
What The Silk Road’s Fall Can Teach Us About Digital Forensics

Everything we do online - from chatting on social networks to browsing digital storefronts - leaves a trail. A set of digital breadcrumbs. All that’s necessary to follow them to their source is for one to know where to look.

We live in an era where true anonymity is elusive, perhaps even impossible. On the one hand, that has some rather disturbing implications from the perspective of privacy. On the other hand, it means that determining the cause of a cyber attack – and tracking the criminals responsible – is simpler than it’s ever been.

Nowhere is this paradigm more evident than in the fall of the digital black market known as The Silk Road. Created by programmer Ross Ulbricht (known to his associates as Dread Pirate Roberts), the Silk Road quickly became an international drug empire. In many ways, its story resembles a modern-day, digital rewrite of Scarface, with everything that entails.

The tale of the Silk Road’s fall is as interesting as that of its rise, and paints a very informative portrait of how and where an IT professional might trace the activities of cybercriminals.

“We took chat logs, we took photos, we took diary entries, all of these different things, and we put together a database where we could cross-correlate everything by time,” explained journalist Nick Bilton in a Recode Media podcast last year. “I could look at 3:48 pm on Jan. 11, 2012, and I could see what the ‘Dread Pirate Roberts’ was doing and talking about, what Ross was doing on social media and talking about, and then look for photos that lined up with that. It was amazing how everything came together so succinctly.”

“The detail I was able to get was just staggering,” he added. “There were moments I found things that were just terrifying, that you could figure it out. The EXIF data, the location data in the photo, would lead me to a girlfriend that – I didn’t even know the person’s name…I could have spent a hundred hours with Ross and I [wouldn’t have gotten as much information].”
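The cross-correlation Bilton describes, a single database in which chat logs, photos and social media posts can all be queried by time, is a standard forensic timeline. The script below is an added example, not code from the original post or from Bilton's own database. It normalizes three constructed evidence sources to UTC (chat lines already in UTC, social posts and EXIF photo timestamps assumed to be on a UTC-8 local clock), converts EXIF-style GPS rationals to decimal degrees, and answers the question "what was happening at 3:48 pm on Jan. 11, 2012?" All names, messages and coordinates are made up for illustration.

```python
"""Cross-source forensic timeline (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Sequence, Tuple

# Constructed evidence. Chat lines carry ISO-8601 UTC stamps; social posts and
# camera clocks are assumed to be local time at UTC-8 (an assumption for this example).
CHAT_LOG = [
    "2012-01-11T23:47:05Z vendor_x: is the shipment out?",
    "2012-01-11T23:48:40Z operator: yes, posted this morning",
    "2012-01-12T03:10:00Z operator: logging off",
]
SOCIAL_POSTS = [
    ("Jan 11, 2012 3:50 PM", "great coffee in the mission today"),
    ("Jan 10, 2012 9:00 AM", "long day of coding ahead"),
]
# (EXIF DateTimeOriginal, GPSLatitude rationals, GPSLatitudeRef, GPSLongitude rationals, GPSLongitudeRef)
PHOTOS = [
    ("2012:01:11 15:46:30", ((37, 1), (46, 1), (2982, 100)), "N",
     ((122, 1), (25, 1), (900, 100)), "W"),
]

Rational = Tuple[int, int]


def exif_dms_to_decimal(dms: Sequence[Rational], ref: str) -> float:
    """Convert EXIF degrees/minutes/seconds rationals to signed decimal degrees."""
    deg, mins, secs = (num / den for num, den in dms)
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def to_utc(local: datetime, utc_offset_hours: int) -> datetime:
    """Attach a fixed UTC offset to a naive local timestamp and convert to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


@dataclass(order=True)
class Event:
    when: datetime                      # always UTC-aware after normalization
    source: str = field(compare=False)  # "chat", "social" or "photo"
    detail: str = field(compare=False)


def build_timeline(chat, social, photos, local_offset_hours: int = -8) -> List[Event]:
    """Merge every source into one list sorted by UTC time."""
    events: List[Event] = []
    for line in chat:
        stamp, _, text = line.partition(" ")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, "chat", text))
    for stamp, text in social:
        local = datetime.strptime(stamp, "%b %d, %Y %I:%M %p")
        events.append(Event(to_utc(local, local_offset_hours), "social", text))
    for stamp, lat, lat_ref, lon, lon_ref in photos:
        local = datetime.strptime(stamp, "%Y:%m:%d %H:%M:%S")  # EXIF uses colons in the date
        lat_dec = exif_dms_to_decimal(lat, lat_ref)
        lon_dec = exif_dms_to_decimal(lon, lon_ref)
        events.append(Event(to_utc(local, local_offset_hours), "photo",
                            f"taken at lat={lat_dec:.5f}, lon={lon_dec:.5f}"))
    return sorted(events)


def events_near(timeline: List[Event], moment: datetime,
                window: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Everything, from any source, within +/- window of the moment."""
    return [e for e in timeline if abs(e.when - moment) <= window]


def correlate_at_local(timeline: List[Event], local_stamp: str,
                       local_offset_hours: int = -8, window_minutes: int = 5) -> List[Event]:
    """Query the timeline with a human-readable local time such as '2012-01-11 15:48'."""
    local = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M")
    return events_near(timeline, to_utc(local, local_offset_hours),
                       timedelta(minutes=window_minutes))


if __name__ == "__main__":
    tl = build_timeline(CHAT_LOG, SOCIAL_POSTS, PHOTOS)
    for e in correlate_at_local(tl, "2012-01-11 15:48"):
        print(e.when.isoformat(), e.source, e.detail)
```

The important design choice is that every timestamp is converted to UTC before anything is compared: EXIF `DateTimeOriginal` carries no timezone and a camera clock can be wrong, so the offset applied to each source should be recorded as an explicit assumption in the case notes, exactly as it is a parameter here.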

So what exactly is the lesson here from a disaster recovery perspective? Simply put, that you cannot discount anything as part of your post-breach investigation. Even the smallest detail – a login from a device at an unusual time, the social media history of an employee’s laptop, an unexpected file access request – could provide valuable evidence that helps your organization not only understand the motive behind an attack but the process by which it was carried out.

To that end, our advice is simple. Implement a monitoring system that allows you to track everything that happens on your network. Use a content collaboration system that monitors how your files are accessed and used both inside your network and outside.
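A monitoring system earns its keep only if someone defines what "unusual" means for each user. The following added example (not code from the original post or from any product it alludes to) builds a small per-user baseline from a constructed access log, then flags the three signals the text names: a login from a device not seen before, a login at an hour outside the user's habit, and a first access to a directory tree the user has never touched. The log format, usernames and paths are invented for the example.

```python
"""Baseline-and-deviation checks over an access log (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log: "<ISO timestamp> <user> <device> <action> <target>", target "-" for logins.
ACCESS_LOG = [
    "2012-01-09T09:12:00 alice laptop-a1 login -",
    "2012-01-09T10:30:00 alice laptop-a1 read /finance/q4.xlsx",
    "2012-01-10T09:05:00 alice laptop-a1 login -",
    "2012-01-10T14:00:00 alice laptop-a1 read /finance/budget.xlsx",
    "2012-01-11T03:42:00 alice tablet-z9 login -",
    "2012-01-11T03:45:00 alice tablet-z9 read /hr/salaries.csv",
    "2012-01-11T09:10:00 alice laptop-a1 login -",
    "2012-01-11T10:00:00 alice laptop-a1 read /finance/q1.xlsx",
]

Finding = Tuple[datetime, str, str]  # (when, user, reason)


def parse_record(line: str) -> dict:
    stamp, user, device, action, target = line.split()
    return {"when": datetime.fromisoformat(stamp), "user": user,
            "device": device, "action": action, "target": target}


def top_dir(path: str) -> str:
    """'/finance/q4.xlsx' -> '/finance'; the granularity at which access habits are compared."""
    return "/" + path.strip("/").split("/")[0]


def build_baseline(records: List[dict], cutoff: datetime) -> Dict[str, dict]:
    """Per-user habits learned from everything strictly before the cutoff."""
    baseline = defaultdict(lambda: {"devices": set(), "login_hours": set(), "dirs": set()})
    for r in records:
        if r["when"] >= cutoff:
            continue
        b = baseline[r["user"]]
        b["devices"].add(r["device"])
        if r["action"] == "login":
            b["login_hours"].add(r["when"].hour)
        elif r["target"] != "-":
            b["dirs"].add(top_dir(r["target"]))
    return baseline


def flag_anomalies(records: List[dict], baseline: Dict[str, dict],
                   cutoff: datetime, hour_slack: int = 1) -> List[Finding]:
    """Compare records from the cutoff onward against the learned baseline."""
    findings: List[Finding] = []
    for r in records:
        if r["when"] < cutoff:
            continue
        b = baseline.get(r["user"])
        if b is None:
            findings.append((r["when"], r["user"], "user has no baseline"))
            continue
        reasons = []
        if r["device"] not in b["devices"]:
            reasons.append(f"new device {r['device']}")
        if r["action"] == "login" and not any(
                abs(r["when"].hour - h) <= hour_slack for h in b["login_hours"]):
            reasons.append(f"login at hour {r['when'].hour:02d} outside usual hours "
                           f"{sorted(b['login_hours'])}")
        if r["action"] != "login" and top_dir(r["target"]) not in b["dirs"]:
            reasons.append(f"first access to {top_dir(r['target'])}")
        findings.extend((r["when"], r["user"], reason) for reason in reasons)
    return findings


def run(log: List[str] = ACCESS_LOG, cutoff_iso: str = "2012-01-11T00:00:00") -> List[Finding]:
    records = [parse_record(line) for line in log]
    cutoff = datetime.fromisoformat(cutoff_iso)
    return flag_anomalies(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for when, user, reason in run():
        print(when.isoformat(), user, reason)
```

Two days of history is far too little for a real baseline; the point of the example is the structure, in which the signal is a deviation from the user's own recorded habits rather than a fixed rule, so the same evidence that would look innocuous in isolation (a 3:42 am login) stands out when set against the trail the user normally leaves.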

And when in doubt, pay attention to what’s happening on social media, and in your employees’ personal lives – as much as you can without violating their privacy.

“Even in a bitcoin universe, it is difficult to remain unrecognized forever,” writes Marcell Nimfeuhr in a Medium piece on anonymity. “Authorities and hackers are in a race to conceal and uncover. Every action on the Internet leaves a trace. At some point, every criminal will make a mistake.”
