In the highly competitive world of securities trading there has been a noted uptick in software code theft according to Stockwatch.com, particularly among Alternative Trading System platforms (ATS).

Society Generale, Goldman Sachs and UBS have all been hit by software theft. In the case of Societe Generale, they noted that the bank’s security cameras showed an employee printing out hundreds of pages of code. I would guess that the printing was an attempt to evade the electronic security measures likely in place on the employees computer system which would have prevented them from copying the code to a flash drive. It’s notable that “old school” detection technology was what caught the perpetrator.

The Stockwatch article stated that Reuters stated that in the Goldman Sachs case a new employer offered a Goldman computer programmer $1.2 million a year whereas Goldman was only paying him $400,000. The article does not name the new employer, nor does it state whether the new employer enticed the individual to steal the code, or if they did so of their own accord.

Stockwatch is an excellent resource for news and information on companies and individuals, especially for Canadian publicly traded companies. If you spend a lot of time trying to identify corporate affiliations then I would recommend it.

There are a couple of new-to-me changes at Tineye, the image search engine, that might be of interest for readers. For readers who haven’t heard of Tineye before, it is a reverse image search engine. You upload an image or point the service to a URL and Tineye searches similar images on the web. This is useful for fraud investigations and brand protection investigations and at July 19, 2010 the service stated that it had over 16 Billion images in its database.

Here are the updates of interest:

1. The Firefox/Chrome/Internet Explorer/Safari plugin: This will basically allow you to search an image on the fly rather than stopping what you are doing, visiting Tineye, loading the image, etc. It’s an efficiency tool.

2. A Tineye API: From the Tineye website “Using the API, you can integrate the TinEye search engine with your own website or backend to perform searches and retrieve results from TinEye’s growing database of web images. Search for incoming images on the fly, or queue up a bulk set of searches. Your API search results contain the same type of information provided by tineye.com.”

It is aimed at commercial users that want to integrated Tineye into their monitoring or archiving activities. Neat stuff.

I’ve done some tests using the Firefox pluggin and have had some success in locating similar images to the ones I searched. Note Tin-eye doesn’t tell you the “original” image, it just tells you where other similar images are located. This might be a lead for something like, say, a forensic analysis of a seized computer.

I’d be interested to hear comments from others on their experience. For the API I don’t have a need for it at the moment so I won’t be testing it; however, it sounds like it could be a very useful component to a brand protection monitoring strategy.

A great article appeared in the July 2010 version of SANS Ouch! Newsletter on protecting yourself and your family when using Facebook.

Among my favourites are:

- Follow the Golden Rule. Assume that the personal information and photos you display are available to everyone and anyone, not just to your friends.
-To protect children from online predators, do not post a child’s name in a photo tag or caption. If someone else does, delete it if you can, or ask the member who owns the photo to remove the name.
-Do not mention being away from home. Doing so is like putting a “Nobody’s Home” sign on your front door. Be vague about the dates of your travel plans and vacations.

For more please visit the SANS site.

There is an excellent introductory whitepaper on SEARCH.org called How to Capture a MySpace Page for Investigative Purposes that I think should be basic reading for every Internet investigator. It will serve as a baseline for capturing evidence from any on-line investigation.

The whitepaper recommends using screen capture video recording software called Camtasia by Techsmith. I have limited experience with this particular software but have used other freeware and video capture services for similar purposes. I have used Techsmith`s Snagit product before and I have had good luck with it.

The whitepaper also suggests using Video Downloadhelper, a Firefox extention to capture videos. I’ve used this app for a long time and like it a lot; however, some people prefer commercial products and there are those which are not free but are quite reasonalby priced, such as SWF Toolbox and RealPlayer Plus. I particularly like the SWF Toolbox for the additional functionality, but Realplayer Plus is a well known brand and some people take comfort in that.

There are a couple of key points to take from the white paper which I think are worth highlighting:
- Make sure you record the audio files separately
- Make sure you capture the video files separately
- Make sure you capture the HTML code by either opening up the source code through “View Source” or by saving a copy of the web page. The white paper suggests that it is important to do because the HTML would show any hidden trackers or code that might not show up on the rendered web page; and because a person who is competent in HTML could recreate the page with the appropriate tools (a variation the old “a competent person with the same information would reach the same conclusions argument”).

