Staging a computer crime to help train Miss Marple
August 6, 2007 6:00 AM Subscribe
How can I realistically stage an (alleged) computer crime?
I am working on some material for a computer forensic course that I hope eventually to turn into a book. I need to create some realistic evidence for my budding computer examiners to pore over. To do this, I have a particular scenario in mind that involves some suspected insider stock trading. I need to create one or two days of email and chat traffic between lots of different characters for it to be convincing. How can I best do this?
One thought I had was to create all the contents of email and chat ahead of time, then spend two days sending them in order. The main problems I see with this are: A) everything would be coming from the same internet addresses, and part of the training is on how to identify those addresses; B) The time line of events would be very predictable, since it would all come from me in my own timezone; and C) everything would be written in my voice and dependent on my imagination and knowledge, so it would probably lack depth. Not that it isn't doable, it just isn't as convincing. Having worked on examples like this, I know they are often easy to solve as they lack detail.
My second thought was to try and recruit some volunteers to play different parts in this online scenario. I would just provide the scenario, a character with an email account or chat login, and then have everyone improvise as they go along. This actually sounds pretty fun to me, and would provide a lot more depth in the examples. My primary worry about this is making sure the alleged fake crime actually occurs, and that things don't get out of hand.
What ideas do you have for how I might do this? Would anyone be willing to play a small part in this online drama and do a little roleplaying? It would involve assuming a persona and sending some normal email over a couple of days in that role, probably at the end of this week. I couldn't pay you, but I would certainly acknowledge everyone if it turned into a book.
If you want to volunteer, or if you want to communicate offline, you can get me at forensicexample@gmail.com.
Any ideas appreciated! Thanks.
I am working on some material for a computer forensic course that I hope eventually to turn into a book. I need to create some realistic evidence for my budding computer examiners to pore over. To do this, I have a particular scenario in mind that involves some suspected insider stock trading. I need to create one or two days of email and chat traffic between lots of different characters for it to be convincing. How can I best do this?
One thought I had was to create all the contents of email and chat ahead of time, then spend two days sending them in order. The main problems I see with this are: A) everything would be coming from the same internet addresses, and part of the training is on how to identify those addresses; B) The time line of events would be very predictable, since it would all come from me in my own timezone; and C) everything would be written in my voice and dependent on my imagination and knowledge, so it would probably lack depth. Not that it isn't doable, it just isn't as convincing. Having worked on examples like this, I know they are often easy to solve as they lack detail.
My second thought was to try and recruit some volunteers to play different parts in this online scenario. I would just provide the scenario, a character with an email account or chat login, and then have everyone improvise as they go along. This actually sounds pretty fun to me, and would provide a lot more depth in the examples. My primary worry about this is making sure the alleged fake crime actually occurs, and that things don't get out of hand.
What ideas do you have for how I might do this? Would anyone be willing to play a small part in this online drama and do a little roleplaying? It would involve assuming a persona and sending some normal email over a couple of days in that role, probably at the end of this week. I couldn't pay you, but I would certainly acknowledge everyone if it turned into a book.
If you want to volunteer, or if you want to communicate offline, you can get me at forensicexample@gmail.com.
Any ideas appreciated! Thanks.
Response by poster: Sorry. In the interest of keeping the question short, I probably left out necessary details.
The examination will be post-crime, and will be an image of a laptop drive. I have a laptop dedicated to this, and will use it as if I were the perpetrator, then image it afterwards. The goal of the exercise it to examine this one machine for evidence that would then lead to servers where necessary. So, no server logs would be needed.
For the server host names and email accounts, I have already registered and am hosting some of the domains myself. For others, I have created free email accounts at various places for use in the scenario. I wouldn't be disguising or altering IP addresses; I suppose if anyone did help me with this, their IP address would be visible. If I did it myself, I could use TOR or open proxies to vary the addresses.
posted by procrastination at 7:17 AM on August 6, 2007
The examination will be post-crime, and will be an image of a laptop drive. I have a laptop dedicated to this, and will use it as if I were the perpetrator, then image it afterwards. The goal of the exercise it to examine this one machine for evidence that would then lead to servers where necessary. So, no server logs would be needed.
For the server host names and email accounts, I have already registered and am hosting some of the domains myself. For others, I have created free email accounts at various places for use in the scenario. I wouldn't be disguising or altering IP addresses; I suppose if anyone did help me with this, their IP address would be visible. If I did it myself, I could use TOR or open proxies to vary the addresses.
posted by procrastination at 7:17 AM on August 6, 2007
The examination will be post-crime, and will be an image of a laptop drive. I have a laptop dedicated to this, and will use it as if I were the perpetrator, then image it afterwards.
Ah, I see. So, one of the reasons you're considering playing out your scenario over a couple of days using real services is so that you don't have to fiddle with setting up a plugboard proxy, a local server, and some scripts/applications that emulate sever side activity?
If you go the route of using volunteers and a real-time scenario, one thing I would recommend you do is pay attention to the IP address used by your volunteers. IP addresses can almost always be matched up with ISP (unless BGP route insertion or such trickery is used) and can often be tracked to a relatively small geographic region. To generate a realistic scenario, it'd be nice if you made sure that scenario took your volunteer's ISPs and locations into consideration. You don't want the fact that the originating IP address for a communication can be shown to belong to a cable modem in San Francisco when it is supposed to be originating from a brokerage in Boston.
