Sunday, February 16, 2014

Cyberbullying Investigations - Finding who is behind the IP Part 4

If the IP discovery comes back as the “Smiths' household” you may not know for sure which member sent the cyberbullying messages. You can usually rule out grandma and the toddlers. But, since the Lori Drew/Megan Meier case, you can’t rule out neighborhood moms anymore.
That’s where old-fashioned investigation techniques come in. Who was home at the time the communication was sent or posted? Who wasn’t? Who had access to the devices or accounts used? Are they accessible via mobile devices? Are there spelling or grammar quirks, or other ways to match the suspected cyberbully to the message? Who was working, who was at school, and who was out of reach? If that doesn’t settle it, investigators move to the suspect’s computer itself.
Lawyers (and tech-savvy law enforcement officers) appreciate computer forensics and the chance to look into hard drives during discovery and investigations. They can usually find far more there than through conventional discovery and investigation methods. Luckily, defendants and suspects often think that getting rid of evidence on a computer is as simple as clicking the “delete” button. But all that does is take it off your desktop so you can’t see it. Your computer knows it’s there and can retrieve it with the right programs.

The only way to make sure it’s really gone is by reformatting your hard drive and overwriting the data. That means you write over the old information, like recording over an old audiotape or videotape. (Understand that law enforcement and good cyber-forensic experts can often still retrieve it after the hard drive has been reformatted several times. Some “scrub” programs will remove it permanently, leaving it undiscoverable by anyone other than the best in the business.) Backup drives, programs, and tapes often keep copies even if you are able to truly delete the file from one computer.

It is very difficult to ever be sure that something is deleted entirely. If someone wants it badly enough, like the RIAA, an irate spouse, or someone you’ve attacked online, they will almost always find it.

Parry’s advice to lawyers is: “If you’re the lawyer and on the side seeking the information, always ask for a mirror-image of the drive and a copy of whatever software is needed to read it. If you’re on the other side, defending a client, offer to print out whatever they need. If they are naïve enough to accept that offer, they deserve what they get.” Any network or website that works with Parry’s new company,, will have to make this easy for police and provide an investigator’s guide. If you see a site or network displaying the WiredTrust Best Practice Seal, have the community police officer or your SRO request a copy of the Investigator’s Guide. It’s free to law enforcement. You should also ask them for a copy of their School Guide.
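
The points above about the “delete” button and about asking for a mirror image, as an added Python example that is not part of the original post: on a constructed toy volume, deleting a file drops only its table entry, so a listing of live files misses the message while a signature scan of the raw image still recovers it, until the free space is overwritten. `ToyVolume`, `carve` and the `<msg>` markers are invented for illustration and do not model any real file system.

```python
BLOCK = 32                                   # toy allocation unit, in bytes
HEADER, FOOTER = b"<msg>", b"</msg>"         # constructed record markers

class ToyVolume:                             # constructed stand-in for a drive
    def __init__(self, blocks=16):
        self.image = bytearray(BLOCK * blocks)  # what a mirror image copies
        self.table = {}                         # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK  # round up

    def delete(self, name):
        del self.table[name]                 # entry goes, the bytes stay

    def listing(self):                       # live files only, like a printout
        return {n: bytes(self.image[o:o + l]) for n, (o, l) in self.table.items()}

    def overwrite_free_space(self):
        used = {i for o, l in self.table.values() for i in range(o, o + l)}
        for i in range(len(self.image)):
            if i not in used:
                self.image[i] = 0

def carve(image):
    """Scan raw bytes for header/footer pairs, ignoring the file table."""
    found, pos = [], 0
    while (start := image.find(HEADER, pos)) != -1:
        end = image.find(FOOTER, start)
        if end == -1:
            break
        found.append(bytes(image[start:end + len(FOOTER)]))
        pos = end + len(FOOTER)
    return found

def demo():
    vol = ToyVolume()
    vol.write("homework.txt", b"<msg>essay draft</msg>")
    vol.write("post.txt", b"<msg>constructed sample message</msg>")
    vol.delete("post.txt")
    visible = vol.listing()                  # logical view after the delete
    carved = carve(bytes(vol.image))         # raw view of the same volume
    vol.overwrite_free_space()
    return visible, carved, carve(bytes(vol.image))

if __name__ == "__main__":
    print(demo())
```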