I also believe however, that it is important to capture the HTML for a variety of other reasons. Not least of which is to find out the original source of referenced material. Embedded keywords in headers can also help demonstrate mens rea. I put these here to attract a certain type of traffic from search engines (i.e. search engine optimization, a kind of marketing), therefore I knew what I was doing when I posted these fake identity cards for sale on line……and so the argument goes.

The white paper is aimed at MySpace, but given the fact that social media is so prolific, and because just about every kind of webpage can contains just about every kind of content the points could be applicable to most forensic Internet investigations.

There are a few areas that the white paper could have addressed, although to some they may be obvious. First, the investigators notes should reflect what he or she is doing and how they arrived at where they did. This includes things like the search terms they used, when they conducted the research, etc. A Google search on Monday may not provide the same results on Friday, but at least it should be clear to observers that when the search was done these are the results which were provided.

Second, a video is nice, and you can certainly take stills from a video to put them in your report, but I also like to produce pdfs of webpages. These work well in written reports.

Third, there is the issue of non-repudiation for the evidence you collected. Creating a checksum all of the information you obtain and then burning everything to a DVD and closing the session is a good idea. I`m using a DVD-R as an example, but I`m technology neutral. An encrypted flash drive or SD card or whatever else you prefer would also work.

Some of these principles are discussed further in Vere Software whitepaper “Collecting Legally Defensible Online Evidence.” I`ve blogged about this before and I think it is also good, basic reading.

Last but not least, the speed at which you capture information is important. You don’t want to go through a lot of effort to record things and then end up producing a video that is blurred. Editing can clean up the video a little bit but it is a huge time consumer and you cannot over edit lest your video be rejected as investigators should be aware of this constraint and move slowly if they are going to capture their sessions by a screen capture.

I’d also recommend that readers check out the other great publicly available whitepaper that is on the Search.org website for doing Internet investigations called “Setting up an Online Investigative Computer: Hardware, Connectivity and Software Recomendations”. It was written in 2004 so some of the specifications are a little old, but the principles are still relevant.

In my view the technology is going to keep evolving and because of this we must stay grounded in the basics. Improving searching by using semantic search techniques that understand natural language is fine, but it is still searching and we must be able to explain how we arrived at the results we did. Social networking sites, virtual worlds and so on are all interesting and important; and evidence will exist in these places, but just like the old school chatroom, they are all just tools for communicating in different ways.

Ours is to know the principles and evolve the processes for the new technologies.

I highly recommend the book Twitterville written by Shel Israel. It is a great book for those considering using Twitter for business purposes, but also suggests ways in which information professionals might use the service for research. It was a great repository for services that can assist the investigation & security professional achieve what they want incluidng researching information on individuals or organizations; or obtaining real-time indicators of threats to events.

I found that Chapter 15 “The Dark Streets” (of Twitterville) to be particularly interesting.

For more information on some Twitter advanced research techniques you can check out this blog post.

Despite taking a hiatus from our regular program, the HTCIA is holding Birds of a Feather (BOF) formatted events over the summer, including a discussion on Social Media attacks on July 13, 2010. This will be hosted by Sherif Koussa.

On August 10, 2010 we’ll be having a discussion on SCADA attacks, so mark your calendars for that one as well.

After our summer format program has concluded we launch into the annual three-part case study. This year’s topic is IT Security Mobilization Units – A Case from the Field. It promises to be very cool, with an interactive discussion around the use of live forensics to conduct real-time investigations by mobile rapid Computer Incident Response Teams (CIRT) in some highly challenging environments. As always attendees are encouraged to engage and discuss this evolving topic. The dates for these events are: September 14, 2010, October 12, 2010 and November 9, 2010.

The November 9, 2010 meeting will also include our Chapter’s annual general meeting where we hold elections for the next year’s board. For those who are interested in participating in the board level of the Chapter, this is a good time to start thinking about how you would like to become involved.

I was recently doing some work on how to isolate information on Twitter and I found the advanced Twitter search function.

