Cyber investigations may require different skills than traditional cases, but the FBI says it can overcome obfuscation techniques and other evasion methods in order to catch the right suspect.
SearchSecurity sat down with David West, assistant section chief of the FBI's Cyber Division, operational section four, at the Black Hat conference in Las Vegas to talk about how the FBI performs cyber investigations.
Part 1, covering the legal framework, incident notification processing and meeting the burden of proof, can be found here.
Editor's note: This interview has been edited for length and clarity.
Can you discuss how the FBI works with security companies who also do these types of cyber investigations?
David West: We realize that the victims are a source of information. We realize that there are corporations out there that specialize in, for business reasons, looking at this information. We will use them for lead purposes.
But, again, if you bring me information and evidence, I cannot rely only on that information and evidence. Because there's a chain of custody, there's [the security company's] motivation. There are tools and techniques that are available to us at the federal level that may not be available at the private sector level, which is why, sometimes, you might get a disconnect between what the general public thinks versus the government.
The term we like to use is 'trust, but verify.'
How does it change a cyber investigation when you get into the deep web, where anonymization can limit the amount of evidence available?
West: The deep web just adds another layer of security. I would say that our investigative techniques have to be more robust and have to be more concentrated on what and how we do things, whether we're relying on human validation or whether we're relying on technical validation.
But, again, if we're looking at an investigation, it's typically a crime that has been committed in the past. So, with collecting evidence, we are looking for information to either prove or disprove what the story is, as well as we may uncover new crimes that have been committed.
Because, again, the people we're dealing with are not usually one-time [offenders]. And that is one of the things we rely on: that in your interview style, you interview a certain way repeatedly, so you develop a certain way of doing things. Hackers [and] investigators do the same thing; that is a strength, and it's also a weakness.
Humans are creatures of habit, so how do cyber investigations change when you're targeting international groups working together?
West: The FBI is the lead domestic law enforcement agency for computer intrusion, for counterterrorism cyber investigations; therefore, we build a rhythm, like today, to make sure that we can engage with the community to ... dispel some of the myths about how we do things or why we do things, and also to look for potential employees. And we also engage with our USIC partners, our U.S. Intelligence Community partners. We engage with our international partners; in my section, we have the cyber ALAT [assistant legal attaché] programs. The FBI has representatives in 68 countries around the world.
We have legal attachés all over, but we have, specifically, about two dozen cyber-trained agents sitting overseas under host country authority working in the legate office so that, when crimes are committed in the U.S. that have a foreign nexus, where the information that is maybe required through our legal process will not just work by default, we have to issue an interlateral or another type of legal process. We will issue that to our representatives over there, who will issue it to the local law enforcement, and they will go through the collection of that evidence that we'll get.
We're utilizing our foreign partners, as well as our domestic partners. That's why cyber ALAT is so very important to cyber investigations. If a crime is committed against a U.S. citizen overseas, that's the FBI's jurisdiction. Our strength is that we are a small organization, but we're dispersed, and we're concentrated in those locations both domestically and overseas.
Without giving away too much, can you speak on the types of evidence that may be more valuable in cyber investigations?
West: Generally speaking, what I'll say is that people are creatures of habit. People may reuse code, but ... because they are creatures of habit, they will utilize similar techniques. I won't go into specific ones.
We might look to see, as an indicator, what the language of the keyboard is. That doesn't necessarily mean it is that country, but people are finding out we do those things. But that is something that we have to trust, but verify.
We look for all sorts of digital evidence, whether it's IPs, whether it's MAC [media access control] addresses, whether it's time zones; anything and everything that will help our investigation. Because, again, we're trying to get to the right person because, if we hit the wrong person, it's not a deterrent [if] we spent a lot of the federal government's time and money and energy to go after the wrong person, when the real person can continue to do what they're doing.
The investigations take a long time -- that's another complaint we hear about -- anywhere from six months to years. Part of that is because of the legal process that's required, whether it's a subpoena or, on the national security side, the NSL, [as well as] how long the company has to respond, how quickly the victim company reported it to us, whether the evidence is going to exist. If the crime is ongoing, we're going to be able to get ahead of them to the next time they do it.
So these investigations take a long time, but you can believe that, by the time the U.S. Attorney -- who, again, is not doing the investigation, but is looking at the set of facts that have been presented to him -- [receives the evidence] ... he can prove that this crime has been committed. He is going to ask all the questions that the jury will ask even before it's presented to a jury. But leading up until that point, our relationship with the U.S. Attorney's Office allows us to get those legal processes, which will uncover things.
So attribution is possible, but it's not easy. Attribution is difficult. People spend a lot of time trying to hide who they are, but it's no different than a bank robber that goes in with a mask, gloves, all these other things. Our guys just go in with the Tor network or some other type of TTPs [tools, techniques and procedures] that they believe are going to make them anonymous. People, by default, believe the internet is anonymous, when it's really not.
The FBI supports encryption and those types of things. I think there's a misperception that the FBI is against encryption. We are not against encryption. If you look at some of the public notifications we put out, [some] of the things we tell people are, use secure passwords, encrypt your information ... When you hear things about how the FBI feels about encryption, we just believe that, with legal process, we should be able to gain access to things that are encrypted.
But the argument there is, if you can get access, bad actors can get access, too. So it fundamentally breaks the system.
West: That is a common belief. I can't say I agree or disagree with it. I'm just saying that if a legal process requires that you provide evidence of a crime, we'd like for you to provide it.
Though nobody knows how that happens ...
West: Yes, how that happens ... I can't get into that.
But, again, if the internet were secure and there were no known exploits, maybe we wouldn't have any crime, and I'd be out of a job in this area.
And the key is, like I said, from headquarters' perspective, we do program management in large cases, we may forward control. The investigations, holistically, the FBI conducts them, and we leverage our tools through legal process, through human sources, through technical sources, through whatever sources that we think will identify a clear picture and what has occurred.
One of the reasons why we're here today is to make sure people know what we do and, really, how we do it, and if we have information that we can share that we think will help people protect themselves, we often do that. Because of what we do, we sometimes collect information that can help protect the public and we share that information with them.
I don't want to simplify a cybercrime, because it's not simple, but neither is algebra. To a mathematician, calculus and algebra are simple, but they require certain steps. Being a cyber investigator is no different than being a drug investigator or a Russian organized crime investigator or a white-collar crime investigator. It is a specialty where we're trained investigators and we apply our skill set to a legal process to uncover what we need to do to prove that this violation of federal law occurred.
And, following that analogy, if you're investigating a physical crime scene, the criminal could have tried to hide their tracks, but they're always going to leave some evidence there.
West: I would say yes. Just like a regular crime scene, we rely on them making mistakes; we rely on them not cleaning up behind them completely. We rely on them trying to do the same thing over and over again.
There's a well-known case back years ago we learned in the academy where a person knew the FBI was collecting fingerprints. So what they did is, they burned off all their fingerprints. But when we caught them [it was] because, at the crime scene, they didn't have these fingerprints, it was a telltale that he did it because he's the only one walking around with burnt off fingertips.
So what I'm saying is that there are people who can do things that make them believe they are more anonymous that make them less anonymous.