Digital forensics ‘CSI’ for computers

Tim Miller

Crime runs rampant on the Internet as hackers adapt to the newest technology with the goal of making cold, hard cash. Approximately 200,000 complaints of Internet crime were reported last year, according to a report by the Internet Crime Complaint Center.

Now the police are fighting back.

Through digital forensics, computer criminals can now be caught in a variety of ways.

“It’s a little bit like CSI for computers,” said Doug Jacobson, professor of electrical and computer engineering. “Although, digital forensics is a lot more boring. [Digital forensics] is the process of analyzing digital materials to find out what happened.”

Digital material can be any bit of information from computers, cell phones, digital cameras and flash drives. What information is used depends on the type of case, Jacobson said.

Like any other crime scene, one big step of digital forensics is preserving the integrity of the evidence.

“Digital evidence by its very nature is easy to change,” Jacobson said.

Experts who practice digital forensics have a variety of tools and software to avoid changing the original copy of the evidence. These tools allow the investigator to make a forensic copy without tampering with the original, Jacobson said.

The way to find out if a file has been altered from the original is to look at the hash value, he said. The hash value is like a digital fingerprint. The investigator wants the hash value of the original and the forensic copy to match.

After extracting the data from a device, the real police work starts – or, as Jacobson calls it, playing detective.

This is the part where the investigator analyzes the data for what he’s looking for. Now criminals are learning. They’ve started to hide information and add encryptions that make analyzing the data harder, he said.

“The level of user encryption is becoming more evident,” Jacobson said.

The industry of digital forensics is getting quite large. Part of the reason is because computers have become more pervasive in today’s society, Jacobson said.

Law enforcement is still making the transition to accepting digital forensics on a daily basis. They see computers as side evidence, he said. Computers don’t commit the crime, but they can prove who committed it.

Lt. Aaron DeLashmutt of ISU Police, handles all computer forensic cases at Iowa State. He said he handles about 30 to 50 cases in a year, most of them drug related.

He had two years of training prior to getting certified in the field. Certification in digital forensics is a yearlong process.

“You work a fictitious case for a year,” DeLashmutt said.

While working the case, the investigator has to submit reports when progress is made. One report is a standard police report and the other one details what methods the investigator used to solve the case.

One reason the Department of Public Safety added a computer forensics position was that the police were running into computers in cases more and more.

“It was just becoming more and more prevalent,” DeLashmutt said.

Computer forensics is a growing field, where more people are needed, he said.

“It’s still pretty small, but it’s getting bigger,” DeLashmutt said.

Keeping up with the technology involved with digital forensics is hard and possibly a reason why there isn’t a rapid shift toward this kind of work. Federal funding would help this, he said.

Iowa State not only has a computer forensics officer on staff, but it was also one of the first universities to teach a class on the subject. Yong Guan, assistant professor of electrical and computer engineering, has been teaching computer and network forensics since he came to Iowa State in 2002.

In 2002, Guan had a class of only 12 students, but now has 75 students. Guan said he wants to see the number of students in his class grow. The three majors that take the course the most are computer science, computer engineering and management and information systems.

Funding from the National Science Foundation helped Guan create a dedicated computer forensics lab where students use professional forensic toolkits, used in the field by the FBI, to do their own form of investigating.

Students in Guan’s class currently are working on two projects. The first is click fraud, which involves using automated software to generate fake clicks for pay-per-click advertising, such as Google ads. One motive for click fraud is to force a rival company to use up its advertising budget on fraudulent clicks, so the rival ad would be withdrawn from Google.

“It gets rid of competition,” Guan said.

His students right now are looking at finding click fraud and eliminating it from the online market.

Auction fraud through eBay is the second project Guan’s students are working on. Approximately 45 percent of all cybercrime-related complaints in 2006 were for Internet auction fraud, according to the report.

Auction fraudsters post auctions and receive payment for expensive items they have no intent on delivering. These people can be hard for buyers to detect, because they often sell a lot of cheap goods to get high seller ratings before making their move. Auction fraudsters have also been known to pay to get positive feedback faster. Once again, Guan’s class is trying to find and eliminate them from the Internet marketplace.

“The real problem is trying to identify the origin of the criminals,” Guan said.

Problems being tackled are where they are located and who the criminals are, he said.

“A lot of hot problems we don’t know how to solve yet,” Guan said.

The hard-to-solve problems are helping rope people into the profession, he said. People want to be the first to figure them out.

Not only are the problems hard, but the hackers are getting better. The first hackers did it for fun and recreation, Guan said. This new generation is being paid to do significant damage to companies and their computers.

“It has become a real problem,” Guan said, “This is why digital forensics has become important.”