CHAPTER 61

WORKING WITH LAW ENFORCEMENT

David A. Land

61.1 INTRODUCTION

61.2 RELEVANT LAWS

61.3 PLAN AHEAD

61.3.1 Federal Bureau of Investigation

61.3.2 U.S. Postal Inspection Service

61.3.3 U.S. Secret Service

61.4 MEMORANDUM OF AGREEMENT

61.5 HANDLING EVIDENCE AND THE CHAIN OF CUSTODY

61.6 ISSUES OF LIABILITY

61.7 ASK LAW ENFORCEMENT TO GIVE BACK

61.8 THE KNOCK AT THE DOOR

61.9 KEEPING YOUR OPERATION RUNNING DURING AN INVESTIGATION

61.10 NONELECTRONIC RECORDS AND THE INSIDER THREAT

61.11 INFORMATION SHARING (THE HUMAN FACTOR)

61.12 CONCLUSION

61.13 FURTHER READING

61.14 NOTES

61.1 INTRODUCTION.

Today, working with law enforcement is likely one of the most important aspects of computer security, and of our collective need to protect our sites and our sites' information. In times past this was not the case, but the paradigm has shifted: you will need law enforcement, and they will most certainly need you. Understanding their needs before, during, and after the commission of a crime significantly enhances your organization's opportunity to come back online quickly, with, it is hoped, little or no disturbance to your users or customers. Likewise, conveying your needs to law enforcement prior to an incident will serve you well later on. Working with law enforcement is, however, not your opportunity to assume the role of law enforcement. You must know your limitations and at what point to engage your law enforcement contacts.

Most organizations, whether they support the corporate or the government sector (.com or .edu), will at some point have a need to meet, or otherwise collaborate with, a local, state, or federal law enforcement or intelligence agency. The term “intelligence agency” is included here to remind the reader that entities, such as the Federal Bureau of Investigation (FBI) and other government departments within the United States, have an intelligence role tied directly to computer incidents or cyber-related investigations. Furthermore, as cyber-related crimes know no geographical bounds, there is also the possibility that investigative agencies of other nations, such as the Royal Canadian Mounted Police and Interpol, might need to become involved. The need for collaboration with any of these agencies is driven by the inevitable reality that at some point, a computer or cyber-related crime will be committed where the computers or information of an organization are the targets of unwelcome attacks.

The goals of law enforcement tend to vary based on jurisdiction and the intended mission of an investigating organization. Where a computer or cybercrime may be of little or no prosecutorial value to one agency, another may find there is indeed value in pursuing. Keep that in mind when making that first contact. Also keep in mind that there is absolutely nothing wrong with selling your company's desire to pursue an investigation to law enforcement. It may be the case that you must do some of the initial investigative legwork to make it more attractive for law enforcement to pursue. Much will depend on the nature of the crime and any losses your organization may have experienced.

Threats may come from outside, from hackers, crackers, phreakers, and the like, or from inside, from a trusted employee or a competitor attempting to steal, acquire, or otherwise damage information critical to your organization's viability. Even more likely are issues of fraud, waste, and abuse by an individual who has legitimate and authorized access to organizational networks or computing systems. To address these inevitabilities, it is prudent to examine your organization for potential vulnerabilities and to develop a logical path forward in addressing them. In the planning process, identify your supporting law enforcement organizations and meet with them in order to put in place some form of memorandum of agreement (MOA). This memorandum should clearly articulate the responsibilities of each entity; creating this document will save everyone a substantial amount of time, avoid potential miscommunications, and ensure that organizational information and assets are handled in an appropriate manner.

61.2 RELEVANT LAWS.

In examining computer crime laws, it is worthwhile to understand which laws, and which law enforcement agencies, are responsible for responding to you or your organization. It is equally necessary to know when the need for law enforcement involvement is warranted and unwarranted. When does a computer crime break a federal, state, or local law? Exhibit 61.1 lists crimes that should be reported whenever they are discovered or when there is any uncertainty as to their status as a crime. Exhibit 61.2 presents a list of activities you should not report.

61.3 PLAN AHEAD.

When you know when and whom to call, dealing with any type of significant cyberincident can be manageable. Leaving things to chance or uncertainty, or assuming that someone else is responsible and will take care of things can leave your organization in a very precarious situation. Know who is responsible for the conduct of a computer-related investigation and, where possible, train for such likelihoods. These efforts can greatly reduce the time from discovery to prosecution.


EXHIBIT 61.1 Activities You Should Always Report

Source: http://i.i.com.com/cnwk.1d/i/tr/downloads/home/computer_crimej'eporting_checklist.pdf.

They can also reduce the potential of having agencies involved that would otherwise not have a need to know (e.g., the local press). (See Exhibit 61.3.)

61.3.1 Federal Bureau of Investigation.

The Federal Bureau of Investigation (FBI) investigates violations of more than 200 categories of federal law; prosecution itself rests with the Department of Justice and the U.S. Attorneys. Relative to the cyber world, the FBI has two primary responsibilities:1 First, it is the lead law enforcement agency for investigating cyber attacks by foreign adversaries and terrorists. Second, it works to prevent criminals, sexual predators, and others intent on malicious destruction from using the Internet and online services to steal from, defraud, and otherwise victimize citizens, businesses, and communities.


EXHIBIT 61.2 Activities You Should Not Report

Source: http://i.i.com.com/cnwk.1d/i/tr/downloads/home/computer_crimej'eporting_checklist.pdf.

The FBI retains jurisdiction over cases involving national security, including counterintelligence and counterproliferation, terrorism, banking, and organized crime. The U.S. Secret Service retains jurisdiction where the Treasury Department is victimized and over attacks on computers that do not fall under the FBI's purview. In certain federal cases, U.S. Customs, the Commerce Department, or a military investigative organization, such as the Air Force Office of Special Investigations, the Naval Criminal Investigative Service, U.S. Army Intelligence, or the U.S. Army Criminal Investigation Division, may also have jurisdiction. These lines shift as agencies are reorganized (the Secret Service, for example, moved from Treasury to the Department of Homeland Security in 2003), so confirm the current point of contact with your local field office rather than relying on a printed list.

In the United States, a number of federal laws protect against attacks on computers, misuse of passwords, electronic invasions of privacy, and other transgressions. The Computer Fraud and Abuse Act of 1986 is the statute governing most common computer crimes, although prosecutions may take place under other laws. The Computer Abuse Amendments Act of 1994 expanded the 1986 act to address the transmission of viruses and other harmful code.

EXHIBIT 61.3 Computer Crime Reporting Checklist: Where to Report


Source: http://i.i.com.com/cnwk.1d/i/tr/downloads/home/computer_crimej'eporting_checklist.pdf.

Many of the states within the United States have adopted their own computer crime laws.

According to the Federal Investigative Guidelines,2 federal law enforcement can obtain an organization's proprietary information about an incident in only four ways:

  1. Request for voluntary disclosure of information
  2. Court order
  3. Federal grand jury subpoena
  4. Search warrant

Statutes Relevant to Computer Crime

  • Public Law 100-235 (aka Computer Security Act of 1987)
  • Public Law 99-508 (Electronic Communications Privacy Act of 1986)
  • Title 18 U.S.C. § 1030, Public Law 99-474 (Computer Fraud and Abuse Act of 1986)
  • Title 50 U.S.C. § 783 (b)
  • Title 18 U.S.C. § 794 (a) (espionage: delivering defense information to a foreign government)

61.3.2 U.S. Postal Inspection Service.3

The U.S. Postal Inspection Service is the federal law enforcement arm of the U.S. Postal Service. Postal inspectors enforce over 200 federal laws in investigations of crimes that may adversely affect or fraudulently use the U.S. mail, the postal system, or postal employees. Many fraud schemes that originate over the Internet, such as auction fraud or multilevel marketing schemes, or that involve payment or delivery via the U.S. mail, are under the jurisdiction of the Postal Inspection Service.

61.3.3 U.S. Secret Service.4

The U.S. Secret Service began as a force investigating counterfeit currency, and it still enforces all laws relating to “the counterfeiting of obligations and securities of the United States.” Its mandate has since expanded to financial crimes, identity theft, computer fraud, and computer-based attacks on the infrastructure of the United States. Like the FBI, the Secret Service is an investigative agency; the two work well together and collaborate on many cyber-related investigations.

61.4 MEMORANDUM OF AGREEMENT.

A memorandum of agreement (MOA) between any organization and any law enforcement agency is a prudent measure. With an MOA in place, both sides of any investigation have a clear understanding of what to expect. Within the MOA, specific points enumerate the breadth and depth of responsibilities.

For those interested, the Department of Justice maintains a list of recent computer crimes cases and who was involved in the litigation: www.usdoj.gov/criminal/cybercrime/cccases.html.

Know your limitations. Know when to call the police or FBI and when to deal with a situation yourself. Discuss the inherent problems on both sides, such as public disclosure.

61.5 HANDLING EVIDENCE AND THE CHAIN OF CUSTODY.

Many different cyber-related investigative agencies and groups can be found on the Web. For seven years, I have been a member of the International Association of Computer Investigative Specialists (http://cops.org), which offers to the public a comprehensive set of directions relative to computer forensics and the collection of electronic evidence. A step-by-step process for the examination and collection of electronic evidence follows.5

  1. Examine the media, logically and systematically, by starting where the data of evidentiary value is most likely to be found. These locations will vary depending on the nature and scope of the case. Examples of items to be noted might include:
    • If the media is a hard drive, the number and type of partitions should be noted.
    • If the media is an optical disc then the number of sessions should be noted.
    • File systems on the media should be noted.
    • A full directory listing should be made to include folder structure, filenames, date/time stamps, logical file sizes, and so on.
    • Installed operating systems should be noted.
    • User-created files should be examined using native applications, file viewers, or hex viewers. This includes such files as text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound, and other multimedia files, and the like.
    • Operating system files and application created files should be examined, if present. This would include, but is not limited to, boot files, registry files, swap files, temporary files, cache files, history files, and log files.
    • Installed applications should be noted.
    • File hash comparisons may be used to exclude or include files for examination.
    • Unused and unallocated space on each volume should be examined for previously deleted data, deleted folders, slack space data, and intentionally placed data. Previously deleted filenames of apparent evidentiary value should be noted. Files may be automatically carved out of the unallocated portion of the unused space based on known file headers.
    • Keyword searches may be conducted to identify files or areas of the drive that might contain data of evidentiary value and to narrow the examination scope.
    • The system area of the volume (i.e., FAT, MFT, etc.) should be examined and any irregularities or peculiarities noted.
    • Examination of areas of the media that are not normally accessible, such as extra tracks or sectors on a floppy disk, or a host-protected area on a hard drive may be required.
    • To facilitate examination of data, including user settings and device and software functionality, the computer may be booted using either a copy of the boot drive or a protected program, in order to determine the functionality of the hardware and/or software.
    • The forensic software used during the examination should be noted by version and used in accordance with the vendor's licensing agreement. It should also be properly tested and validated for forensic use by the examiner or the examiner's agency.
  2. At the conclusion of the examination process, provide sufficient notation of any discovered material of an apparent incriminating or exculpatory evidentiary nature.
  3. Provide sufficient documentation of all standard procedures and processes initiated, as well as detailed notation of any variations made to the standard procedures.
  4. Properly mark any output of the recovered data with appropriate identifiers in accordance with policies from the examiner's agency.
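The examination steps above are procedural. As an added example, not from the chapter and not IACIS code, the following Python script performs three of them against a constructed sample tree: a full directory listing with logical sizes, timestamps and SHA-256 hashes; exclusion of files whose hashes match a known-good set (standing in for an NSRL-style hash library); and a known-header scan over a byte blob standing in for unallocated space. The sample files, the known-good set, the header table and the blob are all constructed for the example, and the function names and manifest layout are hypothetical rather than any tool's real format.

```python
"""Added example (not from the chapter): a minimal evidence-preservation pass
over a directory tree, following the examination steps quoted above.
All inputs are constructed inline so the script runs offline."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed "known good" hash set standing in for an NSRL-style library,
# used to exclude files from examination (step: file hash comparisons).
KNOWN_GOOD = {
    hashlib.sha256(b"standard OS file contents\n").hexdigest(),
}

# Known file headers (magic bytes) for header-based carving of unallocated space.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Full directory listing: relative path, logical size, mtime (UTC),
    SHA-256, and whether the hash matches the known-good set."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two runs produce the same manifest
        for name in sorted(filenames):
            p = os.path.join(dirpath, name)
            if not os.path.isfile(p) or os.path.islink(p):
                continue
            st = os.lstat(p)
            digest = sha256_file(p)
            rows.append({
                "path": os.path.relpath(p, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest,
                "known_good": digest in KNOWN_GOOD,
            })
    return rows


def manifest_digest(rows):
    """Hash of the listing itself; record it in the custody log so a later
    copy of the listing can be shown to be unaltered."""
    text = "\n".join(f"{r['path']}\t{r['size']}\t{r['mtime_utc']}\t{r['sha256']}" for r in rows)
    return hashlib.sha256(text.encode()).hexdigest()


def carve(blob):
    """Locate known file headers in a blob of unallocated space and return
    (offset, type) pairs in offset order. A real carver also needs footers or
    length fields to cut the file out; this only demonstrates the header scan."""
    hits = []
    for kind, magic in MAGIC.items():
        start = 0
        while (i := blob.find(magic, start)) != -1:
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def build_sample_tree():
    """Constructed sample evidence tree, for demonstration only."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as f:
        f.write("meet at 6:45 PM, lab door\n")
    with open(os.path.join(root, "sysfile.bin"), "wb") as f:
        f.write(b"standard OS file contents\n")  # matches KNOWN_GOOD
    return root


# Constructed stand-in for unallocated space: a JPEG header at offset 16 and
# a PDF header at offset 56, separated by zero fill.
UNALLOCATED = b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32 + b"%PDF-1.4 ..." + b"\x00" * 8

if __name__ == "__main__":
    root = build_sample_tree()
    rows = inventory(root)
    for r in rows:
        flag = "EXCLUDED (known good)" if r["known_good"] else "examine"
        print(f"{r['path']:<22} {r['size']:>6} {r['mtime_utc']} {r['sha256'][:16]}... {flag}")
    print("manifest sha256:", manifest_digest(rows))
    print("carved headers:", carve(UNALLOCATED))
```

Run the listing against a read-only mounted copy of the media, never the original drive, and write the manifest hash into the chain-of-custody record next to the image hash; both numbers are what let a court or a second examiner confirm that nothing was altered between collection and analysis.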

61.6 ISSUES OF LIABILITY.

In examining any media or conducting any cyber-centric investigation, consideration should be given to these areas:

  • Proprietary information
  • Business-sensitive information
  • Export-controlled information
  • Downloading copyrighted music or videos
  • National defense information

61.7 ASK LAW ENFORCEMENT TO GIVE BACK.

In many situations where law enforcement is notified of an event requiring further investigation, the agency may ask you for everything even remotely connected to the investigation. At the same time, most law enforcement agencies have the ability to give back. They can provide training to key personnel and information on various topics, including identity theft, espionage, equipment theft, access control, and so on.

61.8 THE KNOCK AT THE DOOR.6

What do you do if your first indication of a possible security incident is a law enforcement agent appearing at your office with a search warrant? In many cases, nothing could be more unnerving. However, if you have done your homework and you have an established rapport with this law enforcement agency, you have little to fear. You already have a plan in place for just such a situation, and you know the rights and obligations.

Although, under the best of circumstances, stress can still occur, it is important to remain unemotional and to express complete willingness to comply with the search warrant team. Avoid being defensive or giving the appearance that you are trying to hide anything. Offer all assistance possible and take these seven steps:

  1. Read the warrant carefully and understand what the search warrant team wants to search or seize.
  2. Notify both upper management and the legal department of current events.
  3. If the authorities want to search a local machine, the impact on the organization may be minimal. Get the appropriate manager or supervisor to evaluate the impact and to assist the officers in securing the machine. In cases of child pornography, the police will take the entire computer. Work with them to see if backup copies can be made of critical data and programs prior to removal.
  4. If a server is the target, see if copies of relevant portions of the hard drives will satisfy the requirements of the warrant. Where it is not possible to do this, involve your server and network administrators to bring down the server in an orderly fashion. Your plan should also include bringing online any backup server.
  5. Rarely will an entire network have to be taken down. Have your network administrator work with law enforcement to ensure orderly access to parts of the network described in the search warrant.
  6. After the search and seizure, the team will leave you “an officer's return” regarding what property was seized. Retain this document for review by your legal staff. Make arrangements with the team to follow up with them on the status of your equipment. Offer whatever technical assistance to law enforcement that your legal department deems advisable.
  7. Meet with your management, legal counsel, and technical staff after the team leaves to assess the impact of the seizures on your operations. Also, consider what actions need to be taken for continued operations.

61.9 KEEPING YOUR OPERATION RUNNING DURING AN INVESTIGATION.

Any investigation that involves a continued law enforcement presence requires time and resources of the organization to ensure support to clients or customers. In this regard, it is important to anticipate such an occurrence and to develop a plan on how to cooperate with law enforcement without shutting down your operation. For the most part, computer crime specialists can generate data dumps, make secure copies of files, and create logs without carting away all of your organization's computers. Administrators should, however, have a plan in place to allocate requisite resources in a manner that will avoid—or at least minimize—disruptions in business operations. Suggestions that will help to minimize the disruption caused by an on-site investigation follow.

  • Schedule meetings with key organizational members of your information technology organization, as well as other key legal and management employees, and develop a plan that can be implemented should a significant event take place during either normal or noncritical work periods. Once your plan is developed, test it!
  • If any part of the network needs to come down in support of investigative activities, arrange, where feasible, for this outage to take place during nonpeak hours. Your law enforcement counterparts may be of a different mind, with a greater sense of urgency to take down suspect systems. If possible, work out such details beforehand.
  • Depending on the operating system environment your organization operates in, you will need to know where to acquire the necessary logs and audit files. These files should be identified now rather than during the heat of a significant investigation. Doing this up front will help minimize the amount of staff time necessary to retrieve the files when needed.
  • Make sure law enforcement does not take software or database files for which no copy or backup exists. Prior to this, and as a matter of policy, ensure that all organizational employees and contractors are following required backup and copying procedures to avoid any unnecessary loss of vital data. Should any law enforcement agency show up with a warrant or subpoena, you are compelled to provide any and all information specified within those documents.
  • Keep the investigation compartmentalized, on a need-to-know basis. This action will reduce the amount of staff involved and protect the investigation. The more people cognizant of an ongoing investigation, the greater the possibility that information central to the investigation may be compromised.
  • Keep the lines of communication open with law enforcement. Knowing in advance about needs for records or access to information systems can save staff time and system downtime. In short, do not wait for law enforcement to visit you; visit them, and do it frequently. This establishes rapport and builds the trust that may be needed at some future time.
  • Encourage on-site copying of memory and any magnetic media rather than their removal. Computer forensics specialists possess this capability (so-called fly-away kits), and not all cases require the removal of equipment to a forensics lab. With law enforcement cooperation, you can schedule these procedures during nonpeak hours and keep your equipment on the premises and in service.

61.10 NONELECTRONIC RECORDS AND THE INSIDER THREAT

Insiders will not necessarily lose their special knowledge of internal controls when they switch roles from “insider” to “outsider.” These persons may remain a threat to the information system for some time. The distinction becomes even cloudier when some access to information systems remains, without all of the formal controls applied to other employees.7

Paper records, video surveillance tapes, proximity card records, and any other means of tracking employee activity can all play a major role in the investigation of computer crimes and incidents. Admittedly, no one wants to assume the role of “Big Brother,” but at the same time, an organization's livelihood may well depend on these methods of verifying access. No one metric exists that clearly demonstrates the true nature of insider threats. It is, however, reasonable to believe that greater than half of all computer crimes are committed by current or former insiders. To assess, and perhaps better to detect, this threat to organizational computing systems, internal documentation and monitoring become important evidence trails. For example, if video cameras monitor the entrances to the computer processing center or labs, the video surveillance tapes produced document the entrance and exit of any employee at a given time. If the entrances use access cards, the reports or databases containing the access records document employee traffic into sensitive areas. Conventional access tracking is not by itself foolproof and will not, for example, preclude “piggybacking,” where a second person follows an authorized cardholder through the door on a single badge swipe.

Contradictions between access and video records can often document anomalies or possible misdeeds that will require further investigation. For example, if the access control report indicates John Jones entered the computer lab at 6:45 P.M. on 07-12-08, but the videotape for the same time shows Sam Smith entering, there is a clear indication that Sam used John's card or access code, provided the clocks of the badge system and the video recorder have been checked against each other and the camera actually covers that door. The question then remains: Why? Is there a need to call in law enforcement? At first blush, there is no apparent need to make such a call. Only after some initial investigation by your security staff will this perhaps become necessary.

Paper files—personnel records, departmental documents, project logs, programming modification records, sign-out logs for software, and job assignment records—all tell a story. When you want to know who worked on what, or who had access to which project, paper records can often provide the needed history. Audit logs such as those stored on a UNIX or UNIX-type operating system within /var/log (for example, auth.log or secure for logins and privilege use, and the wtmp and lastlog records behind the last command) can provide even greater illumination.
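To make the badge-versus-video check concrete, here is an added example, not from the chapter, that correlates a constructed access-control export with a constructed video review sheet for the same door, flags cardholder mismatches and piggybacking, and then looks in constructed /var/log/auth.log-style lines for logins by the cardholder's account shortly after a flagged badge event. Names, file formats, the account mapping and every log line are invented for the example; the functions are hypothetical and not part of any product.

```python
"""Added example (not from the chapter): correlate badge-reader records with a
video review sheet and UNIX auth log lines to surface the contradiction described
in the text. All records below are constructed for illustration."""
import re
from datetime import datetime, timedelta

# Constructed access-control export: timestamp, door, credential holder.
BADGE_LOG = """\
2008-07-12 18:40:02,LAB-1,Mary Moore
2008-07-12 18:45:10,LAB-1,John Jones
2008-07-12 19:02:33,LAB-1,Mary Moore
2008-07-12 23:15:47,LAB-1,John Jones
"""

# Constructed video review sheet: who the reviewer identified at the door.
VIDEO_LOG = """\
2008-07-12 18:40:05,LAB-1,Mary Moore
2008-07-12 18:45:12,LAB-1,Sam Smith
2008-07-12 19:02:30,LAB-1,Mary Moore
2008-07-12 19:02:31,LAB-1,Unknown (piggyback)
2008-07-12 23:15:49,LAB-1,John Jones
"""

# Constructed /var/log/auth.log-style lines from a host inside the lab.
AUTH_LOG = """\
Jul 12 18:47:01 lab-host sshd[4101]: Accepted password for jjones from 10.0.5.23 port 51022 ssh2
Jul 12 23:16:10 lab-host sshd[4420]: Accepted publickey for jjones from 10.0.5.23 port 51200 ssh2
"""

# Hypothetical mapping from badge holder to login name.
ACCOUNTS = {"John Jones": "jjones", "Mary Moore": "mmoore"}

AUTH_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\w+) from (\S+)"
)


def parse_csv_log(text):
    """Parse 'timestamp,door,person' lines into (datetime, door, person) tuples."""
    rows = []
    for line in text.splitlines():
        ts, door, who = line.split(",", 2)
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), door, who))
    return rows


def parse_auth(text, year):
    """Parse syslog-style 'Accepted ... for USER from IP' lines. syslog omits the
    year, so the caller supplies it."""
    rows = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        mon, day, clock, user, src = m.groups()
        rows.append((datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"), user, src))
    return rows


def match_video(badge_rows, video_rows, window=timedelta(seconds=10)):
    """Pair each badge event with video observations at the same door within
    `window` (clock skew between the two systems must already be known).
    Findings: no_video, identity_mismatch (card used by someone else),
    piggyback (extra person seen on one swipe)."""
    findings = []
    used = set()
    for ts, door, holder in badge_rows:
        seen = [(i, v) for i, v in enumerate(video_rows)
                if v[1] == door and abs(v[0] - ts) <= window and i not in used]
        if not seen:
            findings.append(("no_video", ts, door, holder, None))
            continue
        i, (_, _, person) = seen[0]
        used.add(i)
        if person != holder:
            findings.append(("identity_mismatch", ts, door, holder, person))
        for j, (_, _, extra) in seen[1:]:
            used.add(j)
            findings.append(("piggyback", ts, door, holder, extra))
    return findings


def logins_after(finding, auth_rows, within=timedelta(minutes=15)):
    """Logins by the cardholder's account in the window after a flagged swipe:
    what the borrowed card was used for, if anything."""
    _, ts, _, holder, _ = finding
    user = ACCOUNTS.get(holder)
    return [(t, u, s) for t, u, s in auth_rows if u == user and ts <= t <= ts + within]


def investigate():
    """Return [(finding, follow-on logins)] for every anomaly in the sample data."""
    badge = parse_csv_log(BADGE_LOG)
    video = parse_csv_log(VIDEO_LOG)
    auth = parse_auth(AUTH_LOG, 2008)
    return [(f, logins_after(f, auth) if f[0] == "identity_mismatch" else [])
            for f in match_video(badge, video)]


if __name__ == "__main__":
    for finding, logins in investigate():
        print(finding)
        for t, u, s in logins:
            print(f"    followed by login as {u} from {s} at {t:%H:%M:%S}")
```

In the sample data the 6:45 P.M. swipe on John Jones's card is flagged because the reviewer saw Sam Smith, and the auth log shows a login as jjones two minutes later from the lab network, which is exactly the chain of records a security team would hand to investigators. The 7:02 P.M. swipe shows the piggybacking case: two people on camera, one swipe. Keep the raw exports and the review sheet under the same custody database described in the following paragraph; the correlation output is only a pointer back to them.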

To date, many information security professionals believe that computer crime usually emanates from an external source. The truth remains that most computer crimes are perpetrated by workers from within. Furthermore, a certain percentage of that crime will be cold cases, crimes that are discovered well after the fact. In investigating cold cases, investigators quickly discover that employees have left and that the pertinent software is no longer in use. To further exacerbate the problem, people's recollections rapidly fade, and remembering who did what, and when, is difficult. Paper records from projects, as well as any backed-up data, may be the best evidence available in cold cases. This is especially true looking well into the past, with a need to compare the new and the old.

When examining paper records, videotape, or any other media, maintain a database of what you have examined and any cross-references against other records. When any documented information is provided to law enforcement, your database will more easily support investigative activities and will further document the chain of custody of any evidence gleaned from these record sources. Such a record will prove to be an invaluable resource in quickly locating information in an investigation.

61.11 INFORMATION SHARING (THE HUMAN FACTOR).

Since 9/11, law enforcement agencies broadly agree that the sharing of information between any organization and law enforcement is critical to the success of cyber-related investigations. Working with any law enforcement agency has both benefits and consequences. Benefits accrue because:

  • Most law enforcement agencies have, or are quickly coming online with, a cyber-investigative capability. Many of the federal agencies have taken steps to train and educate investigators to ensure that the most comprehensive investigation is conducted with the least amount of disturbance to the victim agency.
  • Law enforcement agencies are also being funded to establish, or better train officers in, cyber-investigative disciplines that, in most instances, facilitate the acquisition of personnel, equipment, and training.
  • Working with law enforcement agencies can serve as a conduit to training and education for on-site first responders and cyber security personnel. The FBI or any other law enforcement agency benefits from better educating you as to what it wants and needs, as this helps to ensure that all evidence is properly collected and remains intact. Exhibit 61.4 is a draft example of how a memorandum of understanding (MOU) or memorandum of agreement (MOA) between two or more entities might be constructed for the purpose of sharing law enforcement data.

One of the resources in the United States for forming good relations with law enforcement agencies is InfraGard. The regional meetings of InfraGard members offer an excellent opportunity for sharing information with trusted members of critical infrastructure organizations and with law enforcement officials. The organization describes itself in this way on its home page:

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.

EXHIBIT 61.4 Information-Sharing Example


There is, however, another side to any relationship with law enforcement that must be considered. Despite your efforts to be as forthcoming as possible with law enforcement, situations may arise that will cause you and your organization great angst. There may be times when an investigator is simply not able to fully disclose all information gleaned during the conduct of an investigation. There also may be times when your efforts and your methodologies in investigating, prior to involving law enforcement, will come under scrutiny. Probably the most disconcerting of all situations is where law enforcement is compelled to make public disclosure of an incident. It is during these times that you want to work with your own management and legal staff as well as with the law enforcement agency conducting the investigation. Everyone concerned wants to make the public aware of any known or suspected threats, but this must also be weighed against the potential harm that might result from a public release. Another concern from the company's point of view is public perception of security measures within the organization, and to what extent they can protect information and thus customer investments.

61.12 CONCLUSION.

Trying to stay ahead of cybercriminals is not getting easier. Attempts to understand their intent or motivations are rarely successful. The best chance any organization has is to come to know local law enforcement agencies and to help them know you. Articulate your expectations in the event of a significant cyber event, and have them do the same. Working together is the only path to success. Given that not all computer security or cyber law enforcement entities are created equal, you have to be willing to share knowledge, all in pursuit of the same end goal.

61.13 FURTHER READING

Ballou, S., and K. Higgins, eds. Electronic Crime Scene Investigation: A Guide for First Responders. National Criminal Justice Reference Service of the Office of Justice Programs, U.S. Department of Justice, 2001. Available free from www.ncjrs.gov/pdffiles1/nij/187736.pdf.

Computer Crime and Intellectual Property Section. Criminal Division, United States Department of Justice. “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations,” 2002. Available free from www.cybercrime.gov/s&smanual2002.htm.

InfraGard home page: www.infragard.net/.

61.14 NOTES