Similarly, I'd avoid the use of TOR as a means to produce additional "origin" IP addresses unless your scenario actually calls for one or more of the characters to be using anonymous messages. TOR is vary high profile and the IP addresses of the TOR servers are explicitly public (if you put a TOR IP address into Google it will show up as belonging to TOR). If you use TOR simply to vary addresses your student investigators might uncover these addresses as TOR origin IP addresses - and thus conclude that the corresponding communications were sent by anonymizing proxy, a red herring that you might not want in your scenario.
posted by RichardP at 7:57 AM on August 6, 2007
Ah, I see. So, one of the reasons you're considering playing out your scenario over a couple of days using real services is so that you don't have to fiddle with setting up a plugboard proxy, a local server, and some scripts/applications that emulate sever side activity?
If you go the route of using volunteers and a real-time scenario, one thing I would recommend you do is pay attention to the IP address used by your volunteers. IP addresses can almost always be matched up with ISP (unless BGP route insertion or such trickery is used) and can often be tracked to a relatively small geographic region. To generate a realistic scenario, it'd be nice if you made sure that scenario took your volunteer's ISPs and locations into consideration. You don't want the fact that the originating IP address for a communication can be shown to belong to a cable modem in San Francisco when it is supposed to be originating from a brokerage in Boston.
Similarly, I'd avoid the use of TOR as a means to produce additional "origin" IP addresses unless your scenario actually calls for one or more of the characters to be using anonymous messages. TOR is vary high profile and the IP addresses of the TOR servers are explicitly public (if you put a TOR IP address into Google it will show up as belonging to TOR). If you use TOR simply to vary addresses your student investigators might uncover these addresses as TOR origin IP addresses - and thus conclude that the corresponding communications were sent by anonymizing proxy, a red herring that you might not want in your scenario.
posted by RichardP at 7:57 AM on August 6, 2007
I have no advice as to how to do this, but I'd love to volunteer to be a "player" - email in profile.
posted by banannafish at 9:15 AM on August 6, 2007
posted by banannafish at 9:15 AM on August 6, 2007
What a neat project! I can participate, if you like.
I second what RichardP said. You want this to be as close to real as possible, since many bread crumbs will be left unintentionally. Students shouldn't be led astray.
posted by nilihm at 9:37 AM on August 6, 2007
I second what RichardP said. You want this to be as close to real as possible, since many bread crumbs will be left unintentionally. Students shouldn't be led astray.
posted by nilihm at 9:37 AM on August 6, 2007
I'd also be happy to volunteer if I'm told specifically what to do. Email in profile.
posted by jeanmari at 9:38 AM on August 6, 2007
posted by jeanmari at 9:38 AM on August 6, 2007
Check your gmail. I am also up for a little dastardly make-believe.
posted by Rock Steady at 9:50 AM on August 6, 2007
posted by Rock Steady at 9:50 AM on August 6, 2007
You shouldn't have a problem finding volunteers (Email in profile :), but do err on the side of overspecifying the key points you expect the actors to hit.
posted by Skorgu at 10:15 AM on August 6, 2007
posted by Skorgu at 10:15 AM on August 6, 2007
Response by poster: Wow, back from lunch and lots of volunteers! Thanks so much. I will be in touch with everyone who volunteered this afternoon.
posted by procrastination at 10:46 AM on August 6, 2007
posted by procrastination at 10:46 AM on August 6, 2007
I'll help too, if you need it.
posted by The Esteemed Doctor Bunsen Honeydew at 11:13 AM on August 6, 2007
posted by The Esteemed Doctor Bunsen Honeydew at 11:13 AM on August 6, 2007
And and idea- you might want to set up (off the criminal laptop) an IRC or AIM chat to organize everything in real-time with everyone present, so things don't get confused between "players".
posted by The Esteemed Doctor Bunsen Honeydew at 11:18 AM on August 6, 2007
posted by The Esteemed Doctor Bunsen Honeydew at 11:18 AM on August 6, 2007
Response by poster: Nilihim - I couldn't find a contact email for you. Can you drop me a note at forensicexample@gmail.com if you still would like to play?
posted by procrastination at 12:14 PM on August 6, 2007
posted by procrastination at 12:14 PM on August 6, 2007
I'll play too, email's in profile.
posted by klangklangston at 2:10 PM on August 6, 2007
posted by klangklangston at 2:10 PM on August 6, 2007
« Older Winter holiday festivals in Alabama, Mississippi... | MacOSX/Palm OS Finance Software Newer »
This thread is closed to new comments.
Also, wouldn't any realistic scenario will involve examination of mail server logs? If you intend your scenario to take place in real time, it might be a little awkward to have to fake up consistent logs. It'd probably be easier to use real logs and arrange for at least some of your actors to use SMTP/POP servers to which you have access to the server logs.
If you intend to publish a book of this material, what do you plan to do about IP addresses, server host names, etc.?
posted by RichardP at 7:07 AM on August 6, 2007