Internet Forensics review

Editors' Rating: 7.7 (Very Good)

Internet Forensics

Wendy M Grossman ZDNet.co.uk

Published: 04 Apr 2006

The title of this book makes it sound as though it's for police experts only, but in fact it's aimed at not only security professionals but also system administrators and managers. The basic idea: how to use the information available in electronic data to trace its source and identify fraud.

A fair amount of Robert Jones's Internet Forensics: Using Digital Evidence to Solve Computer Crime should be familiar to anyone who has lived through the spam wars of the last decade: how to analyse email headers; how to identify spam and its origins; how to analyse URLs to determine whether they're fake -- a problem that's taken on a new twist since international domain names became available. A good bit, however, is more arcane, such as the section on how to search virus software for strings that indicate its origin.

This book also aims to help you safeguard your system's privacy. The material on how much information browsers reveal to remote systems about the computers they're running on is pretty standard fare. More interesting -- and harder to come by -- is the explanation of the inner workings of Word metadata, and how to distribute files to ensure that the author isn't embarrassed by text struck out with 'track changes' but not fully deleted. Robert Jones presents several examples of such embarrassments, including SCO lawsuit documents that revealed that the Bank of America was the originally intended defendant, not DaimlerChrysler. This sort of thing happens all the time; we once downloaded Egg's quarterly financial results to find that the final edit had not been fully merged.

Jones gives good advice about 'sanitising' documents before releasing them -- primarily by saving them as PDFs before distribution. However, he points out that even if that's been done it may be possible to retrieve embarrassing information. For example, he cites the case of the British government's dossier on Iraq, sections of which were lifted from an article published some months earlier in the US. It had been sanitised, but the revision log revealed detailed information about who worked on the document. This case became better known for Dr David Kelly's suicide and for the hearings into Blair's government's support for US actions in Iraq, but it began, less dramatically, with this electronic analysis.

In another case discussed by Jones, researchers were able to reconstruct redacted portions of a document in PDF form by examining the font size, semantics and pixel distribution. He goes on to provide advice about how to redact text so this does not happen to you.

The final sections of Internet Forensics cover the use of activity patterns and signatures to trace the origins of fraudsters (aided by Google searches to find others investigating the same scams); a couple of detailed case studies showing how all the techniques discussed have been used in practice; and a brief discussion of larger efforts to tackle Internet fraud, including a section drawing the line between investigation and vigilantism. This last is the only section that could have stood a broader, more international focus.

Overall, though, this is an interesting and informative read, and a useful reference.


Overview

Internet Forensics

Editors' rating: 7.7

Verdict: Computer crime is an ever-present threat for businesses and individuals. Internet Forensics: Using Digital Evidence to Solve Computer Crime is an interesting and informative read, and a useful reference.

Typical price: £28
