Here There Be Monsters: Hunting for Criminals in the Virtual Sea

Most cybercriminals are no different than other lawbreakers. They’re lazy, impulsive, and/or sloppy, and that’s what gets them caught. That was the message delivered by prosecutor Gary Dawson at the October meeting of the Rocky Mountain chapter of the Mystery Writers of America as he outlined the various ways law enforcement tracks down internet crimes.

Gary has been a prosecutor his entire legal career, starting in upstate New York in 1996 and now serving in Colorado as Senior Deputy in the general felony docket for the 18th Judicial District. The 18th District includes Arapahoe, Douglas, Elbert and Lincoln counties and is the largest judicial district by population in the state. It’s headed by George Brauchler, the 18th Judicial District Attorney.

Besides prosecuting homicide, narcotics, fraud and arson cases, Gary has been involved with Special Victims Units in both New York and Colorado. His SVU work has led to involvement with prosecuting computer-related child pornography, luring and bullying cases, and his presentation focused on those crimes, particularly child pornography on the internet.

As we learned in our September meeting, the internet can be divided into three “neighborhoods”: the Surface Web, the Deep Web, and the Dark Web. Fortunately for law enforcement, most child pornography exists on the Surface Web or on password-protected Deep Web sites, making it easier to track down offenders. Once they’re found and charged, the job of Gary and his fellow prosecutors is to make the case understandable to juries. That involves translating geek-speak into everyday English to keep jurors from tuning out the message. That’s also what he tried to do for the MWA group.

It takes a fair amount of work to avoid leaving trails of evidence on computers, cell phones and the sites you visit. Criminal activity often starts with a simple online search, and even if that search history is deleted from a browser, traces remain on the search engine’s host computers. The chat rooms and social media sites often used for luring keep activity logs that law enforcement can access, often without a warrant, since much of that information, such as IP addresses, isn’t personally identifiable except by the service itself. Getting the service to identify the person behind it may require a warrant, but plenty of incriminating evidence to build a case can be gathered without one.

For instance, software on hard drives and servers assigns “hash values” to blocks of files or data to organize them in ways that make searching more efficient. By knowing the hash values associated with known child pornography sites and users, investigators can use a hash evaluator to search for and analyze them, much as DNA is used as biological evidence. And since hashing algorithms like MD5 produce 128-bit values (2 to the 128th power possibilities), hash evidence is even more precise than DNA. MD5 and SHA are common hashing algorithms. You can dig deeper here or on Wiki.
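As an added illustration of the hash matching Gary described (example code written for this write-up, not from the presentation or any investigative tool), the following Python computes MD5 and SHA-256 digests of files and checks them against a known-hash set. The file names, contents and “known” hashes are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def digests_of_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_digests(path, chunk_size=65536):
    """Hash a file with both algorithms in a single pass over its bytes."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, known_md5, known_sha256):
    """Return files under root whose digest is in a known-hash set.
    File names and locations are ignored; only content is compared."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            md5, sha = file_digests(path)
            if md5 in known_md5 or sha in known_sha256:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed evidence tree, scan it against a constructed
    known-hash set, and return the relative paths that matched."""
    sample = b"constructed sample image bytes"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "known.jpg").write_bytes(sample)
        (root / "renamed.dat").write_bytes(sample)  # same bytes, new name
        # One byte differs, so the digest differs completely: no match.
        (root / "sub" / "altered.jpg").write_bytes(sample[:-1] + b"z")
        (root / "unrelated.txt").write_bytes(b"nothing to see here")
        md5, sha = digests_of_bytes(sample)
        return scan_tree(root, {md5}, {sha})  # ['renamed.dat', 'sub/known.jpg']
```

Renaming or moving a file does not change its hash, which is why matching on content rather than names works; changing even one byte does, which is why altered copies slip past an exact-hash search.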

Law enforcement may even be notified by service providers like Google of suspicious activity. These businesses have people who interface with authorities to handle inquiries, and they even do hash searches of their own to identify bad guys and kick them off their service to avoid legal trouble of their own.

When the long arm of the law finally gets its hands on a computer or mobile device, there’s likely a treasure trove of information to be had. System software assigns a Globally Unique Identifier (GUID) to every machine, and it can be traced. You probably know that deleted files aren’t really deleted; their space is just made available to be overwritten as needed. Unless a “wiper” or “bleaching” program has been used to clean the hard disk (you’ve been following the email scandals, haven’t you?), even overwritten files may leave fragments that contain incriminating evidence. Offloading to a USB device like a thumb drive may seem like a good idea, but those devices carry link and log-in data that can be useful. Besides, pervs want to see those files, so they seldom hide them very well anyway. Even digital photos are packed with information on when and where they were taken.

Cell phones and tablets have much less storage than desktops, so their deleted files are more likely to be overwritten, but they use cloud storage to save space on things like emails, so some of that data may be retrievable. That’s good, too, because kids use phones and tablets to hang out in chat rooms and on social media and are more likely to text than send emails, so if they’re in touch with a predator, there’s probably evidence to be found. Phones have GPS trackers called geo-locators that are used to help find restaurants and other nearby things, and they keep logs of where the phone is and has been that are much more accurate than triangulating cell towers. Some phones keep a history that can nail a suspect to a crime scene days or weeks later. Most people don’t even know it’s on there. If you know what phone you’re trying to locate, phone companies can ping it for a location without alerting the user…as long as it’s on, of course.

OK, so you finally get the bad guy into custody and start sweating him. What’s he most likely to say? According to Gary, the first thing is probably that somebody else must have gotten on his computer or phone. It’s so common that prosecutors even give it an acronym—SODDI (Some Other Dude Did It). They might say that a virus took over and downloaded the porn, or that it was planted by someone else. But regular porn users are impulsive and tend to be organized, keeping incriminating stuff in files they can easily access, so that argument is fairly easy to shoot down, especially with so much log-in data that can pin them to times and places.

Law enforcement agencies have quite a bag of tricks they can use to track down cyber predators. But how often are they used and how long does it take to get results? A typical cyber dragnet can take weeks to close. On the other hand, a well-equipped agency can push an urgent case, such as an abduction, to the top and get results in hours or less, but that can vary by department and policy. Some have more resources than others, and priority is always an issue. As for ongoing operations, porn users are easier to target than porn producers, so agencies often go for the low-hanging fruit. The good news is that more time and resources are being devoted to cybercrime, especially to luring and child pornography, so more bad guys are being caught. The bad news is that there’s plenty of work to do.

The challenge to mystery writers is that crime of all kinds is taking place in a very different world than existed even a few years ago. And that means plenty of homework for us all. Try to have fun with it and don’t forget those breadcrumbs you leave behind. Plausible deniability prevents knocks on your door.

–Mike McClanahan