ONLINE INVESTIGATIONS

As the use of the Internet and mobile technologies, including smartphones, has grown rapidly in recent years, so has the opportunity for computer-related crime. Unlawful activity can be committed or facilitated online, with criminals trading and sharing information, masking their identity, gathering information on victims, and communicating with co-conspirators. Websites, email, chat rooms, and social networks can all provide vital evidence in an investigation of computer-related crime, and this session assists investigators in their efforts to curb such crime.

DR. STEPHEN HILL, PH.D., CIIP, ICTP
Managing Director
Snowdrop Consulting Ltd
Essex, United Kingdom

Dr. Stephen Hill is the Managing Director of Snowdrop Consulting Ltd, a company with the aim of providing education and consultancy to the private and public sector in fraud risk management, prevention/awareness, online investigations, and data security, including ISO27001 and the Data Protection Act. Stephen spent 11 years working for a top 25 firm of accountants, heading the Fraud and Forensic Group and leading an expert body advising clients on prevention, detection, and recovery of fraudulent assets, working closely with the police, HMRC, and the private sector. He is a Trustee Director of the Fraud Advisory Panel, a registered charity that works to raise awareness of fraud and financial crime and how to protect against it. Stephen chairs the Fraud Advisory Panel’s Cybercrime Working Group with colleagues from the public, private, and third sectors, and previously led its charity fraud research project that resulted in the report A Breach of Trust. He is also an Associate Member of the Association of Certified Fraud Examiners and an honorary member of the steering committee of the London Fraud Forum. Stephen specialises in e-crime and fraud awareness, with over twelve years’ experience focusing on counter fraud, cyber fraud, not-for-profit fraud, and risk management.
He is a certified practitioner (CIIP) for ISO27001, and has worked on a number of guides to fraud detection, data security, and prevention for many small to medium enterprises (SMEs) and charities. He has developed and delivered a series of fraud prevention, data security, e-fraud, Internet investigations, and OSINT courses aimed at training UK police forces (including Operation Podium in the build-up to the 2012 Olympics), private-sector fraud units, not-for-profit organisations, and major world banks. Stephen has written a book, Corporate Fraud: Prevention & Detection, published by Bloomsbury Professional, with practical advice on all aspects of fraud and how to prevent it, with the royalties going to the charity Victim Support. He has also written for several well-known publications, including The Sunday Times, “Accountancy Magazine,” “FS Focus,” “Third Sector,” “Charity Finance,” and “Solicitors Journal,” and has commented on Radio 5 and the BBC’s Real Story. Stephen has contributed to many fraud and risk management publications, including CIMA’s Fraud Risk Management: A Guide to Good Practice. With a recent appointment as a Volunteer to the City of London Police Economic Crime Directive, Stephen assists fraud investigators with online investigations.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

©2013

ONLINE INVESTIGATIONS

The use of the Internet and mobile technologies, including smartphones, has grown rapidly in recent years, as has the opportunity for computer-related crime.
Unlawful activity can be committed or facilitated online, with criminals trading and sharing information, masking their identities, gathering information on victims, and communicating with co-conspirators. However, the Internet also offers fraud investigators opportunities to acquire vital digital intelligence. The Internet is “public” by design, with incredible amounts of data available to anyone with a computer and a browser. Today, fraud examiners have access to new and evolving search engines, databases, open source tools, chat rooms, blogs, online gaming communities, and social networks in their efforts to curb crime.

©2013 2013 ACFE European Fraud Conference

The Internet and World Wide Web

The rise of the Internet offers new possibilities for fraud examiners globally. The emergence of information technology (e.g., portable devices, including tablets and smartphones) has given fraud examiners real-time access to information at a rate never before experienced. With over two billion Internet users worldwide, the level of online activity is staggering and increasing exponentially, especially in light of the social media revolution.

The Internet is a vast “interconnection of computer networks” that spans the globe. It is comprised of millions of computing devices that trade volumes of information. Desktop computers, mainframes, tablets, smartphones, video game consoles, and even “smart” televisions are connected to the Internet.

The Internet has had a relatively brief, but explosive, history thus far. It grew out of an experiment begun in the 1960s by the U.S. Department of Defense. The DOD wanted to create a computer network that would continue to function in the event of a disaster, such as a nuclear war. If part of the network were damaged or destroyed, the rest of the system still had to work. That network was ARPANET, which linked U.S. scientific and academic researchers, and is the forerunner of today’s Internet.

The Internet houses many layers of information, with each layer dedicated to a different kind of documentation. These different layers are called protocols. The most popular protocols are the World Wide Web, FTP, Telnet, Gopherspace, instant messaging, and email.

How Does the Web Work?

The World Wide Web, or WWW, is the name given in 1990 by Tim Berners-Lee of CERN to his proposal for an Internet-based hypertext system. He wrote the first WWW client and WWW server, and defined standards such as URL, HTML, and HTTP while working at CERN. The Web would link together, behind a single, easy-to-use interface, the various information resources spread around the Internet and accessed using many different systems and protocols. In 1965, Ted Nelson devised the invention that brings everything together into a single Web: the now-familiar tool known as hypertext. In hypertext, any word can be associated with a link that points to a specific piece of information. To be able to display hypertext, Tim Berners-Lee developed a description language called Hypertext Markup Language, or HTML for short. The basic idea behind HTML is to describe the structure of a document, for example by saying which part of the text is a heading, an emphasised word, or a quotation, and to leave the way these are finally displayed to the browser.

The World Wide Web is the most popular portion of the Internet. The Web is viewed through Web browser software such as Internet Explorer, Firefox, and Safari, which allows access to Web pages stored on servers around the globe.

Understanding Web Addresses (URLs)

The World Wide Web has been described as a network of electronic files stored on computers (servers) all around the world. Hypertext links these resources together. Uniform Resource Locators, or URLs, are the addresses used to locate these files.
The information contained in a URL gives you the ability to jump from one location on the Web to another. Most Web browsers allow you to type in a URL to access a particular document or service. When you click on a hypertext link in an HTML document, your Web browser is actually sending a request to download a file stored on a remote computer (server).

What Does a Typical URL Look Like?

Here are some examples:

http://www.acfe.com—The homepage for the ACFE
https://www.paypal.com/uk/webapps/mpp/home—A secure version of http using SSL
ftp://rtfm.mit.edu/pub—A directory of files available for downloading
http://blogs.reuters.com/soccer—A blog or weblog from the Reuters news agency

The first part of a URL (before the two slashes) tells you the type of resource or method of access at that address. For example:

http—hypertext document or directory
gopher—gopher document or menu
ftp—file available for downloading or a directory of such files
news—newsgroup
telnet—computer system that you can log into over the Internet
WAIS—database or document in a Wide Area Information Search database
file—file located on a local drive (hard drive)

The second part of a URL is typically the address of the computer where the data or service is located. Additional parts may specify the names of files, the port to connect to, or the text to search for in a database. Most URLs start with http, which stands for Hypertext Transfer Protocol. HTTP is the method by which HTML files are transferred over the Web.

Here are some other important things to know about URLs:

A URL usually has no spaces.
A URL always uses forward slashes.
If you enter a URL incorrectly, your browser will not be able to locate the site or resource you want.
You can find the URL behind any link by passing your mouse cursor over the link.
The pointer will turn into a hand and the URL will appear in the browser’s status bar, usually located at the bottom of your screen.

Tools for Effective Searching

The first step in Internet research is to have a thorough understanding of the search protocols offered by the various Internet search engines. Google, Yahoo, and Bing are only three of the several free search engines available for investigative Internet research; however, fraud examiners should not rely exclusively on one search engine. For best results, experts recommend using multiple search engines, as each search engine only retrieves those pages it has indexed, and no Internet search engine has indexed all available information. Fraud examiners may wish to choose a “metasearch” site, which allows queries to be submitted to multiple search engines simultaneously. Alternatively, it is worth considering setting up an automated search such as Google Alerts.

Search Engines (Index)

Databases used by search engines are made by “robots” or “spiders” that automatically map the Web by following the links between sites. These robots or spiders read the Web pages and put the text (or parts of the text) into a large database or index that you can then access. None of them cover the whole Internet; Google, the world’s largest index of the Internet, only catalogues 8 percent of the World Wide Web. Other big search engines include Bing, Ask, and DuckDuckGo.

Search Directories

Search directories are hierarchical databases with references to websites. The websites that are included are hand-picked by humans and classified according to the rules of that particular search service. Yahoo is the leader of search directories. About and Alive are also very popular. Pandia Plus Directory (Pandia PowerSearch) is based on the Open Directory, a catalogue made by enthusiasts from all over the world.
Directories are very useful when you only have a general notion of what you are looking for. The first page normally gives you the most general categories (e.g., Government or Education). Click your way down the hierarchy to the right category, select the website you find most interesting, and start researching!

Metasearch

Metasearch engines are search engine tools that pass queries on to many other search engines or directories, and then summarise all the results in one handy interface. A metasearch engine, such as Dogpile, collects and sorts the hits, takes out duplicates, and presents the end result in a simple format. Popular metasearch websites include Scour, IXQuick, and Browsys.

Deep Web

The Deep Web, or Invisible Web, is the set of information resources on the World Wide Web not reported by normal search engines. Deep Web content includes information in private databases that are accessible over the Internet but not intended to be crawled by search engines. For example, some universities, government agencies, and other organisations maintain databases of information that were not created for general public access. Other sites may restrict database access to members or subscribers. The term Deep Web was coined by BrightPlanet, an Internet search technology company that specialises in searching Deep Web content. Although some of the content is not open to the general public, BrightPlanet estimates that 95 percent of the Deep Web can be accessed through specialised search. Deep Web search engines include CompletePlanet, Surfwax, and Pipl.

Specialist Search Tools

Other tools are available to fraud examiners; which site to use depends on what they are looking for.
Here is a selection of useful links to add to your Internet investigation toolbox:

Silo Breaker: www.silobreaker.com
KGB People: www.kgbpeople.com
Spokeo: www.spokeo.com
Verify Email Address: verify-email.org
YouTube: www.youtube.com
Flickr: www.flickr.co.uk
Yippy: yippy.com
The Wayback Machine: www.archive.org

Social Media Search Tools

Social media has opened up numerous opportunities to the fraud examiner and is a key component of profiling the subject of an investigation. The pool of information about each individual can form a distinctive social signature. Twitter, Facebook, and LinkedIn, to name but a few, have embedded themselves in people’s lives. Posting to walls, tweets, and video and image updates is emerging as a new trove of intelligence for the fraud examiner. Useful links for social media intelligence gathering include:

www.socialmention.com
whostalkin.com
www.kurrently.com
fbsearch.us
tweetalarm.com
tweetcharts.com
www.weknowwhatyouredoing.com
www.tweetdeck.com/desktop
www.twitscoop.com
www.facesaerch.com
monitter.com

Note: Privacy settings and anonymity limit the information you can access on a social network, and legal advice may be required before using social media evidence against an individual.

Open Source Intelligence

Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analysing it to produce actionable intelligence. In the intelligence community (IC), the term open refers to overt, publicly available sources (as opposed to covert or classified sources).
OSINT includes a wide variety of information and sources:

Media
Government sources
Academic and professional sources
Web-based communities

Useful Links

osint.deepwebtech.com/categories.html
www.intelligencesearch.com
www.onstrat.com/osint
www.osint.org.uk
opendatasearch.org
publicdata.eu
www.eurosint.eu/
rr.reuser.biz/

How to Trace an Email Address

Trace an email address in the most popular programs, such as Microsoft Outlook, Hotmail, Yahoo, Gmail, and AOL, by finding the header.

What Is an Email Header?

Each email you receive comes with headers. The headers contain information about the routing of the message and the originating Internet Protocol address of the message. Not every message you receive can be traced back to its originating point, and likewise how you send your messages determines whether others can trace an email address back to you. The headers do not contain any personal information. At most, the results of the trace will show you the originating IP and the name of the computer that sent the email. After viewing the trace information, the initiating IP can be looked up to determine where the message was sent from. IP address location information DOES NOT contain your street name, house number, or phone number. The trace will most likely determine the city and the ISP the sender used.

How Do I Get the Header to Start the Trace Email Process?

Each electronic messaging program will vary as to how you get to the message options. I will cover the basics to start the trace … the rest is up to you.

Outlook—Right-click the message while it is in the inbox and choose Message Options. A window will open with the headers in the bottom of the window.
Windows Live—Right-click the correspondence while it is in the inbox, choose Properties, then click the Details tab.
GMail—Open the correspondence. In the upper right corner of the email, you will see the word Reply with a little down arrow to the right. Click the down arrow and choose Show Original.
Hotmail—Right-click the message and select View Message Source.
Yahoo!—Click the Actions dropdown menu and select View Full Header.
AOL—Click Action, then View Message Source.

You can see that no matter the program, the headers are usually just a right-click away.

I Have the Header, Now How Do I Start the Trace?

The next step in tracing an email address is to find the originating IP listed in the header. An easy way to read the header of an email is to use the email header tool on www.whatismyipaddress.com. Simply copy the header information from the email and paste it into the relevant box on the “what is my IP address?” email header Web page.

Tracing an Internet Address to a Source

Just as every house has an address, every computer connected to the Internet has an address. This is referred to as an Internet Protocol (IP) address.

Identifying the Owner of a Website

There are a number of domain lookup tools available, and in this example we are going to use whois.domaintools.com. Once on the website, enter the domain name and click “Lookup.” The results identify who is registered as the owner of the website. The registration details list a number of important things—the registrant (which can be an individual or a company), the registrant’s address, who they registered the website with (the Registrar), and the dates of registration, renewal, and last update.

Identifying the Hosting Provider of a Website

It is also important to identify the hosting provider (i.e., who runs the Web server where the website you are investigating resides).
At the top of the page you are currently on, you will see a series of tabs, including “Server Stats.” Click on the Server Stats tab and you will see the IP address of the hosting provider. Click on the IP address to identify the details of the hosting provider, including key contacts.

Identifying Which Bodies Could Also Be Contacted

IANA (WWW.IANA.ORG)

The Internet Assigned Numbers Authority (IANA) is a department of ICANN responsible for coordinating some of the key elements that keep the Internet running smoothly. Whilst the Internet is renowned for being a worldwide network free from central coordination, there is a technical need for some key parts of the Internet to be globally coordinated—and this coordination role is undertaken by IANA. Specifically, IANA allocates and maintains unique codes and numbering systems that are used in the technical standards (protocols) that drive the Internet.

ICANN (WWW.ICANN.ORG)

To reach another person on the Internet, you have to type an address into your computer—a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination, we would not have one global Internet. ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers. ICANN does not control content on the Internet. It cannot stop spam and it does not deal with access to the Internet. But, through its coordination role in the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.
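Returning to the email header trace described earlier: the following is an added example, not code from the original paper, showing how an investigator's tooling reads a Received: chain offline. Mail servers prepend a Received: line at each hop, so the example walks the chain from the bottom (sender side) upward and skips private-network addresses to find the first routable originating IP; the header block, host names, and IP addresses are constructed sample data.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample header block (not a real message). Each server that
# handled the message prepended a Received: line, so the top line is the hop
# nearest the recipient and the bottom line is the hop nearest the sender.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <victim@example.org>; Mon, 4 Mar 2013 10:15:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.25])
\tby mx1.example.net with ESMTPS; Mon, 4 Mar 2013 10:15:01 +0000
Received: from [192.168.1.20] (unknown [192.0.2.44])
\tby relay.example.com with ESMTPA; Mon, 4 Mar 2013 10:14:58 +0000
From: sender@example.com
Subject: constructed sample
"""

# Addresses that cannot identify an external sender: RFC 1918, loopback and
# link-local. ipaddress.is_private is deliberately not used, because it also
# flags the RFC 5737 documentation ranges this sample uses as "public" IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip_text):
    """True for addresses on a private or local network (or malformed text)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # malformed text is never a usable origin
    return any(ip in net for net in INTERNAL_NETS)


def received_chain(raw_headers):
    """Return the Received hops in header order (recipient side first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        from_m = re.search(r"\bfrom\s+([^\s;]+)", flat)
        by_m = re.search(r"\bby\s+([^\s;]+)", flat)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "ips": IPV4_IN_BRACKETS.findall(flat),
        })
    return hops


def originating_ip(raw_headers):
    """Walk the chain from the sender's side and return the first routable IP.

    The bottom hop may carry a LAN address reported by the sending client
    (here [192.168.1.20]) next to the address the relay actually saw; only
    the latter is useful for the city/ISP lookup the text describes.
    """
    for hop in reversed(received_chain(raw_headers)):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None  # no Received lines, or only internal hops


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop['from']} -> {hop['by']} {hop['ips']}")
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
```

The originating IP is only ever the address of the first mail relay that recorded it, so a result pointing at a webmail provider or a proxy identifies that provider, not the person; the Received lines above the bottom hop can also be forged by the sender, which is why the walk starts at the bottom and treats anything it finds as a lead to confirm, not a conclusion.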
Regional Bodies

The Internet is split into 5 regions—Africa, North America, Asia-Pacific, Latin America/Caribbean, and Europe/Middle East/Central Asia. Each region has a regional internet registry (RIR) with responsibilities regarding the Internet in that region. These RIRs and their contact email addresses are:

AfriNIC: [email protected]
ARIN: [email protected]
APNIC: [email protected]
LACNIC: [email protected]
RIPE NCC: [email protected]

Typically, these bodies are reluctant to get involved; however, they can be a useful last course of action.

What to Look Out for in Terms of More Suspicious Setups

Key indicators to look out for are:

Websites registered in one country but hosted in another. This becomes more suspicious when the registrant is in the UK but the site is hosted in Russia, Eastern Europe, or Africa. Also, look out for typical havens, such as Switzerland and Andorra.
Websites operating in the UK, aimed at a UK market, but where the registered owner is based outside of the UK.
Websites registered by a third-party company, and therefore masking the real owner. Again, these third parties will typically be located in havens.
Websites with details that are obviously incorrect or misleading.

Following the Money—Who Registered/Paid for the Domain Registration?

Domain names are typically registered for a two-year period and can only be renewed within a couple of months of the expiry date. Some other domains can be registered for longer periods, and are typically offered at a discounted rate when registered for five or ten years at a time. Understanding how a domain registration has been paid for could help the investigation. Remember, hosting services and domain registration require a fee, so follow the money.
When you view the details of a domain name entry in the list of your domain names, the User ID of the billing contact is shown; click on the domain name to see the details. In some cases, the website you are investigating will need to be maintained and updated, so the server log maintained by the registrar will indicate how the “Web Manager” accesses the site, providing you with more vital digital evidence.

Protecting Your Privacy

Every time you surf the Internet, your IP address is visible to the operators of the network resources you connect to. There are numerous Internet proxy servers offering anonymous Web browsing capability (e.g., www.hidemyass.com and www.torproject.org). Accessing websites via these proxies hides your public IP address from Web servers, helping to protect your identity online. Remember, though, that when you use a proxy server you are giving the proxy operator your identity instead.

Other Things to Consider When Protecting Yourself Online

Browse the Internet safely by using a secure Web browser such as Firefox, and always run the updates when released.
Turn on your browser’s private mode, usually found under Preferences, Tools, or Settings.
Use the privacy settings on social networks such as Facebook, and use a strong password.
Clear out temporary Internet files, cache, and history files (also monitor third-party cookies).
Use a search engine such as DuckDuckGo, which distinguishes itself with a “We do not track” feature.
Secure wireless networks, as unprotected Wi-Fi (wireless) networks are vulnerable. Do not broadcast your SSID (Service Set IDentifier). Enable WPA2 (Wi-Fi Protected Access). Restrict access by MAC address (filtering) when using a Wi-Fi network. Do not auto-connect to open Wi-Fi networks. Be careful which Wi-Fi hotspots you connect to.
Install firewalls on your IT systems to prevent outside parties from gaining access to information.
Keep anti-virus and anti-spyware software up-to-date, and download the latest security updates.
Use strong passwords for online login, and always ensure you are on a secure site (i.e., https) before leaving any sensitive information.
Use encryption to protect information contained in emails or stored on laptops or other portable devices such as memory sticks.