

High-Tech Crimes Revealed

Alex Moskalyuk writes "When reading about computer crimes, we are usually told the victim's point of view. We learn about thieves stealing thousands of credit card numbers and about identity theft victims who lost their credit history with the wallet they lost at the mall. But how do criminals ever get caught? Who performs the forensic search and participates in sting operations?" Read on for Alex's review of High-Tech Crimes Revealed, which addresses these questions.

Title: High-Tech Crimes Revealed
Author: Steven Branigan
Pages: 448
Publisher: Addison-Wesley
Rating: 9
Reviewer: Alex Moskalyuk
ISBN: 0321218736
Summary: Cyberwar Stories from the Digital Front

Steven Branigan is a cop, a system administrator, an Internet security consultant and a network security researcher. A former Bell Labs employee, he is now the founder of a company that "specializes in solving leading edge computer and network security issues."

The book is a collection of high-tech investigations performed by Branigan in cooperation with the police force and sometimes the Feds. Generally Branigan would be involved in forensic research of the evidence and be on the scene as the "computer expert" that cops would refer to when dealing with cybercrime.

Twelve chapters take us through some of the high-tech crimes that the Western world faces today. Attacks on the telephone network (unauthorized access to the switches), backdoors left behind at a former employer, break-ins into university networks and the well-publicized identity theft are all covered in the book. Branigan brings up anecdotal evidence from his own career, describes some of his cases in great detail, and provides advice for practitioners in the forensics field.

The author is a Linux/Unix/BSD guru, and he shares his methods for retrieving telltale data from the equipment that criminals leave behind. He also talks about the general problems that law enforcement faces when investigating a high-tech crime: how do you obtain a warrant, what is the proper way to conduct a search, and how do you work with a confiscated computer so that all of its data is left intact?

However, don't expect any secrets to pop up regarding data collection: Branigan uses commonly available Linux tools like grep to search the suspect's hard drive for the data he needs. More often than not, it turns out, the investigator depends on experience rather than book knowledge: one has to recognize a network sniffer log on sight, and be able to identify the tools freely downloadable from security sites.

Thus it's not surprising that some chapters of the book are dedicated purely to the author's experience in the field. He describes working with hackers who have been arrested, discusses how rootkits are spread around, discusses the motivation behind network attacks (it's not always money, to say the least), describes the structure of a hacking ring and its potential revenues, and also talks about ways to unravel such networks. His motto? No crime is too small, and sometimes something as minor as a missed rent payment can lead to further discoveries and tie-ins to bigger crimes.

If you're thinking about becoming a security consultant, a law enforcement officer or just a sysadmin with better than average knowledge of security, this book is an interesting read. It's not a textbook, nor is it technical by nature. It reads more like a detective story, except the stories are real, the culprits are real and so are the victims. One can read the book on two levels: as a forensics tutorial (though don't expect extended technical tutorials or a tools overview) or as the autobiography of a cop who has had to deal with high-tech crimes all his life. If you liked Art of Deception or Hacking: The Art of Exploitation, this title would be a perfect complement.

Chapter 3, If Only He Had Paid the Rent, is available online from Addison-Wesley.

Alex enjoys reading programming, technology and business tech books in his spare time. He also keeps a list of free books available on the Internet for tech readers on a budget.


  1. Double-edged? by fembots · · Score: 5, Interesting

    I wonder if the author left out some "secret methods" he used in the field, since he now owns a company that specializes in solving leading edge computer and network security issues, and those methods could be valuable trade secrets.

    And high-tech criminals can also learn from others' mistakes and be more careful next time if the author detailed enough of how he traced a criminal.

    So do slashdotters have any of these "secrets" to share?

    1. Re:Double-edged? by weinrich · · Score: 5, Funny

      "...criminals can also learn from other's mistakes and be more careful next time..."

      We should be advocating secrecy around how these crimes are solved because the next criminal might learn, and won't make the same mistake as the last one?

      Why?

      I don't know the exact statistics, but I am certain the clear majority of criminals are caught and convicted because they made the same mistake that millions of criminals before them made. Mistakes that have been publicized, written about, memorialized in songs, even had entire TV shows made out of them (think Law & Order, COPS, CSI, etc.).

      You can tell criminals over and over: "Don't leave behind fingerprints when you break and enter." But do they listen? NoooOOOOoo!

      --
      Error: .sig not found, using /etc/passwd instead

    2. Re:Double-edged? by MoralHazard · · Score: 5, Insightful

      Investigative work has VERY little to do with proprietary methods, for a couple of reasons:

      1) Every investigation, especially when dealing with computer crime, is going to be different. There aren't really any super-secret methods that ANYone who does normal work in the field (networking, programming, sysadmining) wouldn't already know.

      2) Most investigative work has to hew to legal standards for evidence, even if the issue probably isn't going to court, because it MIGHT go to court. Meaning that all of your methods as an investigator have to meet standards for scientific evidence, which requires (among other things) that those methods be widely accepted in the field and peer reviewed. It's hard to keep things secret when they have to be peer reviewed to be useful at all.

      3) Good investigators get that way through experience, not training. I've met people with significantly less pure technical skill than I have who can make me look like a fool on the investigative front. The difference is that these kinds of people have years or decades of experiential learning, closed cases, and lessons learned behind them. Skill and method is important, but it's far from being the whole story. And besides, you can always learn new skills by picking up a book/taking a class and then applying them, but you can only get experience from time and getting your ass kicked repeatedly.

      (As I've noted elsewhere, I ought to disclose that I work for Steve, so take as you will.)

  2. Find the expert by BWJones · · Score: 5, Interesting

    So, one of the important things I hope this book demonstrates (I have not read the book yet) is that for proper scientific or forensic analysis, you find the right/relevant talent or subject matter expert to examine your data. For instance, some years ago I was stunned to find out that the FBI had been shipping hard drives from Apple Macintosh systems to the Royal Canadian Mounted Police for investigation. Apparently, the RCMP had established themselves as the subject matter experts and were the right folks to send data to from Apple systems. Of course this brings up all sorts of international issues, but that is only one example.

    My point is simply that forensic agencies should not always attempt to do it all themselves. Rather it would be appropriate to build a network of subject matter experts and then approach the problem by having the best "eyes" examine the problem rather than always presuming your local agency/facility has all of the tools.

    --
    Visit Jonesblog and say hello.
    1. Re:Find the expert by Apreche · · Score: 5, Interesting

      A computer forensics guy came to talk to my computer crime class last year. He showed us this Windows tool they use to look at confiscated drives. Pretty much first they make a bit-for-bit copy of a drive onto a drive of equal or greater size using a hardware device. Then they put the original drive away in the evidence box without touching it again.

      Then they use this software tool, which I forget the name of, which is the only tool that holds water in a court of law. It examines the whole drive one piece at a time to recreate every file on all partitions and filesystems even if the files are "deleted". His example was how he caught a bunch of kiddy porn perverts.

      Well that's great for catching those guys, but against someone using out of the ordinary stuff this guy is screwed. I've got serial ATA drives and reiser4 and xfs file systems. I'm willing to bet that he doesn't have a hardware drive copier that supports SATA. And his software doesn't recognize reiser4 or xfs. He would either need a different tool or he would have to send the drive to someone higher up to be examined. And if the case is too small they won't bother. The real problem is that the average nerds and the hackers are so far ahead of the forensics guys in terms of knowledge about modern technology and software that they can't keep up. Hackers will always have bleeding edge tools, and police budgets can't

      --
      The GeekNights podcast is going strong. Listen!
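The acquisition workflow described in the comment above (bit-for-bit copy, original set aside, examiner works only on the copy), combined with the review's note that the investigator mostly greps the drive, as an added example that is not code from the book, the page or any commenter. It adds the hash verification that makes the copy defensible, uses a constructed file in place of a seized drive so it runs offline, and assumes GNU coreutils (dd, sha256sum) and grep with -a; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book or the page): image an evidence device
# bit-for-bit, verify the image against the source by hash, and search only
# the image. A constructed file stands in for the seized drive.
set -eu

# Constructed stand-in for a seized disk: zero filler with one planted line
# that looks like a sniffer log, so the search step has something to find.
make_fake_disk() {
    head -c 4096 /dev/zero > "$1"
    printf 'tcpdump: listening on eth0, link-type EN10MB\n' >> "$1"
    head -c 4096 /dev/zero >> "$1"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Bit-for-bit copy of $1 into $2. The source is only ever read; the copy is
# made read-only so later analysis cannot quietly alter it.
image_device() {
    dd if="$1" of="$2" bs=4096 conv=noerror 2>/dev/null
    chmod 0444 "$2"
}

# Return 0 only if the image still hashes identically to the source.
# A mismatch means a copy error or a change after acquisition.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Search the image (never the original) for a pattern. -a treats the raw
# disk bytes as text, so matches in unallocated space are found too.
search_image() {
    grep -a -o "$2" "$1" | sort -u
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fake_disk "$tmp/seized.raw"
    image_device "$tmp/seized.raw" "$tmp/evidence.img"
    verify_image "$tmp/seized.raw" "$tmp/evidence.img" && echo "image verified"
    search_image "$tmp/evidence.img" 'tcpdump: listening on [a-z0-9]*'
    rm -rf "$tmp"
fi
```

Run with the argument `demo` to see the verification and the planted log line recovered from the image.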
  3. CSI:Geek by Underholdning · · Score: 5, Funny

    In a related story, a new spin-off of a popular series has just been announced. We're pleased to give you CSI:Geek starring Rick Moranis as Gil "Open Source" Grissom.

  4. Read the Sample Chapter by Marxist+Hacker+42 · · Score: 5, Interesting

    At the end- this guy pled guilty just two months before all the evidence was destroyed in the 9-11 attacks....what a trippy ending!

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  5. Few cybercriminals get caught by serutan · · Score: 5, Insightful

    The computer crimes this guy talks about seem to be mainly the identity theft type. But when people inside companies skim off rounding errors, create phony accounts, that type of thing (e.g. Office Space), I have read that the crime itself usually goes undetected. They get caught when they do stupid things like associating with bookies and drug dealers, getting involved in some unrelated investigation where their mysterious wealth gets noticed.

    There was one guy at Microsoft who made a couple million dollars selling software that he ordered internally for his department. His mistake was that he put up a website full of photos showing off his lavish house and collection of cars and expensive motorcycles. If the idiot had just kept his big mouth shut and retired he probably would have gotten away with it.