manipulated, depending on the knowledge of the private network administrator.
Of key importance with this information is the correct day and time of the connection of interest. IP addresses are sometimes static (not changing) and sometimes dynamic (changing often). Additionally, while the connection of interest may have been made in Virginia, the ISP may be located in California, so standardizing the time zone in the subpoena request is also very important. One larger piece of evidence which appears to already exist in this case is the return on the subpoena to the ISP, which allegedly details that the IP address in use at the specific date and time the email in question was sent was issued to Vogel’s home address. However, a twist comes in when we add that her neighbor allegedly shared an internet connection with the Vogels via an unsecured wireless router (or routers). More on that later.
Records from the Email Provider
The crux of this case is the email, which Ms. Vogel claims she did not send, nor did anyone related to her campaign. Therefore, it is crucial to get as much information about this email as possible. Emails are nothing more than text messages sent with more detail (i.e., metadata) and with more “digital breadcrumbs” associated with them. Every email provider is a little different, but generally speaking, they all log incoming and outgoing dates and times, IP addresses and other metadata that can be useful in the email header. However, as is widely known, certain email providers anonymize the sender’s IP address in the headers, which makes tracking down the sender slightly more difficult, but not impossible.
All emails contain headers, which hold this vital information and metadata. While you may not see them, they’re there. They are how each ISP and its servers log the activity, acting as a virtual post office for each email you send. The original email(s) in question in this case should be preserved as evidence, both in print and digitally, as a matter of best practice. What we often see is an email submitted as evidence for analysis or investigation that has been forwarded once, twice, three times… you get the idea. The best evidence in any case is the original evidence, or at least as close to it as we can get. Evidence that has been passed from hand to hand to hand only degrades in its value and impact in the overall investigation.
The headers in the email(s) in question will tell us when it was sent, who sent it (the sending account), from what IP address it was sent, and so on. From there, subpoenas for additional information may be submitted to the email provider for account holder information, which will include the creation date and time of the account and, most often, the IP address captured at the time the account was created, as well as other information such as (in this specific case) a phone number, which is most often used to verify that the account belongs to a person. Then, a subsequent subpoena may be issued for the subscriber information for the IP address that was used to create the fictitious or anonymous email account and for the owner of the phone number used for verification. Of course, if cause can be shown, the court may be petitioned for an order directing the email provider to also release the content of all emails present on the account, which can be very valuable and contain additional metadata (IP addresses, other email addresses, etc.) that may prove useful.
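To make the header analysis above concrete, here is an added example, not code from the original post, that parses a constructed message with Python’s standard email module, reads the sending account and the Received chain, and normalizes every timestamp to UTC so the values line up with ISP records in a single time zone. Every address, host name, IP and time in SAMPLE_RAW is constructed for illustration and is not from the case. Two facts the code relies on: each relay prepends its own Received header, so the last one listed is the hop nearest the originating machine, and the Date header is written by the sending client while the Received timestamps are stamped by the relays. When a provider anonymizes the sender’s IP, the innermost hop names the provider’s own server rather than the client, which is exactly when the subpoena to the provider described above becomes necessary.

```python
"""Pull the sender, timestamps and IP addresses from an email's headers and
normalize every timestamp to UTC, so the values line up with ISP subscriber
records in a single time zone (added example; not code from the original post).
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: one submission hop from the sender's connection
# and one relay hop. Every name, address, IP and time here is made up.
SAMPLE_RAW = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <recipient@example.org>; Mon, 02 Jan 2017 09:15:42 -0800 (PST)
Received: from [192.0.2.25] (cpe-192-0-2-25.isp.example [192.0.2.25])
\tby mail-relay.example.net with ESMTPSA id XYZ789;
\tMon, 02 Jan 2017 12:15:40 -0500 (EST)
From: "Anonymous Tipster" <tipster.example@example.com>
To: recipient@example.org
Subject: constructed sample
Date: Mon, 02 Jan 2017 12:15:38 -0500
Message-ID: <constructed-0001@example.com>

(body omitted)
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# In a Received header the relay's timestamp follows the ';' (RFC 5322).
RECEIVED_DATE = re.compile(r";\s*([^;]+)$")


def to_utc(date_text):
    """Parse an RFC 5322 date such as 'Mon, 02 Jan 2017 12:15:38 -0500' and
    return it as an aware datetime in UTC."""
    return parsedate_to_datetime(date_text).astimezone(timezone.utc)


def parse_headers(raw):
    """Return the sending account, the client-supplied Date header in UTC, and
    the Received chain in transit order (origin first), each hop with the IP
    addresses it names and the relay's timestamp in UTC."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received header, so the last header listed
    # is the hop closest to the machine that submitted the message.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold the header
        m = RECEIVED_DATE.search(flat)
        hops.append({
            "ips": IPV4.findall(flat),
            "utc": to_utc(m.group(1)) if m else None,
        })
    return {"from": msg["From"], "sent_utc": to_utc(msg["Date"]), "hops": hops}


def originating_ip(report):
    """The first IP on the hop nearest the origin, with the relay's UTC
    timestamp: the pair to cite when asking the ISP who held that address."""
    origin = report["hops"][0]
    return origin["ips"][0], origin["utc"]


if __name__ == "__main__":
    report = parse_headers(SAMPLE_RAW)
    ip, when = originating_ip(report)
    print("sender:", report["from"])
    print("Date header (UTC):", report["sent_utc"].isoformat())
    print("origin IP:", ip, "stamped at", when.isoformat())
```

Run against a real message, the three UTC values (Date header, origin hop, relay hop) should be within seconds of each other; a Date header that disagrees with the relay stamps by hours is itself a lead, since only the client controls it.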
Interrogation of the Internal Private Router
As discussed earlier, once the ISP issues an IP address to a subscriber, that individual (or company) then needs to use a private router to allow individual users to access the internet. That router issues private IP addresses to each device internally, the records of which are logged in the router itself. Typically (and all routers are different), the router will log the date and time of last connection for each device, the name of the device (e.g., ProDigital-PC or Patrick’s iPhone), the MAC address of the device, the internal IP address that was issued to that device and the status of the router, be it open or secured access.
So what’s the MAC address? MAC stands for Media Access Control; the MAC address is an internal unique identifier assigned to network interface devices for communications. “Unique” in this case means unit-specific. In other words, every device connected to the network has its own MAC address and they cannot be duplicated. There are also ways to break down the MAC address and determine the device manufacturer and potentially other items of interest.
By connecting to the internal private routers, all connection records become available to us and can be preserved as evidence. So what’s the catch? The data is almost always volatile. In other words, if you remove the power source from the routers, this data is erased and reset. It’s extremely valuable, especially when investigating claims of hacking or unauthorized access on a private network, so any thorough investigation needs to attempt to capture this data by going on-site as soon as possible, before the router is removed from power, there is a power outage or some other happenstance makes this data disappear.
Due diligence also dictates that an investigator go on-site to determine the range and status of the allegedly open wireless connections for themselves. Could an unknown third party have driven into the Vogels’ neighbor’s driveway to “tap” into the router without their knowledge? There’s one sure way to find out: try to do it yourself!
The Specific Device(s)
One comment on an online forum I read with regard to this case stated “IP addresses do not equal an individual.” Very true! In fact, there are documented cases where investigations of criminal suspects based solely upon an IP address have yielded such errors as search warrants being executed on the wrong residence, with the later discovery that criminal suspects were “stealing” access to open wireless connections to facilitate their crimes. This is why the best and most specific piece of evidence in any case is the actual device upon which the alleged activity was conducted. In this case, it appears to be the iPhone belonging to Ms. Vogel’s husband. However, none of the evidence cited here exists in a vacuum. The reason all of the subpoenas, connection records and router logs are important is that they serve to verify the source of the evidence in question (the emails). By capturing the router logs and comparing that data to the MAC address and issued internal IP address(es) of the specific device(s) in question, we start to tie all of the electronic evidence together to then put an actual person behind the device: the one responsible.
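The comparison described in this paragraph, and the MAC address breakdown discussed under the router section, can be shown together. The following is an added example, not code from the original post: it takes a router’s device table in the shape consumer routers typically export it (device name, MAC, internal IP, last connection), converts the router’s local-time stamps to UTC, keeps the devices seen within a few minutes of the email’s UTC timestamp, and decodes each MAC’s OUI (the manufacturer prefix) plus the two flag bits of its first octet. The device table, the OUI lookup table, the router’s clock offset and EVENT_UTC are all constructed; a real OUI lookup uses the IEEE registry. The locally-administered bit is the caveat worth keeping in view: it is set when the address was assigned in software rather than burned in by the manufacturer, so a record carrying it deserves a second look before it is treated as identifying a physical device.

```python
"""Correlate a captured router device table with the UTC time of the email
and decode each MAC address (added example; not code from the original post).
"""
from datetime import datetime, timedelta, timezone

# The UTC time at which the email left the sender's connection, as recovered
# from the message headers. Constructed value for this example.
EVENT_UTC = datetime(2017, 1, 2, 17, 15, 38, tzinfo=timezone.utc)

# Router clocks are usually set to local time; this constructed router is set
# to US Eastern Standard Time (UTC-5). Tagging each record with that offset is
# what lets the router's stamps be compared with header and ISP times.
ROUTER_OFFSET = timezone(timedelta(hours=-5))

# Constructed device table in the shape many consumer routers export:
# (device name, MAC address, internal IP, last connection in router local time)
ROUTER_TABLE = [
    ("ProDigital-PC",   "3C:5A:B4:12:34:56", "192.168.1.10", "2017-01-02 12:14:55"),
    ("Patricks-iPhone", "A4:5E:60:AB:CD:EF", "192.168.1.23", "2017-01-02 12:15:30"),
    ("unknown",         "02:00:00:99:88:77", "192.168.1.47", "2017-01-02 12:16:02"),
    ("Guest-Laptop",    "3C:5A:B4:77:66:55", "192.168.1.31", "2017-01-01 20:03:11"),
]

# Tiny constructed manufacturer table keyed by OUI (first three octets).
# A real lookup uses the IEEE OUI registry.
OUI_VENDORS = {
    "3C5AB4": "Vendor-A (constructed)",
    "A45E60": "Vendor-B (constructed)",
}


def decode_mac(mac):
    """Break a MAC address into its OUI, the vendor for that OUI if known, and
    the two flag bits of the first octet."""
    octets = mac.upper().split(":")
    first = int(octets[0], 16)
    oui = "".join(octets[:3])
    return {
        "oui": oui,
        "vendor": OUI_VENDORS.get(oui),
        # bit 1 (0x02): locally administered, i.e. set in software rather
        # than burned in by the manufacturer
        "locally_administered": bool(first & 0x02),
        # bit 0 (0x01): group/multicast address, never a single device
        "multicast": bool(first & 0x01),
    }


def router_time_to_utc(stamp):
    """Convert a router-local 'YYYY-MM-DD HH:MM:SS' stamp to aware UTC."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=ROUTER_OFFSET)
    return local.astimezone(timezone.utc)


def devices_active_near(table, event_utc, window=timedelta(minutes=5)):
    """Return the device records whose last connection falls within `window`
    of the event, each with its MAC decoded and its time converted to UTC."""
    hits = []
    for name, mac, ip, stamp in table:
        seen_utc = router_time_to_utc(stamp)
        if abs(seen_utc - event_utc) <= window:
            record = {"name": name, "mac": mac, "ip": ip, "seen_utc": seen_utc}
            record.update(decode_mac(mac))
            hits.append(record)
    return hits


if __name__ == "__main__":
    for h in devices_active_near(ROUTER_TABLE, EVENT_UTC):
        flag = " (locally administered)" if h["locally_administered"] else ""
        print(h["seen_utc"].isoformat(), h["ip"], h["mac"], h["vendor"], h["name"] + flag)
```

Because the router’s table is volatile, the function works on a copy exported or photographed on-site, never on the live device; the window is deliberately wide because a “last connection” stamp records the most recent activity, not the moment the email was sent.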
The value of forensic data acquisition and analysis on the devices in question should also not be overlooked. In this case example, the analysis of the email records would need to be conducted manually, as iPhone email records are not currently available through a mobile forensic data extraction. However, a forensic extraction should still be performed, as it may yield other information, data and evidence that may be useful. Connected email accounts, web history, deleted apps of interest and potentially recoverable information from app databases may all prove valuable pieces of evidence in an investigation such as this. Keyword searches can also be conducted for key terms such as the anonymous/sending email address, terms contained in the original email and other specific text that can point to the originating device.
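The keyword search over app databases mentioned in this paragraph can be done with a short script. This added example, not code from the original post, builds a small SQLite database in memory that loosely imitates an app’s message store, then scans every text or blob column of every table for a list of case terms and reports the table, column, row and a snippet around each match. The table layout, rows and search terms are all constructed; the scanner itself is generic, and a database file recovered from an extraction can be opened in place of the in-memory one.

```python
"""Search every table and text/blob column of a SQLite database for case
terms such as the sending email address (added example; not code from the
original post). The database built here is constructed for illustration.
"""
import sqlite3

# Constructed search terms; in a real case these would be the anonymous
# sending address and phrases taken from the original email.
TERMS = ["tipster.example@example.com", "constructed sample"]


def build_constructed_db():
    """Create an in-memory database that loosely imitates an app's message
    store. Every row is made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, address TEXT, display_name TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, account_id INTEGER,
                               subject TEXT, body BLOB, sent_at INTEGER);
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO accounts VALUES (1, 'owner@example.org', 'Owner');
        INSERT INTO accounts VALUES (2, 'tipster.example@example.com', 'Anonymous Tipster');
        INSERT INTO messages VALUES (2, 1, 'lunch?', 'see you at noon', 1483300000);
        INSERT INTO settings VALUES ('last_account', '2');
    """)
    # Message bodies are often stored as blobs; bind bytes so this one is.
    con.execute("INSERT INTO messages VALUES (?, ?, ?, ?, ?)",
                (1, 2, "constructed sample", b"Sent by tipster.example@example.com", 1483377338))
    con.commit()
    return con


def search_db(con, terms, context=20):
    """Scan every ordinary table for the given terms (case-insensitive) and
    return one hit per (table, column, row, term) with a short snippet."""
    hits = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY rowid")]
    for table in tables:
        columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT rowid, * FROM "{table}" ORDER BY rowid'):
            rowid, values = row[0], row[1:]
            for column, value in zip(columns, values):
                if isinstance(value, bytes):
                    # decode blobs leniently; undecodable bytes become U+FFFD
                    text = value.decode("utf-8", errors="replace")
                elif isinstance(value, str):
                    text = value
                else:
                    continue            # integers, reals and NULLs are skipped
                lowered = text.lower()
                for term in terms:
                    at = lowered.find(term.lower())
                    if at >= 0:
                        hits.append({
                            "table": table, "column": column, "rowid": rowid,
                            "term": term,
                            "snippet": text[max(0, at - context):at + len(term) + context],
                        })
    return hits


if __name__ == "__main__":
    for hit in search_db(build_constructed_db(), TERMS):
        print(f'{hit["table"]}.{hit["column"]} row {hit["rowid"]}: '
              f'{hit["term"]!r} in {hit["snippet"]!r}')
```

Searching the bytes of blob columns as well as text columns matters because app stores frequently keep message bodies, attachments and serialized settings as blobs, where a plain text search of the file would miss encoded content.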
Conclusions
Every investigation is different and invariably, they all take left turns at some point. The overview of specific areas of available evidence listed here is not exhaustive, but is designed to provide a blueprint of what is available and what should be done in order to conduct a thorough investigation and determine who is or is not responsible in cases where professional reputation and survival, as well as personal integrity and public appearance, may be at stake. It’s easy to throw down the claim that one has been “hacked”, but quite another thing to undertake the proper steps to prove or disprove that claim in a manner which is acceptable in a court of law.
As a wise man once said upon his acquittal on serious criminal charges, “Great! Now where do I go to get my reputation back?” While a complete investigation may reveal that Vogel and her campaign had nothing to do with these emails, it seems clear that several people’s personal and professional reputations may be at stake here… and that’s the best motivation to want to find the truth.
Author: Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.