An endless number of computer crime cases are available for you to read. Most of the ones in the following sections come from the Department of Justice website, which is at http://www.cybercrime.gov. In these cases, we'll look at several types of computer crime and how computer forensic techniques were used to capture the criminal. The five cases presented here illustrate some of the techniques that you will become familiar with as you advance through this book. As a forensic investigator, you never know what you may come across when you begin an investigation. As the cases in this section show, sometimes you find more than you could have ever imagined.
Adrian Lamo, 22, was charged in a Manhattan federal court with hacking into the internal computer network of the New York Times. Lamo illegally accessed a database containing confidential information such as home telephone numbers and Social Security numbers for over 3,000 contributors. The records he accessed included entries for former President Jimmy Carter, Democratic campaigner James Carville, former secretary of state James Baker, actor Robert Redford, columnist William F. Buckley, Jr., and radio personality Rush Limbaugh among others.
Investigators found that the hacker had added an entry for Adrian Lamo, listing personal information such as a cellular telephone number, (415) 505-HACK, and a description of Lamo's areas of expertise including computer hacking, national security, and communications intelligence. Lamo also created five fictitious user accounts with a fee-based, online subscription service that provides news and legal and other information to customers. Over the course of three months, those five accounts were used to conduct upwards of 3,000 searches, incurring charges of approximately $300,000.
Source: Security Focus, September 5, 2003, http://www.securityfocus.com/news/6888; U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS), http://www.cybercrime.gov/lamoPlea.htm.
In addition, Lamo admitted responsibility for a series of other computer intrusions on networks at Cingular, Excite@Home, MCI WorldCom, Microsoft, SBC Ameritech, and Yahoo!. If convicted, Lamo faces a maximum sentence of 15 years in prison and a $500,000 fine.
By using computer forensic techniques, his trail could be traced through proxy server logs, the accounts he created while on the internal network, and unauthorized LexisNexis searches for such information as his name, other individuals with the last name 'Lamo,' searches using his parents' Northern California home address, and searches for some of his known associates.
Stealing and selling proprietary information has become big business. The next two cases are examples of just that. When proprietary information is stolen, a computer forensic investigator may work in tandem with corporate human resources and compliance professionals to help not only examine how the theft occurred but also provide evidence for prosecution.
Daniel Jeremy Baas, age 25, of Milford, Ohio, pled guilty to exceeding authorized access to a protected computer and obtaining information. Baas was charged with illegally accessing a protected computer and stealing customer databases from Acxiom, a Little Rock, Arkansas-based company that maintains customer information for automotive manufacturers, banks, credit card issuers, and retailers, among others. The intrusion and theft of data cost Acxiom more than $5.8 million, which, in addition to the value of the stolen information, included employee time and travel expenses, and the cost of security audits and encryption software.
Baas worked as a computer systems administrator for a Cincinnati-based company that did business with Acxiom, which made files available for download for Baas' employer. With that access, Baas ran a password-cracking program on Acxiom computers, illegally obtaining about 300 passwords, including one with administrator-level privileges. That user account allowed him to download files belonging to other Acxiom customers, which contained confidential identification information.
Baas faced a maximum prison sentence of five years, a fine of $250,000 or twice the amount of gain or loss, and three years of supervised release.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS), http://www.cybercrime.gov/baasPlea.htm.
In this case, the forensic examiner might have found the program used to crack the passwords. If the program was deleted, parts or all of it could have been recovered, as well as the password file. Other evidence might include the actual downloaded files or fragments of them. The download program itself might have a log file that recorded who accessed the program and what was downloaded. The forensic examiner has a wide variety of tools available to extract data and deleted information.
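The kind of download log mentioned above is often the first place an examiner reconstructs the trail. The following is an added example (not from the book or the DOJ case record) that parses a constructed access log and flags downloads from customer directories an account was never authorized to read, which is the pattern the Acxiom case describes. The log format, the account names and the account-to-customer mapping are all assumptions made up for this demonstration.

```python
"""Reconstruct a download trail from a constructed file-transfer access log.

Added example, not from the book or the DOJ case record. The log format and
the account-to-customer mapping below are assumptions made up for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, account, action, path, bytes transferred.
SAMPLE_LOG = """\
2003-01-14T02:11:05 svc_partner GET /customers/partnerco/export_2003-01.csv 48211
2003-01-14T02:13:40 svc_partner GET /customers/partnerco/export_2003-02.csv 51009
2003-01-15T03:02:17 admin_ops GET /customers/bankA/accounts.dat 9823440
2003-01-15T03:04:55 admin_ops GET /customers/retailB/loyalty.dat 1204412
2003-01-15T03:05:30 admin_ops GET /customers/autoC/leases.dat 778102
2003-01-16T09:00:02 svc_partner GET /customers/partnerco/export_2003-03.csv 49977
"""

# Which customer directory each account is authorized to read (assumption).
# An administrative account is not expected to pull customer data at all.
AUTHORIZED = {
    "svc_partner": {"partnerco"},
    "admin_ops": set(),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<action>\S+) "
    r"/customers/(?P<customer>[^/]+)/(?P<file>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; skip malformed lines rather than abort,
    since a partially recovered log is still evidence."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["bytes"] = int(rec["bytes"])
        events.append(rec)
    return events


def find_cross_customer_downloads(events, authorized):
    """Return events where the account read a customer directory it is not
    mapped to. Unknown accounts are treated as unauthorized for everything."""
    return [
        e for e in events
        if e["customer"] not in authorized.get(e["account"], set())
    ]


def summarize_by_account(events):
    """Per-account totals: files, bytes and the distinct customers touched."""
    summary = defaultdict(lambda: {"files": 0, "bytes": 0, "customers": set()})
    for e in events:
        s = summary[e["account"]]
        s["files"] += 1
        s["bytes"] += e["bytes"]
        s["customers"].add(e["customer"])
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_cross_customer_downloads(evs, AUTHORIZED):
        print(f"{e['ts'].isoformat()} {e['account']} read {e['customer']}/{e['file']}")
    for acct, s in summarize_by_account(evs).items():
        print(acct, s["files"], "files,", s["bytes"], "bytes,", sorted(s["customers"]))
```

Run against the constructed log, the three `admin_ops` reads of other customers' directories are flagged while the partner account's own exports are not; the per-account summary gives the examiner the volume and breadth of what left the system, which is the figure a loss estimate like the one in the case is built from.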
Brian A. Salcedo, Adam W. Botbyl, and Paul G. Timmins were indicted on November 19, 2003, by a federal grand jury on sixteen counts of unauthorized computer access, attempted possession of unauthorized access devices, computer fraud, conspiracy, intentional transmission of computer code, and wire fraud.
Salcedo, Botbyl, and Timmins first accessed the wireless network at a Lowe's retail store in Southfield, Michigan. They subsequently hacked into the central computer network at Lowe's Companies, Inc. in North Carolina and then into computer systems in Lowe's retail stores across the United States. The men installed a program on computers in several of the retail locations that captured customers' credit card account numbers. If convicted on all counts, Salcedo, Botbyl, and Timmins face maximum sentences of 170 years in prison.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS), http://www.cybercrime.gov/salcedoIndict.htm.
The previous case spanned several states. Several federal agencies and various state and local agencies had to work together to track the illicit computer accesses. By compromising the system and then capturing credit card information, the three suspects unwittingly left a trail of forensic evidence. Some of the evidence possibly included the actual credit card information or remnants of this information, in addition to the program or parts of the program used to capture the information and log file records that indicated access to various locations on the corporate network.
The next case is one of employee revenge and destruction. This type of criminal activity has become common as more employees who are computer savvy try to find ways to get back at employers.
Timothy Allen Lloyd, of Wilmington, Delaware, was sentenced to 41 months in prison for launching a programming bomb on Omega Engineering Corp.'s network that resulted in approximately $10 million in damages. Lloyd, a computer network program designer for New Jersey-based Omega for 11 years, was terminated from his position on July 10, 1996. Twenty days later, a logic bomb was activated that permanently deleted all of the company's design and production software for measurement and control instruments used by the U.S. Navy and NASA.
Logic bomb: A virus or other program that is created to execute when a certain event occurs or a period of time passes. For example, a programmer might create a logic bomb to delete all his code from the server on a future date, most likely after he has left the company.
In addition to the monetary loss in sales and contracts, the attack led to 80 layoffs within Omega. The case is apparently one of the most expensive computer sabotage cases in U.S. Secret Service history.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS), http://www.cybercrime.gov/lloydSent.htm.
In this case, computer forensic evidence may include the actual program or logic bomb, the date and time the file was created, and the username of the file creator. Time and date stamps are an important part of the computer forensic process. You will learn about these and other forensic techniques later in the book.
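Because the paragraph above rests on file creation dates and the creator's username, the following added example (not from the book) shows how those attributes are pulled from a filesystem and ordered into a timeline with the Python standard library. It builds two constructed sample files in a temporary directory with known modification times, so the "files changed after a termination date" question in a case like Lloyd's can be asked of them; the file names, epoch values and cutoff are all made up for the demonstration.

```python
"""Collect file timestamps and ownership and order them into a timeline.

Added example, not from the book. Standard library only; the sample files
are constructed in a temporary directory so the script runs anywhere.
"""
import os
import stat
import tempfile
from datetime import datetime, timezone


def owner_name(uid):
    """Resolve a numeric uid to a user name where the platform supports it."""
    try:
        import pwd  # POSIX only; absent on Windows
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return str(uid)


def collect_file_metadata(path):
    """Return the modified/accessed/changed times (and birth time where the OS
    exposes it), size, owner and mode for one file, without following symlinks.
    Note that st_ctime is inode-change time on POSIX but creation time on Windows."""
    st = os.lstat(path)
    meta = {
        "path": path,
        "size": st.st_size,
        "owner": owner_name(st.st_uid),
        "mode": stat.filemode(st.st_mode),
        "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        "accessed": datetime.fromtimestamp(st.st_atime, tz=timezone.utc),
        "changed": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
    }
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        meta["created"] = datetime.fromtimestamp(birth, tz=timezone.utc)
    return meta


def build_timeline(paths):
    """Flatten each file's timestamps into (time, kind, path) events, oldest
    first, so activity around a given moment can be read in order."""
    events = []
    for p in paths:
        meta = collect_file_metadata(p)
        for kind in ("created", "modified", "accessed", "changed"):
            if kind in meta:
                events.append((meta[kind], kind, p))
    events.sort()
    return events


def files_modified_after(paths, cutoff):
    """Files whose modification time is later than a cutoff, for example the
    date an employee's access was supposed to end."""
    return sorted(p for p in paths
                  if collect_file_metadata(p)["modified"] > cutoff)


def demo():
    """Constructed scenario: two files whose modification times are set to
    known epoch values, one before and one after a cutoff date."""
    d = tempfile.mkdtemp()
    old = os.path.join(d, "old.txt")
    new = os.path.join(d, "new.txt")
    for p in (old, new):
        with open(p, "w") as f:
            f.write("sample")
    os.utime(old, (1_000_000_000, 1_000_000_000))  # 2001-09-09 UTC (constructed)
    os.utime(new, (1_100_000_000, 1_100_000_000))  # 2004-11-09 UTC (constructed)
    cutoff = datetime.fromtimestamp(1_050_000_000, tz=timezone.utc)
    return old, new, build_timeline([old, new]), files_modified_after([old, new], cutoff)


if __name__ == "__main__":
    old, new, timeline, after = demo()
    for when, kind, path in timeline:
        print(when.isoformat(), kind, os.path.basename(path))
    print("modified after cutoff:", [os.path.basename(p) for p in after])
```

The inode-change time cannot be set with `os.utime`, so in the demo it reflects when the files were actually written; on a real examination that difference between a backdated modification time and a recent change time is itself a finding, which is why the timeline keeps every timestamp kind rather than only the modification time.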
The following graphic is from the website of the Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice. Here you can find a lot of useful information and additional cases. The last case concerns a computer crime committed by a child.
A juvenile, who goes by the name 'c0mrade' on the Internet, accepted responsibility in a U.S. District Court in Miami for illegally accessing a military computer used by the Defense Threat Reduction Agency (DTRA), stealing usernames and passwords, and capturing e-mail messages exchanged between DTRA staff. DTRA, a Department of Defense agency, is responsible for reducing the threat from nuclear, biological, chemical, conventional, and special weapons to the United States and its allies.
Over a two-month period beginning in August 1999, the juvenile accessed the DTRA network by secretly installing a backdoor on a server in Virginia. In addition to capturing over 3,300 e-mail messages, he acquired at least 19 usernames and passwords of DTRA staff, 10 of which were on military computers.
Backdoor: A software program that allows access to a system without using security checks.
The juvenile also admitted to illegally accessing 13 computers located at NASA's Marshall Space Flight Center on June 29 and 30, 1999, and downloading proprietary software worth approximately $1.7 million. The intrusions and data theft forced NASA to shut down the computer systems for 21 days in July, resulting in approximately $41,000 in contractor labor and computer equipment replacement costs.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS), http://www.cybercrime.gov/comrade.htm.
This case marks the first time a juvenile hacker was sentenced to serve time. In addition to his six-month sentence in a detention facility, c0mrade was required to write letters of apology to the Department of Defense and NASA and allowed public disclosure of information about the case.
What kind of information was found that led to his arrest and conviction? A forensic investigator might have been able to recover a significant number of the captured e-mails if they were deleted. They might have been hidden in a directory or on a hard disk partition. In addition, a forensic investigator probably was able to trace the downloaded software, possibly to the suspect's computer.
The ability of a company to recover from an occurrence inflicting widespread destruction and distress.
These cases illustrate that computer forensic investigators have no idea where their cases will end up. As a computer sleuth, you may be required to work across state lines and with various agencies. You may end up working with several companies in various countries. You may end up at a dead end because it takes too long to get the information you need or the employer decides not to prosecute. At any rate, the computer forensics world is full of surprises.
A set of recommended guidelines that outline a set of good controls.