APPENDIX D: Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers

United States Department of Justice, Computer Crime and Intellectual Property Section

This appendix provides sample language for agents and prosecutors who wish to obtain a warrant authorizing the search and seizure of computers. The discussion focuses first on the proper way to describe the property to be seized in the warrant itself, which in turn requires consideration of the role of the computer in the offense. The discussion then turns to drafting an accompanying affidavit that establishes probable cause, describes the agent’s search strategy, and addresses any additional statutory or constitutional concerns.

I. Describing the Property to Be Seized for the Warrant

The first step in drafting a warrant to search and seize computers or computer data is to describe the property to be seized for the warrant itself. This requires a particularized description of the evidence, contraband, fruits, or instrumentality of crime that the agents hope to obtain by conducting the search.

Whether the property to be seized should contain a description of information (such as computer files) or physical computer hardware depends on the role of the computer in the offense. In some cases, the computer hardware is itself contraband, evidence of crime, or a fruit or instrumentality of crime. In these situations, Federal Rule of Criminal Procedure 41 expressly authorizes the seizure of the hardware, and the warrant will ordinarily request its seizure. In other cases, however, the computer hardware is merely a storage device for electronic files that are themselves contraband, evidence, or instrumentalities of crime. In these cases, the warrant should request authority to search for and seize the information itself, not the storage devices that the agents believe they must seize to recover the information. Although the agents may need to seize the storage devices for practical reasons, such practical considerations are best addressed in the accompanying affidavit. The property to be seized described in the warrant should fall within one or more of the categories listed in Rule 41(b):

  1. “property that constitutes evidence of the commission of a criminal offense”

This authorization is a broad one, covering any item that an investigator “reasonably could … believe” would reveal information that would aid in a particular apprehension or conviction. Andresen v. Maryland, 427 U.S. 463, 483 (1976). Cf. Warden v. Hayden, 387 U.S. 294, 307 (1967) (noting that restrictions on what evidence may be seized result mostly from the probable cause requirement). The word _property_ in Rule 41(b)(1) includes both tangible and intangible property. See United States v. New York Tel. Co., 434 U.S. 159, 169 (1977) (“Rule 41 is not limited to tangible items but is sufficiently flexible to include within its scope electronic intrusions authorized upon a finding of probable cause.”); United States v. Biasucci, 786 F.2d 504, 509-10 (2d Cir. 1986) (holding that the fruits of video surveillance are property that may be seized using a Rule 41 search warrant). Accordingly, data stored in electronic form is property that may properly be searched and seized using a Rule 41 warrant. See United States v. Hall, 583 F. Supp. 717, 718-19 (E.D. Va. 1984).

  2. “contraband, the fruits of crime, or things otherwise criminally possessed”

Property is contraband “when a valid exercise of the police power renders possession of the property by the accused unlawful and provides that it may be taken.” Hayden, 387 U.S. at 302 (quoting Gouled v. United States, 255 U.S. 298, 309 (1921)). Common examples of items that fall within this definition include child pornography, see United States v. Kimbrough, 69 F.3d 723, 731 (5th Cir. 1995), pirated software and other copyrighted materials, see United States v. Vastola, 670 F. Supp. 1244, 1273 (D.N.J. 1987), counterfeit money, narcotics, and illegal weapons. The phrase “fruits of crime” refers to property that criminals have acquired as a result of their criminal activities. Common examples include money obtained from illegal transactions, see United States v. Dornblut, 261 F.2d 949, 951 (2d Cir. 1958) (cash obtained in drug transaction), and stolen goods. See United States v. Burkeen, 350 F.2d 261, 264 (6th Cir. 1965) (currency removed from bank during bank robbery).

  3. “property designed or intended for use or which is or had been used as a means of committing a criminal offense”

Rule 41(b)(3) authorizes the search and seizure of “property designed or intended for use or which is or had been used as a means of committing a criminal offense.” This language permits courts to issue warrants to search and seize instrumentalities of crime. See United States v. Farrell, 606 F.2d 1341, 1347 (D.C. Cir. 1979). Computers may serve as instrumentalities of crime in many ways. For example, Rule 41 authorizes the seizure of computer equipment as an instrumentality when a suspect uses a computer to view, acquire, and transmit images of child pornography. See Davis v. Gracey, 111 F.3d 1472, 1480 (10th Cir. 1997) (stating in an obscenity case that “the computer equipment was more than merely a ‘container’ for the files; it was an instrumentality of the crime.”); United States v. Lamb, 945 F. Supp. 441, 462 (N.D.N.Y. 1996). Similarly, a hacker’s computer may be used as an instrumentality of crime, and a computer used to run an illegal Internet gambling business would also be an instrumentality of the crime.

Here are examples of how to describe property to be seized when the computer hardware is merely a storage container for electronic evidence:

  1. All records relating to violations of 21 U.S.C. § 841(a) (drug trafficking) and/or 21 U.S.C. § 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996, including lists of customers and related identifying information; types, amounts, and prices of drugs trafficked as well as dates, places, and amounts of specific transactions; any information related to sources of narcotic drugs (including names, addresses, phone numbers, or any other identifying information); any information recording [the suspect’s] schedule or travel from 1995 to the present; all bank records, checks, credit card bills, account information, and other financial records.

The terms _records_ and _information_ include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored, including any electrical, electronic, or magnetic form (such as any information on an electronic or magnetic storage device, including floppy diskettes, hard disks, Zip disks, CD-ROMs, optical discs, backup tapes, printer buffers, smart cards, memory calculators, pagers, personal digital assistants such as Palm Pilot computers, as well as printouts or readouts from any magnetic storage device); any handmade form (such as writing, drawing, painting); any mechanical form (such as printing or typing); and any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies).

  2. Any copy of the X Company’s confidential May 17, 1998, report, in electronic or other form, including any recognizable portion or summary of the contents of that report.

  3. [For a warrant to obtain records stored with an ISP pursuant to 18 U.S.C. § 2703(a)] All stored electronic mail of any kind sent to, from, and through the e-mail address [[email protected]], or associated with the user name “John Doe,” account holder [suspect], or IP Address [xxx.xxx.xxx.xxx] / Domain name [x.com] between Date A at Time B and Date X at Time Y. Content and connection log files of all activity from January 1, 2000, through March 31, 2000, by the user associated with the e-mail address [[email protected]], user name “John Doe,” or IP Address [xxx.xxx.xxx.xxx] / Domain name [x.x.com] between Date A at Time B and Date X at Time Y, including dates, times, methods of connecting (e.g., Telnet, FTP, HTTP), type of connection (e.g., modem, cable / DSL, T1 / LAN), ports used, telephone dial-up caller identification records, and any other connection information or traffic data. All business records, in any form kept, in the possession of [Internet Service Provider], that pertain to the subscriber(s) and account(s) associated with the e-mail address [[email protected]], user name “John Doe,” or IP Address [xxx.xxx.xxx.xxx] / Domain name [x.x.com] between Date A at Time B and Date X at Time Y, including records showing the subscriber’s full name, all screen names associated with that subscriber and account, all account names associated with that subscriber, methods of payment, phone numbers, all residential, business, mailing, and e-mail addresses, detailed billing records, types and lengths of service, and any other identifying information.

Here are examples of how to describe the property to be seized when the computer hardware itself is evidence, contraband, or an instrumentality of crime:

  1. Any computers (including file servers, desktop computers, laptop computers, mainframe computers, and storage devices such as hard drives, Zip disks, and floppy disks) that were or may have been used as a means to provide images of child pornography over the Internet in violation of 18 U.S.C. § 2252A that were accessible via the World Wide Web site address www.[xxxxxxxx].com.

  2. IBM Thinkpad Model 760ED laptop computer with a black case.

II. Drafting Affidavits in Support of Warrants to Search and Seize Computers

An affidavit to justify the search and seizure of computer hardware and/or files should include, at a minimum, the following sections: (1) definitions of any technical terms used in the affidavit or warrant; (2) a summary of the offense, and, if known, the role that a targeted computer plays in the offense; and (3) an explanation of the agents’ search strategy. In addition, warrants that raise special issues (such as sneak-and-peek warrants, or warrants that may implicate the Privacy Protection Act, 42 U.S.C. § 2000aa) require thorough discussion of those issues in the affidavit. Agents and prosecutors with questions about how to tailor an affidavit and warrant for a computer-related search may contact the Computer Crime and Intellectual Property Section at (202) 514-1026.

A. Background Technical Information

It may be helpful to include a section near the beginning of the affidavit explaining any technical terms that the affiant may use. Although many judges are computer literate, judges generally appreciate a clear, jargon-free explanation of technical terms that may help them understand the merits of the warrant application. At the same time, agents and prosecutors should resist the urge to pad affidavits with long, boilerplate descriptions of well-known technical phrases. As a rule, affidavits should only include the definitions of terms that are likely to be unknown by a generalist judge and are used in the remainder of the affidavit. Here are some sample definitions:

Addresses. Every device on the Internet has an address that allows other devices to locate and communicate with it. An Internet Protocol (IP) address is a unique number that identifies a device on the Internet. Other addresses include Uniform Resource Locator (URL) addresses, such as “http://www.usdoj.gov,” which are typically used to access Web sites or other services on remote devices. Domain names, host names, and machine addresses are other types of addresses associated with Internet use.

Cookies. A cookie is a file that is generated by a Web site when a user on a remote computer accesses it. The cookie is sent to the user’s computer and is placed in a directory on that computer, usually labeled “Internet” or “Temporary Internet Files.” The cookie includes information such as user preferences, connection information such as time and date of use, records of user activity including files accessed or services used, or account information. The cookie is then accessed by the Web site on subsequent visits by the user, in order to better serve the user’s needs.

Data Compression. A process of reducing the number of bits required to represent some information, usually to reduce the time or cost of storing or transmitting it. Some methods can be reversed to reconstruct the original data exactly; these are used for faxes, programs, and most computer data. Other methods do not exactly reproduce the original data, but this may be acceptable (e.g., for a video conference).

Denial of Service Attack (DoS Attack). A hacker attempting a DoS attack will often use multiple IP or e-mail addresses to send a particular server or Web site hundreds or thousands of messages in a short period of time. The server or Web site will devote system resources to each transmission. Due to the limited resources of servers and Web sites, this bombardment will eventually slow the system down or crash it altogether.

Domain. A domain is a group of Internet devices that are owned or operated by a specific individual, group, or organization. Devices within a domain have IP addresses within a certain range of numbers, and are usually administered according to the same set of rules and procedures.

Domain Name. A domain name identifies a computer or group of computers on the Internet and corresponds to one or more IP addresses within a particular range. Domain names are typically strings of alphanumeric characters, with each level of the domain delimited by a period (e.g., computer.networklevel1.networklevel2.com). A domain name can provide information about the organization, ISP, and physical location of a particular network user.

Encryption. Encryption refers to the practice of mathematically scrambling computer data as a communications security measure. The encrypted information is called _ciphertext_. _Decryption_ is the process of converting the ciphertext back into the original, readable information (known as _plaintext_). The word, number, or other value used to encrypt/decrypt a message is called the _key_.

File Transfer Protocol (FTP). FTP is a method of communication used to send and receive files such as word-processing documents, spreadsheets, pictures, songs, and video files. FTP sites are online warehouses of computer files that are available for copying by users on the Internet. Although many sites require users to supply credentials (such as a password or user name) to gain access, the IP address of the FTP site is often all that is required to access the site, and users are often identified only by their IP addresses.

Firewall. A firewall is a dedicated computer system or piece of software that monitors the connection between one computer or network and another. The firewall is the gatekeeper that certifies communications, blocks unauthorized or suspect transmissions, and filters content coming into a network. Hackers can sidestep the protections offered by firewalls by acquiring system passwords, hiding within authorized IP addresses using specialized software and routines, or placing viruses in seemingly innocuous files such as e-mail attachments.

Hacking. Hacking is the deliberate infiltration or sabotaging of a computer or network of computers. Hackers use loopholes in computer security to gain control of a system, steal passwords and sensitive data, and/or incapacitate a computer or group of computers. Hacking is usually done remotely, by sending harmful commands and programs through the Internet to a target system. When they arrive, these commands and programs instruct the target system to operate outside of the parameters specified by the administrator of the system. This often causes general system instability or the loss of data.

Instant Messaging (IM). IM is a communications service that allows two users to send messages through the Internet to each other in real time. Users subscribe to a particular messaging service (e.g., AOL Instant Messenger, MSN Messenger) by supplying personal information and choosing a screen name to use in connection with the service. When logged in to the IM service, users can search for other users based on the information that other users have supplied, and they can send those users messages or initiate a chat session. Most IM services also allow files to be transferred between users, including music, video files, and computer software. Due to the structure of the Internet, a transmission may be routed through different states and/or countries before it arrives at its final destination, even if the communicating parties are in the same state.

Internet. The Internet is a global network of computers and other electronic devices that communicate with each other via standard telephone lines, high-speed telecommunications links (e.g., fiber-optic cable), and wireless transmissions. Due to the structure of the Internet, connections between devices on the Internet often cross state and international borders, even when the devices communicating with each other are in the same state.

Internet Relay Chat (IRC). IRC is a popular Internet service that allows users to communicate with each other in real time. IRC is organized around the chat room or channel, in which users congregate to communicate with each other about a specific topic. A chat room typically connects users from different states and countries, and IRC messages often travel across state and national borders before reaching other users. Within a chat room or channel, every user can see the messages typed by other users. No user identification is required for IRC, allowing users to log in and participate in IRC communication with virtual anonymity, concealing their identities by using fictitious screen names.

Internet Service Providers (ISPs). Many individuals and businesses obtain their access to the Internet through businesses known as Internet service providers (ISPs). ISPs provide their customers with access to the Internet using telephone or other telecommunications lines; provide Internet e-mail accounts that allow users to communicate with other Internet users by sending and receiving electronic messages through the ISPs’ servers; remotely store electronic files on their customers’ behalf; and may provide other services unique to each particular ISP.

ISPs maintain records pertaining to the individuals or companies that have subscriber accounts with them. Those records could include identifying and billing information, account access information in the form of log files, e-mail transaction information, posting information, account application information, and other information both in computer data format and in written record format. ISPs reserve and/or maintain computer disk storage space on their computer system for the use of the Internet service subscriber for both temporary and long-term storage of electronic communications with other parties and other types of electronic data and files. E-mail that has not been opened is stored temporarily by an ISP incident to the transmission of the e-mail to the intended recipient, usually within an area known as the _home directory_. Such temporary, incidental storage is defined by statute as _electronic storage_, and the provider of such a service is an _electronic communications service provider_. A service provider that is available to the public and provides storage facilities after an electronic communication has been transmitted and opened by the recipient, or provides other long-term storage services to the public for electronic data and files, is providing a _remote computing service_.

IP Address. The Internet protocol address (or simply IP address) is a unique numeric address used by computers on the Internet. An IP address looks like a series of four numbers, each in the range 0 to 255, separated by periods (e.g., 121.56.97.178). Every computer attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that computer may be directed properly from its source to its destination. Most ISPs control a range of IP addresses.

Dynamic IP address — When an ISP or other provider uses dynamic IP addresses, the ISP randomly assigns one of the available IP addresses in the range of IP addresses controlled by the ISP each time a user dials into the ISP to connect to the Internet. The customer’s computer retains that IP address for the duration of that session (i.e., until the user disconnects), and the IP address cannot be assigned to another user during that period. Once the user disconnects, however, that IP address becomes available to other customers who dial in at a later time. Thus, an individual customer’s IP address normally differs each time he or she dials into the ISP.

Static IP address — A static IP address is an IP address that is assigned permanently to a given user or computer on a network. A customer of an ISP that assigns static IP addresses will have the same IP address every time.

Joint Photographic Experts Group (JPEG). JPEG is the name of a standard for compressing digitized images that can be stored on computers. JPEG is often used to compress photographic images, including pornography. Such files are often identified by the “.jpg” extension (such that a JPEG file might have the title “picture.jpg”) but can easily be renamed without the “.jpg” extension.

Log File. Log files are computer files that contain records about system events and status, the activities of users, and anomalous or unauthorized computer usage. Names for various log files include, but are not limited to, user logs, access logs, audit logs, transactional logs, and Apache logs.

Moving Pictures Expert Group-3 (MP3). MP3 is the name of a standard for compressing audio recordings (e.g., songs, albums, concert recordings) so that they can be stored on a computer, transmitted through the Internet to other computers, or listened to using a computer. Despite its small size, an MP3 delivers near CD-quality sound. Such files are often identified by the filename extension “.mp3,” but can easily be renamed without the “.mp3” extension.

Packet Sniffing. On the Internet, information is usually transmitted through many different locations before it reaches its final destination. While in transit, such information is contained within _packets_. Both authorized users, such as system security experts, and unauthorized users, such as hackers, use specialized technology — packet sniffers — to “listen” to the flow of information on a network for interesting packets, such as those containing logins or passwords, sensitive or classified data, or harmful communications such as viruses. After locating such data, the packet sniffer can read, copy, redirect, or block the communication.

Peer-to-Peer (P2P) Networks. P2P networks differ from conventional networks in that each computer within the network functions as both a client (using the resources and services of other computers) and a server (providing files and services for use by _peer_ computers). There is often no centralized server in such a network. Instead, a search program or database tells users where other computers are located and what files and services they have to offer. Often, P2P networks are used to share and disseminate music, movies, and computer software.

Router. A router is a device on the Internet that facilitates communication. Each Internet router maintains a table that states the next step a communication must take on its path to its proper destination. When a router receives a transmission, it checks the transmission’s destination IP address against the addresses in its table and directs the communication to another router or the destination computer. The log file and memory of a router often contain important information that can help reveal the source and network path of communications.

Server. A server is a centralized computer that provides services for other computers connected to it via a network. The other computers attached to a server are sometimes called _clients_. In a large company, it is common for individual employees to have client computers at their desktops. When the employees access their e-mail, or access files stored on the network itself, those files are pulled electronically from the server, where they are stored, and are sent to the client’s computer via the network. Notably, server computers can be physically stored in any location: It is common for a network’s server to be located hundreds (and even thousands) of miles away from the client computers. In larger networks, it is common for servers to be dedicated to a single task. For example, a server that is configured so that its sole task is to support a World Wide Web site is known simply as a _Web server_. Similarly, a server that only stores and processes e-mail is known as a _mail server_.

Tracing. Trace programs are used to determine the path that a communication takes to arrive at its destination. A trace program requires the user to specify a source and destination IP address. The program then launches a message from the source address, and at each hop on the network (signifying a device such as a router), the IP address of that device is displayed on the source user’s screen or copied to a log file.

User Name or User ID. Most services offered on the Internet assign users a name or ID, which is a pseudonym that computer systems use to keep track of users. User names and IDs are typically associated with additional user information or resources, such as a user account protected by a password, personal or financial information about the user, a directory of files, or an e-mail address.

Virus. A virus is a malicious computer program designed by a hacker to (1) incapacitate a target computer system; (2) cause a target system to slow down or become unstable; (3) gain unauthorized access to system files, passwords, and other sensitive data such as financial information; and/or (4) gain control of the target system to use its resources in furtherance of the hacker’s agenda. Once inside the target system, a virus may begin making copies of itself, depleting system memory and causing the system to shut down, or it may begin issuing system commands or altering crucial data within the system.

Other malicious programs used by hackers include, but are not limited to, _worms_, which spawn copies that travel over a network to other systems; _Trojan horses_, which are hidden in seemingly innocuous files such as e-mail attachments and are activated by unsuspecting authorized users; and _bombs_, which are programs designed to bombard a target e-mail server or individual user with messages, overloading the target or otherwise preventing the reception of legitimate communications.

B. Background — Staleness Issue

It may be helpful and necessary to include a paragraph explaining how certain computer files can reside indefinitely in free or slack space and thus be subject to recovery with specific forensic tools:

Based on your affiant’s knowledge, training, and experience, your affiant knows that computer files or remnants of such files can be recovered months or even years after they have been downloaded onto a hard drive, deleted, or viewed via the Internet. Electronic files downloaded to a hard drive can be stored for years at little or no cost. Even when such files have been deleted, they can be recovered months or years later using readily available forensics tools. When a person “deletes” a file on a home computer, the data contained in the file does not actually disappear; rather, that data remains on the hard drive until it is overwritten by new data. Therefore, deleted files, or remnants of deleted files, may reside in free space or slack space — that is, in space on the hard drive that is not allocated to an active file or that is unused after a file has been allocated to a set block of storage space — for long periods of time before they are overwritten. In addition, a computer’s operating system may also keep a record of deleted data in a _swap_ or _recovery_ file. Similarly, files that have been viewed via the Internet are automatically downloaded into a temporary Internet directory or _cache_. The browser typically maintains a fixed amount of hard drive space devoted to these files, and the files are only overwritten as they are replaced with more recently viewed Internet pages. Thus, the ability to retrieve residue of an electronic file from a hard drive depends less on when the file was downloaded or viewed than on a particular user’s operating system, storage capacity, and computer habits.
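Two of the technical points above lend themselves to a short demonstration: the JPEG and MP3 definitions note that such files are easily renamed to hide their extension, and the staleness paragraph explains that deleted files linger in free or slack space until overwritten. The following Python script is an added example, not part of the DOJ text; it identifies file types by their leading bytes regardless of filename and carves JPEG remnants out of a byte buffer standing in for unallocated space. All file contents and the buffer are constructed for the example.

```python
"""Content-based file identification and JPEG carving over a constructed
buffer that stands in for unallocated (free/slack) space. All sample data
below is constructed for the example; nothing is drawn from a real case."""
import os
from typing import Dict, List, Optional, Tuple

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker: first three bytes of every JPEG
JPEG_EOI = b"\xff\xd9"       # end-of-image marker: last two bytes of a complete JPEG

# What a file extension claims its content to be (only the types this example knows).
CLAIMED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "mp3": "mp3"}


def identify(data: bytes) -> Optional[str]:
    """Classify a file by its leading bytes, ignoring whatever name it was given."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(b"ID3"):  # ID3v2 metadata tag that usually prefixes an MP3
        return "mp3"
    # Bare MPEG audio frame: the 11-bit frame sync (all ones) opens the file.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return None


def extension_mismatches(files: Dict[str, bytes]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (name, extension, detected_type) for every file whose extension
    disagrees with its content signature, e.g. a JPEG renamed to .txt or a
    .mp3 that holds no audio at all."""
    out = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower().lstrip(".")
        detected = identify(data)
        if detected != CLAIMED_BY_EXT.get(ext):
            out.append((name, ext, detected))
    return out


def carve_jpegs(raw: bytes) -> List[Tuple[int, int, bool]]:
    """Scan a raw buffer for JPEG remnants and return (offset, length, complete).
    A header whose EOI has already been overwritten is reported as incomplete.
    Caveat: a JPEG with an embedded EXIF thumbnail contains a nested SOI/EOI
    pair, so this naive scan stops at the thumbnail's EOI; real carvers parse
    the marker segments instead."""
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            found.append((start, len(raw) - start, False))
            break
        length = end + len(JPEG_EOI) - start
        found.append((start, length, True))
        pos = end + len(JPEG_EOI)
    return found


def make_jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG-shaped blob: SOI, a JFIF APP0 segment, payload, EOI.
    It is not a decodable picture, but it carries the markers a carver keys on."""
    app0 = b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + payload + JPEG_EOI


def sample_files() -> Dict[str, bytes]:
    """Constructed files whose names and contents do not always agree."""
    jpeg = make_jpeg(b"\x44" * 64)
    mp3_tagged = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32
    mp3_bare = b"\xff\xfb\x90\x00" + b"\x00" * 32   # MPEG-1 Layer III frame header
    return {
        "vacation.jpg": jpeg,            # name and content agree
        "notes.txt": jpeg,               # JPEG hiding behind a .txt name
        "track01.mp3": jpeg,             # JPEG renamed to look like audio
        "readme.doc": mp3_tagged,        # MP3 with a document extension
        "clip.dat": mp3_bare,            # untagged MP3 with a neutral extension
        "song.mp3": b"just some text",   # claims to be MP3 but is not
    }


def sample_unallocated_space() -> bytes:
    """Constructed stand-in for free space: two intact deleted JPEGs and one
    whose tail has been overwritten, separated by zero fill and byte noise."""
    zeros = b"\x00" * 512
    noise = bytes(range(256)) * 2          # contains no JPEG markers
    intact_a = make_jpeg(b"\x11" * 300)    # lands at offset 512, 322 bytes long
    intact_b = make_jpeg(b"\x22" * 150)    # lands at offset 1346, 172 bytes long
    truncated = JPEG_SOI + b"\xe0" + b"\x33" * 40   # header survives, EOI gone
    return zeros + intact_a + noise + intact_b + zeros + truncated


if __name__ == "__main__":
    for name, ext, kind in extension_mismatches(sample_files()):
        print(f"{name}: extension .{ext} but content is {kind}")
    for off, length, complete in carve_jpegs(sample_unallocated_space()):
        print(f"JPEG remnant at offset {off}, {length} bytes, complete={complete}")
```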

C. Describe the Role of the Computer in the Offense

The next step is to describe the role of the computer in the offense, to the extent it is known. For example, is the computer hardware itself evidence of a crime or contraband? Is the computer hardware merely a storage device that may or may not contain electronic files that constitute evidence of a crime? To introduce this topic, it may be helpful to explain at the outset why the role of the computer is important for defining the scope of your warrant request.

Your affiant knows that computer hardware, software, and electronic files may be important to a criminal investigation in two distinct ways: (1) The objects themselves may be contraband, evidence, instrumentalities, or fruits of crime; and/or (2) the objects may be used as storage devices that contain contraband, evidence, instrumentalities, or fruits of crime in the form of electronic data. Rule 41 of the Federal Rules of Criminal Procedure permits the government to search for and seize computer hardware, software, and electronic files that are evidence of crime, contraband, instrumentalities of crime, and/or fruits of crime. In this case, the warrant application requests permission to search and seize [images of child pornography, including those that may be stored on a computer]. These [images] constitute both evidence of crime and contraband. This affidavit also requests permission to seize the computer hardware that may contain [the images of child pornography] if it becomes necessary for reasons of practicality to remove the hardware and conduct a search off-site. Your affiant believes that, in this case, the computer hardware is a container for evidence, a container for contraband, and also itself an instrumentality of the crime under investigation.

1. When the Computer Hardware Is Itself Contraband, Evidence, and/or an Instrumentality or Fruit of Crime

If applicable, the affidavit should explain why probable cause exists to believe that the tangible computer items are themselves contraband, evidence, instrumentalities, or fruits of the crime, independent of the information they may hold.

  1. Computer Used to Obtain Unauthorized Access to a Computer (Hacking). Your affiant knows that when an individual uses a computer to obtain unauthorized access to a victim computer over the Internet, the individual’s computer will generally serve both as an instrumentality for committing the crime and as a storage device for evidence of the crime. The computer is an instrumentality of the crime because it is “used as a means of committing [the] criminal offense” according to Rule 41(b)(3). In particular, the individual’s computer is the primary means for accessing the Internet, communicating with the victim computer, and ultimately obtaining the unauthorized access that is prohibited by 18 U.S.C. § 1030. The computer is also likely to be a storage device for evidence of crime because computer hackers generally maintain records and evidence relating to their crimes on their computers. Those records and evidence may include files that recorded the unauthorized access, stolen passwords and other information downloaded from the victim computer, the individual’s notes as to how the access was achieved, records of Internet chat discussions about the crime, and other records that indicate the scope of the individual’s unauthorized access.

  2. Computers Used to Produce Child Pornography. It is common for child pornographers to use personal computers to produce both still and moving images. For example, a computer can be connected to a video camera, VCR, or DVD player by using a device called a video capture board: The device turns the video output into a form that is usable by computer programs. Alternatively, the pornographer can use a digital camera to take photographs or videos and load them directly onto the computer. The output of the camera can be stored, transferred, or printed out directly from the computer. The producers of child pornography can also use a device known as a scanner to transfer photographs into a computer-readable format. All of these devices, as well as the computer, constitute instrumentalities of the crime.

2. When the Computer Is Merely a Storage Device for Contraband, Evidence, and/or an Instrumentality or Fruit of Crime

When the computer is merely a storage device for electronic evidence, the affidavit should explain this clearly. The affidavit should explain why there is probable cause to believe that evidence of a crime may be found in the location to be searched. This does not require the affidavit to establish probable cause that the evidence may be stored specifically within a computer. However, the affidavit should explain why the agents believe that the information may in fact be stored as an electronic file stored in a computer.

  1. Child Pornography. Your affiant knows that child pornographers generally prefer to store images of child pornography in electronic form as computer files. The computer’s ability to store images in digital form makes a computer an ideal repository for pornography. A small portable disk can contain hundreds or thousands of images of child pornography, and a computer hard drive can contain tens of thousands of such images at very high resolution. The images can be easily sent to or received from other computer users over the Internet. Further, both individual files of child pornography and the disks that contain the files can be mislabeled or hidden to evade detection.

  2. Illegal Business Operations. Based on actual inspection of [spreadsheets, financial records, invoices], your affiant is aware that computer equipment was used to generate, store, and print documents used in [suspect’s] [tax evasion, money laundering, drug trafficking, etc.] scheme. There is reason to believe that the computer system currently located on [suspect’s] premises is the same system used to produce and store the [spreadsheets, financial records, invoices], and that both the [spreadsheets, financial records, invoices] and other records relating to [suspect’s] criminal enterprise will be stored on [suspect’s computer].

D. The Search Strategy

The affidavit should also contain a careful explanation of the agents’ search strategy, as well as a discussion of any practical or legal concerns that govern how the search will be executed. Such an explanation is particularly important when practical considerations may require that agents seize computer hardware and search it off-site when that hardware is only a storage device for evidence of crime. Similarly, searches for computer evidence in sensitive environments (such as functioning businesses) may require that the agents adopt an incremental approach designed to minimize the intrusiveness of the search. The affidavit should explain the agents’ approach in sufficient detail that the explanation provides a useful guide for the search team and any reviewing court. It is a good practice to include a copy of the search strategy as an attachment to the warrant, especially when the affidavit is placed under seal. The following subsections contain sample language that can apply to recurring situations.

1. Sample Language to Justify Seizing Hardware

Based upon your affiant’s knowledge, training and experience, your affiant knows that searching and seizing information from computers often requires agents to seize most or all electronic storage devices (along with related peripherals) to be searched later by a qualified computer expert in a laboratory or other controlled environment. This is true because of the following:

  1. The volume of evidence. Computer storage devices (e.g., hard disks, diskettes, tapes, laser disks) can store the equivalent of millions of pages of information. Additionally, a suspect may try to conceal criminal evidence; he or she might store it in random order with deceptive file names. This may require searching authorities to examine all the stored data to determine which particular files are evidence or instrumentalities of crime. This sorting process can take weeks or months, depending on the volume of data stored, and it would be impractical and invasive to attempt this kind of data search on-site.

  2. Technical requirements. Searching computer systems for criminal evidence is a highly technical process requiring expert skill and a properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in some systems and applications, so it is difficult to know before a search which expert is qualified to analyze the system and its data. In any event, however, data search protocols are exacting scientific procedures designed to protect the integrity of the evidence and to recover even hidden, erased, compressed, password-protected, or encrypted files. Because computer evidence is vulnerable to inadvertent or intentional modification or destruction (either from external sources or from destructive code embedded in the system as a booby trap), a controlled environment may be necessary to complete an accurate analysis.

Further, such searches often require the seizure of most or all of a computer system’s input/output peripheral devices, related software, documentation, and data security devices (including passwords) so that a qualified computer expert can accurately retrieve the system’s data in a laboratory or other controlled environment.

In light of these concerns, your affiant hereby requests the Court’s permission to seize the computer hardware (and associated peripherals) that are believed to contain some or all of the evidence described in the warrant, and to conduct an off-site search of the hardware for the evidence described, if, upon arriving at the scene, the agents executing the search conclude that it would be impractical to search the computer hardware on-site for this evidence.

2. Sample Language to Justify an Incremental Search

Your affiant recognizes that the [Suspect] Corporation is a functioning company with approximately [number] employees, and that a seizure of the [Suspect Corporation’s] computer network may have the unintended and undesired effect of limiting the company’s ability to provide service to its legitimate customers who are not engaged in [the criminal activity under investigation]. In response to these concerns, the agents who execute the search will take an incremental approach to minimize the inconvenience to [Suspect Corporation’s] legitimate customers and to minimize the need to seize equipment and data. This incremental approach, which will be explained to all of the agents on the search team before the search is executed, will proceed as follows:

  1. Upon arriving at the [Suspect Corporation’s] headquarters on the morning of the search, the agents will attempt to identify a system administrator of the network (or other knowledgeable employee) who will be willing to assist law enforcement by identifying, copying, and printing out paper [and electronic] copies of [the computer files described in the warrant]. If the agents succeed at locating such an employee and are able to obtain copies of [the computer files described in the warrant] in that way, the agents will not conduct any additional search or seizure of the [Suspect Corporation’s] computers.

  2. If the employees choose not to assist the agents and the agents cannot execute the warrant successfully without themselves examining the [Suspect Corporation’s] computers, primary responsibility for the search will transfer from the case agent to a designated computer expert. The computer expert will attempt to locate [the computer files described in the warrant], and will attempt to make electronic copies of those files. This analysis will focus on particular programs, directories, and files that are most likely to contain the evidence and information of the violations under investigation. The computer expert will make every effort to review and copy only those programs, directories, files, and materials that are evidence of the offenses described herein, and provide only those items to the case agent. If the computer expert succeeds at locating [the computer files described in the warrant] in that way, the agents will not conduct any additional search or seizure of the [Suspect Corporation’s] computers.

  3. If the computer expert is not able to locate the files on-site, or an on-site search proves infeasible for technical reasons, the computer expert will attempt to create an electronic image of those parts of the computer that are likely to store [the computer files described in the warrant]. Generally speaking, imaging is the taking of a complete electronic picture of the computer’s data, including all hidden sectors and deleted files. Imaging a computer permits the agents to obtain an exact copy of the computer’s stored data without actually seizing the computer hardware. The computer expert or another technical expert will then conduct an off-site search for [the computer files described in the warrant] from the “mirror image” copy at a later date. If the computer expert successfully images the [Suspect Corporation’s] computers, the agents will not conduct any additional search or seizure of the [Suspect Corporation’s] computers.

  4. If imaging proves impractical, or even impossible for technical reasons, then the agents will seize those components of the [Suspect Corporation’s] computer system that the computer expert believes must be seized to permit the agents to locate [the computer files described in the warrant] at an off-site location. The components will be seized and taken into the custody of the FBI. If employees of [Suspect Corporation] so request, the computer expert will, to the extent practicable, attempt to provide the employees with copies of any files [not within the scope of the warrant] that may be necessary or important to the continuing function of the [Suspect Corporation’s] legitimate business. If, after inspecting the computers, the analyst determines that some or all of this equipment is no longer necessary to retrieve and preserve the evidence, the government will return it within a reasonable time.

3. Sample Language to Justify the Use of Comprehensive Data Analysis Techniques

Searching [the suspect’s] computer system for the evidence described in [Attachment A] may require a range of data analysis techniques. In some cases, it is possible for agents to conduct carefully targeted searches that can locate evidence without requiring a time-consuming manual search through unrelated materials that may be commingled with criminal evidence. For example, agents may be able to execute a keyword search that searches through the files stored in a computer for special words that are likely to appear only in the materials covered by a warrant.

Similarly, agents may be able to locate the materials covered in the warrant by looking for particular directory or file names. In other cases, however, such techniques may not yield the evidence described in the warrant. Criminals can mislabel or hide files and directories; encode communications to avoid using key words; attempt to delete files to evade detection; or take other steps designed to frustrate law enforcement searches for information. These steps may require agents to conduct more extensive searches, such as scanning areas of the disk not allocated to listed files, or opening every file and scanning its contents briefly to determine whether it falls within the scope of the warrant. In light of these difficulties, your affiant requests permission to use whatever data analysis techniques appear necessary to locate and retrieve the evidence described in [Attachment A].
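The two analysis steps the sample language describes (step 3 of the incremental approach, imaging a computer as an exact copy including deleted files, and the keyword search above that must also cover disk areas not allocated to listed files) can be shown on a small scale. The following Python is an added example written for this appendix; it is not part of the DOJ sample language or of the book's own materials. It constructs a toy "device" of eight 512-byte sectors with a hypothetical directory table, takes a sector-by-sector image with a SHA-256 digest so the copy can be verified later, and then runs a keyword search that reports hits in listed files separately from hits in unallocated sectors. All file names, contents, and the directory layout are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass

SECTOR_SIZE = 512          # bytes per sector
SECTOR_COUNT = 8           # toy device: 4 KiB in total


@dataclass(frozen=True)
class FileEntry:
    """One allocated file in the hypothetical directory table."""
    name: str
    start_sector: int
    length: int            # bytes actually used by the file


def build_sample_device() -> tuple[bytes, list[FileEntry]]:
    """Construct the sample device (constructed data, not a real disk).
    Sectors 1 and 2 hold two listed files; sector 5 holds the remains of a
    deleted file that no directory entry points to any more."""
    device = bytearray(SECTOR_SIZE * SECTOR_COUNT)
    listed = {
        1: ("invoices.txt", b"Invoice 4471 paid by wire transfer.\n"),
        2: ("readme.txt", b"Nothing of interest here.\n"),
    }
    entries = []
    for sector, (name, payload) in listed.items():
        offset = sector * SECTOR_SIZE
        device[offset:offset + len(payload)] = payload
        entries.append(FileEntry(name, sector, len(payload)))
    # Deleted file: its bytes are still on disk, only the directory entry is gone.
    deleted = b"ledger.xls (deleted): wire transfer to offshore account\n"
    device[5 * SECTOR_SIZE:5 * SECTOR_SIZE + len(deleted)] = deleted
    return bytes(device), entries


def image_device(device: bytes) -> tuple[bytes, str]:
    """Copy every sector, allocated or not, and hash the result. The digest is
    what lets the examiner show the image still matches the original later."""
    image = b"".join(device[i:i + SECTOR_SIZE]
                     for i in range(0, len(device), SECTOR_SIZE))
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash an image and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def allocated_sectors(entries: list[FileEntry]) -> set[int]:
    """Sectors covered by listed files; everything else is unallocated space."""
    used = set()
    for e in entries:
        last = (e.start_sector * SECTOR_SIZE + max(e.length, 1) - 1) // SECTOR_SIZE
        used.update(range(e.start_sector, last + 1))
    return used


def keyword_search(image: bytes, entries: list[FileEntry], keywords: list[str]):
    """Targeted search first (listed files only), then the more extensive scan of
    sectors not allocated to any listed file. Each hit records where it came
    from so the scope of what was actually examined is documented."""
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords),
                         re.IGNORECASE)
    hits = []
    for e in entries:
        start = e.start_sector * SECTOR_SIZE
        for m in pattern.finditer(image[start:start + e.length]):
            hits.append(("allocated", e.name, e.start_sector, m.group().decode()))
    used = allocated_sectors(entries)
    for s in range(len(image) // SECTOR_SIZE):
        if s in used:
            continue
        for m in pattern.finditer(image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE]):
            hits.append(("unallocated", None, s, m.group().decode()))
    return hits


if __name__ == "__main__":
    device, entries = build_sample_device()
    image, digest = image_device(device)
    print("image verified:", verify_image(image, digest), digest[:16], "...")
    for where, name, sector, word in keyword_search(image, entries, ["wire transfer", "offshore"]):
        print(f"{where:12} sector {sector} {name or '(no directory entry)'}: {word!r}")
```

Running the block shows one hit inside the listed file invoices.txt and two hits in sector 5, which no listed file occupies; a search limited to the directory table would never have reached the second pair. The recorded digest is what the examiner compares against before and after the off-site search to show the image was not altered in the interval.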

E. Special Considerations

The affidavit should also contain discussions of any special legal considerations that may factor into the search or how it will be conducted. These considerations are discussed at length in Chapter 1. Agents can use this checklist to determine whether a particular computer-related search raises such issues:

  1. Is the search likely to result in the seizure of any drafts of publications (such as books, newsletters, Web site postings, etc.) that are unrelated to the search and are stored on the target computer? If so, the search may implicate the Privacy Protection Act, 42 U.S.C. § 2000aa.

  2. Is the target of the search an ISP, or will the search result in the seizure of a mail server? If so, the search may implicate the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-12.

  3. Does the target store electronic files or e-mail on a server maintained in a remote location? If so, the agents may need to obtain more than one warrant.

  4. Will the search result in the seizure of privileged files, such as attorney-client communications? If so, special precautions may be in order.

  5. Are the agents requesting authority to execute a “sneak-and-peek” search? If so, the proposed search must satisfy the standard defined in 18 U.S.C. § 3103a(b).

  6. Are the agents requesting authority to dispense with the “knock and announce” rule? If so, has the agent demonstrated sufficient “probable cause” to justify and warrant a judicial “No Knock” warrant?

Forensic Computer Crime Investigation Text

Contributing Author Biographies

Chapter 2, The Digital Investigative Unit: Staffing, Training, and Issues — Chris Malinowski

Prior to joining the faculty at Long Island University, Mr. Malinowski commanded the NYPD’s Computer Crime Squad in their Detective Bureau. His experiences in IS vary from systems programming (IBM Mainframes) to investigations of computer crimes. As a manager, he had to deal with both the technical aspects and the personnel-related aspects of maintaining technical working environments for the NYPD. Currently, he instructs both undergraduate and graduate students in networking and computer security related courses. As NYPD’s commanding officer of Computer Crimes, he participated in the National Cybercrime Training Partnership (DOJ sponsored). Additionally, he has lectured to state and local prosecutors for the National District Attorney’s Association. Recently, he presented a paper on the training considerations of a computer forensics curriculum at ISECON 2004 in Newport, RI. Mr. Malinowski also serves as a Practitioner-in-Residence for the University of New Haven.

Chapter 3, Criminal Investigation Analysis and Behavior: Characteristics of Computer Criminals — Dr. William Tafoya

William L. Tafoya is Professor of the National Security and Public Safety Graduate Program at the University of New Haven (CT). A retired FBI Agent, he was assigned to the Behavioral Science Unit at the FBI Academy in the mid-80s – early 90s. Following the arrest of Theodore Kaczynski in 1996, Dr. Tafoya gained considerable notoriety for his 1993 profile of the infamous UNABOMber. Also in 1993, Dr. Tafoya was the first law enforcement investigator to make use of the Internet in the UNABOMber case. Dr. Tafoya received his Ph.D. in Criminology from the University of Maryland in 1986.

Chapter 4, Investigative Strategy and Utilities — Ross Mayfield

Ross Mayfield is a nationally recognized expert in information systems and the field of computer law enforcement investigations. Currently he holds the faculty position of Practitioner-in-Residence at the University of New Haven, in the field of Cybercrime and Computer Forensics, and also serves as an instructor for SEARCH, Inc. He is a sworn Deputy Sheriff in Marion County, Kansas, served as a sworn Reserve Police Officer and Computer Forensic Investigator for Torrance, California, is a State of California Certified Computer Crime Investigator, an Institute of Criminal Investigation Certified Instructor, and has testified as an expert witness on information systems and computer forensics. Mr. Mayfield served nearly four years as Adjunct Professor of Management Information Systems and lectured on Technology Management at Pepperdine University. He has been a featured lecturer on Internet security at U.S. Justice Department sponsored symposiums. He is the discoverer of Mayfield’s Paradox, a fundamental principle of Information Security proven by the Mathematics Department of the University of Southern California. Mr. Mayfield is a patent holder. He was a recipient of Citicorp’s highest Technical Achievement Award.

Chapter 5, Training Strategies for Computer Cops — Fred Cotton

Mr. Cotton is currently a Computer Training Specialist for SEARCH, Inc., The National Consortium for Justice Information and Statistics, where he provides technical assistance and training to local, state, and federal criminal justice agencies. He instructs a variety of technology crimes courses for SEARCH at its National Criminal Justice Computer Laboratory and Training Center in Sacramento, California, and at other sites nationwide. From 1986 until 2004, Mr. Cotton was the Director of Training Services, and oversaw the development of the National Criminal Justice Computer Laboratory and Training Center from its inception until his semi-retirement in 2004. Mr. Cotton has helped shape law enforcement training in the field of Computer Crime Investigation and Digital Evidence Recovery, training thousands of investigators and other Criminal Justice Practitioners across the nation. He has also taught Advanced Officer courses and officer safety subjects in the Basic Police Academy, and was an invited guest of Norway’s National Bureau of Criminal Investigation where he provided training on computer investigations. Mr. Cotton has 28 years of law enforcement service as a Field Supervisor with experience in operations, investigations, records, training and data processing. In addition to his duties at SEARCH, he has served as a Reserve Police Officer with the Yuba City, California, Police Department where he is assigned to the Sacramento Valley High-Tech Crimes Task Force, and a Specialist Reserve Officer with the Los Angeles Police Department where he is assigned to the Organized Crime and Vice Division.

Chapter 6, Internet Crimes Against Children — Monique Ferraro & Joseph Sudol

Monique Mattei Ferraro is an Assistant Professor of Criminal Justice at Post University in Connecticut. She is a Certified Information Systems Security Professional who has written and lectured extensively on Internet safety and child exploitation. She has worked in several different capacities within the Connecticut Department of Public Safety for eighteen years. She is a former chairperson of the Connecticut Bar Association’s Computer Law Section. She is the 2003 recipient of the Connecticut Law Tribune’s New Leaders of the Law “Inspiration” Award. Her book, Investigating Child Exploitation: the Internet, Law and Forensic Science, co-authored with Eoghan Casey, was published in 2004. She holds a Master’s Degree from Northeastern University and a Law Degree from the University of Connecticut School of Law.

Joe Sudol is a Senior State police officer experienced in computer crime, arson and insurance fraud, criminal investigations, and law enforcement administration. He has twenty-six years of law enforcement experience; fourteen years in a supervisory position. As a guest lecturer at international law enforcement conferences, universities, and training seminars, he has been the subject of numerous television and print media interviews on computer crimes involving online fraud, child pornography and misuse of computer systems. Mr. Sudol has conducted high-profile homicide investigations and sensitive internal investigations. He has completed training for certification as a State Fire Marshal. He has served as Executive Officer for the Division of Scientific Services, encompassing the computer crime and electronic evidence unit, forensics lab, and toxicology laboratory. He is responsible for administrative oversight of all three divisions, and charged with managing over one million dollars in state and federal grants. Mr. Sudol is accountable for daily computer crime investigation, forensic examinations of electronic evidence, and training of both law enforcement agencies and the public.

Dr. Fred Cohen is best known as the inventor of computer virus defense techniques, the principal investigator whose team defined the information assurance problem as it relates to critical infrastructure protection today, as a seminal researcher in the use of deception for information protection, and as a top flight information protection consultant. But his work on information protection extends far beyond these areas. In the 1970s, he designed network protocols for secure digital networks carrying voice, video, and data; and he helped develop and prototype the electronic cash watch for implementing personal digital money systems. In the 1980s, he developed integrity mechanisms for secure operating systems, consulted for many major corporations, taught short courses in information protection to over 10,000 students worldwide, and in 1989, he won the prestigious international Information Technology Award for his work on integrity protection. In the 1990s, he developed protection testing and audit techniques and systems, secure Internet servers and systems, defensive information warfare techniques and systems, early systems using deception for information protection, and bootable CDs designed for forensics and secure server applications. All told, the protection techniques he pioneered now help to defend more than three quarters of all the computers in the world. Dr. Cohen has authored almost 200 invited, refereed, and other scientific and management research articles. He received his M.S. in Information Science from the University of Pittsburgh in 1980 and his Ph.D. in Electrical Engineering from the University of Southern California in 1986.

Chapter 8, International Hacking Crimes — Dario Forte, CISM, CFE

Dario Forte, CFE, CISM, a 36-year-old former police detective, is the DFlabs Founder. He has been a top-profile operator in the area of Information security since 1992. A member of the Computer Security Institute, USENIX and Sage, Mr. Forte has been requested to send his subject-area-related articles for publication all over the world and was a contributor and/or panelist at numerous international conferences on Information Warfare, such as RSA Conference, DFRWS, Computer Security Institute, U.S. Department of Defense Cybercrime Conference, and US Department of Homeland Security (NYECTF). He was also the keynote speaker at Black hat conference in Las Vegas, NE. As an Info Security Analyst, Dario worked both in the Government and Corporate sectors, and is a member of the IS International project, under NdA. Mr. Forte teaches classes and presents lectures on Information Security Management at universities and other accredited institutions worldwide.

Over the last 10 years, Dario, who is present in the International Editorial Board of “Network Security” and “The International Journal of Digital Investigations” (Elsevier Science Group), has been working on a global scenario with a number of government agencies, such as NASA and US Army/Navy, providing his services to aid in resolving incident-response matters, setting up forensics procedures, and successfully finalizing many important hacking-related investigations. Currently, Dario is Adjunct Faculty Professor at the University of Milan, Italy, and President of the European Chapter of HTCIA (High Tech Crime Investigation Association). He started the IRItaly Project and is Project Leader of the Italian Honeynet Project. Finally, he provides security consulting and Incident Response/Forensics services to the Italian Government, law enforcement agencies, and the corporate world.

Index

A

Abraham, Abigail, 2
Anderson, Michael, 2
Antiforensic and antibacktracing tools, 180
    Onion Routing, 181–188
    using covert channels (NCovert), 180

B

Backtracing procedure (international level), 188
    chain of attack reconstruction/worldwide task forces interface, 189–190
    coordinate with foreign colleagues, 190–191
    normalize inputs in electronic format, 190
    See also Network forensics/commonly used tools
Bank embezzlement by software modifications, 1
Beyond Tolerance, 134
BindView, 180
Bishop, Matt, 4
Black hats/gray hats, 57
Brandeis University (CyberPsychology Institute), 71
Bresinksky, Dirk, 60
Brooks, Pierce, 63
Brussel, James A., 61, 69

C

Carl, Peter, 60
Carnegie-Mellon Institute (computer emergency response teams/CERT), 4
Case board, 95
    examples, 96–99
    type of intelligence gathered, 95–96
Cell (Onion Routing), 184–186
    Application Proxy (AP), 184
    Core (C), 184–185
    Crypto Processor (CP), 185
    Database Engine (DB), 184
    Input Funnel (IF), 186
    Output Funnel (OF), 186
    Responder Proxy (RP), 186
Checkmate system, 81
Child pornography, 133
    free access to, 131
    grooming, 130
    growth of, 129–130
        availability of digital cameras/videos/scanners, 131
    preferential sex offender, 130, 133
    study of traffickers, 133–134
    use of citizens' band (CB) radio, 132
    See also Internet crimes against children
Chronological case log, 94, 108
CIBA (cyber investigative behavioral assessment), 58, 67, 83
Citibank, electronic attack on, 5
CLF (common logic format) paradigm, 196–198
Computer Analysis Response Team (CART/FBI), 6
Computer criminals/profiles of, 55–56
    black hats/gray hats, 57
    future directions, 80, 82–83
        Checkmate system, 81
        neurolinguistic analysis, 81
        neurotechnology research, 81
        insider threat, 82
    methodology, 80
    predictive indicators, 78–80
    profile process, 74–76
    serial computer criminals (crackers), 56
        differences from other crimes, 57
    uncertainties common to criminal inquiries, 69
        conceptual considerations, 69–70
        interagency obstacles, 70–71
        investigative dilemmas, 70
        profiling as a recognized discipline, 71–72
        scholarly concerns, 71
    See also CIBA; Profiling
Computer Investigation and Technology Unit (CITU)/NYPD, 22
    as example of investigative unit, 30–31
Computer Security Incident Handling Guide, 241, 265–266
    incident response capability and recommendations, 266–270
        containment/eradication/recovery, 277–278
        denial of service (DoS) incidents, 266, 271–272
        detection and analysis, 275–277
        inappropriate usage incidents, 274
        malicious code incidents, 272–273
        multiple component incidents, 275
        post-incident activity, 279
        unauthorized access incidents, 273–274
Computers at Risk, role in forensic investigation field, 239–240
Computers in crime
    coordinated attacks problem, 179
        damage to information, 180
        data availability criterion violation, 180
        extortion attacks, 179–180
        information theft, 180
    distributed-attack scheme, 197–198, 199f
        agent, 198
        final target, 198
        handler, 197–198
        master, 197
        preventive methods (information sharing/honeynets), 198–203
    as repository of criminal evidence, 15, 19–20, 293–294
    as targets of criminal activity, 15, 19
        risk levels, 76
    as tools for criminal activity, 15, 20, 292–293
        first case of embezzlement, 1
        largest reported/prosecuted case, 1
    See also Cyber Terrorism; Internet crimes against children
Cooper, Gary, 2
Cotton, Fred, 3
Covert channels, 180
Crackers, 58
    See also Computer criminals/profiles of
Crime scene
    behavioral assessment of, 76–77
        typology, 77–78
        victimology, 77
    See also Electronic crime scene
Crimes Against Children (CAC) task force/FBI, 143–144
    Innocent Images Initiative, 143
Cyber Crimes Program (FBI), 144
    See also Innocent Images Initiative
Cyber jihad, 212
Cyber security research, 235
Cyber terrorism, 226
    Al Qaeda capabilities, 213
    case studies
        Former Republic of Yugoslavia (FRY)/Nato conflict in Kosovo, 212
        Israeli/Palestinian conflict, 211–212
        Pakistan/India conflict, 211
        U.S.–China spy plane incident, 212–213
    characteristics, 256
    cyber attack tools, 217
    and cyber intelligence, 222–224
    Homeland Security Department principles for information systems development, 208, 256–257
    homeland security support (U.S.A.), 207–208
    infrastructure attacks, 209
    policy issues, 210–211
    potential terrorist attacks, 213
        Domain Name Service (DNS) attacks, 213–214
        routing vulnerabilities, 214
        Web defacements, 213
    potential terrorist targets, 208–209, 209t, 256
    research issues, 224–225
    silo phenomenon, 208
    U.S. policy, 214–215
        cyberspace protection, 215–218
        infrastructure sectors protection, 215
    See also Information warriors; National Strategy for the Physical Protection of Critical Infrastructures and Key Assets; National Strategy to Secure Cyberspace; Net War
Cyber Tip Line, 135, 141
Cyber War, 220–222
Cybercrime squad (NYPD), 22
CyberForensic Associates, 103
CyberPsychology Institute (Brandeis University), 71
Cyberprofiling. See Computer criminals/profiles of

D

Dartmouth University, 4
Daubert Guidelines, 175–176
Davis v. Gracey (1997), 19
DDoS (distributed denial of service). See Computers in crime/distributed-attack scheme; Honeynets
Deception Toolkit, 203
Decoy Server (Symantec), 201
Department of Homeland Security. See Cyber terrorism
Domain Name Service (DNS) attacks, 213–214
DoS (denial of service) incidents, 266, 271–272, 286
    containment/eradication/recovery recommendations, 277–278

E

Education and training, 231–232, 237
    cyber security research investment, 235
    Education Training Matrix, 231t
    new academic discipline emergence, 232–235
    steps to meet new requirements, 235–237
    See also Training computer crime investigators
Electronic crime data locations
    computer hard drive, 8
    databases, 8
    electronic record systems, 8
    file servers (computer), 8
Electronic crime scene, 5–6
    evidence fragility, 5
    evidence hiding techniques, 5
    file hiding techniques, 6
    first responders' guidelines, 6–7, 10–14
        crime scene management, 9
        crime scene procedures, 10–14
        equipment/information value, 7
        information collection, 8–9
        legal access to information repositories, 8
    global nature of evidence/jurisdiction, 5
    See also Evidence recovery from electronic media; Forensic computer investigation; Investigative tools
Electronic Crime Special Agent Program (ECSAP/Secret Service), 6
Encryption, 105–106, 286
    and evidence hiding, 5
Equity Funding Insurance Company, largest recorded/prosecuted computer crime, 1
European Electronic Crime Task Force, 202
Evidence recovery from electronic media, 103
    analysis (good practice), 174
        computer fallibility, 177
        Daubert Guidelines, 175–176
        digital data as part of overall picture, 176–177
        process of elimination, 174–175
        scientific method, 175
    deleted evidence recovery, 104
    disk utilities, 104–105
    drive duplication utilities, 103
    forensic suite software, 106
    graphic and file viewer utilities, 104
    hash/checksum utilities, 105
    network drive storage, 106–107
    passwords and encrypted media, 105
    RAM memory, 106
    search utilities, 104
    traffic analysis, 181
    See also Backtracing procedure (international level); Forensic computer investigation; Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers
Evidence recovery from electronic media/challenges to, 149, 178
    evidence analysis, 167
        content, 167
        contextual information, 167–168
        good practices, 174–177
        inadequate expertise, 170–171
        location, 170
        meaning, 168
        ordering/timing, 169–170
        process elements, 168–169
        reconstructing elements of digital crime scene, 172–174
        relationships, 169
        simulated reconstructions, 171–172
        unreliable sources, 171
    evidence collection, 154
        audit trails, 155
        chain of custody, 155
        consistency of evidence, 155–156
        establishing presence, 154–155
        forensic imaging, 157–158
        how evidence was created, 155
        nonstored transient information, 158–159
        proper handling during collection, 156
        secret science and countermeasures, 159–160
        selective collection and presentation, 156–157
    evidence identification, 152
        common misses, 152–153
        false evidence, 153
        "good practice," 154
        nonstored transient information, 153
        overlooked information, 153
    evidence storage, 165
        best practices principles, 166
        decay over time, 165–166
        evidence of integrity, 166
    fabricated/fabrication/fabricating, 172
    faults and failures, 149–150
        false positives/negatives, 149
        "good practices," 151
        latent nature of evidence, 150–151
    legal issues, 150
        prejudicial value, 150
        probative value, 150
        refuting challenges, 151–152
    seizure errors, 160
        acting for law enforcement, 161
        collection limits, 162–163
        detecting alterations, 162
        faulty type review, 164
        good practice, 163–164
        warrant scope excess, 160–161
        wiretap limitations/Title 3, 161–162
    transport of evidence, 164
        good practice, 165
        packaging for transport, 164–165
        possession/chain of custody, 164
        time requirements for due care, 165

F

Fielding Institute (Santa Barbara, CA), 71

Forensic computer investigation, 239
  case example, 92–93
  future directions, 229–230
  importance of, 92–93
  initiating investigative protocol, 14–16
  strategy, 91–92, 109–110
    chain of custody, 108
    critical success factors identification, 99
    evidence gathering/locations, 100
    exhibits/reports/findings, 108
    expert testimony, 109
    intelligence gathering, 94–99
    jurisdiction issues, 94
    probable cause determination, 94
    processing/critical evidence recovery, 103–107
    securing evidence/warrant execution, 100–103
    system view/inputs, 93
  University of New Haven program, 4, 52
  _See also_ Antiforensic and antibacktracing tools; Evidence recovery from electronic media; Evidence recovery from electronic media/challenges to; Investigative unit in computer crime; Investigators into computer crimes; Network forensics/commonly used tools

"44 Minutes" documentary (case example), 92–93

Fourth Amendment, 16–17
  and access to information repositories, 8
  _See also_ Legal issues in computer search/seizure

"Frankel Case" (CT), 11

Freeware, 191–192

Frequency-based policies, 201

G

Gantt chart use by investigative units, 41–42

Global issues in electronic crime, 5

H

Hackers/hacking, 58, 287

Hazelwood, Roy, 56, 64

Hess, Markus, 60

High Technology Criminal Investigation Association (HTCIA), 2, 51

Honeynets, 199
  benefits, 200
  distributed scheme for information gathering, 200f
  and Electronic Privacy Act, 201
  honey wall, 202–203
  Honeyed example, 202
  honeypots, 199
  low- and high-interaction honeypots, 198–201
    sticky honeypots (no-interaction), 203
  noise reduction, 199
  use by investigators, 203
  variations, 201–203
  _See also_ Deception Toolkit; Operation Root Kit

Horton v. California (1990), 18

Huebner, Hans (Pengo), 60

I

"I love you" virus (2000), 5

ICAC task force. _See_ Internet crimes against children/task force

Icove, David J., 64

Identity theft, 5–6

Illinois School of Professional Psychology, 71

Inappropriate usage incident, 266, 274

Information Technology Working Group, 3
  "Training the Trainers" strategy, 3

Information warriors, 218–220

Innocent Images Initiative, 143
  history of, 144f

International Association of Crime Investigative Specialists (IACIS), 2

International cooperation in computer crime investigation, 205
  Operation Root Kit example, 203–204

Internet crimes against children, 129–133, 146
  assumed privacy vs. Internet access agreements, 131–132
  distribution of child pornography, 131
  e-groups, 135
  ICAC task force, 136, 143, 145–146, 147f
  Internet usage by children/teens, 132
    chat rooms/profiles, 140–142
    and online relationships, 133, 139
  investigations, 134–135
  law enforcement efforts, 142–146
  newsgroups, 134
  pornography traffickers, 133–134
  Web sites, 134–135
  _See also_ Child pornography; Crimes Against Children (CAC) task force/FBI

Investigative strategy and utilities. _See_ Forensic computer investigation

Investigative tools, 16
  case board, 95–99
  chronological case log, 94

Investigative unit in computer crime, 21–22, 53–54
  investigations
    proactive vs. reactive investigation type, 32–33
    productivity and metrics, 33
    resources, 34–36
    responsibility, 31–32
  liaisons with training organization, 119
  mission statement, 22–23
    examples defining scope of unit's work, 24–29
    general mandate example, 29–30
  staffing, 36–38
    administrative issues, 43
    advancement/reward structure, 44–47
    case example/dual roles, 40–42
    case investigator, 38–39
    civil service constraints, 42
    interviewing, 48–50
    lab specialist, 39–40
    other agency participation, 42
    recruitment/hiring/retention, 42–43
    retirement, 43–44
    training, 50–53
  unit name, 22
  _See also_ Computer Investigation and Technology Unit (CITU)/NYPD

Investigators into computer crimes, 19
  coordination of computer science and criminal justice education programs, 3–4
  as determined intruder, 107
  marketability, 42
  pioneer investigators, 2
  _See also_ Training computer crime investigators

IRS Criminal Investigation Division (IRS-CID), 2

J

Jenkins, Philip, 134

K

Kelso, Robert, 2

Koch, Karl (Hagbard), 60

Kolodney, 2

Kruse, Warren, 202

L

Landslide Web portal investigation, 134–135

Law enforcement computer forensic teams (U.S.), 6

Legal issues in computer search/seizure, 8, 16–17
  Rule 41, 19
  with a warrant, 18–19
  without a warrant, 17–18

Lent, Cynthia, 72

Levin, Vladimir, 5

"Linkage Blindness," 70

_Liturgical examination_, 198

Lovelace, Mark, 180

M

Malicious code incidents, 266, 272–273
  containment/eradication/recovery incidents, 278

Mann Act, 142–143

Manson, Kevin, 2

Mayfield's Paradox, 91, 107–108

Mitnick, Kevin, 65

Mix (Onion Routing), 183–184

Moore's law, 34

Multiple component incidents, 266, 275
  containment/eradication/recovery incidents, 278

MyDoom Virus, 56

N

National Center for Missing and Exploited Children, 135, 146

National Institute of Justice/Technical Working Group for Electronic Crime Scene Investigation (TWGECSI), _Electronic Crime Scene Investigation_, 6, 10, 16

_National Strategy for the Physical Protection of Critical Infrastructures and Key Assets_, 240, 253–254
  case for action, 255–256
  mission/objectives, 254
  national policy/guiding principles, 256–257
  organization/partnering, 257
    cross-sector security priorities, 261–263
    federal lead departments/agencies, 258–259
    federal responsibilities, 258
    private sector responsibilities, 260–261
    state and local government responsibilities, 259–260
  shared responsibility, 254–255
  unique protection areas, 263–264

_National Strategy to Secure Cyberspace_, 214–215, 240, 243–244
  government role, 245–246
    Department of Homeland Security role, 246–247
  national effort, 250–251
  priorities, 247
    national cyberspace security awareness and training program, 249
    national cyberspace security response system, 247–248
    national cyberspace security threat/vulnerability reduction program, 248
    national/international security cooperation, 250
    securing governments' cyberspace, 249–250
  strategic objectives, 244
  threat and vulnerability, 244–245

National White Collar Crime Center, 3, 51

Naval Postgraduate School Campus/Monterey, 4

NCovert, 180

Net War, 220–222

Network forensics
  CLF (common logic format) paradigm, 196–198
  commonly used tools, 191
    freeware and open source, 191–192
    other tools, 194–195
    sanitize, 192–194
    Snort, 195–196
    tcpdump, 192
    Trinux, 191–192, 194

Network infrastructure/security concerns, 230

New York Electronic Crimes Task Force, 116

North Hollywood shoot-out case (computer forensic investigation example), 92–93

Northwestern University, 71

O

Onion Routing, 181–182
  applications, 187–188
  dangers, 186–187
  differences with other anonymity services, 182–183
  roadmap, 183
  terminology, 183–186
    cell, 184–186
    mix, 183–184

Open source, 191–192

Operation Avalanche, 134–135, 136f–138f

Operation Candyman, 135, 139f

Operation Root Kit, 203–204

P

Passwords, 105–106

Peace Officer Standards and Training (POST) instruction, 3

President's Critical Infrastructure Group, 2

Profiling, 58–59, 65–67
  criticism of, 73
    demonstrations of efficacy, 74–76
    as non-traditional approach, 73–74
  cyber investigative behavioral assessment (CIBA), 58
  education/training, 72–73
  FBI development of, 62–63, 72
    Police Fellows program, 64–65
    "Profiler" computer program, 64
    Violent Criminal Apprehension Program (VICAP), 63–64
  future directions, 80
    Checkmate system, 81
    neurolinguistic analysis, 81
    neurotechnology research, 81
  history of, 59
    "Mad Bomber" profile, 60–62
    study of Hitler, 59–60
    The Unabomber, 62
  literature review, 67–68
  predictive indicators, 78–80
  successes/failures, 65
  uncertainties applicable to computer criminal profiling, 69–72
    authenticities of profilers, 69
    professional recognition, 71–72
    profiling skeptics, 71
  _See also_ Computer criminals/profiles of

Project Honeynet, 83

Purdue University, 4

R

RAM CACHE communication, 7

Reno, Janet, 3

Rosenblatt, Ken, 2

Routing vulnerabilities, 214

S

_Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers_, 241, 281
  describing property to be seized, 281–285
  drafting affidavits supporting warrants, 285
    background staleness issue, 291–292
    background technical information, 285
    computer role in offense, 292–294
    search strategy, 294–297
    special considerations, 297–298
  drafting affidavits supporting warrants/background technical information
    addresses, 285
    cookies, 285–286
    data compression, 286
    denial of service (DoS) attack, 286
    domain, 286
    domain name, 286
    encryption, 286
    file transfer protocol (FTP), 286–287
    firewall, 287
    hacking, 287
    instant messaging (IM), 287
    Internet, 287
    Internet Relay Chat (IRC), 287–288
    Internet Service Providers (ISPs), 288
    IP Address, 288–289
    Joint Photographic Experts Group (JPEG), 289
    log file, 289
    Moving Pictures Expert Group (MP3), 289
    packet sniffing, 289
    peer-to-peer (P2P) networks, 289–290
    router, 290
    server, 290
    tracing, 290
    user name/user ID, 290
    virus, 291

Sanitize, 192–194

Schmidt, Howard, 2

SEARCH Group, Inc., 2–3

Seized Computer Evidence Recovery Team (SCER/IRS), 6

Serial computer criminals (crackers), 56

_See also_Computer criminals/profiles of

Simple Nomad, 180

Snort, 195–196

Spafford, Eugene, 4

Spernow, Bill, 3

_Spoofare_, 202

Spoofing schemes, 5

Statutory law and computer crime, historical developments, 2–3

Steganography, and evidence hiding, 5

"Stepping stones," 180, 183f

System, definition, 93

T

TCP-Reduce, 195

Tcpdpriv, 195

tcpdump, 192

Technical Working Group for Electronic Crime Scene Investigation (TWGECSI), 6
  _See also_ Electronic crime scene/first responders' guidelines

Thackeray, Gail, 2

Threat spectrum, 217–218, 218t

Tracelook, 195

Training computer crime investigators, 50–53
  budget requirements, 52
  certification requirements, 50–51
  early training issues, 1, 3
  education programs, 4, 20, 72–73
  future directions, 229–230
  importance of, 50
  instructor development resources, 119–120
  opportunities for law enforcement personnel, 51–52
  risks, 53
  the training organization, 111, 127–128
    course design/course map, 114–115
    equipment, 120–122
    funding, 123–124
    hands-on environment, 111–114
    materials, 123
    personnel, 117–120
    record keeping, 124–126
    specialized/update training, 115–117
    testing/certification, 127
  "Training the Trainers" strategy, 3
  _See also_ IRS Criminal Investigation Division (IRS-CID); University of New Haven computer forensics program

Trinux, 191–192

U

Unauthorized access incidents, 266, 273–274
  containment/eradication/recovery incidents, 278

United States v. Carey (1999), 18

United States v. Gawrysiak (1997), 18–19

United States v. Hall (1998), 17

United States v. Whitfield (1991), 17

University of California/Davis, 4

University of New Haven computer forensics program, 4, 52, 72

University of Virginia, 71

V

Vattis, Michael, 4

Viruses, 291

"I love you" (2000), 5

MyDoom, 56

W

Web defacements, 213

Whitledge, Tony, 2

Windows and DOS systems basics for forensic investigation, 14
