Home > Security

Computerworld - Businesses with intellectual property and online customers to protect are increasingly calling on cyberforensics investigators to get to the bottom of cases of employee wrongdoing and electronic crimes. "People are calling us when they find malicious software installed on their servers, when they're leaking sensitive information, when they suspect employee harassment—even in cybersquatting cases," says Ed Skoudis, vice president of ethical hacking at Predictive Systems Inc., a technology services firm in New York.

Forensic techniques vary depending on the type of investigation. For example, some investigative firms, like Brandon Internet Services, simply track and trace over the Internet and sort through other publicly available electronic records. Large businesses use cyberinvestigators to set up alarms and traps to watch and catch intruders and criminals within their networks.

To show a cross-section of different types of cyberinvestigations and the tools used to conduct them, Computerworld profiles three ways that organizations have dealt with crime—and sometimes criminals—in their midst.

The Case of the Freaky Accounts

• How techniques of Internet and database investigations thwarted two prolific Russian "carders" (credit card thieves):

There were too many Hudsens and Stivensons opening accounts with PayPal Inc., an online payment processing company in Palo Alto, Calif. John Kothanek, PayPal's lead fraud investigator (and a former military intelligence officer), discovered 10 names opening batches of 40 or more accounts that were being used to buy high-value computer goods in auctions on eBay.com. So PayPal froze the funds used to pay for the eBay goods (all to be shipped to an address in Russia) and started an investigation.

Credit: Amanda Duffy

Then, one of PayPal's merchants reported that it had been redirected to a mock site called PayPaI. Kothanek's team set up sniffer software, which catches packet traffic, at the mock site. The software showed that operators of the mock site were using it to capture PayPal user log-ins and passwords. Investigators also used the sniffer to log the perpetrators' own IP address, which they then used to search against PayPal's database. It turned out that all of the accounts under scrutiny were opened by the same IP address.

Using two freeware network-discovery tools, TraceRoute (www.tracert.com) and Sam Spade (www.samspade.org), PayPal found a connection between the fake PayPal server address and the shipping address in Russia to which the accounts were trying to send goods. Meanwhile, calls were pouring in from credit card companies disputing the charges made from the suspect PayPal accounts. The perpetrators had racked up more than $100,000 in fraudulent charges using stolen credit cards—and PayPal was fully liable to repay them.