
©2014

ASSISTING YOUR FRAUD EXAMINATION WITH ONLINE AND OPEN SOURCE INTELLIGENCE

As the use of the Internet and associated technologies has grown rapidly in recent years, so has the opportunity for computer-related crime. Unlawful activity can be committed or facilitated online with criminals trading and sharing information, masking their identity, gathering information on victims, and communicating with co-conspirators. Websites, email, chat rooms, and social networks can all provide vital evidence in an investigation of computer-related crime, and this session will assist investigators in their efforts to curb such crime.

STEPHEN HILL, PH.D., CIIP, MLPI
Managing Director
Snowdrop Consulting Ltd
United Kingdom

Dr Stephen Hill specialises in e-crime and fraud awareness, and has more than 12 years of experience focusing on counter fraud, cyber fraud, not-for-profit fraud, and risk management. He is a certified practitioner (CIIP) for ISO 27001 and has worked on a number of guides to fraud detection, data security, and prevention for many small to medium enterprises (SMEs) and charities. He is a Trustee Director of the Fraud Advisory Panel and chairs their Cybercrime Working Group with colleagues from the public, private, and third sectors. In addition to developing a series of fraud prevention, data security, e-fraud, and Internet investigations and OSINT courses, Hill published Corporate Fraud: Prevention & Detection, a book with practical advice on all aspects of fraud and how to prevent it, with the royalties going to the charity Victim Support.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

2014 ACFE European Fraud Conference ©2014

Online Investigations

The use of the Internet and mobile technologies, including smartphones, has grown rapidly in recent years, as has the opportunity for computer-related crime. Unlawful activity can be committed or facilitated online with criminals trading and sharing information, masking their identity, gathering information on victims, and communicating with co-conspirators.

However, the Internet also provides opportunities for the fraud investigator to acquire vital digital intelligence. The Internet by design is ‘public’, with incredible amounts of data available to anyone with a computer and browser. Today the fraud examiner has access to new and evolving search engines, databases, open source tools, chat rooms, blogs, online gaming communities and social networks in their efforts to curb crime.

Introduction to the Internet and WWW

The Internet is a worldwide, free-broadcast medium for the general public and is the “interconnection of computer networks”. It is a massive hardware combination of millions of personal, business, and governmental computers, all connected like roads and highways. Using a PC, Mac, smartphone, Xbox, movie player, or GPS, you can access a vast world of messaging and useful content through the Net.

The Net has sub-networks. The biggest sub-network is the World Wide Web, comprising HTML pages and hyperlinks. Other sub-networks are email, instant messaging, P2P (peer-to-peer) file sharing, and FTP downloading.

Birth of the Net

The Internet grew out of an experiment begun in the 1960s by the U.S. Department of Defense (DoD). The DoD wanted to create a computer network that would continue to function in the event of a disaster, such as a nuclear war. If part of the network were damaged or destroyed, the rest of the system still had to work. That network, known as ARPANET, linked U.S. scientific and academic researchers and was the forerunner of today’s Internet.

In 1985, the National Science Foundation (NSF) created NSFNET, a series of networks for research and education communication. Based on ARPANET protocols, the NSFNET created a national backbone service, provided free to any U.S. research and educational institution. At the same time, regional networks were created to link individual institutions with the national backbone service.

As personal computers became more mainstream in the 1980s and 1990s, the Internet grew exponentially as more users plugged their computers into the massive network. Today, the Internet has grown into a public spider web of millions of personal, government, and commercial computers, all connected by cables and by wireless signals.

No single person owns the Internet. No single government has authority over its operations. Some technical rules and hardware/software standards enforce how people plug into the Internet, but for the most part, the Internet is a free and open broadcast medium of hardware networking.

You connect to the Internet through a private Internet service provider, a public Wi-Fi network, or through your office’s network.

World Wide Web (WWW)

The World Wide Web, or "Web" for short, is a huge collection of digital pages: the large software subset of the Internet dedicated to broadcasting content in the form of HTML pages.

The Web is viewed by using free software called Web browsers. Born in 1989, the Web is based on the Hypertext Transfer Protocol (HTTP), which allows the user to “jump” (hyperlink) to any other public Web page. There are billions of pages on the Web today, stored on Web 1.0, Web 2.0, or the Invisible Web.

Web 1.0

When the World Wide Web was launched in 1989 by Tim Berners-Lee, it was composed of just text and simple graphics. Effectively a collection of electronic brochures, the Web was organised as a simple broadcast-receive format. We call this simple static format Web 1.0. Today, millions of Web pages are still quite static, and the term Web 1.0 still applies.

Web 2.0

In the late 1990s, the Web started to go beyond static content and began offering interactive services. Instead of just Web pages as brochures, the Web began to offer online software where people could perform tasks and receive consumer-type services. Online banking, video gaming, dating services, stock tracking, financial planning, graphics editing, home videos, webmail: all of these became regular online Web offerings before the year 2000. These online services are now referred to as Web 2.0. Names like Facebook, Flickr, Twitter, eBay, YouTube, and Gmail helped to make Web 2.0 a part of our daily lives.

The Invisible or Deep Web

Technically a subset of Web 2.0, the Invisible Web refers to those billions of Web pages that are purposely hidden from surface search engines.

These invisible Web pages are private, confidential pages (e.g., personal email, personal banking statements) and Web pages generated by specialised databases (e.g., job postings). Invisible Web pages are either hidden completely from typical surface search methods, or require special search engines to locate the data.

IP Address, DNS, and TCP/IP

IP Address

The Internet has a client-server architecture, with computers connected to the Internet acting either as a client or as a server. The client asks for data, and the server receives the request and returns the data. Both client and server require an Internet Protocol (IP) address.

An IP address allows one computer (or other digital device) to communicate with another via the Internet. IP addresses allow the location of billions of digital devices that are connected to the Internet to be pinpointed and differentiated from other devices. In the same sense that someone needs your mailing address to send you a letter, a remote computer needs your IP address to communicate with your computer.

The Internet Protocol is the set of rules that governs Internet activity and facilitates completion of a variety of actions on the World Wide Web. An Internet Protocol address (a string of numbers that acts as a binary identifier for a device across the Internet) is therefore part of the systematically laid-out, interconnected grid that governs online communication by identifying both initiating devices and various Internet destinations, thereby making two-way communication possible.

In short, an IP address is the address that computers, servers, and other devices use to identify one another online.

An IP (v4) address consists of four numbers, each of which contains one to three digits, with a single dot (.) separating each number or set of digits. Each of the four numbers can range from 0 to 255. Here’s the IP address of the ACFE main website: 207.207.34.162. This innocuous-looking group of four numbers is the key that empowers users to send and retrieve data over Internet connections, ensuring that messages, as well as requests for data and the data requested, will reach their correct Internet destinations.

IP addresses can be either static or dynamic. Static IP addresses never change. They serve as a permanent Internet address and provide a simple and reliable way for remote computers to contact users. Static IP addresses reveal information including the continent, country, region, and city in which a computer is located; the ISP (Internet Service Provider) that services that particular computer; and such technical information as the precise latitude and longitude of the country, as well as the locale, of the computer. Many websites provide IP address look-up services to their visitors, free of charge.

Dynamic IP addresses are temporary and are assigned each time a computer accesses the Internet. They are, in effect, borrowed from a pool of IP addresses that are shared among various computers. Since a limited number of static IP addresses are available, many ISPs reserve a portion of their assigned addresses for sharing among their subscribers in this way.

Static IP addresses are considered somewhat less secure than dynamic IP addresses, since they are easier to track for data mining purposes.
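As an added example (not code from the paper), the dotted-quad format described above parsed exactly as the text defines it, plus a check a fraud examiner needs before paying for a look-up: whether an address found in mail headers or server logs is public (attributable to an ISP or hosting provider) or private, loopback or otherwise special-use, which no look-up service can trace to a source. The header lines are constructed for the example.

```python
"""Added example, not from the ACFE paper: parse a dotted-quad IPv4 address the
way the text describes it (four numbers of 1-3 digits, each 0-255, separated by
dots) and tell a public address, which an ISP/geolocation look-up can attribute,
from a private or special-use one that no look-up service can trace to a source.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the style of e-mail headers; not real evidence.
SAMPLE_LINES = [
    "Received: from mail.example.invalid (192.168.1.10) by mx.example.invalid",
    "Received: from [207.207.34.162] by mx.example.invalid; Thu, 1 May 2014",
    "X-Originating-IP: 127.0.0.1",
    "X-Originating-IP: 999.1.1.1",
]

# Four groups of 1-3 digits separated by dots, bounded by non-word characters.
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ipv4(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the four octets, or None if `text` is not a valid dotted quad."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        # Each field must be 1-3 decimal digits: no signs, spaces or blanks.
        if not part.isdigit() or len(part) > 3:
            return None
        value = int(part)          # int() also tolerates a leading zero ("01")
        if value > 255:
            return None
        octets.append(value)
    return octets[0], octets[1], octets[2], octets[3]


def classify_ipv4(text: str) -> str:
    """Label an address for the investigator: 'invalid', 'loopback',
    'link-local', 'private', 'multicast', 'reserved' or 'public'."""
    octets = parse_ipv4(text)
    if octets is None:
        return "invalid"
    # Rebuild the canonical form so a leading zero cannot upset ipaddress.
    addr = ipaddress.IPv4Address(".".join(str(o) for o in octets))
    # Narrow special-use ranges are tested before the broad 'private' one.
    if addr.is_loopback:
        return "loopback"        # 127.0.0.0/8: the sending machine itself
    if addr.is_link_local:
        return "link-local"      # 169.254.0.0/16: auto-configured, never routed
    if addr.is_private:
        return "private"         # RFC 1918 space behind a home or office router
    if addr.is_multicast:
        return "multicast"       # 224.0.0.0/4: group addresses, not a host
    if addr.is_reserved or addr.is_unspecified:
        return "reserved"        # 240.0.0.0/4 and 0.0.0.0
    return "public"              # routable: an ISP or hosting provider owns it


def traceable_addresses(lines: List[str]) -> List[str]:
    """Scan header or log lines and return the distinct public addresses, in
    order of first appearance, that are worth submitting to a look-up service.
    Private, loopback and malformed candidates are dropped rather than looked
    up, since they identify the local network or nothing at all."""
    found: List[str] = []
    for line in lines:
        for candidate in DOTTED_QUAD.findall(line):
            if classify_ipv4(candidate) == "public" and candidate not in found:
                found.append(candidate)
    return found


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for hit in DOTTED_QUAD.findall(line):
            print(f"{hit:>16}  {classify_ipv4(hit)}")
    print("worth looking up:", traceable_addresses(SAMPLE_LINES))
```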

Domain Name System (DNS)

The domain name is the information that you enter into a Web browser to reach a specific website. When you input a URL like www.acfe.com/fraud-resources.aspx into a browser, its domain name is acfe.com. Basically, a domain name is the human-friendly version of an IP address. Businesses vie for easy-to-remember domain names, since they make it easier for people to find them online. If people had to remember complex IP addresses to navigate the Internet, it would become very difficult and, in effect, users would lose interest.

Although it’s possible to enter an IP address into a Web browser to access a website, it’s a lot easier to enter its domain name. However, computers, servers, and other devices are unable to make heads or tails of domain names; they strictly rely on binary identifiers. The DNS’s job, then, is to take domain names and translate them into the IP addresses that allow machines to communicate with one another. Every domain name has at least one IP address associated with it.

ICANN

To reach another person on the Internet you have to type an address into a computer: a name or a number. That address must be unique so computers know where to find each other. The Internet Corporation for Assigned Names and Numbers (ICANN) coordinates these unique identifiers across the world. Without that coordination, we wouldn’t have one global Internet.

In more technical terms, ICANN coordinates the Internet Assigned Numbers Authority (IANA) functions, which are key technical services critical to the continued operations of the Internet’s underlying address book, the Domain Name System (DNS). The IANA functions include:

- The coordination of the assignment of technical protocol parameters, including the management of the address and routing parameter area (ARPA) top-level domain
- The administration of certain responsibilities associated with Internet DNS root zone management, such as generic (gTLD) and country code (ccTLD) top-level domains
- The allocation of Internet numbering resources

IANA

The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources (www.iana.org). IANA is a department of ICANN responsible for coordinating some of the key elements that keep the Internet running smoothly. Whilst the Internet is renowned for being a worldwide network free from central coordination, there is a technical need for some key parts of the Internet to be globally coordinated, and this coordination role is undertaken by IANA.

Understanding the URL

URL stands for Uniform Resource Locator. The URL specifies the Internet address of a file stored on a host computer connected to the Internet. Every file on the Internet, no matter what its access protocol, has a unique URL. Web software programs use the URL to retrieve the file from the host computer and the directory in which it resides. This file is then displayed on the user’s computer.

The host name in a URL is translated into a numeric address using the Internet Domain Name System (DNS). The numeric address is actually the “real” URL. Since numeric strings are difficult for humans to use, alphanumeric addresses are employed by end users. Once the translation is made, the Web server can send the requested page to the user’s Web browser.

What Does a Typical URL Look Like?

Here are some examples:

- http://www.acfe.com: the home page for the ACFE
- https://www.paypal.com/uk/webapps/mpp/home: a secure version of http using SSL
- ftp://rtfm.mit.edu/pub: a directory of files available for downloading
- http://blogs.reuters.com/soccer: a blog or weblog from the Reuters news agency

The first part of a URL (before the two slashes) tells you the type of resource or method of access at that address. For example:

- http: a hypertext document or directory
- gopher: a gopher document or menu
- ftp: a file available for downloading or a directory of such files
- news: a newsgroup
- telnet: a computer system that you can log into over the Internet
- WAIS: a database or document in a Wide Area Information Search database
- file: a file located on a local drive (your hard drive)

Anatomy of a URL

This is the format of a URL:

https://www.fraudadvisorypanel.org/pdf_show_171.pdf

This URL is associated with a section of the Fraud Advisory Panel’s website. So what is it telling us?

- Protocol: https (how to get there)
- Host name: www.fraudadvisorypanel.org
- Domain name: fraudadvisorypanel (where to go)
- Top-level domain: .org
- File name: pdf_show_171.pdf (what to get)

Here are some other important things to know about URLs:

- A URL usually has no spaces.
- A URL always uses forward slashes.
- If you enter a URL incorrectly, your browser will not be able to locate the site or resource you want.
- You can find the URL behind any link by passing your mouse cursor over the link. The pointer will turn into a hand and the URL will appear in the browser’s status bar, usually located at the bottom of your screen.
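As an added example (not from the paper), the URL anatomy above done by code, which also covers the earlier DNS section’s point that www.acfe.com/fraud-resources.aspx has the domain name acfe.com: it reports protocol, host, domain, top-level domain and file name, and handles the cases the paper’s own examples raise but do not spell out (a URL with no path, a path ending in a slash, and a two-part suffix such as .co.uk). The suffix list is an assumption constructed for the example and deliberately incomplete.

```python
"""Added example, not from the ACFE paper: split a URL into the parts the text
names (protocol, host name, domain name, top-level domain, file name) using the
standard library only. The suffix list below is constructed and deliberately
incomplete; a production tool would consult the Public Suffix List.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed, incomplete: just enough to show why 'example.co.uk' must not be
# read as domain 'co' under the top-level domain '.uk'.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def split_host(host: str) -> Tuple[str, str]:
    """Return (domain name, top-level domain) for a host name, e.g.
    www.fraudadvisorypanel.org -> ('fraudadvisorypanel', '.org')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host, ""           # 'localhost' or an intranet name: no TLD
    last_two = ".".join(labels[-2:])
    if last_two in MULTI_PART_SUFFIXES and len(labels) >= 3:
        return labels[-3], "." + last_two
    return labels[-2], "." + labels[-1]


def anatomy(url: str) -> Dict[str, object]:
    """Break an absolute URL into the pieces an investigator records."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL (expected scheme://host/...): {url!r}")
    host = parts.hostname or ""   # lower-cased, with any user info and port removed
    domain, tld = split_host(host)
    path = parts.path or "/"      # no path at all means the site root
    # The text calls the last path component the file name. A path ending in
    # '/' names a directory, so there is no file name to report. A bare last
    # component (the ftp://rtfm.mit.edu/pub example) is reported as given: the
    # URL alone cannot say whether the server treats it as a file or a directory.
    last = path.rsplit("/", 1)[-1]
    return {
        "protocol": parts.scheme,
        "host": host,
        "domain": domain,
        "tld": tld,
        "registrable": domain + tld,      # the name a WHOIS lookup is run against
        "path": path,
        "file": last or None,
        "query": parts.query or None,
        "secure": parts.scheme == "https",
    }


if __name__ == "__main__":
    for example in (
        "https://www.fraudadvisorypanel.org/pdf_show_171.pdf",
        "http://www.acfe.com/fraud-resources.aspx",
        "ftp://rtfm.mit.edu/pub",
        "http://news.example.co.uk/",
    ):
        print(example)
        for key, value in anatomy(example).items():
            print(f"  {key:>11}: {value}")
```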

Web Browsers

The World Wide Web operates on a client-server model. Users run a Web client on their computer called a Web browser, such as Firefox, Chrome, Safari, or Internet Explorer. That client contacts a Web server and requests information or resources. The server locates and then sends the information to the browser, which displays the results.

When Web browsers contact servers, they’re asking to be sent pages built with Hypertext Markup Language (HTML). Browsers interpret those pages and display them on the user’s computer. They can also display applications, programs, animations, and similar material created with programming languages such as Java, technologies such as ActiveX, and scripting languages such as JavaScript.

Search Engines

The first step in Internet research is to have a thorough understanding of the search protocols offered by the various Internet search engines. Google, Yahoo, and Bing are only three of the several free search engines available for investigative Internet research; however, fraud examiners should not rely exclusively on one search engine.

For best results, experts recommend using multiple search engines, as each engine only retrieves those pages that it has indexed, and no Internet search engine has indexed all available information.

Fraud examiners might choose a meta-search site, which allows queries to be submitted to multiple search engines simultaneously. Alternatively, it is worth considering setting up an automated search such as Google Alerts.

Automated Searching

Searching the Web on a daily basis for company or people data during an investigation is time-consuming and resource-intensive. Some searches can be set up to run 24/7, allowing you time to commit to other areas of your investigation.

Let’s say, for example, that you are running a background search on a company and associated directors linked to your case. Typically, you would get this kind of information by running a search on a daily basis, but that’s a hassle if you end up running the same search every day or even several times per day.

There is a solution that enables the investigator to flip things around and let the results come to them, automatically, at designated times.

Tools to assist in running automated searches include:

- Google.co.uk/alerts (Google)
- Noticraig.com (Craigslist)
- Automatedsearches.com (eBay)

Google Alerts are emails sent to you when Google finds new results, such as Web pages, newspaper articles, or blogs, that match your search term. You can use Google Alerts to monitor anything on the Web. For example, people use Google Alerts to:

- Find out what is being said about their company or product.
- Monitor a developing news story.
- Keep up to date on a competitor or industry.
- Get the latest news on a celebrity or sports team.
- Find out what’s being said about them.

How Google Alerts Work

- Type a search term into the box, such as Company X or Person X, and you'll see a preview of what the alert would look like on the right (it shows the latest articles that include your search terms).
- You could also use Google Alerts to follow a developing news story or get the latest on your favourite sports team or celebrity.
- Use the Result box to narrow by News, Blogs, Discussions, Videos, or Books, and set the frequency to as-it-happens, daily, or weekly.

Search Engines (Index)

Databases used by search engines are made by “robots” or “spiders” that automatically map the Web by following the links between sites. These robots or spiders read the Web pages and put the text (or parts of the text) into a large database or index that you can then access.

None of them cover the whole Net; Google, the world’s largest index of the Internet, only catalogues 8 percent of the World Wide Web. Other big search engines include Bing, Ask, and DuckDuckGo.

Search Directories

Search directories are hierarchical databases with references to websites. The websites that are included are hand-picked by humans and classified according to the rules of that particular search service. Yahoo is the leader of search directories. About, BOTW, and DMOZ are also very popular.

Useful Search Engines (index and directory)

- Ask (www.ask.com)
- Bing (www.bing.com)
- Blekko (www.blekko.com)
- Boolify (www.boolify.org)
- Cluuz (www.cluuz.com)
- Deeperweb (www.deeperweb.com)
- DuckDuckGo (www.duckduckgo.com)
- Exalead (www.exalead.com/search)
- Google (www.google.com)
- Gseek (www.gseek.com)
- Ixquick (https://ixquick.com)
- Yahoo! (www.search.yahoo.com)
- Yandex (www.yandex.com)

Meta Search

Meta-search engines are search engine tools that pass queries on to many other search engines or directories and then summarise the results in one handy interface. A meta-search engine such as Dogpile collects and sorts the hits, takes out duplicates, and presents the end result in a simple format. Popular meta-search websites include Scour, Ixquick, and Mamma.

Deep Web

The deep Web (or invisible Web) is the set of information resources on the World Wide Web not reported by normal search engines. Deep Web content includes information in private databases that are accessible over the Internet but not intended to be crawled by search engines. For example, some universities, government agencies, and other organisations maintain databases of information that were not created for general public access. Other sites might restrict database access to members or subscribers.

The term deep Web was coined by BrightPlanet, an Internet search technology company that specialises in searching deep Web content. Although some of the content is not open to the general public, BrightPlanet estimates that 95 percent of the deep Web can be accessed through specialised search.

Deep Web search sites include:

- Topix.net: a news search engine
- Infoplease.com: factual answers to questions
- Pipl.com: people-finder search tools
- Flightaware.com: real-time flight tracking service

Specialist Search Tools

There are other tools available to the fraud examiner, and which site to use depends on what it is they are looking for. Here is a selection of useful links to add to your Internet investigation toolbox:

- Silo Breaker (www.silobreaker.com)
- KGB People (www.kgbpeople.com)
- Spokeo (www.spokeo.com)
- Verify Email Address (www.verify-email.org)
- YouTube (www.youtube.com)
- Flickr (www.flickr.co.uk)
- Yippy (www.yippy.com)
- The Wayback Machine (www.archive.org)

Blog Searching Tools

- www.icerocket.com
- www.technorati.com/blogs/directory
- www.ljseek.com
- www.blogcatalog.com/category

People Finder Search Tools

- www.yasni.co.uk
- www.123people.co.uk
- www.kgbpeople.com
- www.yatedo.com
- www.wink.com
- www.yoname.com
- www.snitch.name

Image Searching

Image search is evolving rapidly, with specialised search tools and engines able to read the text on an image, see its colours, identify the image location, and classify it based on its form, shape, and textures.

Here are some of the best image tools and techniques to assist you in your investigation:

- www.images.google.com
- www.bing.com/images
- www.exalead.com/search/image
- www.flickr.com
- www.instagram.com
- www.facesaerch.com
- www.delarge.co.uk/gallery/tools/finder
- www.tineye.com
- www.fotoforensics.com
- www.searchinstagram.com
- www.regex.info/exif.cgi

Social Media Investigations

Social media has opened up numerous opportunities to the fraud examiner and is a key component in profiling the subject of an investigation. The pool of information about each individual can form a distinctive social signature. Twitter, Facebook, and LinkedIn (to name but a few) have embedded themselves in people’s lives. Posts to walls, tweets, videos, and image updates are emerging as a new trove of intelligence for the fraud examiner.

Social media evidence can be a valuable addition to an investigation, revealing the kind of information that, years ago, would have been difficult, if not impossible, to find. But it has to be gathered in a way that will hold up in court. Because it’s such a new source of evidence in investigations, case law is developing rapidly. A forward-thinking investigator would be well advised to stay on top of the latest legislation both locally and internationally.

Once access to social media information has been secured, either through court order or simply due to public accessibility, evidence must be gathered in a way that is legal and useful. Collecting evidence from social media sites can be challenging for several reasons. Social media is constantly changing, and users can easily update and delete material that could be evidence in a case, although once a user is aware of an ongoing investigation, he or she is under an obligation to preserve social media evidence just as if it were any other type of evidence.

Useful links for social media intelligence gathering:

- www.socialmention.com
- www.kurrently.com
- www.topsy.com
- www.tweetcharts.com
- www.weknowwhatyouredoing.com
- www.tweetdeck.com
- www.twitscoop.com
- www.facesaerch.com
- www.globaltweets.com
- www.social-searcher.com
- www.twellow.com
- www.whostalkin.com
- www.tweetreach.com
- www.thudit.com
- www.twitpic.com
- www.searchinstagram.com
- www.hootsuite.com

There are limitations to the information you can access on a social network due to privacy settings and anonymity; legal advice might be required before using social media evidence against an individual.

Tracing an Internet Address to a Source

Just as every house has an address, every computer connected to the Internet has an address. This is referred to as an Internet Protocol (IP) address.

Identifying the Owner of a Website

There are a number of domain lookup tools available, and in this example we are going to use http://whois.domaintools.com. Once on the website, enter a domain name and click Lookup. When the lookup has run you will be able to identify who is registered as the owner of the website. The registration details a number of important things—the registrant (can be an individual or a company), the registrant’s address, who they registered the website with (the registrar), and dates indicating registration, renewal, and last update.

Identifying the Hosting Provider of a Website

It is important to also identify the hosting provider (i.e., who runs the Web server where the website you are investigating resides). At the top of the page you are currently on you will see a series of tabs including Server Stats.

Click on the Server Stats tab and you will see an IP address of the hosting provider.

Click on the IP address to identify the details of the provider, including key contacts.

Identifying Which Bodies Could Also Be Contacted

IANA (www.iana.org)

The Internet Assigned Numbers Authority (IANA) is a department of ICANN responsible for coordinating some of the key elements that keep the Internet running smoothly. Whilst the Internet is renowned for being a worldwide network free from central coordination, there is a technical need for some key parts of it to be globally coordinated—and this coordination role is undertaken by IANA. Specifically, IANA allocates and maintains unique codes and numbering systems that are used in the technical standards (protocols) that drive the Internet.

ICANN (www.icann.org)

To reach another person on the Internet you have to type an address into your computer—a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet.

ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers. ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

Regional Bodies

The Internet is split into five regions—Africa, North America, Asia-Pacific, Latin America/Caribbean, and Europe/Middle-East/Central Asia. Each region has a Regional Internet Registry (RIR) that has responsibilities in regard to the Internet. These RIRs and their contact email addresses are:

AfriNIC: [email protected]

ARIN: [email protected]

APNIC: [email protected]

LACNIC: [email protected]

RIPE NCC: [email protected]

Typically these bodies are reluctant to get involved; however, they can be a useful last course of action.

What to Look for in Terms of Suspicious Setups

Key indicators to watch for are:

Websites registered in one country but hosted in another. This becomes more suspicious when the registrant is in the UK but the site is hosted in Russia, Eastern Europe, or Africa. Also look out for typical havens, such as Switzerland and Andorra.

Websites operating in the UK, aimed at a UK market, but where the registered owner is based outside of the UK.

Websites registered by a third-party company and therefore masking the real owner. Again, typically these third parties will be located in havens.

Websites with obviously incorrect or misleading details.
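The registration fields the lookup section above tells you to read (registrant, registrar, dates, the hosting provider's IP) can be pulled out of a WHOIS record and checked against the indicators just listed in a few lines of code. The following Python is an added example written for this page, not a tool from the paper or from DomainTools. The WHOIS text, the web server IP, and the IP-to-country table are constructed sample data standing in for the Lookup and Server Stats steps, and the `market_cc` parameter (the market the site is aimed at) is an assumption you supply from the case.

```python
"""Parse a WHOIS record and apply the paper's suspicious-setup indicators.

Added example (not from the paper). The WHOIS text, web server IP and the
IP-to-country table are constructed sample data; in a real case the record
comes from the lookup service and the hosting country from the IP lookup.
"""
import ipaddress
import re
from datetime import datetime

# Constructed WHOIS record for a fictitious domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.CO.UK
Registrar: Example Registrar Ltd
Creation Date: 2013-11-02T10:15:00Z
Updated Date: 2014-01-20T08:00:00Z
Registry Expiry Date: 2015-11-02T10:15:00Z
Registrant Name: Privacy Protect Service
Registrant Organization: Domains By Proxy Holdings
Registrant Street: 1 Placeholder Way
Registrant City: Zurich
Registrant Country: CH
Registrant Phone: +1.0000000000
Name Server: NS1.HOSTING-EXAMPLE.RU
Name Server: NS2.HOSTING-EXAMPLE.RU
"""

# Constructed stand-in for the Server Stats / IP lookup step: web server IP -> country.
SAMPLE_HOSTING_IP = "203.0.113.45"            # RFC 5737 documentation address
SAMPLE_IP_COUNTRY = {"203.0.113.0/24": "RU"}  # constructed mapping

FIELDS = ("Registrant Name", "Registrant Organization", "Registrant Country",
          "Registrant Phone", "Registrar", "Creation Date", "Updated Date",
          "Registry Expiry Date")

HAVENS = {"CH", "AD"}            # Switzerland, Andorra (named in the paper)
HIGH_RISK_HOSTING = {"RU"}       # hosting locations the paper calls out
PRIVACY_PROXY_WORDS = re.compile(r"privacy|proxy|whoisguard", re.I)
PLACEHOLDER_PHONE = re.compile(r"^\+?\d+\.?0{6,}$")   # e.g. +1.0000000000


def parse_whois(text):
    """Return the registration fields the paper says to read; Name Server lines are collected."""
    record = {"Name Server": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name Server":
            record["Name Server"].append(value.lower())
        elif key in FIELDS:
            record[key] = value
    return record


def hosting_country(ip, table):
    """Map the web server's IP to a country using the (constructed) lookup table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in table.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def suspicious_indicators(record, host_cc, market_cc="GB"):
    """Apply the four indicators from the paper; returns human-readable findings."""
    findings = []
    reg_cc = record.get("Registrant Country", "").upper()
    if reg_cc and host_cc and reg_cc != host_cc:          # registered in one country, hosted in another
        note = f"registered in {reg_cc} but hosted in {host_cc}"
        if host_cc in HIGH_RISK_HOSTING:
            note += " (higher-risk hosting location)"
        findings.append(note)
    if reg_cc in HAVENS:
        findings.append(f"registrant located in a typical haven ({reg_cc})")
    if reg_cc and reg_cc != market_cc:                     # aimed at one market, owned from outside it
        findings.append(f"aimed at the {market_cc} market but owner based in {reg_cc}")
    who = record.get("Registrant Name", "") + " " + record.get("Registrant Organization", "")
    if PRIVACY_PROXY_WORDS.search(who):                    # third party masking the real owner
        findings.append("registered through a third party, masking the real owner")
    if PLACEHOLDER_PHONE.match(record.get("Registrant Phone", "")):
        findings.append("obviously incorrect contact details (placeholder phone number)")
    return findings


def days_registered(record, today_iso):
    """Age of the registration in days; very young domains deserve extra scrutiny."""
    created = datetime.strptime(record["Creation Date"], "%Y-%m-%dT%H:%M:%SZ").date()
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return (today - created).days


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    cc = hosting_country(SAMPLE_HOSTING_IP, SAMPLE_IP_COUNTRY)
    print("registrar:", rec["Registrar"], "| registered", days_registered(rec, "2014-06-01"), "days ago")
    for finding in suspicious_indicators(rec, cc):
        print("-", finding)
```

Real WHOIS output varies by registry in field names and layout, so the `FIELDS` tuple is the part to adapt; the indicator logic stays the same. Every finding is a lead to check, not a conclusion: a privacy service or a foreign host is common for legitimate sites as well.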

Following the Money: Who Registered or Paid for the Domain Registration?

Domain names are typically registered for a two-year period and can only be renewed within a couple of months of the expiry date. Some other domains can be registered for longer periods and are typically offered at a discounted rate when registered for five or ten years at a time. Understanding how a domain registration has been paid for could help the investigation. Remember that hosting services and domain registration require a fee, so follow the money. When you view the details of a domain name entry in the list of your domain names, the user ID of the billing contact will be shown; click on the domain name to see the details. In some cases the website you are investigating will need to be maintained and updated, so the server log maintained by the registrar will indicate how the web manager accesses the site, providing you with more vital digital evidence.

Viewing the Internet Archive

Visit the Internet Archive’s Wayback Machine page at www.archive.org, which can take you back as far as 1996.

Locate the box labelled “Web”. You’ll find another box to the right of the icon for the Internet Archive’s Wayback Machine.

Click this box to the right of the insignia for the Wayback Machine. Type the website you want to find into this box.

Press the Enter key on your keyboard to submit the search, or click the “Take Me Back” button.

Wait a few moments. The machine has lots of items to search for, covering lots of dates over the last 10 to 15 years.

Click on one of the dates displayed. This date is the date the robot came along and cached a view of the exact page you enquired about.

Wait for the page to display. You’ll be delighted to see the page as it appeared on the date selected.

NB - Links to pages further in on the Web aren’t always archived on the same day as the page you enquired about. You’ll get an error message when you try to do something on the page. Use the Wayback Machine to view the page only. Some of the older archives are missing pictures. In this case, keep clicking different dates until you find a working one.

How to Trace an Email Address

Trace an email address in the most popular programs like Microsoft Outlook, Hotmail, Yahoo, Gmail, and AOL, by finding the header.

What Is an Email Header?

Each email you receive comes with headers. The headers contain information about the routing of the message and the originating Internet Protocol address of the message. Not all electronic messages you receive will allow you to track them back to the originating point, and how you send messages determines whether others can trace an email address back to you. The headers don’t contain any personal information. At most, the results of the trace will show you the origination IP and the computer name that sent the email. After viewing the trace information, the initiating IP can be looked up to determine from where the message was sent. IP address location information does not contain your street name, house number, or phone number. The trace will most likely determine the city and the ISP the sender used.

How Do I Get the Header to Start the Trace Email Process?

Each electronic messaging program varies as to how you get to the message options.

Outlook—Right click the message while it’s in the inbox and choose Message Options. A window will open with the headers in the bottom of the window.

Windows Live—Right click the correspondence while it’s in the inbox, choose Properties, and then click the Details tab.

Gmail—Open the correspondence. In the upper right corner of the email you’ll see the word Reply with a little down arrow to the right. Click the down arrow and choose Show Original.

Hotmail—Right click the message and select View message source.

Yahoo!—Click the Actions dropdown menu and select View Full Header.

AOL—Click Action and then View Message Source.

You can see that no matter the program, the headers are usually just a right click away.

Tracing the Header

The next step to trace an email address is to find the originating IP listed in the header. An easy way to read the header of an email is to use the email header tool on www.whatismyipaddress.com.

Simply copy the header information from the email and paste into the relevant box on the “what is my IP address” email header webpage.
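Reading the Received headers by hand, or with the whatismyipaddress.com tool, amounts to walking them from the bottom (the hop nearest the sender) upwards and picking the first address that is not on the sender's own LAN. The following Python is an added example for this page, not the paper's or the website's code. The raw message is constructed and its addresses come from the RFC 5737 documentation ranges. It also shows why a trace can fail, as the paper notes: the earliest Received lines are written by servers under the sender's control and can be forged, so only the hops added by your own mail server are beyond the sender's reach.

```python
"""Locate the originating IP in an email's Received headers.

Added example for this page (not the paper's or whatismyipaddress.com's
code). The raw message is constructed; its addresses come from the
RFC 5737 documentation ranges and do not belong to real hosts.
"""
import email
import ipaddress
import re

SAMPLE_RAW = """\
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.receiver.example (Postfix) with ESMTPS id 1A2B3C
\tfor <investigator@receiver.example>; Mon, 03 Mar 2014 09:15:02 +0000
Received: from smtp.sender-isp.example ([203.0.113.25])
\tby mail-relay.example.net with ESMTP; Mon, 03 Mar 2014 09:14:58 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20])
\tby smtp.sender-isp.example (Postfix) with ESMTPA id 9Z8Y7X;
\tMon, 03 Mar 2014 09:14:55 +0000
From: "Accounts" <accounts@supplier.example>
To: investigator@receiver.example
Subject: Updated bank details
Message-ID: <constructed-0001@supplier.example>
Date: Mon, 03 Mar 2014 09:14:50 +0000

Please find our new payment details attached.
"""

# Mail servers record the connecting host's address as a bracketed IPv4 literal.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Addresses that cannot be the sender's public address: RFC 1918 LANs, loopback,
# link-local. Listed explicitly rather than via ip.is_private because the
# documentation ranges used in the sample are also "private" to ipaddress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Received headers oldest-first.

    Each server prepends its own Received line, so the header nearest the
    body is the earliest hop and the top one was written by the last server
    (yours). The top lines are the trustworthy ones; lower lines were written
    by the sender's side and may be incomplete or forged.
    """
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def hop_addresses(raw):
    """(ip, is_internal) for every bracketed address, oldest hop first."""
    hops = []
    for header in received_hops(raw):
        for ip_str in dict.fromkeys(IP_RE.findall(header)):  # dedupe, keep order
            hops.append((ip_str, is_internal(ip_str)))
    return hops


def originating_ip(raw):
    """First non-internal address walking from the oldest hop: the sender's
    ISP-facing IP, which is what the header tool's trace reports."""
    for ip_str, internal in hop_addresses(raw):
        if not internal:
            return ip_str
    return None


def trace_summary(raw):
    msg = email.message_from_string(raw)
    return {
        "from": msg["From"],
        "message_id": msg["Message-ID"],
        "hops": [ip for ip, _ in hop_addresses(raw)],
        "originating_ip": originating_ip(raw),
    }


if __name__ == "__main__":
    for key, value in trace_summary(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

In the sample the oldest hop is the sender's workstation on a 192.168 LAN, which is why the trace resolves to the ISP's submission server instead; as the paper says, the result places the sender at a city and an ISP, not at a street address.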

Protecting Your ID When Online

Every time you surf the Internet, your IP address is publicly visible to everyone on target network resources. It is important, therefore, to disguise your ID and online presence.

Creating a Sock Puppet (False ID)

Four steps to create a sock puppet:

Create a fake ID—use name generator

Create fake profiles and user accounts on Facebook or Twitter, for example

Fake or disguised email, phone, and IP details

Consider payment method—pre-paid credit card

Documenting Online Investigation Intelligence

Record URLs (especially Facebook)

Email communications (keep copies of relevant correspondence)

Screen capture—Print screen, Save As or apps such as Camtasia

Depending on nature of case, keep hard copies of screen shots, emails, etc.

Creating a Digital Case File

Documentation—Dates, times, accounts, IDs, images, video, chat, messages

Recordings—Screen records of the detailed investigation

Website details—HTML, links, bookmarks, etc.
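Screen captures, saved emails and HTML only hold up if you can later show they have not changed since capture. The following Python is an added example for this page, not from the paper: it writes a few constructed artefacts into a temporary case directory, records each file's SHA-256, size, source URL and capture time in a JSON manifest, and re-verifies the manifest so that a file altered after capture is reported. The case ID, examiner name and URLs are placeholders.

```python
"""Build and verify a tamper-evident manifest for a digital case file.

Added example (not the paper's). The artefacts written below are
constructed placeholders; the case ID, examiner and URLs are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large screen recordings do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_dir, case_id, examiner, source_urls):
    """Record hash, size, source URL and UTC capture time for every file in the case directory."""
    items = []
    for name in sorted(os.listdir(case_dir)):
        path = os.path.join(case_dir, name)
        if name == "manifest.json" or not os.path.isfile(path):
            continue
        items.append({
            "file": name,
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "source_url": source_urls.get(name),
            "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    manifest = {"case_id": case_id, "examiner": examiner, "items": items}
    with open(os.path.join(case_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(case_dir):
    """Re-hash every listed file; returns the names whose content no longer matches or is missing."""
    with open(os.path.join(case_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    altered = []
    for item in manifest["items"]:
        path = os.path.join(case_dir, item["file"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            altered.append(item["file"])
    return altered


def demo():
    """Create constructed artefacts, build the manifest, then alter one file and re-verify."""
    case_dir = tempfile.mkdtemp(prefix="case-")
    samples = {  # constructed placeholder content, not real captures
        "profile_screenshot.png": b"\x89PNG\r\n\x1a\n placeholder screenshot bytes",
        "message_0001.eml": b"From: accounts@supplier.example\nSubject: Updated bank details\n\n...",
        "profile_page.html": b"<html><body><p>constructed capture</p></body></html>",
    }
    for name, data in samples.items():
        with open(os.path.join(case_dir, name), "wb") as f:
            f.write(data)
    urls = {"profile_screenshot.png": "https://www.facebook.com/PROFILE-PLACEHOLDER",
            "profile_page.html": "https://www.facebook.com/PROFILE-PLACEHOLDER"}
    manifest = build_manifest(case_dir, "CASE-PLACEHOLDER-0001", "Examiner Placeholder", urls)
    before = verify_manifest(case_dir)
    with open(os.path.join(case_dir, "profile_page.html"), "ab") as f:
        f.write(b"<!-- edited after capture -->")
    after = verify_manifest(case_dir)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("altered before edit:", before)
    print("altered after edit:", after)
```

Keep the manifest itself (and ideally its own hash) on write-once media or in the hard-copy file the paper recommends; a manifest stored only beside the files it describes can be edited along with them.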

Don’t Leave Digital Fingerprints!

Every time you surf the Internet, your IP address is publicly visible to everyone on target network resources. There are numerous Internet proxy servers offering anonymous Web browsing capability (www.hidemyass.com and www.torproject.org are two such examples). Accessing websites via these proxies hides your public IP address from Web servers, helping to protect your identity online. Remember that when using a proxy server, you give them your ID. Proxy and VPN services are recommended when investigating online as they re-route your Internet traffic and change your IP.

A proxy is like a Web filter—it will only secure traffic via the Internet browser using the proxy server settings.

A VPN encrypts all of your traffic—VPNs replace your ISP and route all traffic through the VPN server, including all programs and applications.

Other things to consider when protecting yourself online:

Browse the Internet safely by using a secure Web browser such as Firefox and always run the updates when released.

Turn on your browser’s “private mode,” usually found under Preferences, Tools, or Settings.

Use the privacy settings on social networks such as Facebook and use a strong password.

Clear out temporary Internet files, cache, and history files (also monitor third-party cookies).

Use a search engine such as DuckDuckGo that distinguishes itself with a “We do not track” feature.

Secure wireless networks as unprotected Wi-Fi (wireless) networks are vulnerable.

Enable WPA2 (Wi-Fi Protected Access).

Do not auto-connect to open Wi-Fi networks.

Be careful which Wi-Fi hotspots you connect to.

Install firewalls onto your IT systems to prevent outside parties from gaining access to information.

Keep anti-virus and anti-spyware software up-to-date and download the latest security updates.

Use strong passwords for online login and always ensure that you are on a secure site before leaving any sensitive information (https).

Use encryption to protect information contained in emails or stored on laptops or other portable devices such as memory sticks.

How Safe Is Your Web Browser?

Panopticlick is an online tool by the Electronic Frontier Foundation (EFF) that tests your browser with one click. It shows you the browser’s characteristics, including plugins, screen size, time zone, and others. From this information it detects how unique your browser is and how easily it can be identified by the owners of the websites you visit online. To test your browser visit https://panopticlick.eff.org.

Useful Links: Email Privacy

www.hushmail.com

www.riseup.net/en

www.zoho.com/mail

Useful Links: Shield IP via VPN (fee required)

www.witopia.net

www.privatvpn.se/en

www.strongvpn.com

Useful Links: Browser Add-on for Privacy

www.ghostery.com

www.abine.com/dntdetail.php

