Internet Tracking and Tracing
Internet tracking and tracing (Forensic Science)
Law-enforcement authorities can use Internet tracking and tracing to identify and prosecute persons who are responsible for irresponsible or malicious Internet activity. Internet tracking and tracing are used, for example, in the identification, capture, and conviction of those who mount denial-of-service (DoS) attacks against online companies. In such attacks, the perpetrators attempt to stop particular Internet sites from functioning. In a DoS case that took place in February, 2000, a number of Web sites—including those of Yahoo, CNN, and eBay—were overrun, and essentially disabled, by requests that were orchestrated by a young boy in Montreal, Canada, who used the alias “Mafiaboy.”
Agents for the Federal Bureau of Investigation (FBI) and the Royal Canadian Mounted Police (RCMP) began to suspect that Mafiaboy was behind the DoS attacks after they tracked activity in an Internet chat room. After they established that Mafiaboy was a suspect, they used standard software to trace his URL (uniform resource locator)—that is, his online address—and obtain his IP (Internet protocol) address. With this information, they obtained permission to tap the suspect’s telephone and recorded his descriptions of the DoS attacks in subsequent phone conversations. Mafiaboy ultimately pleaded guilty to fifty-six charges related to his DoS attacks. Although estimates differ, it is generally agreed that his attacks caused more than one million...
Tracking and Tracing Tools (Forensic Science)
The activities of Internet tracking and tracing are often done by humans. For example, undercover agents might pose as children in online chat rooms to catch child predators. Humans also inspect Internet log files heuristically to detect the misuse of browsers to search the Internet for illegal items such as drugs and weapons.
Many of the forensic tools used for Internet tracking and tracing are computer programs that are designed to search chat rooms, Web sites, and e-mail automatically. For example, MySpace partnered with Sentinel Tech Holding Corporation to build a sexual predator database and search program that could automatically discover sexual predators using MySpace. The effort was so successful that several state attorneys general demanded and received predator information from MySpace to assist in the prosecutions of sexual predators in their states.
“Honey pots” are network resources that law-enforcement authorities use to fool potential online attackers into thinking they can easily perpetrate attacks; the authorities then let the attacks occur and collect important information about the attackers from these activities. Most honey pots are Web sites, but a number of wireless access-point honey pots have been developed to defend against those attacking wireless networks. Honey pots have been very successful tools for the early identification of computer hackers and crackers.
Tracking Individual Users (Forensic Science)
Employers and concerned parents of Internet-using children sometimes use Internet tracking to detect and then prevent or control undesirable Internet behavior. This type of tracking is generally done at individual computers with software programs that record every keystroke made by users. Individual Internet tracking software packages record such information as instant messages, chat, and e-mails sent and received; peer-to-peer file searching and swapping; Internet search strings typed; Internet sites visited; and Web-oriented programs used. By installing an individual tracking package on each computer, a company can encourage all employees to make proper use of the Internet, catch those employees who abuse the Internet, and document the company’s efforts to secure its computer systems.
Home and corporate products aimed at defending against malware (malicious software, including viruses and worms) often have databases of dangerous sites that function to stop users from visiting those sites. These software packages also keep records of users’ attempts to access forbidden sites, such as pornography sites; this could be valuable information for parents, employers, or law-enforcement agencies if they need to prove that particular users have been misusing their Internet access.
Tracking at Routers and Firewalls (Forensic Science)
Some of the most important Internet tracking done by organizations takes place at border routers and firewalls, where it is routine to inspect all incoming Internet traffic. If a firewall serves as a bastion host, for example, it will check all requests of the corporate Web server for known attackers. Also, all e-mails arriving at an organization’s e-mail post office are usually checked for viruses, with attachments opened and scanned as well. In addition to tracking incoming traffic, it is common for computer systems to track outgoing traffic as well. Some famous cases in which the American public has been made aware of this type of tracking have occurred at the White House. During the Clinton administration, the White House e-mail archives were important because they allowed the tracking of communications between President Bill Clinton and intern Monica Lewinsky. During the presidency of George W. Bush, the log files of official and unofficial White House e-mail traffic appeared to be significant in the investigation of the firings of several federal attorneys.
Internet tracing to determine all routers used in the sending of Web requests or e-mails is also an important activity carried out by both individuals and organizations, including law-enforcement agencies. Numerous computer programs have been designed to carry out automatic traces to find the home addresses of online attackers or e-mail senders....
Internet Tracking and Tracing (World of Forensic Science)
Forensic science, in particular the process of forensic accounting, where the routing of finances, property, and other material items is traced, relies upon trails of evidence. The information that resides on the Internet can be tracked and traced, and so can be valuable in forensics.
Tracing is a process that follows the Internet activity backwards, from the recipient to the user. As well, a user's Internet activity on web sites can also be tracked on the recipient site (i.e., what sites are visited and how often, the activity at a particular site). Sometimes this tracking and tracing ability is used to generate e-mail to the user, promoting a product that is related to the sites visited. User information, however, can also be gathered covertly.
Techniques of Internet tracking and tracing can also enable authorities to pursue and identify those responsible for malicious Internet activity. For example, on February 8, 2000, a number of key commercial Internet sites such as Yahoo, eBay, and Amazon were jammed with incoming information and rendered inoperable. Through tracing and tracking techniques, law enforcement authorities established that the attacks had arisen from the computer of a 15-year-old boy in Montreal, Canada. The youth, whose Internet identity was "Mafiaboy," was arrested within months of the incidents.
Law enforcement use of Internet tracking is extensive. For example, the U.S. Federal Bureau of Investigation has a tracking program designated Carnivore. The program is capable of scanning thousands of e-mails to identify those that meet the search criteria.
Cookies are computer files that are stored on a user's computer during a visit to a web site. When the user electronically enters the web site, the host computer automatically loads the file(s) to the user's computer.
Cookies are files, and so can be transferred from the host computer to another computer. This can occur legally (e.g., selling of a subscriber mailing list) or illegally (e.g., "hacking in" to a host computer and copying the file). Also, cookies can be acquired as part of a law enforcement investigation.
Stealing a cookie requires knowledge of the file name. Unfortunately, this information is not difficult to obtain. A survey conducted by a U.S. Internet security company in 2002 on 109,212 web sites that used cookies found that almost 55% of them used the same cookie name. Cookies may be disabled by the user; however, this calls for programming knowledge that many users do not have or do not wish to acquire.
A bug or a beacon is an image that can be installed on a web page or in an e-mail. Unlike cookies, bugs cannot be disabled. They can be prominent or surreptitious. As examples of the latter, graphics that are transparent to the user can be present, as can graphics that are only 1x1 pixels in size (corresponding to a dot on a computer monitor). When a user clicks on the graphic in an attempt to view, or even to close the image, information is relayed to the host computer.
Information that can be gathered by bugs or beacons includes: the user's IP address (the Internet address of the computer) and e-mail address; the user computer's operating system (which can be used to target viruses to specific operating systems); the URL (Uniform Resource Locator), or address, of the web page that the user was visiting when the bug or beacon was activated; and the browser that was used (e.g., Mozilla, Explorer).
Like cookies, the information provided by the bug or beacon can be useful to law enforcement officers and forensic investigators who are tracking down the source of an Internet intrusion.
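As an added illustration (not part of the original article), the following Python sketch shows how an examiner or mail filter might flag likely beacons in an HTML e-mail body: images that are 1x1 pixels or hidden by style, together with the host that would receive the request and the identifiers carried in the image URL. The sample HTML, host names, and parameter names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample HTML e-mail body; hosts and parameters are made up.
SAMPLE_HTML = """
<html><body>
<p>Your order has shipped.</p>
<img src="https://shop.example/logo.png" width="200" height="60">
<img src="https://track.example/o.gif?uid=8841&amp;msg=feb-news" width="1" height="1">
<img src="https://stats.example/p.png?e=user%40mail.example" style="display:none">
</body></html>
"""

# Inline styles that make an image invisible to the reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)

class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        dims = [a.get(k, "").strip().rstrip("px") for k in ("width", "height")]
        if all(d.isdigit() and int(d) <= 1 for d in dims):
            reasons.append("1x1 or smaller")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            url = urlsplit(a.get("src", ""))
            # The query string is what ties the image request to one recipient.
            self.findings.append({"host": url.hostname, "reasons": reasons,
                                  "params": parse_qs(url.query)})

def find_beacons(html):
    """Return one finding per suspicious <img> tag in the HTML text."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_HTML):
        print(f)
```

The IP address, operating system, and browser listed above do not appear in the HTML itself; they are carried by the HTTP request the mail client or browser makes for the image and end up in the beacon host's server log.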
E-mail transmissions have several features that make it possible to trace their passage from the sender to the recipient computers. For example, every e-mail contains a section of information that is dubbed the header. Information concerning the origin time, date, and location of the message is present, as is the Internet address (IP) of the sender's computer.
If an alias has been used to send the message, the IP number can be used to trace the true origin of the transmission. When the originating computer is that of a personally owned computer, this tracing can often lead directly to the sender. However, if the sending computer serves a large community, such as a university, through which malicious transmissions are often routed, then identifying the sender can remain daunting. Yet depending on the e-mail program in use, even a communal facility can have information concerning the account of the sender.
The information in the header also details the route that the message took from the sending computer to the recipient computer. This can be useful in unearthing the identity of the sender. For example, in the case of "Mafiaboy," examination of the transmissions led to a computer at the University of California at Santa Barbara that had been commandeered for the prank. Examination of the log files allowed authorities to trace the transmission path back to the sender's personal computer.
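The header route described above can be reconstructed programmatically. The following Python sketch is an added example, not part of the original article: it reads the `Received` lines of a message, orders them from sender to recipient, and extracts the connecting IP address each relay recorded along with a UTC-normalized timestamp. The sample message, host names, and addresses are constructed. `Received` lines added before the first relay the examiner trusts can be forged by the sender, so the earliest hops are leads to corroborate against server logs rather than proof.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses use documentation ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP id A1;
\tTue, 08 Feb 2000 10:15:42 -0500
Received: from relay.campus.example (relay.campus.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id B2;
\tTue, 08 Feb 2000 10:15:40 -0500
Received: from [192.168.1.44] (dialup-44.isp.example [192.0.2.99])
\tby relay.campus.example with SMTP id C3;
\tTue, 08 Feb 2000 07:15:31 -0800
From: "alias" <alias@webmail.example>
To: victim@recipient.example
Subject: constructed sample
Date: Tue, 08 Feb 2000 07:15:30 -0800

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_hops(raw):
    """Return relay hops in sender-to-recipient order."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received line, so the oldest hop is last.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold continuation lines
        route, _, stamp = text.rpartition(";")
        from_part, _, by_part = route.partition(" by ")
        ips = IP_RE.findall(from_part)
        hops.append({
            # The last bracketed address is the one the receiving relay saw
            # on the connection; the name after "from" is only what was claimed.
            "observed_ip": ips[-1] if ips else None,
            "by": by_part.split()[0] if by_part else None,
            "utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
        })
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops; a negative value suggests clock skew or a forged line."""
    return [(b["utc"] - a["utc"]).total_seconds() for a, b in zip(hops, hops[1:])]
```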
Chat rooms are electronic forums where users can visit and exchange views and opinions about a variety of issues. By piecing together the electronic transcripts of the chat room conversations, enforcement officers can track down the source of malicious activity.
Returning to the example of "Mafiaboy," enforcement officers were able to find transmissions at certain chat rooms where the upcoming malicious activity was described. The source of the transmissions was determined to be the youth's personal computer. Matching the times of the chat room transmissions to the malicious events provided strong evidence of the youth's involvement.
SEE ALSO Computer forensics; Computer hackers; Computer security and computer crime investigation.