Computer Crime Investigation
submitted by: cdmorgan
Copied from "Dedicated Computer Crime Units"
(A National Institute of Justice Publication!)
Bulletin Board Stings
---------------------
While most bulletin boards have been established for legitimate purposes, there
are also "pirate" or "elite" boards that contain illegal information or have
been established for an illegal activity. Security on these boards is tightly
controlled by the owners. Users usually have to contact the owner directly to
obtain a password for access to the different levels of the system. A degree of
trust must therefore be established before the owner will allow access to the
board, and the owners thereby gain control over who can use the system.
These boards have a variety of information on them including the following:
* Stolen credit card account numbers
* Long distance telephone service codes
* Telephone numbers to main frame computers, including passwords
* Procedures for making illegal drugs and explosives
* Hacking programs
* Tips on how to break into computer systems
* Schematics for electronic boxes (e.g. Blue Box)
These boards are obviously a threat to communities, and their existence has
gained the attention of police departments.
Sting Operations with Bulletin Boards
Members of the Maricopa County, Arizona, Sheriff's Department were the first in
the country to establish such a board. Their board resulted in over 50 arrests,
with the usual charge being telecommunications fraud. In September 1985, the
Fremont Police Department established a bulletin board for the primary purpose
of gathering intelligence on hackers and phreakers in the area. The operation
was partially funded by VISA, Inc., with additional support from Wells Fargo
Bank, Western Union, Sprint, MCI, and ITT.
After establishing their bulletin board, they advertised it on other boards as
the newest "phreak board" in the area. Within the first four days over 300
calls were received on the board. During the next three months, the board
logged over 2,500 calls from 130 regular users. Through the bulletin board,
they persuaded these groups that they had stolen or hacked long-distance
telephone service codes and credit card account numbers (in fact supplied by
the aforementioned companies). They were readily accepted and were allowed
access to other pirate boards in the area.
The board was operated for a total of three months. During that period, over
300 stolen credit card account numbers and long distance telephone service
codes were recovered. Passwords to many government, educational, and corporate
computers were also discovered on other boards.
The operation resulted in the apprehension of eight teenagers in the area who
were charged with trafficking in stolen credit card accounts, trafficking in
stolen long distance telephone service codes, and possession of stolen
property. Within the next week, seven more teenagers in California and other
states were arrested based on information from this operation.
It was estimated that this group had been illegally accessing between ten and
fifteen businesses and institutions in California. They were regularly
bypassing the security of these systems with stolen phone numbers and access
codes. One victim company estimated that it intended to spend $10,000 to
improve its security and data integrity procedures. Other victimized
businesses were proceeding along the same lines.
Conclusions
There are several reasons for conducting Sting operations of this type. One of
the most important is that it provides a proactive method of identifying
hackers and phreakers in the area. These groups are particularly hard to find
since they operate in closed circles with personal networks developed from
friendships.
Another byproduct of these operations is the publicity surrounding the cases.
Sting operations result in a considerable amount of attention from the media.
The publicity has the effect of closing down other pirate boards in the area.
One of the greatest fears of these offenders is that their systems will be
taken, and in the Fremont operation over $12,000 of computer equipment was
seized. The publicity associated with these seizures seems to be the primary
reason for others to stop their pirate boards.
These operations also lead to other types of offenses. In Fremont, for
example, drug and alcohol cases were developed as a result of the Sting
operation. This has been typical of these operations.
The Sting operations with bulletin boards have been criticized because
teenagers, rather than hardened criminals, are arrested. Many hackers believe
that they have a right to the data in other systems and that their activities
are not illegal since the companies can afford the losses. On the other hand,
as one investigator observed, the hackers of today may be the sophisticated
computer criminals of tomorrow. It is therefore important to set a lesson
early in their careers steering them away from these offenses.
Public Sector Computer Crime Associations
-----------------------------------------
Federal Computer Investigations Committee (FCIC)
c/o U.S. Secret Service Fraud Division, Room 942
1800 G Street, N.W. Washington, D.C. 20223
Phone: (202) 535-5850
Steve Purdy
This committee is comprised of representatives from federal military
and civilian law enforcement. This organization meets three times a year
for the purpose of enhancing techniques to investigate computer related
crimes. The committee strives to develop universal guidelines for these
types of investigations. Membership is diverse (U.S. Secret Service,
IRS, FBI, Department of Defense, CID, AFOSI, NIS, Department of Labor, and
others).
High Tech Crime Investigator's Association (HTCIA)
c/o L.A. County Sheriff's Department (Forgery/Fraud Detail)
11515 South Colima Road, Rm. M104
Whittier, California 90604
Phone: (213) 946-7212
Jim Black- President
Members include federal, state and local law enforcement personnel as
well as security managers from private industry. The association brings
together private industry and law enforcement officials in order to
educate each other about computer related crimes.
Colorado Association of Computer Crime Investigators
c/o Larry Scheideman
Lakewood Police Dept.
Lakewood, Colorado 80226-3105
Phone: (303) 987-7370
Founded: 1986. A professional organization including federal, state, and
local law enforcement personnel and those persons from the private
sector concerned with computer crime. The association assists law
enforcement agencies with resource allocation and
intelligence/investigation of computer related crimes. The association
also provides training on an individual basis.
Law Enforcement Electronic Technology Assistance Committee (LEETAC)
Office of the State Attorney
700 South Park Avenue
Titusville, Florida 32781
Phone: (407) 269-8112
Jim Graham
The organization is comprised of 10 prosecutors from the State's
Attorney's office, 13 officers representing each municipality in the
county, 2 representatives from the sheriff's department, and Nassau.
They provide technical expertise to law enforcement regarding computer
crimes.
International Association of Credit Card Investigators (IACCI)
1620 Grant Avenue
Novato, California 94945
Phone: (415) 897-8800
D.D. Drummond Executive Director
Founded: 1968. Members: 2,700. Special agents, investigators, and
investigation supervisors who investigate criminal violations of credit
card laws and prosecute offenders; law enforcement officers, prosecutors
or related officials who investigate, apprehend and prosecute credit
card offenders. The association's objective is to aid in the
establishment of effective credit card security programs; to suppress
fraudulent use of credit cards; and to detect and proceed with the
apprehension of credit card thieves.
Economic Crime Investigators Association (ECIA)
Glendale Police Dept.
7119 N. 57 Drive
Glendale, Arizona 85301
Phone: (602) 931-5511
Wayne Cerow
Members include law enforcement and regulatory personnel. The
association focuses on economic crime, including computer related
crimes. The association holds a yearly training seminar in order to
exchange information, ideas and data on new technological advances.
Institute of Internal Auditors (IIA)
249 Maitland Avenue
Altamonte Springs, Florida 32701
Phone (407) 830-7600
Founded: 1941. Members: 30,000. Staff: 74. Local groups: 183. Professional
organization of internal auditors, comptrollers, accountants, educators
and computer specialists. Individual members have assisted both
state/local police with investigations involving computer crime.
Computer Law Association, Inc.
8303 Arlington Boulevard, Suite 210
Fairfax, Virginia 22031
Phone: (703) 560-7747
Founded: 1973. Members: 1,200. Lawyers, law students, and others
interested in legal problems related to computer communications
technology. The association sponsors continuing legal education on
computer law. CLA also publishes a reference manual which lists
organizations involved with computer law.
Communications Fraud Control Association (CFCA)
P.O. Box 23891
Washington, D.C. 20026
Phone: (703) 848-9760
Rami Abuhamdeh (executive director)
A security organization involved in investigations of telecommunications
fraud. Membership includes (a) individual and corporate, (b) associate
individual, and (c) vendor.
National Center for Computer Crime Data (NCCD)
2700 North Cahuenga Boulevard
Los Angeles, California 90068
Phone: (213) 874-8233
Jay BloomBecker (director)
Founded: 1978. The center disseminates data and documents in order to
facilitate the prevention, investigation and prosecution of computer
crime. The center sponsors speakers and seminars. The center is also
involved in conducting research and compiling statistics.
MIS Training Institute
Information Security Program
498 Concord Street
Framingham, Massachusetts 01701
Phone: (508) 879-7999
Information security seminars for information security professionals,
EDP auditors, and data processing management. The institute provides
both training and consulting services, and has assisted local police in
investigations of computer-related crimes.
Computer Virus Industry Association
4423 Cheeney Street
Santa Clara, California 95054
Phone: (408) 988-3832
John McAfee (Executive director)
Founded: 1987. Objective is to help identify, and cure computer viruses.
The association has worked with state and local law enforcement agencies
in the investigation and detection of computer related crimes.
Information Systems Security Association (ISSA)
P.O. Box 71926
Los Angeles, California 90071
Phone: (714) 863-5583
Carl B. Jackson
Founded: 1982. Members: 300. Computer security practitioners whose
primary responsibility is to ensure protection of information assets on
a hands-on basis. Members include banking, retail, insurance, aerospace,
and publishing industries. The association's objective is to increase
knowledge about information security. ISSA sponsors educational
programs, research, discussion, and dissemination of information. The
association has regional and state chapters.
SRI International
Information Security Program
333 Ravenswood Avenue
Menlo Park, California 94025
Phone: (415) 859-2378
Donn B. Parker
Founded: 1947. A staff of senior consultants and computer scientists
perform research on computer crime and security and provide consulting
to private and government clients worldwide. A case file of over 2,500
computer abuses since 1958 has been collected and analyzed. It is
available for use by criminal justice agencies and students FREE of
charge. The RISKS Forum, an electronic digest operated at SRI and
sponsored by the Association for Computing Machinery, collects and
disseminates information about risks in using computers.
List of addresses for more Computer Crime information
-----------------------------------------------------
Mr. Anthony Adamski, Jr.
Federal Bureau of Investigation
Financial Crimes Division
Room 3841
10th Street and Pennsylvania Avenue,N.W.
Washington, D.C. 20535
(202) 324-5594
Mr. James R. Caruso
AT&T Corporate Security
Room 4B03
20 Independence Boulevard
Warren, NJ 07060
(201) 580-8304
Mr. J. Thomas McEwen
Institute for Law and Justice, Inc.
1018 Duke Street
Alexandria, VA 22314
(703) 684-5300
Mr. Ken McLeod
504 Edison Avenue
Buckeye, AZ 85326
(602) 935-7220
Sergeant William F. Nibouar
Technical Crimes Investigation
Maricopa County Sheriff's Office
102 West Madison
Phoenix, AZ 85003
(602) 256-1000
Mr. Donn B. Parker
SRI International
333 Ravenswood Avenue
Menlo Park, CA 94025
(415) 859-2378
Mr. James Fitzpatrick
Assistant District Attorney
Philadelphia District Attorney's Office
Economic Crimes Section
1421 Arch Street
Philadelphia, PA 19102
(215) 686-8735
Detective Calvin Lane
Computer Crime Unit
Baltimore County Police Department
400 Kenilworth Avenue
Towson, MD 21204
(301) 887-2225
Detective Larry L. Scheideman
Intelligence Division
Lakewood Police Department
445 South Allison Parkway
Lakewood, CO 80026-3105
(303) 987-7370
BBS (303) 987-7388, 1200 baud, no parity, 1 stop bit
Mr Jonathan Budd, Project Monitor
National Institute of Justice
633 Indiana Avenue, N.W., Room 801
Washington, D.C. 20531
(202) 272-6040
Special Agent Stephen R. Purdy
United States Secret Service
Fraud Division
1800 G Street, N.W.
Washington, D.C. 20223
(202) 535-5850
These people were major contributors to this publication.
Advance Preparations and the Actual Search
------------------------------------------
I. Investigative Techniques
A. Record Checks:
1. Attempt to learn as much information about the
personal computer owner as possible, such as:
a. Number of occupants in the private residence
and their relationships.
b. Employment and educational background to determine
which resident is likely to be a computer user.
2. Review telephone records:
a. Often computer sites have multiple lines (e.g.,
one for the bulletin board operation, one for
outbound data traffic, and one for voice).
b. Long-distance dialing company records are valuable
for determining long-distance access code abuse.
B. Informants:
1. Use the informant to acquire evidence before a search
warrant is prepared.
2. Use the informant to better understand the computer habits,
skills, and knowledge of the suspect; identify:
a. Time of operation of target computer.
b. Nature and frequency of illegal activity.
c. Type of computer system used by the suspect.
d. Identity of criminal associates or conspirators.
e. Occupations and employers of suspects and other
people on the premises.
C. Surveillance of computer facilities
D. Pen register or dialed-number recorder (DNR):
1. If telephone access codes are being abused, use pen
registers or DNRs to gather documentation. Frequently,
a prosecutable case is made through the application of
this technique alone.
2. Use this technique to obtain additional criminal
intelligence on additional suspects, target computer
systems, and the extent of computer use.
E. Undercover computer communications with targeted system
and suspects:
1. Consider setting up an electronic bulletin board operation
or attractive host computer that the suspect can access or
attack. However, this method is costly and requires a
substantial commitment of personnel to monitor the
operation.
2. If the suspect maintains his own electronic bulletin board,
consider the feasibility of using a computer to gain
access to his system within the provisions of the
Electronic Communications Privacy Act of 1986 (PL 99-508).
Frequently,suspects allow others to access their systems,
which may contain unauthorized credit card information,
hacking data, and access code files. Consider consensual
use of an informant's access to the suspect's computer
system.
F. Monitoring of computer transmissions
G. False computer data base entries as an investigative tool:
1. Credit bureaus and credit card issuers frequently allow
false information to be "planted" in their data bases for
law enforcement use.
2. If the suspect uses this information, the investigator
can collect evidence through computer audit trails.
II. Supplies Needed to Execute a Search of a Personal Computer Site
A. Diskettes or portable data storage units:
1. Be prepared to copy files for temporary storage onto
5-1/4", 3-1/2", or 8" diskettes. Up to 100 diskettes
may be needed for large storage devices of 50 megabytes
or more. Diskettes should be preformatted in advance so
that the suspect's computer is never used to format them,
which avoids contaminating the evidence.
2. Have a sufficient supply of tape cartridges. Some
computer systems include cartridge-tape decks used
for mass storage backup of hard disk information
or individual program storage.
3. Have plenty of evidence tape, adhesive labels, or some
other means of write protecting the disks.
4. Have a set of utility computer programs for target
computers to retrieve data files.
B. Adhesive colored labels for use in identifying and
cataloging evidence (usually supplied with new diskettes):
1. Place labels on diskette copies specifying the access
commands, the operating system in which the disk is
formatted, perhaps the program application used to create
the data, and the case or file number of the investigation.
2. These labels are distinctly different from evidence labels.
1. If the suspect is cooperative and identifies diskettes
containing incriminating information, write protect them,
then review them on site, and print one or two of the
incriminating files. At this point, print only enough
to establish the basis for the violation. If several
diskettes are to be examined, label them appropriately.
2. If the suspect is not cooperative, attempt to identify
diskettes that may contain incriminating information by
examining the suspect's diskette labels. If the
questionable diskettes are located, write protect them
and print the directory of each diskette, and the contents
of a questionable file. Again, if a number of diskettes
are to be examined, label them.
3. Show the printout to the suspect, after he has been
properly advised of his rights, for possible use in
obtaining a confession.
4. If no further review of the diskettes is necessary on site,
assemble and secure computer programs and documentation
(much of it may be pirated) for inventory and transport to
a storage site.
D. Label the cables connecting various devices to aid in the
reassembly of the system at a later time.
E. Photograph the labeled equipment and cables.
F. Disassemble, tag, and inventory the equipment.
G. Carefully pack seized devices in suitable containers for
transport.
VI Reassembling System at a Remote Location
A. Write-protect all diskettes prior to review, which preserves
the integrity of the evidence examination process and
prevents erasing or accidental damage to information on the
seized diskettes during the review process.
B. Review all seized diskettes.
1. Create a diskette log containing the following headings:
"Diskette Number,""Contents," and "Disposition."
2. Using colored adhesive labels, label each diskette with
a letter of the alphabet, followed by a numeral
sequentially assigned to each diskette reviewed
(e.g., A-1, A-2, A-3). The letter could correspond
to the room where the diskette was located, or it
may correspond to one of many suspects in a case,
for example.
3. Review each diskette and enter its assigned number on the
diskette log.
4. Under the "Contents" column of the log, briefly describe
the diskette contents (e.g., games, credit card
information, access code files).
5. Print a directory of the diskette and label the printout
with an adhesive label bearing the same alphanumeric
designation as the diskette.
6. Determine from the directory which files listed are to be
reviewed.
7. Review questionable files for incriminating information
or copyright violations.
8. If incriminating information is located, print the file
contents and label the printout with an adhesive label
bearing the same alphanumeric designation as the diskette
and the directory printout.
9. Copy the incriminating files onto a formatted blank
diskette established by the reviewing person specifically
for that purpose. Label it appropriately as a copy for
backup purposes.
10. Enter in the "Disposition" column of the diskette log the
action taken with respect to the diskette (e.g., directory
printed, files printed, incriminating information obtained,
file copied).
11. Do not be in a hurry. Although extremely time consuming
and tedious, this process is essential for preserving
evidence and locating it easily during a court case.
C. Review printouts seized on site and those printed from review
of computerized information to determine the appropriate
investigative follow-up
D. Store original diskettes in a safe location, free from
magnetic fields, excessive humidity, or severe temperatures.
E. If the suspect has placed the information on the diskette
using some type of commercial program package
(e.g., dBASE III, Lotus), copy the target or incriminating
file onto a separate diskette. Then, and only then, should any
attempt be made to manipulate the information in the file into
a readable or usable format. Even then, the copy of the file
should be used and not the original data.
F. Some of the suspect's critical files may be encrypted, which
would be shown as strings of meaningless characters. If so,
attempt to locate the encryption program or security plug-in
circuit board and its manuals. Attempting to break the
code without the key will be fruitless unless the cryptographic
algorithm is extremely simple. If the best-known algorithm,
DES (Data Encryption Standard), was used and a piece of clear
text together with its matching encrypted text under the secret
key is available, a competent cryptanalyst could recover the
56-bit key by exhaustive search. At the time of writing this was
estimated at several hours on a Cray 2 (then the fastest computer
available), and at great expense.
G. File subdirectories and files may be stored in a "hidden"
status or "erased" but still present on the disk. Use
commercial utility programs that can search for and obtain
files of this nature.
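The directory printout of step B.5 and the hidden/erased files of step G come from the same on-disk structure: the 32-byte entries of a DOS (FAT) directory. DIR skips entries with the hidden attribute and entries whose first name byte has been overwritten with 0xE5 on erase, but the rest of the entry, including the starting cluster and file size, stays on the diskette. The following is an added example for this page, not code from the NIJ publication; it parses the standard FAT directory entry layout, and the root-directory bytes it reads are constructed inline with hypothetical file names.

```python
"""Listing a seized diskette's directory, including hidden and erased entries.

Added example for this page, not code from the NIJ publication. It parses the
standard 32-byte DOS/FAT directory entry layout; the root-directory bytes it
reads are constructed below with hypothetical file names."""
from __future__ import annotations

import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
ATTR_HIDDEN, ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x02, 0x08, 0x10, 0x20
ATTR_LONG_NAME = 0x0F   # VFAT long-name slot, carries no file data of its own
DELETED_MARK = 0xE5     # DOS overwrites only this first name byte on erase
END_MARK = 0x00         # no entries follow this slot


@dataclass
class DirEntry:
    name: str           # 8.3 name; first character lost ("?") if erased
    attr: int
    first_cluster: int  # still valid after erase, so the data can be copied out
    size: int
    deleted: bool

    @property
    def hidden(self) -> bool:
        return bool(self.attr & ATTR_HIDDEN)


def make_entry(name, ext, attr, cluster, size, deleted=False) -> bytes:
    """Build one 32-byte entry; used only to construct the sample below."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    # attr, 10 reserved/timestamp bytes, write time, write date, cluster, size
    return raw + struct.pack("<B10sHHHI", attr, b"\0" * 10, 0, 0, cluster, size)


def parse_directory(region: bytes) -> list[DirEntry]:
    """Walk the slots until the end marker, keeping the hidden and erased
    entries that a plain DIR would not show."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == END_MARK:
            break
        attr = raw[11]
        if attr == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED_MARK
        base = raw[1:8] if deleted else raw[0:8]
        name = ("?" if deleted else "") + base.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        if ext:
            name = f"{name}.{ext}"
        cluster, size = struct.unpack_from("<HI", raw, 26)
        entries.append(DirEntry(name, attr, cluster, size, deleted))
    return entries


def directory_printout(diskette_label: str, entries: list[DirEntry]) -> list[str]:
    """Lines for the directory printout, headed by the diskette's
    alphanumeric designation from the diskette log."""
    lines = [f"Diskette {diskette_label}"]
    for e in entries:
        if e.attr & ATTR_VOLUME_ID:
            lines.append(f"  Volume label: {e.name}")
            continue
        kind = "<DIR>" if e.attr & ATTR_DIRECTORY else f"{e.size:>8}"
        flags = ",".join(f for f, on in (("HIDDEN", e.hidden), ("ERASED", e.deleted)) if on)
        lines.append(f"  {e.name:<12} {kind} cluster={e.first_cluster} {flags}".rstrip())
    return lines


def flag_for_review(entries: list[DirEntry]) -> list[tuple[str, str]]:
    """Entries DIR would miss: hidden files and erased-but-present files."""
    flagged = []
    for e in entries:
        if e.attr & ATTR_VOLUME_ID:
            continue
        if e.deleted:
            flagged.append((e.name, "erased; first cluster and size intact"))
        elif e.hidden:
            flagged.append((e.name, "hidden attribute set"))
    return flagged


# Constructed sample root directory (hypothetical names), not a real seizure.
SAMPLE_ROOT_DIR = b"".join([
    make_entry("PIRATE", "", ATTR_VOLUME_ID, 0, 0),
    make_entry("GAMES", "", ATTR_DIRECTORY, 2, 0),
    make_entry("README", "TXT", ATTR_ARCHIVE, 5, 1024),
    make_entry("CARDS", "DAT", ATTR_HIDDEN | ATTR_ARCHIVE, 9, 4096),
    make_entry("CODES", "TXT", ATTR_ARCHIVE, 12, 512, deleted=True),
    b"\0" * ENTRY_SIZE,
])

if __name__ == "__main__":
    found = parse_directory(SAMPLE_ROOT_DIR)
    print("\n".join(directory_printout("A-1", found)))
    for name, reason in flag_for_review(found):
        print(f"review: {name}: {reason}")
```

Run it against the sample and the erased CODES.TXT shows up as "?ODES.TXT" with its starting cluster and 512-byte size intact, which is what makes the data recoverable. Two caveats from the format itself: erasing a file also clears its cluster chain in the FAT, so only a file whose clusters were contiguous can be copied out reliably from the first cluster and size; and, as step A requires, the diskette must be write-protected before any such read, since a single write can reuse the erased entry's slot or clusters.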
Back to the master Table of Contents.