"The disk forensic market is strong with products from Guidance, Access Data and other sound imaging and searching tools available to our members," says Todd Shipley, HTCIA president. "Following crimes online and trying to document evidence is less understood. The process has yet to be formally defined to develop standards around."
Manual processes took up the bulk of work when Michael McCartney set out to find a spammer selling penny stocks. "In 2006, the Anti-Spam ListServ was tracking a spammer who was talking a lot about proxy bot networks to send out the spam from home computers," says McCartney, who was the senior investigator with the New York State Attorney General's office at the time. "The zombie virus was known at the time as Mitglider 32."
Aided by two members from the Anti-Spam ListServ, McCartney's team set up honeypot decoy computers that looked like new broadband user machines waiting to be taken over. It didn't take long for the machines to become bot-infected and start sending messages to their controllers, all of which resolved to the same ISP block at the same dedicated hosting service provider in Denver.
Working with the ISP in Denver, the investigators were able to track down the suspect, Eddie Davidson, to a remote area in Arapahoe County. "Our suspect got sloppy and we got lucky," says McCartney, now a forensics consultant and president of the Northeast chapter of the HTCIA. "Normally it's much harder to track through all the hoops and ISPs professional criminals usually hide behind."
Once they subpoenaed Davidson's bank records, McCartney's team also tracked down the source of several large deposits. That led into a larger investigation by the U.S. Securities and Exchange Commission (SEC) involving $4.6 million in securities fraud perpetrated by the nephew and uncle team of Darrel and Jack Uselton.
Interestingly, the SEC's investigation also began with the spammer, in this case from an email that landed in the mailbox of James Valentino, an attorney with the SEC. "The email blasts seemed to be associated with the promoters of a stock dump and also the actual trading of stock to make it appear the stock was being maintained at an artificial level," Valentino explains. "That led to our investigation."
Domain registration lookups on the penny stock sellers led to an elaborate scheme in which the Useltons and the companies they controlled would receive shares from penny stock companies for little or no money and then manipulate that stock to sell at a few pennies up.
In May 2008, Eddie Davidson was sentenced to 21 months for falsifying email header information, as well as tax evasion, and was ordered to pay back more than $700,000. Three months later, he walked away from a minimum-security prison in Florence, Colo., and shot to death his wife, 3-year-old daughter and himself while sparing his 8-month-old son.
The Useltons, meanwhile, agreed to pay $4 million in penalties and fines to the SEC and were given 10 years of deferred adjudication for first-degree charges of engaging in organized criminal activity.
Another case involving the use of honeypots and manual tracking over the internet was conducted by researchers at security firm NetWitness - in this case to find the source of Zeus fund transfer bots targeting businesses and municipalities. Using domain registration lookups, the NetWitness investigative team tracked most of the bot controllers to a single registrant named Hilary Kneber (which is why this version of Zeus was called the Kneber bot).
Unfortunately, the team was unable to get domain services to shut down the bot controllers because too many were hosted in shady, international jurisdictions that are uncooperative with U.S. investigations. Instead, NetWitness investigators tracked down and notified more than 400 U.S.-based businesses and government organizations whose login credentials, identities and other sensitive information had been funneled to criminal entities. "Looking up organizations through their domain registrations was limiting," says Alex Cox, principal research analyst at NetWitness. "Getting the right person at the right time is key to control damage, so it would help if organizations kept their domain registration information up to date."