One of the cybercrime investigators' creeds is that “no cybercriminal is too smart to leave no digital traces.” Smart thieves leave few traces, but there will always be something to link the crime to a suspect.
And that is how a cyber-crime investigator established the name and mobile number of the suspect and gave the information to Uganda Police, who then obtained a court order for a call log printout from the telecom company. Together with the email header information, the physical location of the suspect’s office was established. With a search warrant, police visited the suspect’s offices in Kampala. Key information such as payment papers (invoices to the victim) and the registration and payment details of the rogue website was seized. The major omission was the failure to seize the physical computers at the offices: the search warrant had not specified seizure of the computers and digital devices, as required by law. On return with the appropriate instruments for seizure, the office was found empty, with all the computers already removed!
Through analysis of the call log patterns, supported by satellite geo-location tools, the suspect’s home address was pinpointed on Google Maps. The details were given to police, who visited and fortunately seized three laptop computers and mobile phones from the suspect. These were then forensically processed to establish whether the emails sent to the victim originated from the laptop. An image of the suspect’s laptop was also created and verified using a message digest (MD5), then analyzed using both EnCase Forensic Software and Paraben Forensic Software at the Summit Consulting computer forensic and training lab. The findings were telling:
The payment documents for the fake website’s registration and hosting were in the name of the suspect, who was established to be an external consultant attached to a computer maintenance company working with the victim.
It was confirmed that the seized laptop had sent out the emails indicating the bank details to which the victim sent the money.
Pictures and documents posted on the fake website were found to contain author artifacts in their metadata, and those artifacts matched the suspect.
A court order was issued to verify the bank documents and the details of the account into which the money was deposited; the bank account opening forms were found to carry photos of the fraudster, with a relative as a co-shareholder in the company.
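The two forensic steps described above, as an added example that is not part of the original write-up: a Python script that computes the MD5 digest used to verify an acquired item (with SHA-256 alongside it, since MD5 alone is collision-prone) and then pulls the author fields from an Office document's docProps/core.xml, the kind of metadata artifact that linked the posted documents to the suspect. The sample document is constructed inline and its author name is hypothetical.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML (Word/Excel/PowerPoint) files are zip containers; author fields live in docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def hash_evidence(data: bytes) -> dict:
    """MD5 as used in the case write-up, plus SHA-256 as a stronger companion digest."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_core_properties(data: bytes) -> dict:
    """Return author-related fields from an OOXML document, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    fields = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    return {k: (root.findtext(path, namespaces=NS) or "") for k, path in fields.items()}

def build_sample_document() -> bytes:
    """Constructed minimal container (hypothetical sample, not a document from the case):
    only the core.xml part needed to demonstrate metadata extraction."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        '<dc:creator>sample.author</dc:creator>'
        '<cp:lastModifiedBy>sample.author</cp:lastModifiedBy>'
        '<dcterms:created>2011-09-01T10:00:00Z</dcterms:created>'
        '<dcterms:modified>2011-09-02T12:30:00Z</dcterms:modified>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"])
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

def process_item(data: bytes) -> dict:
    """Custody-style record for one seized file: digests first, then the metadata findings."""
    return {**hash_evidence(data), "metadata": extract_core_properties(data)}

if __name__ == "__main__":
    print(process_item(build_sample_document()))
```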
The suspect was charged with electronic fraud contrary to section 19 of the Computer Misuse Act, 2011, laws of Uganda, which carries a punishment of up to 15 years. The victim was also to pursue civil proceedings to recover the money under civil law.
Issues and lessons to consider
Timely reporting of the case to police. This enables an effective working relationship between the police and the public, and, where need be, the involvement of an external professional to support the case is critical for expeditious execution.
The suspect was an amateur: he used his true identity for the bank account information, website hosting, mobile phone and physical office. Some criminals are smarter. They use proxy servers and fake identities and collude with some bank officials, making the investigation trail difficult to follow. Working swiftly is recommended given the volatile nature of computer evidence. Cyber criminals are making a fortune from their schemes. Unfortunately, it is difficult to prosecute these people. Once one loses money, recovery is very difficult and a long process!
Always avoid clicking on links in emails or downloading email attachments. For online transactions, always ensure the website address begins with https:// rather than http://. The s stands for secure: it indicates a security certificate issued to verified legitimate companies and individuals.