Cyber attribution is a contentious topic because some will say the nature of digital evidence means it is nearly impossible to meet the burden of proof beyond a reasonable doubt. However, the FBI told SearchSecurity that cyber investigations are not much different from traditional cases.
SearchSecurity sat down with David West, assistant section chief of the FBI's Cyber Division, operational section four, at the Black Hat conference in Las Vegas to talk about how FBI cyber investigations are performed and how the agency meets the burden of proof.
According to West, FBI Cyber Division operational section four is one of the five operational sections in the Cyber Division that focuses on the FBI's:
- extraterritorial cyber ALAT (assistant legal attachés) program;
- rapid response cyber action team;
- advanced digital forensics and malware investigators; and
- undercover programs, confidential human sources and operations that are threat-agnostic.
Editor's note: This interview has been edited for clarity and length.
Can you give an overview of the FBI's cyber investigation process if there's an attack?
David West: As most people know, one of the FBI's strengths is that we're located throughout the United States and throughout the world. While Cyber Division is headquarters, the investigations primarily and mostly occur in one of the field offices. We have 56 field offices throughout the U.S.
So, typically, we will receive a threat or indicator, we'll receive some type of notification that an intrusion has occurred, and the Cyber Division focuses on computer intrusions, be they socially motivated, financially motivated or state sponsored. In some cases, we will notify victims that they are likely victims of an intrusion through an ongoing investigation that we have to help protect them.
Basically, the steps we take are, we get a notification, we will look into it, we will see if there is a legal nexus for us to open an investigation because, as the FBI, we're constitutionally based, so everything we do is based on adherence to the Constitution.
The question I often get is, 'What level of case do you work?' That is dependent. And when I say, 'What level? What is the monetary loss?' it really is dependent on where the case is initiated, where the venue exists.
In a criminal case, you may have a half million-dollar threshold in a larger city or a $50,000 threshold in a smaller city. That's all dependent upon what the local U.S. Attorney's Office has decided.
Once we get an investigation going, we will assign a team and look and see if anybody else in the FBI knows anything about it, if they're working it. Sometimes, if it's an ongoing investigation, we'll collect the information and share with the office that's already ahead of us, and that's pretty much the way it goes.
The one key point that I'd like to make is that every investigation that we work is initiated based on the actions of a human being. A lot of people think about cyber as some computer crime that happens somewhere. Basically, every investigation we open is because of a man behind a keyboard or a woman behind a keyboard or some person behind a keyboard violating a federal statute.
Can you explain where notifications come from, and how FBI cyber investigations are triggered based on those notifications?
West: It could be as simple as a complaint; someone picks up the phone and calls us. Someone goes to the FBI webpage and sends in, 'Hey, I believe this is a crime.' It can be a referral from another law enforcement organization. Really, we take in everything and evaluate it based on its merit.
An example is the Internet Crime Complaint Center -- IC3.gov -- they get a countless number of notifications of people who have been victims of, maybe, an internet scam. And whether they've lost money or not, they will report it.
Think of the old days where we had the Nigerian fraud schemes. The FBI didn't primarily work those because we didn't think they were big enough. It was maybe an individual losing one, two, three thousand dollars. But because of the work of an organization like IC3, where they basically compiled [information] and found out it was a multibillion-dollar scheme going on, then the FBI got involved, and we primarily worked that in the Cyber Division.
But, over the years, it's become less computer intrusion and more computer fraud, and so our Criminal Division will now work it. When IC3 bundles information together, that will allow a law enforcement organization, both state and federal, to look at a potential crime because of a victim venue or a subject venue.
Do you have an automated process to sort through those notifications or is it human power looking through?
West: Yes, primarily, it's human power. IC3 may have their own collection and distribution, but, as I said, most investigations are worked in the field. The field agent will look at it, contact the victim company or do a database check to see if it's something that should be referred to another office. That information is collected, and on an individual, case-by-case basis, it's rolled up.
So it is very labor-intensive. There are some automated steps that help us with collecting it, sorting it, putting it in the right location, but the majority of the work is manpower.
Once FBI cyber investigations are started, how do they compare to traditional investigations?
West: The most mundane way to put it is that a cybercrime is not much different than a traditional crime. The difference is the type of evidence that's collected, for the most part.
In the bigger FBI, we deal with more in the cybercrime area. But, in the Cyber Division, we deal with computer intrusion. What we're looking at is an individual that has utilized a computer and, by utilizing that computer, they violate some federal law, and it reaches a threshold and reaches our attention.
And so, in doing that, the typical statute we use is 18 USC [U.S. Code] 1030, and if it's a group of people, we may include conspiracy charges 371, or even, if it's financially motivated, wire fraud or other types of charges.
But, basically, from an investigative standpoint, in a non-cybercrime, we have an investigator go to the scene, look for clues, collect those clues in a detective way, and do that investigation. From a cyber standpoint, same thing happens. The difference is, not only are you looking for traditional physical clues, you're looking for the digital clues, also.
A lot of people tend to be skeptical about digital evidence because that can be easier to fake, including spoofing an IP address.
West: Absolutely. But in modern crimes or in normal crimes, you can stage a crime scene to make it seem like a certain way to obfuscate what you've done and how you're doing it. Same is true in the digital world. So, we have several steps that we go through.
There are things that we do to make sure that the information we have is defendable and irrefutable. We realize that there are certain steps that a bad actor could take to obfuscate who he is, where he is.
But, again, this is a human being relying on human behavior, as well as technical tools. Human behavior is flawed sometimes. We look for those flaws. Technical tools sometimes are flawed; they sometimes leak information that it may be a particular obfuscation technique [being] used. It's not 100%.
How do FBI cyber investigations reach the burden of proof? How do you know that you've successfully bypassed those obfuscation techniques?
West: The bottom line is, the same way [you react to] a non-cyber event, you would with a cyber event. There are things that you're trained in doing that will help you.
We're fact-finders, so we go out to find the facts. And if the facts don't line up, then there are things you can do to say, 'this just doesn't look right, that doesn't work.' Same thing in a regular case.
So, yes, we know people use hidden services. They use tools and techniques that will obfuscate what they're doing.
There are additional things we can do to validate when we think we know who they are. It may be you're finding a needle in a needle stack. We may be looking at 500 IP [addresses], and then that one IP where it bleeps the wrong IP. And through our legal process, we may find out that that IP is tied to a specific subject that requires us to look at that subject. I am sworn to protect the citizens' rights, so I do not want to put the wrong person in jail.
Part of our process when we're looking at things, when we first seize the evidence, is that there's a chain of custody, there's a forensic analysis that's done on the machine. One of the things we do is to look and see if there are viruses on that machine that could cause the actions that you're saying happened. It's a common defense, but it's easily proven to be false in a court.
What's the timetable on FBI cyber investigations? Obviously, digital moves pretty fast, so if you find an IP address that connects to somewhere, that person might be gone.
West: You're absolutely right. One of the things that I can say on the back end, when we get to the point where we've met the burden of proof to [begin the] legal process to do a search warrant or a seizure on your home, that device itself may have the information to put the other pieces together. But long before we go there, we have what we're looking for, and we believe that, basically, the information that is at your location will help prove that you committed this crime.
So there are things that happen in that way. And, again, there are things that can be done to overcome some of the obfuscations.
And I have to say that, from a timing standpoint, it is a challenge because, by the time we serve a legal process, the digital evidence may be gone. That lead dries up just like any other lead. That's not the only lead we follow.
And most criminals who reach our threshold are repeat offenders. We very seldom look at [a] person that did one crime and got away with it. By the time it reaches the federal level, they are usually pretty good at what they do; they've inflicted a certain amount of harm, and there's a history of who they are and what they've done. And, also, this is an underground community where people know people.
So we rely on not only human techniques, but technical techniques, and that's why the FBI [doesn't] lose very many cases, if any, because if I'm an investigator and I'm working on a crime, I will assess the information you've received, identify what your motivation is behind it. Just because you're motivated because you don't like this guy, doesn't mean he didn't do it. I take all that into consideration. I will take that information, go through our legal process and steps to either prove or disprove that he did it.
And the reason why is, a lot of times, we either identify that we don't have enough evidence to prove he did it or, flat out, we don't think he did it and we go on a different trail after someone else that may have done it if it's tied to a large enough case.
But if we are looking at the evidence and we don't think he did it, we can't present to a U.S. Attorney to take it to court because, by the time it gets to court, we've gone through the burden of proof. We have basically collected the evidence that we believe will withstand any scrutiny. And we [can] prove beyond a reasonable doubt that this person committed the crime that they're charged with.
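The "needle in a needle stack" West describes above, where one session among hundreds bypasses the subject's anonymizer, is the kind of thing an analyst would script rather than eyeball. The following is an added example written for this page; it is not FBI code and does not describe any FBI tool. The authentication-log format, the account names and the exit-node list are all constructed (TEST-NET addresses, not a real Tor exit list). Given the log and the set of known exit addresses, it reports, per account, any source IP that is not an exit node, and then looks for anonymized sessions of the same account close in time to the leak, which is the kind of corroboration that separates a dropped circuit or misconfigured client from an unrelated login.

```python
"""Find the one connection that bypassed an anonymizer among many that did not.

Added example, not FBI code. The log lines, account names and the exit-node
list are constructed (TEST-NET ranges); the log format is an assumption.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth-log: the subject's handle logs in through exit nodes,
# except once, 17 seconds after an anonymized session.
SAMPLE_LOG = """\
2019-08-05T01:12:03Z login user=darkcoder src=198.51.100.7
2019-08-05T03:40:19Z login user=darkcoder src=198.51.100.22
2019-08-06T02:05:44Z login user=darkcoder src=203.0.113.9
2019-08-06T02:06:01Z login user=darkcoder src=192.0.2.45
2019-08-07T04:18:30Z login user=darkcoder src=198.51.100.7
2019-08-07T22:51:12Z login user=otheruser src=192.0.2.200
garbage line that should be ignored
"""

# Constructed exit-node list (stand-in for a real, dated exit list).
EXIT_NODES = {"198.51.100.7", "198.51.100.22", "203.0.113.9", "192.0.2.200"}

LOG_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; skip lines that do not match or carry a bad IP."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address is noise, not evidence
        events.append({"ts": m["ts"], "user": m["user"], "src": str(ip)})
    return events


def find_leaks(events, exit_nodes):
    """Per user, map each non-exit source IP to the timestamps it was seen at.

    A user whose sessions all come from exit nodes gets no entry at all.
    """
    leaks = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["src"] not in exit_nodes:
            leaks[e["user"]][e["src"]].append(e["ts"])
    return {user: dict(ips) for user, ips in leaks.items()}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def nearby_anonymized(events, user, leak_ts, exit_nodes, window_s=300):
    """Exit-node sessions of `user` within window_s seconds of the leaked one.

    Returns (timestamp, exit_ip, seconds_from_leak) tuples, nearest first.
    """
    t0 = _parse_ts(leak_ts)
    hits = []
    for e in events:
        if e["user"] != user or e["src"] not in exit_nodes:
            continue
        delta = abs((_parse_ts(e["ts"]) - t0).total_seconds())
        if delta <= window_s:
            hits.append((e["ts"], e["src"], int(delta)))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, ips in find_leaks(events, EXIT_NODES).items():
        for ip, stamps in ips.items():
            print(f"{user}: non-exit source {ip} seen {len(stamps)}x at {stamps}")
            for ts in stamps:
                print("  anonymized sessions nearby:",
                      nearby_anonymized(events, user, ts, EXIT_NODES))
```

Two caveats the interview itself makes. The flagged address is a lead, not an identification: tying 192.0.2.45 to a subscriber, let alone to the person at the keyboard, is the legal-process step West describes, and the exit list must be the one valid at the time of the log, since exit nodes churn. The second account in the sample never used an exit node at all, so it produces no "leak"; the script only finds the outlier within an account that was otherwise anonymized.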