Chapter 23
Digital Evidence on the Internet
On completion of this chapter, the student will:
Be aware of the role of the Internet in criminal investigations.
Recognize that Internet Services retain information about people and organizations.
Be aware of the difficulties in connecting an Internet artifact with a person (i.e., proving that
a specific e-mail was sent by a specific individual).
Recognize the value of analyzing social networking in Internet investigations.
Be aware of the characteristics of various synchronous chat networks.
Be aware of the nature of peer-to-peer computer networks and some methods of gathering
evidence.
Chapter Guide
The Internet is both an attractive venue for criminal activities and a powerful investigative tool. This
chapter discusses both aspects to give investigators intelligence about how criminals operate online, and
to help investigators use digital evidence on the Internet to apprehend offenders. The main Internet
services are covered, including the Web, e-mail, newsgroups, Internet chat, and P2P. New services are
emerging that extend the capabilities of the Internet, providing criminals with new opportunities, and
making digital investigations more challenging. Therefore, in addition to becoming familiar with existing
Many people think of the Internet as separate from the physical world. This is simply not the case and to
neglect the very real and direct link between people and the online activities that involve them limits
ith an online component. The Internet effectively
provides us with windows into aspects of the world that we otherwise might not know about. As
discussed in Chapter 1, a trained eye can use data on computers and the Internet to learn a great deal
about an individual, providing such insight that it is like looking through a stained glass window into the
cept is important for several reasons:
This last point is worth reiterating and expanding. There is currently an inordinate amount of criminal
activity on the Internet, providing us with a unique opportunity to learn more about criminal activities that
more detail, computers and networks can provide
a window into their world, giving us a clearer view of how they operate.
Multiple Choice Questions
1. Who is authorized to conduct online undercover investigations when child pornography is
involved?
2. Which of the following Internet services can be used to exchange illegal materials?
3. What are two of the most useful headers for determining the origination of Usenet messages?
4. What information should you document when searching for evidence on the Web?
5. Why is it important to hide your identity when conducting an online investigation?
6. When it is not possible to determine the identity of the author of a Usenet message using IP
addresses in the header, what else can you do to learn more about the author?
7. What characteristics of IRC make it attractive to criminals?
8. Which of the following enables a user to connect to IRC and run IRC fserves without disclosing
their IP address?
9. Which of the following applications leave traces of Internet activities on a personal computer?
10. Which of the following tools can reconstruct TCP streams?
11. What peer-to-peer clients use the Fast Track network?
12. Web Whacker and Httrack are examples of tools that:
13. Metaverseink is a:
14. Second Life is one of the better known:
15. Synchronous chat networks are particularly conducive to criminal activity because of their
True or False Questions
1. The cybertrail is only useful for gathering information about an offender, not a victim.
2. accessed by government employees.
3. When you access a web page, the content may be located on a server other than the one you
accessed.
4. All web search engines use the same search syntax.
5. Whois databases contain contact information relating to IP addresses but not domain names.
6. Criminals let their guard down in chat networks because they feel protected by the perceived
anonymity.
7. The Web archive (web.archive.org) contains a complete and accurate copy of web pages as they
existed at a particular time.
8. E-mail Received headers can be relied on for tracking purposes because they cannot be forged.
9. When evidence is located on the Internet, investigators should document and preserve it
immediately or it may be gone the next time they look for it.
10. Pseudonymous e-mail enables the sender to receive responses to messages whereas anonymous
e-mail does not.
11. It is not possible to decrypt and view captured network traffic.
12. Freenet is not being widely used by criminals to exchange illegal materials because it is too
difficult to use.
13. KaZaa has one feature that can be beneficial
possible, it obtains files from peers in the same geographical region.
14. Posting information online takes control of the information away from the person and such
information can remain online indefinitely.
15. Given the wealth of information that social networks contain, digital investigators will often find
useful information at these sites.
Discussion Questions
1. What website does http://www.paypal.com@1113781300 refer to? Explain how you got your answer.
3. What are the pros and cons of metasearch engines like www.dogpile.com?
4. What are the advantages and disadvantages from an investigative perspective of Usenet archives like
5. What is the most interesting channel you can find on IRC? Note that you can answer this question by
6. Describe one way that files can be exchanged on IRC.
7. Describe one way that criminals on IRC can conceal their actual IP address to make tracking them
more difficult.
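Discussion question 1 turns on how a browser reads a URL: everything between "//" and "@" is userinfo that the browser never connects to, and the host after "@" may be written as a single decimal, hexadecimal or octal integer. The following is an added illustration (not part of the chapter) that decodes such URLs into the host actually contacted; the function names are my own.

```python
"""Decode deceptive URLs of the form http://decoy@host, where 'decoy' is
userinfo the browser ignores and 'host' may be an integer-encoded IPv4 address."""
import ipaddress
from urllib.parse import urlsplit


def decode_host(host):
    """Return the dotted-quad form of a host written as a bare decimal,
    0x-prefixed hexadecimal or 0-prefixed octal integer. Any other host
    (a name or an ordinary dotted quad) is returned unchanged."""
    if not host:
        return host
    try:
        if host.startswith("0") and host[1:].isdigit():
            value = int(host, 8)      # C-style octal such as 010.0.0.1 pieces
        else:
            value = int(host, 0)      # decimal, or 0x... hexadecimal
        return str(ipaddress.IPv4Address(value))
    except ValueError:                # not an integer, or outside 32 bits
        return host


def analyze_url(url):
    """Split a URL into the decoy shown to the victim and the real host."""
    parts = urlsplit(url)
    return {
        "decoy": parts.username,                  # text before '@', if any
        "real_host": decode_host(parts.hostname),  # what is actually contacted
        "has_userinfo": parts.username is not None,
    }


if __name__ == "__main__":
    # The URL from discussion question 1, used here as the sample input.
    print(analyze_url("http://www.paypal.com@1113781300"))
```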
1. The purpose of this scenario is to develop e-mail tracking skills. Give students an e-mail message
and have them determine where it came from. Have them describe how they determined where
the message came from and report what they find using the tools described in this chapter. If
certain tools (e.g., Whois or finger) do not provide useful information, this should be noted in the
report. It is not necessary to determine the identity of the sender. However, once students have
2. It can also be instructive to set up an IRC file server for students to connect to and download files.
Panzer (http://arnts.tripod.com/) is a feature-rich, user-friendly IRC file-serving package, and is
141.157.67.68):
Session Start: Wed Feb 25 10:59:24 2004
Session Ident: Fserver
[10:59] DCC Chat session
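For the e-mail tracking scenario (item 1 above), the core skill is reading Received headers from the bottom (the hop closest to the sender) to the top, and recognising that only the headers written by servers you control can be trusted; anything below them could have been inserted by the sender. The following added example (mine, not from the chapter) does that walk over a constructed sample message; the host names and addresses are made up for the exercise.

```python
"""Walk a message's Received headers and report each hop's recording server
and the IP it saw, then find the last IP observed by a server we trust."""
import re
from email import message_from_string

# Constructed sample message for the exercise (not a real capture).
SAMPLE = """Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.university.example (Postfix) with ESMTP id ABC123
\tfor <student@university.example>; Wed, 25 Feb 2004 11:02:17 -0500
Received: from relay.example.org ([198.51.100.7])
\tby mx.example.org with ESMTP; Wed, 25 Feb 2004 11:02:10 -0500
Received: from home-pc ([192.0.2.55])
\tby relay.example.org with SMTP; Wed, 25 Feb 2004 11:01:58 -0500
From: someone@example.org
To: student@university.example
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+([\w.-]+)")               # server that added the header


def received_hops(raw):
    """Return (by_host, from_ip) for each Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # headers are newest-first
        by = BY_RE.search(hdr)
        ip = IP_RE.search(hdr)
        hops.append((by.group(1) if by else None, ip.group(1) if ip else None))
    return hops


def last_trusted_source(raw, trusted_hosts):
    """Starting at the newest hop, keep walking while the recording server is
    one we trust and return the IP the last trusted server saw. Hops below
    that point were written by other parties and may be forged."""
    origin = None
    for by_host, from_ip in reversed(received_hops(raw)):   # newest first
        if by_host not in trusted_hosts:
            break
        origin = from_ip
    return origin


if __name__ == "__main__":
    for by_host, from_ip in received_hops(SAMPLE):
        print(f"{from_ip} -> {by_host}")
    print("last trusted source:", last_trusted_source(SAMPLE, {"mail.university.example"}))
```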