Forensic Detectives

Something looked fishy in PayPal Inc.'s merchant account system. Late in 2000, hundreds of new accounts were being opened under the same names, including Hudsen and Stivonson. PayPal's antifraud team was dispatched. Investigators tied the accounts to a single IP address that used Perl scripts to automatically fill in applications that opened the accounts using stolen credit card numbers.

Those accounts were then used to purchase approximately $100,000 of computer equipment on eBay. And, from the looks of things, preparations were being made to turn credit into cash by depositing charges as payments into the PayPal accounts and then to an outside bank account.

That's when the FBI called asking for help examining the computers of two suspects from Russia with PayPal account information on their computers. PayPal's evidence and support helped the FBI charge Alexey Ivanov and Vassili Gorchkov with multiple counts of wire fraud in May.

But PayPal's cybersleuthing also improved PayPal's bottom line by leading to the development of a pattern-matching fraud prevention system that has reduced PayPal fraud rates to 0.5%—well below than the average e-business fraud rate of 1.3% to 2.6%, according to Stamford, Conn.-based Gartner Inc.

"We found tremendous value in having these skills in-house," says Ken Miller, director of the 75-person fraud control group at PayPal, a Palo Alto, Calif.-based online payment processor. "A lot of our competitors have gone out of business because of fraud. We were able to drop our fraud rate significantly."

Because more and more evidence is digital these days, people with expertise in computer forensics and network/Internet investigations are being called upon to answer such questions as how someone got in, what systems were affected and how, how to repair them and how to prevent such incidents from happening again, says John Tan, research scientist of forensics at @Stake Inc. in Cambridge, Mass.

While forensics and investigative work are each highly specialized, they both require similar skills: strong network and systems engineering expertise (to know where evidence, including erased files, hangs out on the network), the ability to think analytically, an inclination toward thoroughness beyond tedium, knowledge of hacking tools and techniques, and the ability to follow your nose, say forensics professionals and employers. An investigative background in government, the military, law enforcement, or banking and legal support is also important.

Using freeware and commercially available tools, a computer forensics investigation starts with a mirror-image backup of a computer system and then proceeds with keyword searches through commonly used applications, file systems and the slack space where erased data resides until overwritten, says Charles Neal, vice president of cyberterrorism detection and incident response at Exodus Communications Inc., a Santa Clara, Calif.-based provider of Internet hosting services for businesses.

In a recent case where a client suspected an IT group of sabotaging its systems, a forensics examination of the file directories, e-mail files and slack space on the suspects' hard drives linked the suspects to a disgruntled former executive who was acting as the master saboteur, says @stake's Tan.

This evidence was presented to the disgruntled IT employees when they were fired to discourage them from filing a wrongful termination suit. If they do file suit, the employer can present the evidence in court.

The key to forensics is the ability to follow your nose, a skill most commonly found among those with law enforcement backgrounds, like Neal. Once a special agent at the FBI, Neal led the investigations of the infamous Kevin Mitnick and Mafiaboy.

But innately curious technologists like Dave Dittrich also fit the bill. Dittrich, senior security engineer at the University of Washington in Seattle, is well known in the forensics community. His prolific documentation on attack methods and viruses is invaluable to anyone pursuing a career in forensics.

"I grew into security and forensics work because I like to know the nitty-gritty of how things work," says Dittrich, who trained himself to use C and Unix while working at The Boeing Co. prior to joining the university as a systems administrator.

"As more of my computers got compromised, I learned more about security and hacking tools," he says. "I was reverse-engineering things like the Trin00 virus, and at the same time continued to grow my networking knowledge by reading a lot in my off hours."


Increasingly, companies are hiring forensics and incident-response consultants to uncover the sources of fraud, intellectual property theft or employee misuse. Forensics also plays a role in corporate due diligence work, says Michael Anderson, founding president of New Technologies Inc., a 5-year-old forensics consulting and support firm in Gresham, Ore.

People in this field need to know not only where evidence might reside on a network but also how to retrieve it. And, if there's any possibility that the evidence will appear in court, it must be gathered legally, says Tom Arnold, CEO of CyberSource Corp., a Mountain View, Calif.-based payment and risk management service for online merchants. Therefore, investigators must be meticulous when gathering and logging information, and they should adopt standard procedures for gathering evidence.

"If we're tracing a scam site, we need as much information as we can gather - where the money is, where the credit card accounts are, hosting companies, who's aiding and abetting, and so on," says Chris Brandon, president of Brandon Internet Services, whose clients include backbone and service provider organizations. "We validate and document the evidence, then turn it over to our clients or sometimes to the authorities, and tell them to look for themselves and check it all out."

Brandon and others say the work is rewarding, particularly since they can get done in hours what takes weeks or months through court and law enforcement channels. Exodus' Neal concurs.

In the private sector, says Neal, investigations are built on relationships between affected parties—not on jurisdictional and international laws. "When I was in the FBI, if I called up UUNet to say one of its IP addresses is attacking us, they'd ask me for a subpoena," Neal says. "[Now] UUNet cooperates with us because the next day, the shoe's on the other foot, and they'll need our help."

Copyright © 2002 IDG Communications, Inc.

Shop Tech Products at Amazon