By: Chris Kaszak
Cyber Stalking and Prevention
A Private Investigator’s Perspective
Cyber Stalking and Prevention, Cyberstalking, Private Investigators, Private Investigations, Threatening Emails
J.A. Hitchcock, the author of Net Crimes and Misdemeanors, stated that the internet enables personal interaction without physical contact, and with the perception of anonymity. Thus, for the person who wishes to intimidate, threaten, and harass others, it is an ideal tool. Her assertion couldn’t be more correct. In the old days, we used to call them telephone tough guys, but with advances in technology, the keyboard is what they hide behind.
Cyber stalking is a form of harassment that takes place online, and much like its physical counterpart, it is a course of behavior that is undertaken with the intent or desire to harass, alarm, or annoy. Most, if not all, states have similar wording in their respective laws. Enforcing these laws can often be a challenge due to jurisdictional limitations and the anonymity of the harasser.
Those challenges often lead to private investigators being retained to uncover the origins of harassing or threatening emails or social media posts. I want to first manage some expectations by saying that ethical private investigators are bound by laws that prevent certain behaviors – in other words, private investigators have to play by the rules too. Ethical private investigators will not install key loggers or spyware on anyone’s computer unless the owner of that computer gives explicit written consent. An ethical private investigator will not attempt to examine a cell phone without explicit written consent by the owner of that device. Please, get the images of the shady PI breaking into an office to install some secret device on a computer server out of your head. Those actions are unethical and illegal. Any private investigator willing to work outside of the boundaries of those rules will not only be held accountable, but there could also be some application of civil or even criminal liability to those who hired them.
Conducting a cyber investigation from a private investigator’s perspective is not really that much different than conducting a “normal” investigation. In a simplified description, it involves conducting interviews, collecting and preserving evidence, establishing timelines, determining motive, and documenting findings in efforts to discover the identity of the harasser. In some instances, the victim may have an idea as to the identity or motive of the harasser, and in other instances it may be totally random. For example, an ex-lover may be suspected of sending harassing or threatening emails in efforts to sabotage a subsequent relationship or to rekindle the terminated relationship. Or, a coworker may be angry over being passed over for a promotion. Regardless, the private investigator will try to ascertain as much preliminary information as possible by interviewing the complainant. The interview will determine any possible suspects and possible motives, establish a timeline, and correlate the online activities with any suspicious activities in the physical sense. An example would be comments on social media after “checking in” to a location that indicate visual surveillance of the victim.
Once the initial interview is completed, the private investigator will legally obtain as much evidence as possible in order to conduct an analysis in efforts to identify the responsible party. A word of caution regarding evidence collection: there is a profound difference between collecting printouts of emails, text messages, and screen captures of social media posts and what is referred to as a forensic copy or bit-by-bit copy of a hard drive. In some instances, collecting the copies of emails etc. may provide sufficient value. However, obtaining forensic images of drives or bit-by-bit copies requires special training and tools in computer forensics, and should not be attempted by any investigator without the required, specialized knowledge. A forensic copy is simply a copy of the drive that is unaltered, and has proof of data integrity via a hash value. A hash is simply an alphanumeric value that is compared before and after the copying – if the hash value matches, the data has integrity. Conversely, if one singular character has changed – including overlooked stuff like the internal clock (always changing value with each second) – the hash values will not match, and the copy cannot be considered a forensic copy as the data has changed. Forensic imaging and obtaining forensic copies is a whole topic by itself, but for this writing the reference is simply a high-level view of collecting evidence for cyberstalking.
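The before-and-after hash comparison described above can be shown at the level of a single file. This is an added example, not the author's procedure or a disk imaging tool; the file names and the 4 KiB of sample bytes are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def copy_and_verify(source, destination):
    """Hash the source, copy it, hash the copy; return (before, after, match)."""
    before = sha256_file(source)
    shutil.copyfile(source, destination)
    after = sha256_file(destination)
    return before, after, before == after

def demo():
    """Copy a constructed stand-in for evidence, then alter one byte of the copy."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.bin")        # hypothetical name
    dst = os.path.join(workdir, "evidence_copy.bin")   # hypothetical name
    with open(src, "wb") as fh:
        fh.write(bytes(range(256)) * 16)               # constructed sample data
    before, after, match = copy_and_verify(src, dst)
    # Change a single byte in the copy, as any later alteration would.
    with open(dst, "r+b") as fh:
        fh.seek(100)
        fh.write(b"\xff")
    still_matches = sha256_file(dst) == before
    shutil.rmtree(workdir)
    return match, still_matches

if __name__ == "__main__":
    print(demo())
```
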
The good news for private investigators about sending information over the internet is that there is almost always a trail. So, when someone sends a threatening email from a made-up email account, there is an IP address associated with it. Every network-connected device has an IP address. IP stands for Internet Protocol, and an address is most commonly expressed in IPv4 format, but IPv6 exists. IPv4 is a 32-bit address and is represented by xxx.xxx.xxx.xxx. For example, 192.168.0.0/16 is a private network. Private networks were created due to the finite number of IP addresses to hand out, so the devices on the private networks can reside in this address space and connect to an assigned IP address given to an Internet Service Provider (ISP). Many offices and home networks use private networks in the 192.168.0.0/16 range or the 10.0.0.0/8 range. The devices on that private network connect to an internet service provider through a gateway. The gateway is a router, which has its own IP address on the network, that routes traffic from one segment of a network to another. Let me simplify this by example. The private network (192.168.0.0/16) is all of the devices inside of the boundary of that gateway, which could be an office network, or your home network for that matter. This includes laptops, desktops, network-connected printers, cell phones using Wi-Fi, video game consoles; every device.
I’m sorry you had to sit through Networking 101, but I figured I’d give some background to bring this back home for the sweet spot. You see, as a private investigator examining an email, you will be able to identify the IP address of the server that the email was sent from by using a full header. From that point, legal intervention may be necessary to identify any account owner information; i.e., subpoenas or warrants. However, there are still resources that can be used to get closer to discovering identity, or further narrowing the focus of the investigation. There are command-line tools on both Windows machines and Macs, as well as other utilities, that can resolve an IP address to a domain name. Registered IP addresses are assigned by the Internet Assigned Numbers Authority (IANA), and the WHOIS protocol is used to query databases that store the registered users of those registered resources. To that end, the private investigator can use WHOIS to determine the registrant, administrator, and technical contacts for the domain name. One more word of caution: some domains are registered through a proxy, which will conceal any personal information, but for those that aren’t registered through a proxy, it is a veritable gold mine of information.
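Reading a full header for sending addresses, and separating private-network addresses from the public one worth a WHOIS lookup, can be sketched as follows. This is an added example, not the author's tooling; the sample header, host names and addresses are constructed, and choosing the earliest public address is an assumption of the example.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 private ranges; the article names 192.168.0.0/16 and 10.0.0.0/8.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample header: hosts are made up and the public addresses
# come from ranges reserved for documentation.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.20])
    by inbox.recipient.example with ESMTP; Tue, 02 Jan 2024 10:15:07 -0500
Received: from smtp.sender.example (smtp.sender.example [203.0.113.45])
    by mx.recipient.example with ESMTP; Tue, 02 Jan 2024 10:15:05 -0500
Received: from [192.168.1.23] (unknown [203.0.113.99])
    by smtp.sender.example with ESMTPSA; Tue, 02 Jan 2024 10:15:02 -0500
From: "Someone" <throwaway@sender.example>
To: victim@recipient.example
Subject: constructed example

body
"""

def received_hops(raw_message):
    """Return hops oldest-first; each hop is a list of (ip, is_private)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its Received line, so reverse for oldest-first.
    for line in reversed(msg.get_all("Received", [])):
        found = []
        for text in IP_IN_BRACKETS.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not an address
            private = any(ip in net for net in PRIVATE_NETS)
            found.append((str(ip), private))
        hops.append(found)
    return hops

def first_public_ip(raw_message):
    """Earliest public address in the chain: the candidate for a WHOIS lookup."""
    for hop in received_hops(raw_message):
        for ip, private in hop:
            if not private:
                return ip
    return None
```

Only the Received lines added by servers you trust are reliable; lines lower in the chain are supplied by the sending side and can be forged.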
Once the evidence is collected and analyzed, the private investigator will be able to make a correlation between the evidence and the information obtained during the interview to establish a timeline of when the incidents began, occurrence over a specified timeframe, and if they have stopped. The prudent investigator will attempt to identify the relationship of the receipt of threatening emails, texts, social media posts etc., to real world incidents in efforts to narrow the scope of the investigation. For example, did the victim’s promotion at the workplace correspond to an increase of threatening emails or text messages? If so, the investigation would likely begin to focus on a coworker. This is a simplification, of course, but you get the idea.
From that point, the private investigator will continue to narrow the scope of the investigation by conducting interviews. In our above simplified example, the investigator would interview coworkers to identify additional information; perhaps it is learned that there is some internal conflict at the workplace, competition for a promotion, or even competition for the affection of another employee. Regardless, even in the age of technology, there is no replacement for solid interviewing skills.
Once the investigation has narrowed to a likely suspect or responsible party, the private investigator would be prudent to interview that individual. It is important to note that people don’t have to cooperate, but most people like to talk. Once a person commits to a story, it is their story – and any inconsistencies in that story can be an indicator that the investigator is on the right track.
The private investigator would be remiss if he/she didn’t recommend methods to the client to prevent further victimization. It’s no different than implementing physical security countermeasures to harden the attack surface. There are a number of free or low-cost solutions that can be enabled to reduce the attack surface or digital footprint of the victim. Even if someone hasn’t been the victim of cyberstalking, these are still some best practices to be implemented.
RECOMMENDATIONS TO PREVENT VICTIMIZATION
Turn off location services or photo geotagging for pictures taken by your smartphone.
When this is enabled, any photo published on social media or the web can be used to locate the exact coordinates of where it was taken. This is done by simply saving the photo, examining the details (which displays GPS coordinates, among other things), and then mapping the coordinates online.
Utilize a password manager to generate complex passwords and manage them for multiple accounts.
There are a number of commercial solutions available that charge a slight fee, and can also be used for mobile devices.
Change your complex passwords often
Don’t overshare on social media; this includes flaming (online arguments)
Manage your privacy settings on social media to restrict access to personal information, to include mobile number, email, friends lists, interests, etc.
All of this information can be used by a cyber stalker to gain information about you.
Block and report users or contacts that harass you online
Save screenshots or hard copies of any harassing correspondence you receive online
Don’t accept friend requests from people you don’t know
Don’t click on links that are from people you don’t know or trust.
(You didn’t just win the lottery, there is no Nigerian prince etc.)
Never, ever leave your computer unattended.
Always lock your screen, and always require a password to access.
ABOUT THE AUTHOR: Christopher Kaszak is a partner at Brown, Kaszak, & Associates, a licensed private investigations firm in Maryland. He is a 22-year industry veteran, and holds several cyber security certifications including CompTIA Advanced Security Practitioner, Certified Ethical Hacker, Certified Authorization Professional, and Security+. Mr. Kaszak has conducted numerous criminal and civil investigations during his tenure in law enforcement and in the private sector. Brown, Kaszak, & Associates has been featured on Dateline and TrueCrime for their investigations into a cold case homicide.