How Hackers Are Caught Computer Crimes, like Others, Often Leave a Trail
Kazak, David R., Daily Herald (Arlington Heights, IL)
Last week someone, somewhere in the world pushed the "enter" button on a keyboard, and out from that machine slithered a computer virus.
Within days, 600,000 computer systems were crippled and $2.5 billion in business was lost, as techies from Boston to Bangkok struggled to contain the damage.
Investigators now believe the "I LOVE YOU" virus originated with one of three people in the Philippines. But just how did the cyber detectives winnow the list of suspects down to three out a possible 6 billion?
Relatively quickly. On Monday, an international pool of investigators arrested a Philippine bank employee, and are continuing to track his girlfriend and her computer-savvy, unemployed sister.
With only days between initial reports of the virus and the arrest, federal and international investigators made their search seem as easy as dusting for prints and checking the plates on the get-a-way car.
"Computer crime is no different than any other crime," said Don M. Svendson, who oversees forensic and investigative services for Deloitte & Touche, a Chicago-based auditing firm that's assisted authorities in the past
"You follow the historical information and capture all the ingredients needed to prove a case," Svendson said. "Only here, it's a computer trail."
Few details have been released concerning the tracking of the I LOVE YOU hackers. But a common element in all hacker searches is that investigators looking need the same savvy, the same attention to detail, as gumshoes looking into financial crimes or murders, Svendson said.
According to Brian Dennis, an assistant computer professor at Northwestern University, that savvy begins with sifting through the electronic haystack known as "headers."
When a virus is attached to an e-mail message - as the "I LOVE YOU" virus was - investigators look at headers because they contain information about where a single message originated.
"A good virus will be the kind that can change its headers, but mail servers usually keep logs on all messages," Dennis said. "With enough detective work, it is possible to backtrack through the chain to the message's origin."
But it's not too probable, he added.
About the best investigators can hope for by backtracking is finding a specific region of the world on which to focus, such as Africa, America or the Pacific Rim, said University of Chicago Chief Information Officer Gregory Jackson.
That happens when investigators find the moment of "earliest incidence" - the earliest moment in time when the smallest amount of e-mail servers received the virus-tainted message. …