digital evidence2 - Obtaining Electronic Information in Criminal Investigations
Obtaining Electronic Information in Criminal Investigations

Overview
- Cellular technology
- Legal terrain
  - types of available location data
  - historical records
  - prospective location data
  - special constitutional and statutory issues

First Things First: A Common Vocabulary
- "Tower/sector" data
- "GPS" data
- Terms frequently misused or misunderstood: "cell site", "ping"
- In any conversation with agents, carriers, or judges, be careful to avoid ambiguous terms; the same advice applies to written applications.

Wireless Location Information and Provider Capabilities
- Wireless networks necessarily require general information about user location: the network has to know which tower and sector currently serve a phone in order to route calls to it.
- CALEA (1994) requires carriers to be able to isolate and deliver certain user location data (tower and sector) to law enforcement at:
  - origination of a call
  - answer of a call to the target phone
  - release (end of call)
  for both incoming and outgoing calls.

Sample Data for Verizon Wireless Outbound Call (Origination Message)
  CaseIdentity - 5126637426
  IAPSystemIdentity - 4182-4-1
  Raw Date/Time - 20050227092547.666-0600
  Date - 02/27/2005
  Time - 09:25:47
  Calling ESN - 336810b6
  MIN - 5126637426
  Called genericDigits - 2815371632
  Location - 137-3
(Raw Date/Time is the carrier's machine timestamp with its UTC offset, here -0600, which is why Date and Time read 02/27/2005 09:25:47 local; Location "137-3" is the tower identifier and sector.)

Sample Tower/Sector: Omnidirectional Tower
- A cell tower's service radius can range from 200 meters to 30 km (center city vs. suburbs vs. rural coverage).
- Sector (tower face) information is not always provided with the tower identifier.
- The tower closest to a phone does not necessarily serve every call to that phone (terrain, network load).

How Precise Is Tower/Sector Data?
- Only as precise as the coverage area of the sector: a tower/sector record places the phone somewhere inside an area that, per the radii above, may be a few city blocks or tens of kilometers across, and not necessarily in the sector closest to the phone.
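The following parser turns a carrier call-event record of the kind shown in the Verizon sample above into typed fields, with the timestamp normalised to UTC and the tower/sector split out. It is an added example, not code from the slides or from any carrier: the field names follow the sample record, but the "Name - value" line layout, reading Location as tower-sector, and treating the suffix of Raw Date/Time as a UTC offset are assumptions made here.

```python
"""Parse a carrier call-event (CALEA "Origination Message") record like the
sample above into typed fields. Added example, not from the slides: the
field names follow the sample record, and the "Name - value" line layout,
the meaning of Location as tower-sector, and the UTC-offset suffix on
Raw Date/Time are assumptions made here."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed copy of the sample record shown above, with the separators
# normalised to a plain " - ".
SAMPLE_RECORD = """\
CaseIdentity - 5126637426
IAPSystemIdentity - 4182-4-1
Raw Date/Time - 20050227092547.666-0600
Date - 02/27/2005
Time - 09:25:47
Calling ESN - 336810b6
MIN - 5126637426
Called genericDigits - 2815371632
Location - 137-3
"""

RAW_TS = re.compile(r"^(\d{14})\.(\d{3})([+-])(\d{2})(\d{2})$")


@dataclass
class CallEvent:
    case_id: str
    target_min: str          # the target phone's number (MIN)
    called: str              # digits dialled
    esn: str                 # handset serial
    when: datetime           # timezone-aware, from Raw Date/Time
    tower: int
    sector: Optional[int]    # None when the carrier supplies only the tower


def parse_raw_timestamp(raw):
    """'20050227092547.666-0600' -> aware datetime in the carrier's zone."""
    m = RAW_TS.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Raw Date/Time: {raw!r}")
    base, millis, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    if sign == "-":
        offset = -offset
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(
        microsecond=int(millis) * 1000, tzinfo=timezone(offset))


def parse_location(loc):
    """'137-3' -> (137, 3); '137' -> (137, None). Sector is optional because,
    as the slides note, it is not always provided with the tower id."""
    parts = loc.strip().split("-")
    if not 1 <= len(parts) <= 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Location: {loc!r}")
    return int(parts[0]), (int(parts[1]) if len(parts) == 2 else None)


def parse_call_event(text):
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[name.strip()] = value.strip()
    when = parse_raw_timestamp(fields["Raw Date/Time"])
    # Integrity check: the human-readable Date/Time must agree with the
    # machine timestamp; a mismatch means the record was edited or garbled.
    if when.strftime("%m/%d/%Y %H:%M:%S") != f"{fields['Date']} {fields['Time']}":
        raise ValueError("Date/Time fields disagree with Raw Date/Time")
    tower, sector = parse_location(fields["Location"])
    return CallEvent(case_id=fields["CaseIdentity"], target_min=fields["MIN"],
                     called=fields["Called genericDigits"],
                     esn=fields["Calling ESN"], when=when,
                     tower=tower, sector=sector)


def event_time_utc(event):
    """ISO timestamp in UTC, for lining the record up with logs from other
    carriers or systems that keep different local zones."""
    return event.when.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    ev = parse_call_event(SAMPLE_RECORD)
    print(f"case {ev.case_id}: {ev.target_min} called {ev.called}")
    print(f"  local {ev.when.isoformat()}  UTC {event_time_utc(ev)}")
    print(f"  tower {ev.tower} sector {ev.sector}")
```

The Date/Time cross-check is there because carrier records are often re-typed or re-exported before they reach an analyst; a record whose human-readable time disagrees with its machine timestamp should be re-requested rather than interpreted. Converting to UTC before comparing against anything else avoids the classic one-hour and six-hour errors when tower records from one carrier are lined up with server logs from another time zone.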
"GPS" Data (Latitude/Longitude)
- The FCC "Enhanced 911" (E911) mandate requires wireless telephone carriers to be able to deliver certain location data for 911 calls.
- Carriers may choose either of two ways to implement this capability: a "handset solution" or a "network solution".

"Handset Solution" (True GPS)
- The phone itself contains a GPS receiver that calculates latitude/longitude.
- The data resides on the phone; the carrier does not acquire location data absent a 911 call or active interrogation of the handset by the carrier.
- FCC accuracy requirement: within 50 meters for 67% of calls, within 150 meters for 95% of calls.
- Used by Verizon, Sprint/Nextel, Alltel.

"Network Solution" (Signal Timing/Triangulation)
- Does not use the GPS system per se.
- Using any of various methods, measures signal characteristics (such as timing) relative to one or more towers.
- FCC accuracy requirement: within 100 meters for 67% of calls, within 300 meters for 95% of calls.
- Used by T-Mobile and AT&T Wireless (f/k/a Cingular).

Practical Limits (or, Jack Bauer Is Make-Believe)
- Obviously, neither method works if the phone is powered down.
- Versions of E911 capabilities "ported" for law enforcement compliance are not fully automated and continuous: carrier staff have to push a button each and every time lat/long data is desired.
- Carriers typically impose a non-trivial per-query charge.

What's In A Packet?
- An IP data packet includes routing information (where it came from, where it is going) and the data to be transmitted.
- In the slide's example, a packet travels from source address 201.4.46.12 to destination address 141.6.23.52, followed by the payload bits (0111001010101011 1011011000100101 0100...).
- Replies from the receiving host go to the packet's source address.

Domain Names
- www.doj.gov breaks down as: "www" is the host name, "doj" is the second-level domain name, and "gov" is the top-level domain name.
- A domain name is resolved through DNS to the IP address of the computer that is "hosting" the domain. An IPv4 address consists of 4 groups of numbers between 0 and 255, separated by dots.
- The correspondence is not strictly one-to-one: one name can resolve to several addresses, and many names can share one address (virtual hosting), so an address alone does not always identify a single web site.
- www.doj.gov = 205.166.250.86 (at the time of the slides)
- Every domain name must be registered through a registrar accredited by the Internet Corporation for Assigned Names and Numbers (ICANN); ICANN coordinates the system but does not itself take registrations.
- When a domain is registered, the registration is pointed at the company, agency or entity hosting the web site, through the DNS server settings given to the registrar; the host provides the domain owner with an IP address it owns or leases.

So What?
- Every computer connected to the internet has an identifying number, and internet communications depend upon these numbers.
- Caveat: the number is not always unique to one machine or one person. Addresses are often assigned dynamically and shared behind NAT, so an IP address identifies a connection point at a particular time, and the timestamp (with its time zone) matters as much as the address itself.

Web Site Basics: Overview
- How a web site is placed on the Internet.
- How a web site is identified on the Internet.
- How you can get information about the operators of a web site.

Registering a Web Site
- The registry for each top-level domain maintains the authoritative list of names in it (for .com and .net this is Verisign, which took over Network Solutions' registry operations). Registrars submit newly registered names to the registry.
- BUT each domain has its own domain name server(s); the registry only records which servers those are.

Registering a Web Site (example)
- I have a domain name that I want to register: WWW.Leonard.Com
- I check with a registrar to see if the domain name is taken.
- The registrar needs the following info:
  A) Registrant
  B) Administrative Contact
  C) Technical Contact
  D) Billing Contact
  E) DNS Server Settings (obtained from the hosting company, whose name servers hold the site's IP address)
- These can be fake. Nothing stops a registrant from entering false contact details, so registration data is a lead, not proof of identity.

Investigation Involving a Web Site
- Registration information is publicly available through various websites: www.Internic.net, www.arin.net, www.Samspade.Org
- This information is called "whois" info.

What Is "whois"?
- A general-purpose lookup utility.
- Most common use: determine ownership and other information about an Internet domain name.
- Some domain name registrars keep a complete historical record (offline), which can show earlier registrants that the current public record no longer does.

Investigation Involving a Web Site
- Different WHOIS services cover different regions of the world (the regional Internet registries):
  - ARIN: North America and parts of the Caribbean (whois database on whois.arin.net)
  - RIPE NCC: Europe, Russia, the Middle East and Central Asia (whois.ripe.net)
  - APNIC: Asia and the Pacific region (whois.apnic.net)
  - LACNIC: Latin America and the Caribbean (whois.lacnic.net)
  - AFRINIC: Africa (whois.afrinic.net)
  (The slides list South America under ARIN and parts of Africa under ARIN and RIPE NCC; those regions moved to LACNIC and AFRINIC when those registries were established.)

Common Lookup Tools & Techniques
- whois: "Who registered a certain domain name?"
- nslookup / host ("reverse lookup"): "What name goes with this IP address?"
- IP block lookup: "Who owns this IP number?"
- All of these can be done using programs like Sam Spade for Windows, which provides various functions for finding publicly available information.

"Reverse Lookup" (rDNS)
- Recall that there is usually a near one-to-one correspondence between domain names and IP addresses.
- With an IP address (e.g., 166.62.91.254), you can usually look up the corresponding domain name by doing a "reverse lookup" (a PTR query for the address written backwards under in-addr.arpa).
- e.g., www.harvard.edu = 128.103.60.55 (at the time of the slides)
- Caveat: reverse records are set by whoever controls the address block, are often missing or generic (an ISP's pool name), and need not match the forward record. Confirm by doing a forward lookup of the returned name.

"IP Block" Lookup
- IP addresses are given out by network authorities in "blocks" of consecutive numbers, traditionally 256 or more (a /24).
- Even when there is no reverse lookup info for a given IP address, the regional registry holds a record of the organization the block it belongs to was allocated to.
- With IP block info, you can determine whom to contact for further information about an IP address. The record may name an ISP rather than the end user; the ISP's own assignment logs then tie the address to a subscriber at a given time.

So what?
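The two lookups described in the "Reverse Lookup" and "IP Block" slides above, as an added example that is not part of the original slides or of any registry's software. It builds the name a reverse lookup actually queries, and does the longest-prefix search a block lookup performs over a constructed allocation table. The table uses the RFC 5737 documentation ranges, and its organisation names and registry assignments are placeholders, not real whois data; the example goes beyond the slides in also handling IPv6 reverse names.

```python
"""Reverse-lookup names and IP-block ("whois") lookup, as described in the
two slides above. Added example, not from the slides: the allocation table
is constructed from the RFC 5737 documentation ranges and its organisation
names are placeholders, not real registry data."""
import ipaddress


def reverse_name(ip):
    """The name a reverse (PTR) lookup actually queries: the octets written
    backwards under in-addr.arpa, e.g. 128.103.60.55 ->
    '55.60.103.128.in-addr.arpa'. Goes beyond the slides in also handling
    IPv6 (nibbles reversed under ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed allocation records in the shape a registry hands back:
# the block, the organisation it was given to, and the registry that holds
# the record. A reassignment to a customer appears as a more specific block
# inside the ISP's own allocation.
ALLOCATIONS = [
    ("192.0.2.0/24",    "Example ISP (direct allocation)",     "ARIN"),
    ("192.0.2.128/26",  "Example ISP customer (reassignment)", "ARIN"),
    ("198.51.100.0/24", "Example Hosting Co",                  "RIPE NCC"),
    ("203.0.113.0/24",  "Example Carrier",                     "APNIC"),
]


def block_lookup(ip):
    """Every record whose block contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for cidr, org, rir in ALLOCATIONS:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            hits.append((net, org, rir))
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), org, rir) for net, org, rir in hits]


def point_of_contact(ip):
    """Most specific record: who to approach first about this address, or
    None when no registered block covers it (e.g. private RFC 1918 space,
    which never identifies a party on the public Internet)."""
    hits = block_lookup(ip)
    return hits[0] if hits else None


def allocation_holder(ip):
    """Least specific record: the organisation the registry itself
    allocated the block to (usually an ISP), which is who can tie the
    address to a subscriber at a given time when the end user is unknown."""
    hits = block_lookup(ip)
    return hits[-1] if hits else None


if __name__ == "__main__":
    for ip in ("128.103.60.55", "192.0.2.150", "192.0.2.10", "10.0.0.1"):
        print(ip, "->", reverse_name(ip))
        print("   contact:", point_of_contact(ip))
        print("   holder: ", allocation_holder(ip))
```

Against a live registry the same search is done by the whois server, which answers with the most specific object it holds and, for a reassignment, names the parent allocation; the point of running it locally is to see that a block lookup can return two different organisations for one address, and that the one to serve process on is usually the allocation holder, not the reassignment.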
- The network is chock full of information that makes tracing possible.
- A competent tech agent (or even a lawyer) can readily use tools to get that information.
- Even if you don't know how to use these tools, remember that they exist.

E-mail Basics: Header Information
- Each time any server handles an e-mail message, it adds one or more headers (in particular a "Received:" line, placed above the headers already present, so the newest is on top).
- Some headers are like postmarks from all the post offices that handle a letter en route to its final destination.
- A skilled interpreter of headers can determine where a message originated (usually).
- Every interaction between computers in a network may leave a record in the form of "logs." Logs provide information that can help identify a computer that accessed a network.
- E-mail is often used in various frauds and scams.
- The source of an e-mail is usually traceable.
- Identifying information for e-mail can be "spoofed" or falsified: the From: line and any Received: header written by a server you do not control can say anything the sender likes. Only the headers added by your own server (or one whose logs you can obtain) are trustworthy, and those record the address that actually connected.
...
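The header-reading procedure described above, as an added example that is not part of the slides or of any mail product: it walks a message's Received: headers from newest to oldest, separates what our own server recorded from what upstream servers merely claim, and checks that the chain and timestamps are consistent. The message, host names, addresses and queue id below are constructed placeholders (documentation ranges and example domains), and "mail.example.com" stands for the server whose headers we trust.

```python
"""Read an e-mail's Received: headers from newest to oldest and separate
what our own servers recorded from what upstream servers merely claim.
Added example, not from the slides: the message, hosts, addresses and
queue id below are constructed placeholders."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: a phish relayed through two outside hosts before
# reaching our MX (mail.example.com). Each server prepends a Received: line,
# so the top one is the last hop and the bottom one claims to be the origin.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id 4F2A1B3C
\tfor <victim@example.com>; Sat, 14 Mar 2009 10:15:07 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Sat, 14 Mar 2009 10:14:55 -0500
Received: from [203.0.113.45] (helo=bank-security.example)
\tby relay.example.net with SMTP; Sat, 14 Mar 2009 10:14:31 -0500
From: "Account Services" <security@bank.example>
To: victim@example.com
Subject: Urgent: verify your account
Date: Sat, 14 Mar 2009 10:14:00 -0500

Please confirm your account details at the link below.
"""

HOP = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(value):
    """One Received: header value -> dict, or None if it has no from/by."""
    value = " ".join(value.split())            # unfold continuation lines
    head, sep, stamp = value.rpartition(";")   # timestamp follows the ';'
    if not sep:
        head, stamp = value, ""
    m = HOP.search(head)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IPV4.search(paren) or IPV4.search(m.group("from"))
    return {
        "claimed_from": m.group("from").strip("[]"),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def trace(raw_message, trusted_hosts):
    """Hops in chronological order plus what can actually be vouched for."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # The IP in a header is only as good as the server that wrote it ("by").
    # Walk down from our own servers and stop at the first header written by
    # a host we do not control: that IP is the last one we can verify.
    verified_ip = None
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break
        verified_ip = hop["ip"]
    hops.reverse()                             # oldest first
    chain_ok = all(hops[i]["by"] == hops[i + 1]["claimed_from"]
                   for i in range(len(hops) - 1))
    times = [h["time"] for h in hops if h["time"]]
    times_ok = all(a <= b for a, b in zip(times, times[1:]))
    return {
        "hops": hops,
        "verified_sender_ip": verified_ip,
        "claimed_origin_ip": hops[0]["ip"] if hops else None,
        "chain_consistent": chain_ok,
        "timestamps_monotonic": times_ok,
        "from_header": msg.get("From"),        # never verified by any hop
    }


if __name__ == "__main__":
    result = trace(SAMPLE_MESSAGE, {"mail.example.com"})
    for hop in result["hops"]:
        print(f"{hop['time']}  {hop['claimed_from']:<20} [{hop['ip']}] -> {hop['by']}")
    print("verified sender IP:", result["verified_sender_ip"])
    print("claimed origin IP :", result["claimed_origin_ip"], "(unverified)")
    print("From: header      :", result["from_header"], "(unverified)")
```

With only mail.example.com trusted, the only address the trace can vouch for is 192.0.2.10, the host that actually connected to it; 203.0.113.45 at the bottom is what the untrusted relays say and is the lead to follow up, by obtaining logs from each relay in turn (the whois/IP-block lookup tells you whom to ask). A break in the from/by chain or a timestamp that runs backwards is the usual sign that headers below the break were forged and pasted in by the sender.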
This note was uploaded on 12/05/2009 for the course CS 175 taught by Professor C.martin during the Spring '09 term at GWU.