The Evince Blog http://evincesvc.com/blog1
A blog about issues affecting Internet investigations and ethics compliance programs

Software Code Theft at Trading Houses – Industrial Espionage on The Rise
http://evincesvc.com/blog1/2010/07/29/software-code-theft-at-trading-houses-industrial-espionage-on-the-rise/
Thu, 29 Jul 2010 12:14:24 +0000 Chris Pierre

In the highly competitive world of securities trading there has been a noted uptick in software code theft, according to Stockwatch.com, particularly involving Alternative Trading System (ATS) platforms.

Société Générale, Goldman Sachs and UBS have all been hit by software theft. In the case of Société Générale, the article noted that the bank’s security cameras showed an employee printing out hundreds of pages of code. I would guess that the printing was an attempt to evade the electronic security measures likely in place on the employee’s computer, which would have prevented them from copying the code to a flash drive. It’s notable that “old school” detection technology was what caught the perpetrator.

The Stockwatch article, citing Reuters, states that in the Goldman Sachs case a new employer offered a Goldman computer programmer $1.2 million a year, whereas Goldman was paying him $400,000. The article does not name the new employer, nor does it state whether the new employer enticed the individual to steal the code or whether he did so of his own accord.

Stockwatch is an excellent resource for news and information on companies and individuals, especially Canadian publicly traded companies. If you spend a lot of time trying to identify corporate affiliations, I recommend it.

Changes at Tineye – Pictures and Video on the Web
http://evincesvc.com/blog1/2010/07/23/changes-at-tineye-pictures-and-video-on-the-web/
Fri, 23 Jul 2010 17:05:28 +0000 Chris Pierre

There are a couple of new-to-me changes at TinEye, the image search engine, that might be of interest to readers. For those who haven’t heard of it, TinEye is a reverse image search engine: you upload an image or point the service to a URL and TinEye searches the web for similar images. This is useful for fraud investigations and brand protection investigations; as of July 19, 2010 the service stated that it had over 16 billion images in its database.

Here are the updates of interest:

1. The Firefox/Chrome/Internet Explorer/Safari plugin: This lets you search an image on the fly rather than stopping what you are doing, visiting TinEye, loading the image, and so on. It’s an efficiency tool.

2. A Tineye API: From the Tineye website “Using the API, you can integrate the TinEye search engine with your own website or backend to perform searches and retrieve results from TinEye’s growing database of web images. Search for incoming images on the fly, or queue up a bulk set of searches. Your API search results contain the same type of information provided by tineye.com.”

It is aimed at commercial users that want to integrate TinEye into their monitoring or archiving activities. Neat stuff.

I’ve done some tests using the Firefox plugin and have had some success in locating images similar to the ones I searched. Note that TinEye doesn’t tell you which image is the “original”; it just tells you where other similar images are located. This might be a lead in something like a forensic analysis of a seized computer.

I’d be interested to hear comments from others on their experience. For the API I don’t have a need for it at the moment so I won’t be testing it; however, it sounds like it could be a very useful component to a brand protection monitoring strategy.

Advice for Using Facebook
http://evincesvc.com/blog1/2010/07/21/advice-for-using-facebook/
Wed, 21 Jul 2010 11:59:16 +0000 Chris Pierre

A great article appeared in the July 2010 issue of the SANS OUCH! newsletter on protecting yourself and your family when using Facebook.

Among my favourites are:

- Follow the Golden Rule. Assume that the personal information and photos you display are available to everyone and anyone, not just to your friends.
- To protect children from online predators, do not post a child’s name in a photo tag or caption. If someone else does, delete it if you can, or ask the member who owns the photo to remove the name.
- Do not mention being away from home. Doing so is like putting a “Nobody’s Home” sign on your front door. Be vague about the dates of your travel plans and vacations.

For more please visit the SANS site.

Using a Screen Recorder to Conduct Internet Investigations and other Goodies from SEARCH.org
http://evincesvc.com/blog1/2010/07/08/using-a-screen-recorder-to-conduct-internet-investigations-and-other-goodies-from-search-org/
Thu, 08 Jul 2010 13:55:20 +0000 Chris Pierre

There is an excellent introductory whitepaper on SEARCH.org called How to Capture a MySpace Page for Investigative Purposes that I think should be basic reading for every Internet investigator. It serves as a baseline for capturing evidence in any online investigation.

The whitepaper recommends using screen capture video recording software called Camtasia, by TechSmith. I have limited experience with this particular product but have used other freeware and video capture services for similar purposes. I have used TechSmith’s Snagit product before and have had good luck with it.

The whitepaper also suggests using Video DownloadHelper, a Firefox extension, to capture videos. I’ve used this add-on for a long time and like it a lot; however, some people prefer commercial products, and there are some which are not free but are quite reasonably priced, such as SWF Toolbox and RealPlayer Plus. I particularly like SWF Toolbox for its additional functionality, but RealPlayer Plus is a well known brand and some people take comfort in that.

There are a couple of key points to take from the white paper which I think are worth highlighting:
- Make sure you record the audio files separately
- Make sure you capture the video files separately
- Make sure you capture the HTML code, either by opening the source through “View Source” or by saving a copy of the web page. The white paper suggests this is important because the HTML will show any hidden trackers or code that might not appear on the rendered web page, and because a person competent in HTML could recreate the page with the appropriate tools (a variation on the old “a competent person with the same information would reach the same conclusions” argument).

I also believe, however, that it is important to capture the HTML for a variety of other reasons, not least of which is to find the original source of referenced material. Embedded keywords in headers can also help demonstrate mens rea: “I put these keywords here to attract a certain type of traffic from search engines (i.e. search engine optimization, a kind of marketing), therefore I knew what I was doing when I posted these fake identity cards for sale online”…and so the argument goes.
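To make the point concrete, here is an added example (not from the post or the SEARCH.org white paper) that runs over a captured page source and pulls out exactly the things a screenshot of the rendered page would not show: the meta keywords and description, elements hidden with CSS and the text inside them, 1×1 or 0×0 images and frames (tracking pixels), and the external hosts the page pulls resources from or links to. The sample HTML is constructed for the example and the host names in it are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not a real site). The rendered page looks
# innocuous; the source carries SEO keywords, a 1x1 tracking pixel, a zero-size
# iframe and text hidden with CSS.
SAMPLE_HTML = """
<html><head>
<title>Novelty cards</title>
<meta name="keywords" content="fake id, novelty driver license, buy fake passport">
<meta name="description" content="Quality novelty cards shipped worldwide">
<script src="http://tracker.example/t.js"></script>
</head><body>
<h1>Novelty cards</h1>
<p>Fun cards for parties.</p>
<img src="http://tracker.example/pixel.gif" width="1" height="1">
<div style="display:none">buy fake id here cheap</div>
<iframe src="http://third.example/frame" width="0" height="0"></iframe>
<a href="http://shop.example/order">Order</a>
</body></html>
"""

# Elements that never get an end tag, so they must not go on the open-element stack.
VOID_TAGS = {"img", "br", "meta", "link", "input", "hr", "param", "embed",
             "source", "area", "base", "col", "wbr"}


class SourceInspector(HTMLParser):
    """Collects what a screenshot of the rendered page would not show."""

    def __init__(self):
        super().__init__()
        self.meta = {}          # meta name -> content (keywords, description, ...)
        self.hidden = []        # (tag, reason) for elements a viewer never sees
        self.hidden_text = []   # text that exists only inside CSS-hidden elements
        self.external = set()   # hosts the page loads resources from or links to
        self._stack = []        # one bool per open element: is it CSS-hidden?

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]
        for key in ("src", "href"):
            m = re.match(r"https?://([^/]+)", a.get(key, ""))
            if m:
                self.external.add(m.group(1).lower())
        style = a.get("style", "").replace(" ", "").lower()
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if css_hidden:
            self.hidden.append((tag, "css-hidden"))
        # Tracking pixels and zero-size frames: rendered, but invisible.
        if tag in ("img", "iframe") and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self.hidden.append((tag, "%sx%s %s" % (a["width"], a["height"], a.get("src"))))
        if tag not in VOID_TAGS:
            self._stack.append(css_hidden)

    def handle_endtag(self, tag):
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        # Text is "hidden" if any enclosing element is CSS-hidden.
        if any(self._stack) and data.strip():
            self.hidden_text.append(data.strip())


def inspect_source(html):
    """Summarise the non-rendered content of a captured page source."""
    p = SourceInspector()
    p.feed(html)
    p.close()
    keywords = [k.strip() for k in p.meta.get("keywords", "").split(",") if k.strip()]
    return {
        "keywords": keywords,
        "description": p.meta.get("description", ""),
        "hidden_elements": p.hidden,
        "hidden_text": p.hidden_text,
        "external_hosts": sorted(p.external),
    }


if __name__ == "__main__":
    for key, value in inspect_source(SAMPLE_HTML).items():
        print(key, "->", value)
```

Run it against the HTML you saved with “View Source” or “Save Page As” rather than against a live fetch, so the report describes the same bytes you preserved; the external host list is also a quick way to see where referenced material was originally served from.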

The white paper is aimed at MySpace, but given how prolific social media is, and because just about every kind of web page can contain just about every kind of content, the points are applicable to most forensic Internet investigations.

There are a few areas that the white paper could have addressed, although to some they may be obvious. First, the investigator’s notes should reflect what he or she is doing and how they arrived at where they did. This includes things like the search terms used, when the research was conducted, etc. A Google search on Monday may not return the same results on Friday, but at least it should be clear to observers that when the search was done these were the results it returned.

Second, a video is nice, and you can certainly take stills from it for your report, but I also like to produce PDFs of web pages. These work well in written reports.

Third, there is the issue of integrity (often called non-repudiation) for the evidence you collected. Creating a checksum of all of the information you obtain, then burning everything to a DVD and closing the session, is a good idea. I’m using a DVD-R as an example, but I’m technology neutral. An encrypted flash drive or SD card or whatever else you prefer would also work.
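The checksum step is easy to do badly (one hash of a zip, no record of which file had which value, nothing to compare against later). As an added example that is not from the post, the script below hashes every file in a collection folder with SHA-256, writes the results as a sorted manifest, produces a single digest over that manifest to copy into your handwritten or signed notes, and can later re-check the folder and say exactly which files were modified, removed or added. The folder contents are constructed inside a temporary directory for the demonstration; the file names and the hash algorithm are my choices, not the white paper’s.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large video captures never load into RAM


def sha256_of(path):
    """Hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir):
    """Hash every regular file under evidence_dir (recursively).

    Keys are POSIX-style relative paths, sorted, so the manifest is identical
    regardless of platform or the order the filesystem lists entries in.
    """
    root = Path(evidence_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in files}


def manifest_digest(manifest):
    """One SHA-256 over the canonical JSON of the manifest.

    This single value goes into the investigator's notes (and, if you have
    one, under a signature), so the manifest stored on the media can itself
    be checked later.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify(evidence_dir, manifest):
    """Re-hash the directory and report what changed since the manifest.

    Returns a dict with 'modified', 'missing' and 'added' lists; all empty
    means the collection still matches.
    """
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed sample: a tiny evidence folder, its manifest, then a tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "notes.txt").write_text("search term: 'fake id cards', 2010-07-08 09:15 EDT\n")
        (d / "page.html").write_text("<html><meta name='keywords' content='fake id'></html>")
        (d / "media").mkdir()
        (d / "media" / "clip.flv").write_bytes(b"FLV\x01" + bytes(64))

        manifest = build_manifest(d)
        digest = manifest_digest(manifest)
        clean = verify(d, manifest)

        # Simulate an alteration made after collection.
        (d / "page.html").write_text("<html></html>")
        tampered = verify(d, manifest)
        return manifest, digest, clean, tampered


if __name__ == "__main__":
    manifest, digest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("manifest digest:", digest)
    print("clean check:", clean)
    print("after tamper:", tampered)
```

Write the manifest JSON onto the same DVD or card as the files, and keep the manifest digest somewhere the media cannot alter (your notebook, a signed report). A WORM medium or a closed DVD session stops the files from being rewritten in place; the manifest is what lets you prove it to someone else.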

Some of these principles are discussed further in Vere Software’s whitepaper “Collecting Legally Defensible Online Evidence.” I’ve blogged about this before and I think it is also good, basic reading.

Last but not least, the speed at which you capture information is important. You don’t want to go through a lot of effort to record things and then end up producing a video that is blurred. Editing can clean up the video a little, but it is a huge time consumer, and you cannot over-edit lest your video be rejected. Investigators should be aware of this constraint and move slowly if they are going to capture their sessions with a screen recorder.

I’d also recommend that readers check out the other great publicly available whitepaper on the SEARCH.org website for doing Internet investigations, called “Setting up an Online Investigative Computer: Hardware, Connectivity and Software Recommendations”. It was written in 2004, so some of the specifications are a little old, but the principles are still relevant.

In my view the technology is going to keep evolving, and because of this we must stay grounded in the basics. Improving searching with semantic search techniques that understand natural language is fine, but it is still searching, and we must be able to explain how we arrived at the results we did. Social networking sites, virtual worlds and so on are all interesting and important, and evidence will exist in these places, but just like the old school chatroom, they are all just tools for communicating in different ways.

Ours is to know the principles and evolve the processes for the new technologies.

Book Recommendation: Twitterville
http://evincesvc.com/blog1/2010/07/06/book-recommendation-twitterville/
Tue, 06 Jul 2010 15:22:57 +0000 Chris Pierre

I highly recommend the book Twitterville, written by Shel Israel. It is a great book for those considering using Twitter for business purposes, but it also suggests ways in which information professionals might use the service for research. It is a great repository of services that can help the investigation and security professional achieve what they want, including researching information on individuals or organizations, or obtaining real-time indicators of threats to events.

I found Chapter 15, “The Dark Streets” (of Twitterville), particularly interesting.

For more information on some Twitter advanced research techniques you can check out this blog post.

Don’t forget to Check Out the Events Hosted by HTCIA-Ottawa
http://evincesvc.com/blog1/2010/07/05/dont-forget-to-check-out-the-events-hosted-by-htcia-ottawa/
Mon, 05 Jul 2010 14:52:59 +0000 Chris Pierre

Despite taking a hiatus from our regular program, the HTCIA is holding Birds of a Feather (BOF) formatted events over the summer, including a discussion on Social Media attacks on July 13, 2010. This will be hosted by Sherif Koussa.

On August 10, 2010 we’ll be having a discussion on SCADA attacks, so mark your calendars for that one as well.

After our summer format program has concluded we launch into the annual three-part case study. This year’s topic is IT Security Mobilization Units – A Case from the Field. It promises to be very cool, with an interactive discussion around the use of live forensics to conduct real-time investigations by mobile rapid Computer Incident Response Teams (CIRT) in some highly challenging environments. As always attendees are encouraged to engage and discuss this evolving topic. The dates for these events are: September 14, 2010, October 12, 2010 and November 9, 2010.

The November 9, 2010 meeting will also include our Chapter’s annual general meeting where we hold elections for the next year’s board. For those who are interested in participating in the board level of the Chapter, this is a good time to start thinking about how you would like to become involved.

Twitter Advanced Search Commands and Other Thoughts on Social Media Monitoring
http://evincesvc.com/blog1/2010/07/04/twitter-advanced-search-commands-and-other-thoughts-on-social-media-monitoring/
Sun, 04 Jul 2010 23:47:13 +0000 Chris Pierre

I was recently doing some work on how to isolate information on Twitter and found the advanced Twitter search function.

However, if you want examples of the URLs used to conduct the searches, additional search strings and examples of what the searches are meant to find, there is a great post on WebConnoisseur, a social media blog written by Dustin Woodward. The search parameters covered include:

1. Multi-word queries
2. Exact match queries
3. OR queries
4. Hash Tag queries
5. At queries
6. Question queries
7. Combining queries
8. From and To queries
9. Exclude queries
10. Location queries
11. Date-based queries
12. Attitudinal queries
13. Source queries
14. Link filtered queries
15. Jumping forward in older searches
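Most of the families above map onto a handful of search operators that are typed into the same query box (from:, to:, since:, until:, near:, within:, filter:links, source:, the “?” and “:)” / “:(” tokens, a leading minus to exclude, quotes for an exact phrase, OR between terms, and # or @ on a word). As an added example, not from the post or the WebConnoisseur article, the function below composes such a query in a fixed order so that the exact string can be copied into the investigator’s notes and repeated later, rejects a badly formatted date instead of letting since: silently match nothing, and builds the search URL. The http://search.twitter.com/search endpoint and the page= parameter for reaching older results are my assumptions about the 2010 web interface, not something the post states.

```python
import re
from urllib.parse import urlencode

# Web search endpoint Twitter used around 2010. Assumed for the example;
# the post itself does not give the URL.
SEARCH_BASE = "http://search.twitter.com/search"
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def _date(value, name):
    """since:/until: take YYYY-MM-DD; anything else would match nothing, so fail loudly."""
    if not ISO_DATE.match(value):
        raise ValueError("%s must be YYYY-MM-DD, got %r" % (name, value))
    return value


def build_query(words=(), phrase=None, any_of=(), hashtags=(), mentions=(),
                from_user=None, to_user=None, exclude=(), near=None, within=None,
                since=None, until=None, attitude=None, question=False,
                source=None, links_only=False):
    """Compose a Twitter search string from the operator families listed above.

    Every argument is optional. Parts are emitted in a fixed order so the same
    inputs always give the same string, which is what you want in your notes.
    """
    if attitude not in (None, "positive", "negative"):
        raise ValueError("attitude must be None, 'positive' or 'negative'")
    parts = list(words)                                    # 1. multi-word (implicit AND)
    if phrase:
        parts.append('"%s"' % phrase)                      # 2. exact match
    if any_of:
        parts.append(" OR ".join(any_of))                  # 3. OR
    parts += ["#" + h.lstrip("#") for h in hashtags]       # 4. hash tag
    parts += ["@" + m.lstrip("@") for m in mentions]       # 5. at
    if from_user:
        parts.append("from:" + from_user.lstrip("@"))      # 8. from
    if to_user:
        parts.append("to:" + to_user.lstrip("@"))          # 8. to
    parts += ["-" + w for w in exclude]                    # 9. exclude
    if near:
        parts.append('near:"%s"' % near)                   # 10. location
        if within:
            parts.append("within:" + within)               #     e.g. "15mi"
    if since:
        parts.append("since:" + _date(since, "since"))     # 11. date-based
    if until:
        parts.append("until:" + _date(until, "until"))
    if attitude == "positive":
        parts.append(":)")                                 # 12. attitudinal
    elif attitude == "negative":
        parts.append(":(")
    if question:
        parts.append("?")                                  # 6. question
    if source:
        parts.append("source:" + source)                   # 13. source
    if links_only:
        parts.append("filter:links")                       # 14. link filtered
    return " ".join(parts)                                 # 7. combined


def search_url(query, page=None):
    """URL for the query; page= is the assumed way to step back through older results (15)."""
    params = {"q": query}
    if page:
        params["page"] = str(page)
    return SEARCH_BASE + "?" + urlencode(params)


if __name__ == "__main__":
    q = build_query(phrase="fake id", hashtags=["ottawa"], from_user="@someone",
                    exclude=["novelty"], since="2010-07-01", until="2010-07-04",
                    links_only=True)
    print(q)
    print(search_url(q, page=2))
```

Record the generated string, the URL and the time you ran it together; with the result set changing by the hour, the query text is the only part of the search that is reproducible.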

There are a few applications and services out there that are designed for Twitter research, but I haven’t found the need to investigate them as yet, so I don’t have any comments on their effectiveness. I do, however, see the benefit of using a service like Radian6, Scoutlabs or any of a myriad of other competitors for intelligence purposes, so long as the benefits outweigh the cost of the subscription.

These services are particularly beneficial because they aggregate information across social media platforms (i.e. feeds from Twitter, Facebook, the blogosphere, etc.). I wonder if you might be able to achieve similar results with a Yahoo! Pipes concoction of some sort…it would definitely take some work.

As Twitter’s user base grows it becomes increasingly important to understand how to use the service effectively for investigation and intelligence purposes. It’s a communication medium at the end of the day, and it can be used for dastardly deeds as easily as it can be used for good. Learning how to focus your search criteria on dates, posters (tweeters) of interest and other narrowing functions is imperative; otherwise you risk wasting time focusing on the wrong things.

Tamper Proof WORM SD Cards
http://evincesvc.com/blog1/2010/06/25/tamper-proof-worm-sd-cards/
Fri, 25 Jun 2010 16:29:10 +0000 Chris Pierre

SanDisk has announced the development of a 1GB Write Once Read Many (WORM) SD memory card. Conceptually, this provides extra assurance that original digital photographic evidence cannot be altered after it is written. It does not, of course, prevent an altered image from being written in the first place, so the card itself still needs to be handled under the usual chain-of-custody rules.

Investigators can copy their images to a computer and then work their magic, but the originals remain, well, original.

Thanks to Philip Golan, who provided this information on the Investigative Databases Group on LinkedIn.

Advice on Background Checks
http://evincesvc.com/blog1/2010/06/17/advice-on-background-checks/
Thu, 17 Jun 2010 12:09:56 +0000 Chris Pierre

Every once in a while it’s a good idea to remind ourselves why we do background due diligence on potential new hires, and more importantly why it is important to conduct the appropriate level of research into an individual depending on the position they are applying for. Doing these inquiries on a risk-ranked basis is the proper way to achieve the best cost-benefit outcome. The BankInfo Security site has a good article on this very subject.

My view is that the first thing you have to do is verify that they are who they say they are. Verifying that they have a certain degree or job experience is secondary to the basic verification of identity.

Finding Where a Video Was Originally Posted
http://evincesvc.com/blog1/2010/06/13/finding-where-a-video-was-originally-posted/
Sun, 13 Jun 2010 18:09:39 +0000 Chris Pierre

The Problem: Occasionally you will find a video, posted on a blog or some website, that is useful for your investigation. You’ve downloaded a copy of the video using Video DownloadHelper, RealPlayer Plus or some other tool, but you want to find where the embedded video was originally posted and who the original poster was, to see if they are posting other videos that might be of interest to your file.

Of course, if it is a YouTube video there is usually the YouTube logo in the bottom right, which solves part of the quandary, but this solution deals with locating both where the video was posted and who posted it.

The Solution: It should be said up front that this solution likely has an expiry date, since YouTube, Vimeo, etc. change their code every so often. That being said, it has been working for at least the last two years.

First, open the source code of the web page you’re viewing. My preference is to use “View Selection Source” in Firefox; however, the View Source function in Internet Explorer will also work.

Second, either by scrolling or with the Find function (Ctrl+F), search for “src=”, which immediately precedes the link to the video.

Third, look for the video id, which in the case of YouTube posts is the alphanumeric string after http://www.youtube.com/v/ and before the & (ampersand). In the previous Evince Blog post “Copyright Battle”, posted on June 30th, 2009, where a video was posted from YouTube, the string is http://www.youtube.com/v/PhSnQbflg2A&hl=en&fs=1&rel=0, so what you are looking for is PhSnQbflg2A.

Note: you now know the source site the video was streaming from.

Alternatively, for steps one to three you can identify the video id by using the “copy embedded html” function on the right-click menu when you hover over the video posted on the blog. Then paste the HTML into a text editor or Word document and the video id will be fairly apparent.

This is the embedded HTML for the previously mentioned video on Copyright Battle (shown in the post as an image, which is not reproduced here).

Note: the video id appears after both “value=” and “src=”.

Finally, search for the video id on Google (or another search engine) or on YouTube itself (or whichever video site you believe the video is from). That should lead you to the page where the video was posted and hence to the original poster. You can use the inurl: operator, although I have found my success with that approach inconsistent.
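Steps one to three can be done in a few lines once you have saved the page source, which is also the form that survives the “expiry date” problem best: when a site changes its embed code you add one pattern rather than relearn the procedure. The script below is an added example, not part of the post: it pulls every src= and value= attribute out of the saved HTML (the two places the post says the id appears), recognises the /v/ form from the post as well as the newer YouTube /embed/, watch?v= and youtu.be/ forms, and turns each id into the canonical watch page URL you would then search for or visit. The Vimeo patterns (player.vimeo.com/video/ID and the older moogaloop.swf?clip_id=ID) are my addition and an assumption about that site’s embed code; the sample HTML is constructed for the example, using the video id quoted in the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an old-style YouTube <object>/<embed> block in the form
# the post describes (same video id as the post), plus a Vimeo iframe.
SAMPLE_HTML = """
<p>Some commentary</p>
<object width="425" height="344">
<param name="movie" value="http://www.youtube.com/v/PhSnQbflg2A&hl=en&fs=1&rel=0"></param>
<embed src="http://www.youtube.com/v/PhSnQbflg2A&hl=en&fs=1&rel=0"
       type="application/x-shockwave-flash" width="425" height="344"></embed>
</object>
<iframe src="http://player.vimeo.com/video/12345678" width="400" height="225"></iframe>
"""

# URL shapes YouTube has used for embeds and watch links. The /v/ form is the
# one in the post; /embed/, watch?v= and youtu.be/ are added here. Ids are 11
# characters from [A-Za-z0-9_-].
YOUTUBE_ID = re.compile(
    r"""youtube\.com/(?:v/|embed/|watch\?(?:[^"'\s]*&)?v=)([A-Za-z0-9_-]{11})
      | youtu\.be/([A-Za-z0-9_-]{11})""",
    re.VERBOSE,
)
# Assumed Vimeo embed forms (not from the post).
VIMEO_ID = re.compile(r"vimeo\.com/(?:video/|moogaloop\.swf\?clip_id=)?(\d+)")


class VideoRefs(HTMLParser):
    """Collects candidate URLs from src=, value=, data= and href= attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name in ("src", "value", "data", "href") and val and "://" in val:
                self.urls.append(val)


def find_videos(html):
    """Return a de-duplicated list of (site, video_id, canonical_page_url) found in the page source."""
    p = VideoRefs()
    p.feed(html)
    p.close()
    found, seen = [], set()
    for url in p.urls:
        m = YOUTUBE_ID.search(url)
        if m:
            vid = m.group(1) or m.group(2)
            hit = ("youtube", vid, "http://www.youtube.com/watch?v=" + vid)
        else:
            m = VIMEO_ID.search(url)
            if not m:
                continue
            hit = ("vimeo", m.group(1), "http://vimeo.com/" + m.group(1))
        if hit[:2] not in seen:          # the same video usually appears in both <param> and <embed>
            seen.add(hit[:2])
            found.append(hit)
    return found


if __name__ == "__main__":
    for site, vid, page in find_videos(SAMPLE_HTML):
        print(site, vid, page)
```

Feed it the saved source rather than the live page so the ids you report came from the bytes you preserved; the canonical watch URL is what to search for (or open) to reach the uploader’s channel.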

If anyone has any suggestions on how to improve this strategy, or other methods of accomplishing the same thing, please let me know.
