This article appeared in the November, 1999 issue of Information Security Magazine - a special issue with articles from "The 20 Most Influential Figures in Information Security Today."
Cybercrime-fighters could learn a thing or two from mass-marketers -- like using all available data sources to track someone.
I've been doing digital forensics work for much of the last 25 years, and I'll probably continue doing it for the next 25 years. Based on my experience, I can tell you two things that have been (and will continue to be) true in this field:
1. There is so much evidence out there that, given enough time and resources, I can probably detect and track down any digital crime.
2. There is never enough time or resources to do the digital forensics job as well as it can be done. That's a big reason so many people get away with cybercrime.
In support of these claims, I could cite enough examples to fill this issue and probably the rest of Information Security's issues 'til the end of the millennium--not this one, the next one. But I'll just give you three examples here:
In the last month alone, I worked on cases where, in the process of gathering evidence from only a few of the thousands of available sources related to the crimes I was investigating, I detected something like 20 crimes taking place in addition to the ones under investigation.
Federal law enforcement officials won't even consider cases where losses of $250,000 or less have occurred unless you stir up the political pot enough to get Assistant Secretaries mad at you (at least one will be rather unhappy with this paragraph, but maybe now she'll get some more investigators on the last few cases I reported to her agency).
I have gathered more than 2 Gb of evidence in the last week and, if it weren't for the parallel processing capability I have for doing analysis, there's no way I would be able to get it evaluated by next month.
With all the evidence available--file dates, dial-up records, RADIUS logs, phone records, proxy logs, Web access logs, credit card receipts, e-mail audit trails, login records, file transfer records, financial transaction records, accounts payable and receivable records, ATM records, medical records, grocery store records, parking lot license number records, air travel records and so on--we should be able to detect and prosecute crimes at a rate that makes your head spin.
The reason we don't is because we don't put the same resources into cybercrime investigation as we put into marketing. That's right: To sell things to people, we use the same records we could use to prosecute people--and we could do it with much the same technology, in real time. Just like we do in marketing.
This is not merely some abstract idea. It's a fact that marketing is way ahead of criminal investigation in its use of diverse data sources to track (down) people and their behaviors. In the future, however, this paradigm will change. Despite the warnings about Big Government and the concerns of the privacy rights folks, as crime increases we will be more and more willing to give the same capabilities and information to law enforcement that we willingly give to marketers today. And you can bet your bottom dollar that this shift will change the face of law enforcement in the cybercrime arena.
As I perform investigations, I create a new investigative tool or technique every few days, on average. The pace is getting faster, too. Pretty soon, you'll see hundreds, then thousands, of products that help corporations and law enforcement track down criminals in real time, gathering and securing enough evidence to put them away. The only impediment right now is a lack of financial support. And that will change, too.
My space is up, and so is the jig. I'll be seeing you in court.
2000: Predictions
Digital forensics will adopt a marketing model to gather more in-depth criminal evidence.
Massive data collection and analysis capabilities will become available to law enforcement to combat cybercrime.
Massive data collection and forensic analysis will become commonplace on the corporate level, too.
In the cyber-realm, individual privacy rights will wither and die on the vine.