GettyImages_84080791.jpgIn September 2011, Gauss, a new malware described by the tech-press “as a cyber-espionage tool kit” emerged from the Middle East.  Gauss steals highly sensitive data, including browser passwords, online bank accounts as well as cookies and system configurations.  Gauss closely resembles the malware Flame and Stuxnet, which according to Kaspersky Labs, were created in state-sponsored factories.  Consequently, analysts believe that it too might be state-sponsored.  Since its debut, Gauss appears to have infected 2,500 machines worldwide.  However, the total number of victims may actually be much higher, in the realm of tens of thousands. 

And that number could just keep growing.  Shortly after Gauss was discovered in June 2012, its command and control infrastructure was disabled.  This may sound like a victory, but it is actually far from the truth.  As tech journalist Larry Dignan explains on, the Gauss “malware is dormant waiting for servers to become active.” In other words, it may continue to wreck havoc.

Admittedly, this sort of thing—state-sponsored hackers breaking into bank accounts— could keep one up at night.  What is interesting from an investigative point of view, however, is the way that computer scientists have figured out how to root out the Gauss malware before it causes harm.  Apparently, computer scientists have determined that the font Palida Narrow is used during a Gauss cyber attack.  Therefore, programs designed to detect Gauss check for that particular font to help determine whether the malware is in fact present and needs to be rooted out

To be clear, the font does not cause the theft to occur.  Instead, its presence merely correlates with the malware that does.  It is an indirect and yet highly elegant and quick way to detect whether a problem may exist.

As investigators, we can’t always get exactly to the evidence we want to prove.  Sometimes it merely doesn’t exist.  Often, ethical and legal constraints keep us from being able to obtain the facts we definitively need to prove what we are investigating. 

It’s easy to get lost searching for the unsearchable, pining for that one nugget that will help everything fall into place.  But investigators don’t have that luxury. 

So, we sometimes have to do what the computer scientists have done by pinpointing a font as a sign of trouble: We have to take a step back and look for clues elsewhere.  This may mean getting off one path and onto another. For instance, we may not have direct evidence of wrongdoing, but we can scour the evidence in order to detect patterns that suggest wrongdoing.  Alternatively, we can review the facts to see if we can find any that correlate with what it is we’ve been asked to help prove or disprove.

This is not about making assumptions—we never say that because x exists, therefore y.  Instead, it is about being able to look for solutions that advance our clients’ knowledge, even if they fall short of the ideal solution.