Murder Board Blog Series: Chapter 1 – Traces
The Time Factor
Traces are the “metadata” of an act, a course of action, a communication, or even of a presence, of having been there. They show us that something happened, but often also how it happened. We always consider traces in retrospect, because they have to exist first in order to be considered. The time interval between the emergence of a trace and its observation can vary. In 2017, for example, researchers investigated how Ötzi, a mummy from the ice of the Ötztal Alps, came to his death about 5,300 years ago, and thus solved a murder with a slight time delay.
But some traces also disappear. Not only the well-known traces in the sand … Knockout drops, for example, can no longer be detected in the victim’s blood as little as 24 hours after they were drunk.
There are also traces that are not recognized as “disturbing factors”. They fit into the picture and do not make even trained observers frown. The classic “looks like an accident”. Or the death of an aged person, which surprises no one but delights the heirs.
And then there are the traces that online crimes leave behind. “IP addresses” and “log data” may sound more cryptic than footprints, cardiac arrhythmias or “the direction the arrow came from”, but they are just as revealing.
Time is ubiquitous, and not only in crime or physics. Computers depend on clocks, so clocks, and reading them, are constant companions in the digital world. Pretty much every programming tool offers a simple way to view the current time. Times, or timestamps as we call them, are an excellent digital Ariadne’s thread. You can always orient yourself by them.
A Harmless Beginning
Leon is a student with a tight wallet. His computer broke, and he urgently needs a new one. So he goes to a computer store that also offers refurbished devices. He buys a refurbished laptop and trades in his defective device for spare parts.
Data Carrier
Eventually, something has to be stored permanently. By permanent, computer science means so-called non-volatile memory, which can hold bits and bytes for a certain time even without a power supply. These digital clay tablets can take various forms. Storage began with magnetic data carriers such as tapes, floppy disks and rotating metal discs. Optical data carriers (CD, DVD, Blu-ray) accompanied them. Modern media use computer chips that memorize, i.e. store, small electrical charges. Depending entirely on the method, the actual process of storage leaves traces as magnetic fields, electric fields or material properties.
Forensics on and at data carriers deals with accessing and analyzing stored data. The copy plays a central role, since all investigations are carried out on copies of the original. The aim is to prevent unintentional changes during the analysis. Exactly what can be read from which medium, and how, depends heavily on the technology used. Traces can be found everywhere, unless one has a melting furnace at hand for the cover-up. Even the shards of a broken CD can still contain fragments of data. This sounds a lot like movies and television, but occasionally it is just a matter of small amounts of data such as passwords, logins, keys or metadata. Even small pieces of the whole can be sufficient.
Networks
When we send data over a network, it is divided into smaller parts and transported individually via many intermediate stations. You can think of it as a delivery that is sent as a series of manageable packages. Each of these packets can, of course, leave traces. For one thing, the individual stations could keep copies of the packets. Then there are the digital sender and receiver: which point communicates with which other point can be recorded as well. With more complex protocols, additional data is added. For example, a web server can record which end point (meaning: which end device) retrieved which data and when. From this, for example, we can derive the purpose of the transmission.
These traces do not always have to be collected and stored automatically. However, the data necessary for the traces always arises, whether or not it is stored.
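The web server record just described (which end point retrieved which data and when) is what an access log holds. The following added example, not code from the original post, parses a few constructed log lines in the common Apache/nginx "combined" format and rebuilds a per-client timeline; all addresses, hostnames and paths are invented.

```python
"""Reconstruct who retrieved what and when from web server access logs.

Added example (not part of the original post): the log lines below are
constructed samples in "combined" log format; addresses and names are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (combined log format).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2020:09:14:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2020:09:14:05 +0100] "GET /downloads/report.pdf HTTP/1.1" 200 84211 "http://example.test/index.html" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2020:09:20:41 +0100] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.7 - - [12/Nov/2020:09:31:17 +0100] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict with the trace-relevant fields of one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The timestamp carries a UTC offset; keep it so clocks can be compared.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def timeline_by_client(log_text):
    """Group parsed entries per client address, each list ordered by time."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)
    for entries in per_client.values():
        entries.sort(key=lambda r: r["ts"])
    return dict(per_client)

if __name__ == "__main__":
    for ip, entries in timeline_by_client(SAMPLE_LOG).items():
        print(ip)
        for r in entries:
            print(f"  {r['ts'].isoformat()}  {r['method']} {r['path']} -> {r['status']}")
```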
Files and Messages
Whether digital or analog, information always comes in defined portions. File folders and books correspond to files. Notes, postcards and letters correspond to messenger messages and e-mails. All of this can be arranged in any way – sorted, chaotic, in one place (i.e. on one device), or distributed across multiple locations or people. Sifting through these finds and connecting them properly is a fine art and requires experience. With luck, files carry time information in or on them. E-mails often also carry a history of time and place information in their content, provided they are complete (i.e. with the envelope and the postmarks on it).
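The “envelope and postmarks” of an e-mail are its Received headers: every relay that handles the message prepends one, with its own clock reading. This added example, not code from the original post, takes a constructed message and reconstructs the hops in chronological order together with the time spent between them; all hostnames and addresses are invented.

```python
"""Reconstruct the path and timeline of an e-mail from its Received headers.

Added example (not part of the original post): the message below is a
constructed sample; hostnames and addresses are invented.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed raw message. Each relay prepends its own Received header, so the
# topmost header is the last hop and the bottom one is closest to the sender.
SAMPLE_MAIL = """\
Received: from mx2.example.test (mx2.example.test [198.51.100.5])
    by mailbox.example.test with ESMTPS; Thu, 12 Nov 2020 10:03:41 +0100
Received: from relay.provider.test (relay.provider.test [203.0.113.9])
    by mx2.example.test with ESMTPS; Thu, 12 Nov 2020 10:03:39 +0100
Received: from laptop.local (unknown [192.0.2.44])
    by relay.provider.test with ESMTPSA; Thu, 12 Nov 2020 09:58:02 +0100
Date: Thu, 12 Nov 2020 09:57:55 +0100
From: sender@provider.test
To: recipient@example.test
Subject: Test

Hello
"""

# "from <host> ... by <host>" is the relay pair recorded in each header.
HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)

def received_hops(raw):
    """Return hops in chronological order as (from, by, timestamp) tuples."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())          # unfold continuation lines
        m = HOP_RE.search(hdr)
        # The relay's timestamp follows the last ';' of the header.
        ts = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
        hops.append((m.group("src") if m else "?", m.group("dst") if m else "?", ts))
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops; unusual gaps or negative values merit a closer look."""
    return [int((b[2] - a[2]).total_seconds()) for a, b in zip(hops, hops[1:])]

if __name__ == "__main__":
    hops = received_hops(SAMPLE_MAIL)
    for src, dst, ts in hops:
        print(f"{ts.isoformat()}  {src} -> {dst}")
    print("delays (s):", hop_delays(hops))
```

Received headers are written by the relays themselves, so a forged or misconfigured relay can insert wrong clock readings; the delays are a starting point for questions, not proof.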
A Next Step
Meanwhile, Leon’s defective laptop is taken apart at the dealer. Spare parts storage in the literal sense: the defective main board is disposed of, and the remaining parts such as keyboard, screen, hard drive and touchpad go into boxes with other keyboards, screens, hard drives and touchpads, waiting for a new use. First the screen is used as a replacement part in another laptop, then the hard drive. The storage medium gets formatted and the system reinstalled. And with that, the repaired device is ready for its next life.
Metadata
Metadata is structured data that describes certain characteristics of the actual data. It provides context and helps to understand and process the data it describes. Metadata alone can be very revealing. One can infer relationships, for example: who is in contact with whom is quite interesting. Metadata often relates to communication, and sometimes there is additionally a description of the content that links the communication partners. In investigations, the general rule of thumb is: the more metadata, the better.
We are familiar with metadata from everyday life. Telephone numbers, the device identifiers of cell phones or e-mail addresses are examples. They rarely contain any personal information themselves, but we can assign them to people.
00 Prequel (German / English)
01 Chapter 01: Traces (German / English)
02 Chapter 02: Investigations (German / English)
03 Chapter 03: Serial Hackers (German / English)
04 Chapter 04: State Hacking (German / English)
Klaudia’s blog also has the German versions of the articles.
Our presentation at #pw20 (in German) can be found here: https://media.ccc.de/v/pw20-367-murderboard-wo-krimi-privatsphre-und-it-sicherheit-zusammenkommen