Cybersecurity , Forensics , Technology

Paris Attacks: The Cyber Investigation

Digital Forensics Critical to the Case, Experts Say
Paris Attacks: The Cyber Investigation
The Prefecture de Police de Paris has released photographs of two "armed and dangerous" suspects it's seeking.

French authorities continue to investigate the Jan. 7 attack in Paris that claimed the lives of a dozen, including journalists and police officers. As they do so, experts with digital forensics and other information security skills will be crucial for continuing to advance the investigation, says Tim Ryan, a former FBI special agent and supervisor who oversaw the bureau's largest cybersquad.

See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics

"You can't investigate conspiracies without the involvement of cyber," says Ryan, who's now managing director and cyber-practice leader at risk management adviser Kroll. "What you want is a good investigative team that brings together a matrix of individuals with a variety of skill sets, including cyber."

Twelve people, including five cartoonists, were reportedly killed - and another five people critically wounded - after gunmen stormed the Paris offices of satirical magazine Charlie Hebdo (Charlie Weekly).

French police have launched a massive manhunt for the suspected gunmen and issued an alert, saying they are seeking two "armed and dangerous" suspects in connection with the attacks: Chérif Koua, 32, and his brother Said Kouachi, 34, who are both French nationals. Police said one of the brothers was identified via his identity card, which they recovered from the attackers' abandoned getaway car, Israeli newspaper Haaretz reports. Molotov cocktails and jihadist flags were also recovered from the car, Agence France-Presse reports.

A third suspect, 18-year-old Hamyd Mourad, who's also a French national, turned himself in to police late on Jan. 7, after seeing - via social media - that he was wanted for questioning, Britain's Independent newspaper reports. It adds that Mourad says he was attending school at 11:30 a.m. local time, when the attacks occurred, and that overnight, police arrested seven more people who are believed to be family members or associates of the suspects.

While no one has yet claimed credit for the attack, one of the assailants yelled out before getting into his car, "Tell the media that it is al Qaeda in Yemen!" a witness to the attack told French daily newspaper 20 Minutes. The Charlie Hebdo magazine, which has long courted controversy, saw its previous headquarters gutted by a firebomb attack in November 2011, following the publication putting a picture of the Prophet Mohammed on its cover. The magazine's editor, Stephane Charbonnier, was also featured in the 10th edition of al Qaeda in the Arabian Peninsula's Inspire magazine, which "contained a hit list of people who had insulted the Prophet Mohammed," says private intelligence firm Strategic Forecasting, better known as Statfor. In a published analysis of the Charlie Hebdo attack, Stratfor adds: "The last tweet on [the magazine's Twitter account] mocked Abu Bakr al-Baghdadi, the leader of the militant Islamic State, which has taken control of large swathes of Iraq and Syria and called for 'lone wolf' attacks on French soil."

Manhunt: Physical, Digital

Sources have told AFP that the two wanted men have been "located" in northern France and police have reportedly sealed off a gas station where the suspects were spotted. Meanwhile, Paris reportedly remained on lockdown Jan. 8, with heavily armed police - and 800 soldiers - manning the "portes" in and out of the city.

As the manhunt continues, applying "cyberskills" to find - and potentially charge - the suspects will remain a crucial part of that investigation, experts say. "Just about every crime these days has a cyber element, as use of the Internet and electronic communications is a part of our everyday life," says Alan Woodward, a visiting computer science professor at the University of Surrey, as well as a cybersecurity adviser to Europol.

"Skills that will be used by cyber-experts in support of law enforcement efforts include forensic imaging and analysis tools and techniques on phones, computers, Internet history, social media account reconstruction, and removable media tied to those involved," cybersecurity expert Chris Pierson tells Information Security Media Group. "Some of these skills are more forensic-based, while others align to querying and investigative skills. Analysts also will use data aggregation and search tools to query relevant data stores for ways individual data is connected to a larger picture or other persons."

Finding Connections

As quickly as possible, investigators will attempt to map the connections between suspects and other potential accomplices or collaborators. "Once investigators have retrieved the e-mail accounts, usernames and device IDs, they will be able to reconstruct the actions and/or locations - based on IP address, geotagging, network identification, and GUID [globally unique identifier] - of those they are interested in," Pierson says. "The identification of others involved or associated with individuals can also be achieved by combining forensic data with other financial data and history to paint a more accurate picture."

If criminals have been using pseudonyms to communicate online, however, it can be difficult to build up that picture. "Often, e-mail accounts related to the crime also are unearthed by good, old-fashioned police work: You interview known associates, examine where they lived, and so on," Europol adviser Woodward says. "Often the best way to find out what a criminal of any sort has been up to is to 'follow the money.' If you're can find bank accounts [and so on] then it may be possible to track down providers of services used by the criminals."

Tracing Suspects' Communications

Identifying suspects' communications and monitoring them is part and parcel of dismantling would-be criminal or terror plots - preferably as early as possible. "You're trying to get an understanding of how different packets are flowing between individuals, what methodology they're using to hide their communications, to encrypt their communications, so that you can subvert that so you are able to monitor or surveil them in much more real time," Kroll's Ryan says.

But the skills required to quickly identify and track such communications are very specialized. "Tracing communications and individuals - that kind of skill set, understanding how Internet communications occur and how communications are obscured or hidden - those skills can be even more important than host-based forensic skills," Ryan says.

Attackers: Trained To Evade Tracking?

Based on how the Paris attack was conducted, many intelligence analysts believe that the attackers had received related training. "From photos and videos of the attack it appears that the gunmen were trained, from the way they handled their weapons, moved and shot," according to Stratfor's analysis. "This raises the possibility that they had received training in using light arms - perhaps at a jihadist camp overseas - or had fought with jihadists overseas."

But it's not clear whether such training would have extended to organizing a clandestine cell, as well as perhaps avoiding use of the Internet and mobile phones to thwart detection of any plot.

"When a crime such as yesterday occurs, the authorities will doubtless do things such as analyze which mobile devices were in the cells that cover the location of the crime, and then correlate that with devices which passed through cells on the route known to have been taken by the criminals fleeing the scene," Woodward says. "However, most terrorists are technically savvy, and I would be surprised if they were carrying any devices."


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network