15.1 Preparation and Authorization

start sidebar

It is unreasonable to expect everyone to invest in digital evidence collection systems for their networks. This is the equivalent of expecting all victims of burglary to have an alarm system and surveillance camera in their homes. While victims and incidentally involved parties should not be penalized for lack of preparedness, everyone should be informed of the need to preserve digital evidence after an incident.

end sidebar

In some cases, digital evidence exists on networks that were not directly involved in a crime and the network administrators are cooperative, often helping digital investigators obtain evidence. Some system administrators even capture useful data routinely to detect and resolve performance and security problems, effectively collecting evidence proactively. However, this proactive evidence gathering might not meet the standards for legal action, and digital investigators may need to perform additional steps to preserve this data as evidence. Additionally, there are often more sources of digital evidence on a network than even the system administrators realize. Therefore, to ensure that all relevant data is located, digital investigators must use their general understanding of networks to question system administrators thoroughly and to communicate clearly what types of digital evidence are needed.

CASE EXAMPLE

start example

The alibi of a prime suspect in a homicide case depended on his employer's network. Unfortunately, system administrators who assisted investigators did not know about an administrative console that contained key digital evidence and failed to preserve it promptly. By the time the suspect pointed out the console, it was too late - he was accused of fabricating digital evidence on the console after the fact to support his alibi. If the investigators in this case had not relied on the system administrators' incomplete knowledge of their network, the suspect probably would not be in jail today.

end example

When system administrator cooperation is not forthcoming, digital investigators have to gather intelligence themselves about the target systems before obtaining authorization to seize evidence. For instance, when a Web site is under investigation, it is necessary to determine where the Web servers are located before obtaining authorization to seize the systems. Additionally, it is useful for digital investigators to know what kinds of computers to expect so that they can bring the necessary tools. Digital investigators might also want to copy as much of the material from the Web site as possible prior to the search to demonstrate probable cause or as a precautionary measure.

Collecting digital evidence from a large network requires significant planning, particularly when the administrators are not cooperative. Obtaining information about the target systems prior to the actual search can be a time-consuming process.

CASE EXAMPLE

start example

In the investigation of the Starnet online casino, Canadian law enforcement gathered a significant amount of information about the target systems before executing a search warrant. Based on their findings, investigators determined that they needed additional people to assist with the operation and pulled in dozens of agents from the surrounding region. This research and planning enabled them to seize all of the target systems in a matter of minutes.

end example

The process of gathering information about a network can involve reviewing purchase orders, studying security audit reports, scanning the system remotely, examining e-mail headers, and searching the Web, Usenet, DNS, and other Internet resources for revealing details.

On a practical level, agents may take various approaches to learning about a targeted computer network. In some cases, agents can interview the system administrator of the targeted network (sometimes in an undercover capacity), and obtain all or most of the information the technical specialist needs to plan and execute the search. When this is impossible or dangerous, more piecemeal strategies may prove effective. For example, agents sometimes conduct on-site visits (often undercover) that at least reveal some elements of the hardware involved. A useful source of information for networks connected to the Internet is the Internet itself. It is often possible for members of the public to use network queries to determine the operating system, machines, and general layout of a targeted network connected to the Internet (although it may set off alarms at the target network). (USDOJ 2002)

start sidebar

A network vulnerability assessment is a process of identifying weaknesses that could be exploited by computer intruders. Part of this assessment process involves the same tools and techniques used by computer intruders, as described in Chapter 19. Tools that gather information by remotely probing computers may cause a firewall or intrusion detection system on the target network to generate an alarm. For instance, if a suspect is using a personal firewall such as Norton Internet Security or ZoneAlarm, he/she will receive an alert regarding remote information gathering probes. Additionally, some tools can disrupt systems and should only be used by trained personnel with proper authority. Therefore, before connecting directly to a suspect's system, digital investigators should weigh their need for the information against the risk of alerting the suspect.

end sidebar

This information gathering process is similar to that of network vulnerability assessments, resulting in a list of computers on the network highlighting machines that are likely to contain the most valuable data and summarizing any related information that may be useful for obtaining and analyzing data from the system (Table 15.1).

Table 15.1: Sample chart created in preparation for acquiring digital evidence from a small corporate network.

IP ADDRESS    | HOSTNAME         | FUNCTION              | DIGITAL EVIDENCE                                                        | TYPE/VERSION   | PRIORITY | NOTES
--------------|------------------|-----------------------|-------------------------------------------------------------------------|----------------|----------|------------------------------------------------------
192.168.1.32  | mail.corpX.com   | SMTP/POP/IMAP         | Suspect's e-mail content, logs, backup tapes, syslogs                   | Solaris 8      | 3        | Too large to copy entire disk. Just copy e-mail logs
192.168.1.33  | dc1.corpX.com    | Domain controller     | NT Event, IAS, and IIS logs                                             | Windows 2000   | 3        |
192.168.1.34  | www.corpX.com    | WWW, shell            | Web and shell access logs, syslogs, config files                        | Redhat Linux 8 | 3        | Web access logs in /data/logs
192.168.1.42  | ids.corpX.com    | Snort IDS             | Snort logs and configuration files, syslogs and system config files/details | FreeBSD 5  | 2        | Logs backed up daily to compact disk
192.168.1.45  | flow.corpX.com   | NetFlow collector     | NetFlow logs in raw and text format                                     | Solaris 8      | 2        | Also stored in Oracle database to facilitate searching
192.168.52.23 | srv1.corpX.com   | File server           | Bitstream copy of disk                                                  | Windows NT 4   | 1        |
192.168.98.34 | wks34.corpX.com  | Suspect's workstation | Bitstream copy of disk                                                  | Windows NT 4   | 1        |
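The chapter recommends customized scripts and checklists so that separate collection teams work consistently. The following added example (not from the book) turns a Table 15.1-style inventory, re-typed here as CSV, into a priority-ordered collection plan with a uniform per-host checklist; the planning rules (priority 1 first, whole-disk copy only where the chart asks for it and no note rules it out) are this example's own assumptions.

```python
# Added example (not from the book): script a collection plan from a
# Table 15.1-style inventory. Rows are the chart's sample values re-typed
# as CSV; the planning rules below are this example's assumptions.
import csv
import io
from dataclasses import dataclass

INVENTORY_CSV = """ip,hostname,function,evidence,os,priority,notes
192.168.1.32,mail.corpX.com,SMTP/POP/IMAP,"Suspect's e-mail content, logs, backup tapes, syslogs",Solaris 8,3,Too large to copy entire disk. Just copy e-mail logs
192.168.1.33,dc1.corpX.com,Domain controller,"NT Event, IAS, and IIS logs",Windows 2000,3,
192.168.1.34,www.corpX.com,WWW/shell,"Web and shell access logs, syslogs, config files",Redhat Linux 8,3,Web access logs in /data/logs
192.168.1.42,ids.corpX.com,Snort IDS,"Snort logs and configuration files, syslogs",FreeBSD 5,2,Logs backed up daily to compact disk
192.168.1.45,flow.corpX.com,NetFlow collector,NetFlow logs in raw and text format,Solaris 8,2,Also stored in Oracle database
192.168.52.23,srv1.corpX.com,File server,Bitstream copy of disk,Windows NT 4,1,
192.168.98.34,wks34.corpX.com,Suspect's workstation,Bitstream copy of disk,Windows NT 4,1,
"""

@dataclass
class Task:
    hostname: str
    priority: int
    method: str   # "bitstream" (whole disk) or "targeted" (named files/logs)
    items: list   # evidence to collect, as listed in the chart
    notes: str

def acquisition_method(evidence: str, notes: str) -> str:
    """Whole-disk copy only when the chart asks for it and no note rules it out."""
    if "bitstream" in evidence.lower() and "too large" not in notes.lower():
        return "bitstream"
    return "targeted"

def build_plan(csv_text: str) -> list:
    """Parse the inventory; return tasks ordered with priority 1 first."""
    tasks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        method = acquisition_method(row["evidence"], row["notes"])
        items = [i.strip() for i in row["evidence"].split(",")]
        tasks.append(Task(row["hostname"], int(row["priority"]), method, items, row["notes"]))
    return sorted(tasks, key=lambda t: (t.priority, t.hostname))

def checklist(task: Task) -> list:
    """Identical step list for every host so separate teams collect the same way."""
    steps = [f"{task.hostname}: record system state and time before collection"]
    if task.method == "bitstream":
        steps.append(f"{task.hostname}: bitstream copy of disk")
    else:
        steps += [f"{task.hostname}: copy {item}" for item in task.items]
    if task.notes:
        steps.append(f"{task.hostname}: note - {task.notes}")
    return steps

if __name__ == "__main__":
    for task in build_plan(INVENTORY_CSV):
        print("\n".join(checklist(task)))
```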

Before conducting an online investigation, corporate security professionals and law enforcement officers alike should obtain permission to proceed. Even the process of scanning the target system to gather information may create a liability if the target system views this as a malicious attack, particularly if it disrupts their systems. Privacy laws relating to data stored on and transmitted using computers are complex and must be carefully considered to avoid spoiling a case. For instance, a university may not be authorized to probe student or faculty computers for information unless there is a policy that allows such actions under certain circumstances. Law enforcement officers who decide to investigate online child pornography without proper authorization have been accused of illegal activity themselves. Security professionals can only intercept network traffic and review log files without explicit authorization under specific circumstances detailed in privacy legislation. Security professionals can minimize the risk of being criticized for violating a system owner's rights by obtaining written instructions from their attorneys and management. Law enforcement officers can take similar measures to protect themselves legally and professionally.

Once likely sources of digital evidence have been identified, it is often necessary to deploy several groups to preserve everything in a timely manner. Without a clear procedure, there is a likelihood that each group will collect evidence differently. Therefore, it is advisable to rehearse likely scenarios and develop a detailed plan with associated checklists, logic diagrams, and customized programs or scripts to maintain consistency, and even to use two-way radios to maintain communication during the collection process.

As noted in Chapter 3, the difficulty in obtaining authorization to search e-mail, network communications, and other data on networks varies depending on the situation, the country, the type of data, and who is collecting it. In the United States, getting authorization to search recent or unread e-mail is more difficult than old e-mail because of the higher degree of invasiveness. Monitoring network traffic is even more invasive, requiring very strong justification before a court will permit it. In fact, law enforcement may have to demonstrate that they have exhausted all other possibilities before a search warrant will be granted. However, system administrators are permitted to monitor traffic on their network when this is necessary to protect the network and data it contains.

When seeking authorization to search a network and digital evidence that may exist in more than one jurisdiction, it is advisable to obtain a search warrant for each location whenever possible.

When agents can learn prior to the search that some or all of the data described by the warrant is stored remotely from where the agents will execute the search, the best course of action depends upon where the remotely stored data is located. When the data is stored remotely in two or more different places within the United States and its territories, agents should obtain additional warrants for each location where the data resides to ensure compliance with a strict reading of Rule 41(a). (USDOJ 2002)

Also, using passwords obtained during investigation to access remote sources of digital evidence usually requires additional authorization. This issue becomes more complex when dealing with different countries. In 2002, legal action was brought against an investigator for gaining remote, unauthorized access to a suspect's computer and collecting evidence over the Internet.

CASE EXAMPLE (SEATTLE 2000):

start example

The FBI successfully prosecuted two Russian computer intruders, Aleksey Ivanov and Gorshkov, for breaking into a number of e-commerce sites in the United States. The FBI lured Ivanov and Gorshkov to the United States for a fictitious job interview and used WinWhatWhere to capture passwords to the suspects' systems in Russia. Investigators used the passwords to collect incriminating evidence remotely from the suspects' computers. As a result of this action, the Russian government initiated criminal proceedings against one FBI agent for unauthorized access to computers in Russia.

end example

When drawing up an affidavit for a warrant, it is important to specifically mention all desired digital evidence. Without specificity, a search warrant may miss important evidence or might just as easily be overly broad if it authorizes the search and seizure of evidence that is not supported by probable cause. It often helps to speak with the operators of the system involved to determine what types of systems and information they have. If this is not possible, it is generally acceptable to request a range of information provided limiting language is used to specify the crime, the suspects, and relevant time period. It is also recommended to include explicit examples of the records to be seized and indicate that the records may be seized in any form, including digital and paper. An example of such a request is provided here:

All records associated with the subscriber and account, including screen name(s) and/or account name(s), phone number(s), address(es), credit card numbers used to establish the account, connection records, to include logon dates and times, IP address assigned for each session, origination information for each call, phone number used for access to the system, newsgroups logs, e-mail logs, quantity of local storage provided and percentage utilized (non content information), credit, and billing information for any and all accounts held in the name of John Doe and the address(s) 192.168.12.14, 192.168.12.16, and <john.doe@home.com>, for the period of (insert date and time covered as nearly as possible and limited to the period of suspected criminal activity). Furthermore, company policy and activities pertaining to the frequency of backup operations and retention periods of information requested herein. The term "records" includes all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored.

There are two nuances in this example that deserve emphasis. First, e-mail content is not requested, thus avoiding the privacy issues related to stored personal communications and making it easier to obtain a search warrant. Investigators may be able to obtain a significant amount of information quickly and with relative ease by making this clear distinction between subscriber information and the contents of the individual's account. Some organizations, such as eBay, can even provide law enforcement with certain information about their users (e.g. name, address) without a court order because their user agreement permits such disclosure. Second, note that log files and "origination information for each call" are included in this sample request. The "origination information for each call" generally refers to the fact that some ISPs have Automatic Number Identification (ANI) on their dial-up modem banks, thus enabling digital investigators to trace a connection back to a very specific location (e.g. house, apartment, room).

In large fraud cases in which a network was used to store relevant documents, it might be argued that only the documents were relevant and that investigators should not have been authorized to search log files or other sources of evidence on the network. This argument does not take into account the need for multiple independent sources of digital evidence to corroborate important events and to establish the continuity of the offense. Investigators can expect to have their work challenged in court, but can expect reasonable results provided they follow the rules. In one case, the defendant argued that investigators should have been present when a major Internet Service Provider collected digital evidence in response to a search warrant.

CASE EXAMPLE (BACH v. MINNESOTA 2002):

start example

Accused of possessing child pornography, Bach argued that his Fourth Amendment rights were violated because a law enforcement officer was not present when his Internet Service Provider (Yahoo!) collected information relating to his account on their system. Initially, the district court agreed that the warrant was executed outside the presence of a police officer when Yahoo! employees seized e-mail from Yahoo!'s servers in violation of 18 U.S.C. 3105 and sections 626.13 and 626A.06 of the Minnesota Statutes, and thus the Fourth Amendment.

Sergeant Schaub investigated this incident and discovered that "dlbch15" was Bach and that he had been convicted of criminal sexual conduct in 1996. Eventually, Schaub obtained a state search warrant to retrieve from Yahoo! e-mails between the defendant and possible victims of criminal sexual conduct, as well as the Internet Protocol addresses connected to his account. Both the warrant itself and Schaub's affidavit indicated that the warrant could be faxed to Yahoo! in compliance with section 1524.2 of the California Penal Code. Schaub faxed the signed warrant to Yahoo!. Yahoo! technicians retrieved all of the information from Bach's account at <dlbch15@yahoo.com> and AM's Yahoo! e-mail account. According to Yahoo!, when executing warrants, technicians do not selectively choose or review the contents of the named account. The information retrieved from Bach's and AM's accounts was either loaded onto a Zip disk or printed and sent to Schaub. E-mails recovered from Bach's account detail him exchanging pictures with other boys and meeting with them. One e-mail contained a picture of a naked boy. The information retrieved from Yahoo! also included Bach's address, date of birth, telephone number, and other screen names.

Investigators then obtained a search warrant for Bach's house, where they seized a computer, disks, a digital camera, and evidence of child pornography. Based on this information, and the information obtained from Yahoo!, Bach was indicted for possession, transmission, receipt, and manufacturing of child pornography in violation of 18 U.S.C. 2252A(a)(1) and (2), 2252A(a)(5), 2252A(b)(2), 2252(a)(4), 2252(a)(1) and (2), 2252(b)(2), 2251(a) and (d), and 2253(a). Bach moved to suppress the evidence seized from the execution of both warrants. The district court suppressed the information obtained from the warrant executed by Yahoo! (but not the information obtained from the subsequent search of his home) because an officer was not present during Yahoo!'s execution of the first warrant, in violation of 18 U.S.C. 3105 and sections 626.13 and 626A.06 of the Minnesota Statutes, both of which, according to the district court, codify the Fourth Amendment.

Prosecutors appealed this ruling and the court found that Yahoo!'s execution of the search warrant did not violate Bach's Fourth Amendment rights.

end example

Another defendant unsuccessfully appealed on the grounds that information he provided to AOL was private and should not have been made available to investigators (Cox v. Ohio).

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279