Microsoft Planning Portal to Aid Police Investigations

Rhett Pardon
MONTEREY, Calif. — Microsoft, with enormous resources and intimate knowledge of its software, is planning a website that will aid police in investigating Internet crime.

The announcement, made at the High Technology Crime Investigation Association’s 2005 International Training Conference & Expo in Monterey, Calif., comes in the wake of last month’s FBI’s Microsoft-aided probe into the origins of the Zotob worm, which crippled U.S. businesses in August.

Resources for the Microsoft site will include online training sessions on how to conduct Internet investigations, extract information from hard drives and trace an IP address back to its source to identify website owners.

The portal, which does not yet have an official address, also will offer information on recently passed legislation relative to Internet crime.

In other conference news, cybercrime instructor Glenn Lewis at the conference said that most computer forensic investigations using web browser date are easy for police — but only if the suspect employs Internet Explorer.

Lewis said that Internet Explorer hides nothing from investigators who examine PCs to discover which sites the user has visited. Those investigators typically know the location of the IE browser cache, cookie files and history, and they know how to read those files.

The investigations, however, find trouble when it comes to alternative web browsers such as Firefox and Opera because those programs use different structures, files and naming conventions for the data that investigators are after, he said.

Files also are in a different location on the hard drive, which can cause trouble for investigators, and in many instances forensics software may not support the web browsers, he said.

Lewis told attendees that one specific challenge with Firefox and Opera is identifying which web addresses have been entered manually as opposed to having been clicked on in a hyperlink. The distinction may be key to a case where a suspect claims he did not intend to visit a site but accidentally clicked on a link or was sent to a site automatically.

Firefox and Opera store data on typed URLs in a different file than Internet Explorer does, making the files harder to decipher, Lewis said.