However, if you want examples of the URLs used to conduct the search, additional search strings and examples of what results the searches are meant to find there is a great post on WebConnoisseur, a social media blog written by Dustin Woodward. Examples of search parameters inlcude:

1. Multi-word queries
2. Exact match queries
3. OR queries
4. Hash Tag queries
5. At queries
6. Question queries
7. Combining queries
8. From and To queries
9. Exclude queries
10. Location queries
11. Date-based queries
12. Attitudinal queries
13. Source queries
14. Link filtered queries
15.Jumping forward in older searches

There are a few applications and services out there that are designed for Twitter research but I haven’t found the need to investigate them as yet, so I don’t have any comments on their effectiveness. I do however, see the benefit of using a service like Radian6, Scoutlabs or any of a myriad of other competitors for intelligence purposes so long as the benefits outway the cost of the subscription service.

These services are particularly beneficial because they aggregate information across social media platforms (i.e. feeds from Twitter, Facebook, the blogsphere, etc). I wonder if you might be able to achieve similar results with a Yahoo! pipes concoction of some sort…it would definitely take some work.

As Twitter’s user base grows it becomes increasly important to understand how to effectively use the service for investigation and intelligence purposes. It’s a communication medium at the end of the day and it can be used for dasterdly deeds as easily as it can be used for good. Learning how to focus your search criteria to dates, posters (tweeters) of interest and other narrowing functions is imperative otherwise you risk wasting time focusing on the wrong things.

SanDisk has announced the development of a 1GB Write Once Read Many (WORM) SD memory card. Conceptually, this will provide extra assurances that original digital photographic evidence will not be tampered with.

Investigators can download their images to a computer and then work their magic, but their originals are, well, original.

Thanks to Philip Golan, who provided this information on the Investigative Databases Group on LinkedIn.

Every once in a while it’s a good idea to remind ourselves of why we do background due diligence on potential new hires, and more importanly why it is imporant to conduct the appropriate level of research into individuals depending on the position they are applying for. Doing these types of inquiries on a risk ranked basis is the proper way to achieve the best cost-benefit outcome. The BankInfo Security site has a good article on this very subject.

My view is that the first thing you have to do is verify that they are who they say they are. Verifying that they have a certain degree or job experience is secondary to the basic verification of identity.

The Problem: Occasionally you will find a video, posted on a blog or some website that is useful for your investigation. You’ve downloaded a copy of the video using videodownload helper or realplayer plus or some other tool but you want to find where the embedded video was originally posted and who the original poster of the video was to see if they are posting other videos that might be of interest to your file.

Of course if it is a YouTube video there is usually the YouTube logo in the bottom right, so that solves part of your quandry, but this solution will deal with locating both where the video was posted and who posted the video.

The Solution: It should be said upfront that this solution likely has an expiry date since YouTube, Vimeo, etc. change their coding every so often. That being said, this has been working for the last two years at least.

First, open the source code of the web page you’re viewing. My preference is to use the “View Selection Source” on Firefox; however, the view page source function in Explorer will also work.

Second, using either your own scrolling or the Find Function (“Cntrl F”) search for the common “src=” line which will be immediately before the link to the video.

Third, look for the video id which will be the string of alpha-numeric numbers after the http://www.youtube.com/v/ and before the & (ampersand) in the case of YouTube posts. In the case of the previous Evince Blog post “Copyright Battle” posted on June 30th, 2009 where a video was posted from YouTube the string is: http://www.youtube.com/v/PhSnQbflg2A&hl=en&fs=1&rel=0 so what you are looking for is the PhSnQbflg2A .

Note: You now know the source site where the video was streaming from.

Alternatively for steps one to three you can identify the video id by using the “copy embedded html” function on the right click menu when you hover over the video posted on the blog. Then paste the html code on a word document and the video id will be fairly apparent.

This is the embedded html for the previously mentioned video on Copyright battle. You can click on the image to view the code alone.

Note: the video id appears after both “value=” and “src=”.

Finally, conduct a search using the video id on Google (or other search engine) or YouTube itself (or the other video posting website you believe the video is from). That should lead you to find the page where the video was posted and hence to the original poster of the video. You can use the inurl: function although I have found my success with that approach to be inconsistent.

If anyone has any suggestions on how to improve this strategy, or other methods of accomplishing the same thing, please let me know.