Naming John Doe: How Digital Forensics Can Unmask Online

January 03, 2024


By Johnathan Bridbord in Legaltech News


As cyberstalking, online harassment and other similar issues continue to grow in frequency and complexity, digital forensics will be an important element in supporting the justice process with user attribution.

When a U.S.-based insurance company dismissed a rogue employee, its executives never expected to become the targets of an extensive online harassment campaign. Shortly after the employee’s departure, a series of harmful fake websites and fake emails began to flood the company and its market. They were accompanied by graphics designed to impersonate the company and its leaders, all with the aim of spreading false information and damaging the company’s reputation.

Though the company strongly believed the former employee was responsible, the perpetrator’s identity had been expertly masked. To effectively stop the harassment and pursue damages, the company would have to uncover and prove who was behind the mask.

The threat of bad actors, whether practiced criminals, scammers or disgruntled employees, who aim to use the internet for cyberstalking, libel, copyright infringement and harassment is a persistent one. Social media, combined with readily available tools that allow people to create convincing content and images quickly and easily, continues to promote the perception that crimes can be committed online anonymously.

In fact, according to a report from RAND Corporation, the number of federally prosecuted cyberstalking cases has grown steadily since 2014. The report also found that the legal system is underprepared to handle these cases due to a lack of training in how to investigate, collect and analyze subscriber records and compelled data. Advances in artificial intelligence, which make it easier to create convincing deepfake images, videos and audio, will further exacerbate the issue.

Digital forensics experts have been working to develop technical solutions for this problem. The ability to track, trace and attribute an identity to a criminal act requires a combination of legal process, technology and traditional investigatory workflows. For example, investigators may utilize technology, data and information from publicly available databases to piece together multiple indicators that can in concert point toward an individual or additional clues. Additionally, data records may be obtained through legal processes and under the Federal Stored Communications Act, which may help shed light on ownership of websites or online accounts. Experts who can analyze proprietary data formats and interpret and report on complex and disparate data are able to support user attribution in online investigations.

In a recent copyright and trade secrets matter, digital forensics investigators leveraged open-source intelligence, legal tools and data from subpoena returns to identify a bad actor. The case involved a university that was trying to determine who had made incorrect, publicly facing Wikipedia entries about the school and its research. By tracking IP addresses connected to the Wikipedia entries, the forensics team was able to trace the activity to an individual working on behalf of a startup company. The investigation ultimately found that the company was taking research and stealing other proprietary information from the university and aiming to undermine the institution through false Wikipedia entries.

Another example is an investigation that was spurred by a high-worth individual who was targeted by an anonymous group in an aggressive defamation and libel campaign. The legal team worked with investigators to issue subpoenas requesting records that would help reveal the identity behind the campaign. Investigators again analyzed various data artifacts and IP address information to form leads and support counsel with the subpoena process. The effort ultimately connected the defamation and libel activities to another high-worth individual who was attempting to compete with the victim. In the ensuing lawsuit, the investigation’s records were certified and authenticated for use as evidence.

These methods can also be used to help prove innocence in certain disputes. A recent DOJ case serves as an example. An online marketplace had been accused of retaliating against certain sellers after they had publicly criticized the marketplace’s activities. The sellers became the targets of online harassment that was tied to individuals within the company. One executive was caught up in the accusations and sought investigatory support to prove that he wasn’t part of the cadre of employees involved in harassing the couple. Ultimately, investigators were able to uncover sufficient evidence to show that this executive wasn’t involved with or aware of the harassment, and the DOJ did not pursue criminal charges against him.

In the insurance company case shared earlier, digital forensics professionals were successful in using IP addresses and other unique identifiers to definitively and defensibly pin the harassment campaign to the former rogue employee. While the original lawsuit had named the bad actor as John Doe/Jane Doe, the results of the investigation enabled counsel to name the person in the suit, so the company could pursue appropriate damages in court.

Data is a powerful tool in shedding light on criminals attempting to hide in the dark corners of the internet. Whether someone is faking an account, claiming that their accounts were hijacked or impersonating a rival, digital fingerprints, public records, open-source intelligence and legal tools can piece together the true facts and prove the identities of bad actors in disguise. As cyberstalking, online harassment and other similar issues continue to grow in frequency and complexity, digital forensics will be an important element in supporting the justice process with user attribution.

Johnathan Bridbord is a 23-year veteran practitioner in the digital forensics and investigations field, with a decade of experience in the Criminal Division of the U.S. Department of Justice. Mr. Bridbord has been qualified as an expert witness in Federal District Courts and is sought by clients for his extensive knowledge and skills in handling high-stakes, technically-sophisticated and complex digital forensic investigations and disputes. Mr. Bridbord has led and supervised Digital Investigative analysts in forensic examinations, provided nationwide expertise to federal prosecutors and agents on cutting-edge data forensic issues and provided expert witness testimony in numerous federal district courts.