Deciphering who last logged on
By Canadian Security | Features, Opinion
There is a common misconception that you cannot tell who was using a computer at any given time when multiple people had access to it. It is not always possible, but more often than not you can identify who was on the computer at a particular time, whether in a corporate environment or on a home computer that several people share.
A story or two would be good to illustrate my point. I once did a case involving a young man who was accused of robbing a Mac’s Milk store. His stated defence was that he was on his computer at home at the time of the robbery. I was hired by the defence to validate the statement from the accused. Through an analysis of the web history, emails and general activity on the computer at the time of the crime, there was no doubt left in anyone’s mind that the accused was not at the computer at the time, but instead, his mother was on the computer. Her Facebook account was accessed and cooking sites were visited. It was clearly not the son.
Do you know how awkward it is to go back to your client (the lawyer) and say “I know you hired me to corroborate the story of the accused, however, I can tell you with certainty that the mother was on the computer and not your client.” Just as a side note, it all worked out in the end, as the lawyer appreciated knowing the truth, which helped in the process of negotiating a plea bargain.
I was recently hired by the Crown to help them with a case. There was material on the computer that was crucial evidence in part of a criminal investigation. As there were many people that lived in the house, the question became, ‘Who really had access and control over this information?’
Of the four people in the house, all four denied having access to the information. The police had charged one of the individuals and I had the opportunity to sit down with his defence counsel. “How do you know that it was my client that had the information?” he asked. “I can tell you with certainty who owns the information”, I said. “Prove it”, he challenged.
Well, first, the information we are talking about was inside a password-protected container known as a cryptainer. I was able to crack the password, and it was “Poseidon.” Inside the cryptainer was a Word document, signed “Joe, God of the Sea.” Those who know their Greek mythology will know that Poseidon was the god of the sea.
I asked the defence lawyer, “How many Joes lived in the house?” We all knew the answer was one, and that happened to be his client. But I did not want the defence lawyer to think that was all. Also inside the cryptainer was a folder labelled “Me”. Inside this folder was a single picture. I displayed the picture on my computer and said to the defence lawyer, “I have never seen or met your client, but I am going to take a wild guess and say that is him”. It was at this point that the defence lawyer started negotiating a plea deal.
The big problem for an investigator is that the fact that a particular computer account was used does not necessarily mean that the person who owns that account was using it at the time of the “crime”. I have learned by experience that, more often than not, when the owner of the account is confronted with the evidence I can expect the response, “Yup, that’s my account alright, but it wasn’t me”. The reality is that sometimes your suspect is telling the truth and sometimes they are not, which leaves us with the question, “Who committed the crime?”
Obtaining user accounts and passwords in a given organization is relatively easy. The user account is usually made up of a combination of the user’s first and last name; anyone who works at the organization knows its convention, for example last name followed by first initial. That leaves the password, which is easy to get.
The organizers of the Infosecurity Europe 2004 conference found that 71 per cent of office workers were willing to part with their password for a chocolate bar while 37 per cent of workers immediately gave up their password and an additional 34 per cent gave up their password with a little coaxing. My favourite is to call someone in an organization who doesn’t know me and pretend to be someone calling from the help desk. After a little story about how you can see that there is a virus on their computer and you immediately need their user account and password to sign on to their system to eradicate the virus, which is threatening the corporate network, few will stand in the way of giving you their password. So, as investigators we need to be aware of the fact that the suspect may or may not be telling the truth when they say, “That was my account, but it wasn’t me”.
I would like to define the term “Profiling” from a computer perspective to mean the type of activity on a computer at the time the “crime” happened. Your profile and mine are completely different. I might use Google, you use Yahoo, I might use RBC, you use Scotia Bank. By determining the profile of the computer use for the individuals who had access to the computer, you will most likely see a clear indication of who was on a computer at any given time.
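The profiling idea above can be made concrete with a small script. This is an added example, not code from the original article: it builds a per-user browsing profile from baseline history (periods when the person at the keyboard is not in dispute) and then scores a window of history from the time in question against each profile, using a naive Bayes likelihood over visited domains. All user names, domains and timestamps below are constructed; the `min_margin` threshold is an assumption, chosen so that a single visit is not enough to name anyone.

```python
"""Attribute a window of browsing activity to one of several known users by
comparing it to each user's habitual browsing profile (naive Bayes over
visited domains). All sample data in this file is constructed."""
from collections import Counter
from datetime import datetime
import math

# Constructed baseline history: visits from sessions where the user at the
# keyboard was not in dispute. In practice this comes from the same browser
# history, restricted to times each person admits to.
BASELINE = {
    "son": ["google.com", "youtube.com", "steamcommunity.com", "google.com",
            "rbcroyalbank.com", "youtube.com", "reddit.com", "google.com"],
    "mother": ["yahoo.com", "facebook.com", "allrecipes.com", "facebook.com",
               "scotiabank.com", "yahoo.com", "foodnetwork.ca", "facebook.com"],
}

# Constructed browser-history rows for the evening in question: (ISO time, domain).
HISTORY = [
    ("2024-03-02T19:40:00", "youtube.com"),
    ("2024-03-02T20:05:00", "facebook.com"),
    ("2024-03-02T20:07:00", "allrecipes.com"),
    ("2024-03-02T20:15:00", "facebook.com"),
    ("2024-03-02T20:22:00", "yahoo.com"),
    ("2024-03-02T20:31:00", "foodnetwork.ca"),
    ("2024-03-02T21:10:00", "steamcommunity.com"),
]


def build_profiles(baseline):
    """Per-user smoothed log-probability of each domain. Laplace smoothing keeps
    a domain one user never visited from driving that user's score to -inf."""
    vocab = {d for visits in baseline.values() for d in visits}
    profiles = {}
    for user, visits in baseline.items():
        counts = Counter(visits)
        total = len(visits) + len(vocab)
        profiles[user] = {d: math.log((counts[d] + 1) / total) for d in vocab}
        profiles[user]["__unknown__"] = math.log(1 / total)
    return profiles


def visits_in_window(history, start, end):
    """Domains visited between start and end (inclusive ISO-8601 bounds)."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [d for ts, d in history if s <= datetime.fromisoformat(ts) <= e]


def score_window(profiles, domains):
    """Sum of log-likelihoods per user; higher means the activity fits better."""
    return {user: sum(p.get(d, p["__unknown__"]) for d in domains)
            for user, p in profiles.items()}


def attribute(profiles, domains, min_margin=2.0):
    """Return (best_user, margin) or ('inconclusive', margin) when the two best
    scores are too close, so a thin or mixed window does not get over-read."""
    if not domains:
        return "inconclusive", 0.0
    ranked = sorted(score_window(profiles, domains).items(),
                    key=lambda kv: kv[1], reverse=True)
    (best, best_score), (_, runner_score) = ranked[0], ranked[1]
    margin = best_score - runner_score
    if margin < min_margin:
        return "inconclusive", margin
    return best, margin


if __name__ == "__main__":
    profs = build_profiles(BASELINE)
    window = visits_in_window(HISTORY, "2024-03-02T20:00:00", "2024-03-02T20:35:00")
    print(attribute(profs, window))
```

The margin reported alongside the name is what an examiner should put in the report, not just the name: a large margin means the window looks strongly like one person's habits, while a window containing a single visit, or visits that fit both people, comes back as inconclusive rather than forcing an answer.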