Investigating a Shooting using Cyber Approaches
I promised in the previous installment that we would take on the challenge of using current Info Sec paradigms to investigate a drive-by shooting. So let’s start at the beginning, which in police work is the crime scene.
Our crime scene has thirty shell casings lying in the street and a total of twenty-nine bullet holes in a car, a fence and a house. Each of the shell casings represent a gun having been fired once. Each time the gun was fired, a crime was committed. That’s thirty crimes that must now be investigated. Bullet holes only come from bullets, and bullets are only fired from a gun one at a time. So between the thirty shell casings in the street and the twenty-nine bullet holes, we have a total of fifty-nine crimes. Which means we must now assign fifty-nine detectives and all the appropriate resources to investigate these fifty-nine serious felony crimes.
Folly of not collaborating
Each InfoSec detective would arrive at the crime scene and initiate his/her investigation independent of the others. Each detective would gather their one piece of evidence and submit it to the forensics lab. Each witness at the crime scene would be interviewed thirty times. The forensics lab would be overwhelmed with thirty new cases in a single day. To handle this the lab will have to pay overtime to its technicians so they can lift fingerprints, process DNA evidence, and compare ballistics evidence on each shell casing. In the mean time, twenty-nine other detectives are focusing their investigative prowess on each of the individual bullet holes. They too will need to submit their evidence and generate twenty-nine separate requests to the forensics lab. The Photographic Evidence Unit will then have to dispatch either twenty-nine photographers or some smaller number of photographers multiple times in order to document each bullet hole individually.
Some of this investigative effort may result in the recovery of actual bullets. Those bullets must now also be forensically examined to determine if they were all fired from the same gun and like a good InfoSec detective, every attempt will be made to determine which bullet came from which shell casing, because that is really important; it’s actually not important and almost impossible to determine, but if we don’t determine that particular piece of data then we won’t have all the data and if we don’t have all the data, we won’t know what all the data means and we must have all the data!!! Okay, that was my interpretation of what the C-Suite and those not familiar InfoSec or criminal investigations would want to know, usually after a breach or hack has already occurred. From an investigative standpoint, that info is useless. As would be the any effort to determine where the mystery thirtieth round went. Remember, there were only twenty-nine impacts on the car, the fence and the house; where did that thirtieth round go? Not very important information in terms of solving the case, but using current InfoSec paradigms, surly some poor analyst would assigned this nearly impossible task.
For the sake of brevity, lets assume this all plays out and three months later the Chief of the InfoSec Police Department is briefed on the case. The Chief would be briefed on fifty-nine different cases by fifty-nine different detectives. He would likely arrive at the conclusion that the fifty-nine bullet holes were caused by thirty different suspects who all drove by in one car and then each shot the same gun at the parked car, the fence, or the house. He would also be briefed that the investigation in to which bullet was fired from which shell casing and created which hole in the car, fence or the house was unsolved. He would be very concerned with this because if we don’t know which hole was created by which bullet that came from which shell casing, we won’t be able to solve that particular “crime”; if these crimes don’t get solved the city council might not hire him for another term as Chief. And despite the extremely high cost of the DNA processing, the results were
negative on all thirty casings (given the amount of heat and pressure created when a bullet is fired from high-caliber rifle, no surprise there). As a result, the Chief creates a special task force to hunt down and arrest the thirty suspects who committed these crimes, but as we know, twenty-nine of these bad guys don’t even exist!
Mis-allocation of Resources
Furthermore, the Chief will likely advocate to the city council that they hire more police officers using these fifty-nine cases as evidence that more officers and resources are needed. The trend here, in case you missed it, is that the investigation was all about finding any and all available data or evidence, but no effort was made to group or compare the data to itself or take a step back and look a the bigger picture. It would be the same as conducting a investigation at to why there is sand at the beach by only analyzing the sand. The key components responsible for creating the sand lay on either side of it, that being the ocean and a cliff. By not including these two elements into the investigative strategy, the “Beach” case is destined to go unsolved and become a cold case despite any and all resources thrown at.
In the next installment, we’ll break this down more along the lines of how it really would have been investigated and draw some conclusions on how InfoSec could benefit from using law enforcement paradigms instead.
This is part 2 of a 5 post series. To read the other posts, please see the links below: