David A. Land
61.3.1 Federal Bureau of Investigation
61.3.2 U.S. Postal Inspection Service
61.5 HANDLING EVIDENCE AND THE CHAIN OF CUSTODY
61.7 ASK LAW ENFORCEMENT TO GIVE BACK
61.9 KEEPING YOUR OPERATION RUNNING DURING AN INVESTIGATION
61.10 NONELECTRONIC RECORDS AND THE INSIDER THREAT
61.11 INFORMATION SHARING (THE HUMAN FACTOR)
Today, working with law enforcement is likely one of the most important aspects of computer security, and of our collective need to protect our sites and our sites' information. In times past this was not the case, but the paradigm has shifted to one where you will need law enforcement, and they will most certainly need you. Understanding their needs before, during, and after the commission of a crime significantly enhances your organization's opportunity to come back online quickly, with, it is hoped, little or no disturbance to your users or customers. Likewise, conveying your needs to law enforcement prior to an incident will serve you well later on. Working with law enforcement is, however, not your opportunity to assume the role of law enforcement. You must know your limitations and at what point to engage your law enforcement contacts.
Most organizations, whether in the corporate, government, or academic sector, will at some point have a need to meet, or otherwise collaborate with, a local, state, or federal law enforcement or intelligence agency. The term "intelligence agency" is included here to remind the reader that entities such as the Federal Bureau of Investigation (FBI) and other government departments within the United States have an intelligence role tied directly to computer incidents or cyber-related investigations. Furthermore, as cyber-related crimes know no geographical bounds, there is also the possibility that investigative agencies of other nations, such as the Royal Canadian Mounted Police, or international bodies such as Interpol, might need to become involved. The need for collaboration with any of these agencies is driven by the inevitable reality that at some point, a computer or cyber-related crime will be committed in which the computers or information of an organization are the targets of unwelcome attacks.
The goals of law enforcement tend to vary based on jurisdiction and the intended mission of an investigating organization. Where a computer or cybercrime may be of little or no prosecutorial value to one agency, another may find there is indeed value in pursuing. Keep that in mind when making that first contact. Also keep in mind that there is absolutely nothing wrong with selling your company's desire to pursue an investigation to law enforcement. It may be the case that you must do some of the initial investigative legwork to make it more attractive for law enforcement to pursue. Much will depend on the nature of the crime and any losses your organization may have experienced.
The threats an organization faces may be external, from hackers, crackers, phreakers, and the like, or internal, involving a trusted employee or a competitor attempting to steal, acquire, or otherwise damage information critical to your organization's viability. Even more likely are issues of fraud, waste, and abuse by an individual who has legitimate and authorized access to organizational networks or computing systems. To address these inevitabilities, it is prudent to examine your organization for potential vulnerabilities and to develop a logical path forward in addressing them. In the planning process, identify your supporting law enforcement organizations and meet with them in order to put in place some form of memorandum of agreement (MOA). This memorandum should clearly articulate the responsibilities of each entity; creating this document will save everyone a substantial amount of time, avoid potential miscommunications, and ensure that organizational information and assets are handled in an appropriate manner.
In examining computer crime laws, it is worthwhile to understand which laws apply, and which law enforcement agencies are responsible for responding to you or your organization. It is equally necessary to know when law enforcement involvement is warranted and when it is not. When does a computer crime break a federal, state, or local law? Exhibit 61.1 lists crimes that should be reported whenever they are discovered or when there is any uncertainty as to their status as a crime. Exhibit 61.2 presents a list of activities you should not report.
When you know when and whom to call, dealing with any type of significant cyberincident becomes manageable. Leaving things to chance or uncertainty, or assuming that someone else is responsible and will take care of things, can leave your organization in a very precarious situation. Know who is responsible for conducting a computer-related investigation and, where possible, train for such likelihoods. These efforts can greatly reduce the time from discovery to prosecution. They can also reduce the chance of involving parties that would otherwise have no need to know (e.g., the local press). (See Exhibit 61.3.)
Source: http://i.i.com.com/cnwk.1d/i/tr/downloads/home/computer_crime_reporting_checklist.pdf.
The Federal Bureau of Investigation (FBI) is responsible for investigating violations of more than 200 federal statutes. Relative to the cyber world, the FBI has two primary responsibilities:1 First, it is the lead law enforcement agency for investigating cyber attacks by foreign adversaries and terrorists. Second, it works to prevent criminals, sexual predators, and others intent on malicious destruction from using the Internet and online services to steal from, defraud, and otherwise victimize citizens, businesses, and communities.
The FBI retains jurisdiction over cases involving national security, including counterintelligence and counterproliferation, terrorism, banking, and organized crime. The U.S. Secret Service retains jurisdiction where the Treasury Department is victimized or whenever computers are attacked that are not under the purview of the FBI. In certain federal cases, the Customs Department, the Commerce Department, or a military organization, such as the Air Force Office of Special Investigations, the Naval Criminal Investigative Service, U.S. Army Intelligence, or the U.S. Army Criminal Investigation Division, may also have jurisdiction.
In the United States, a number of federal laws protect against attacks on computers, misuse of passwords, electronic invasions of privacy, and other transgressions. The Computer Fraud and Abuse Act of 1986 is the statute governing most common computer crimes, although prosecutions may take place under other laws. The Computer Abuse Amendments Act of 1994 expanded the 1986 act to address the transmission of viruses and other harmful code.
Many of the states within the United States have adopted their own computer crime laws.
According to the Federal Investigative Guidelines,2 federal law enforcement can gather proprietary information concerning an incident in only four ways:
Statutes Relevant to Computer Crime
The U.S. Postal Inspection Service is the federal law enforcement arm of the U.S. Postal Service. Postal inspectors enforce over 200 federal laws in investigations of crimes that may adversely affect or fraudulently use the U.S. mail, the postal system, or postal employees. Many fraud schemes that originate over the Internet, such as auction fraud or multilevel marketing schemes, or that involve payment or delivery via the U.S. mail, are under the jurisdiction of the Postal Inspection Service.
The U.S. Secret Service began as a force investigating counterfeit currency; it still enforces all laws relating to "the counterfeiting of obligations and securities of the United States," a remit that now includes financial crimes, identity theft, computer fraud, and computer-based attacks on the infrastructure of the United States. Like the FBI, the Secret Service is a federal investigative agency; the two work well together and collaborate on many cyber-related investigations.
A memorandum of agreement (MOA) between any organization and any law enforcement agency is a prudent measure. With an MOA in place, both sides of any investigation have a clear understanding of what to expect. Within the MOA, specific points enumerate the breadth and depth of responsibilities.
For those interested, the Department of Justice maintains a list of recent computer crimes cases and who was involved in the litigation: www.usdoj.gov/criminal/cybercrime/cccases.html.
Know your limitations. Know when to call the police or FBI and when to deal with a situation yourself. Discuss the inherent problems on both sides, such as public disclosure.
Many different cyber-related investigative agencies and groups can be found on the Web. For seven years, I have been a member of the International Association of Computer Investigative Specialists (http://cops.org), which offers to the public a comprehensive set of directions relative to computer forensics and the collection of electronic evidence. A step-by-step process for the examination and collection of electronic evidence follows.5
In examining any media or conducting any cyber-centric investigation, consideration should be given to these areas:
In many situations where law enforcement is notified of an event requiring further investigation, the agency may ask you for everything even remotely connected to the investigation. At the same time, most law enforcement agencies have the ability to give back. They can provide training to key personnel and information on various topics, including identity theft, espionage, equipment theft, access control, and so on.
What do you do if your first indication of a possible security incident is a law enforcement agent appearing at your office with a search warrant? In many cases, nothing could be more unnerving. However, if you have done your homework and have an established rapport with this law enforcement agency, you have little to fear. You already have a plan in place for just such a situation, and you know your rights and obligations.
Although, under the best of circumstances, stress can still occur, it is important to remain unemotional and to express complete willingness to comply with the search warrant team. Avoid being defensive or giving the appearance that you are trying to hide anything. Offer all assistance possible and take these seven steps:
Any investigation that involves a continued law enforcement presence requires time and resources of the organization to ensure support to clients or customers. In this regard, it is important to anticipate such an occurrence and to develop a plan on how to cooperate with law enforcement without shutting down your operation. For the most part, computer crime specialists can generate data dumps, make secure copies of files, and create logs without carting away all of your organization's computers. Administrators should, however, have a plan in place to allocate requisite resources in a manner that will avoid—or at least minimize—disruptions in business operations. Suggestions that will help to minimize the disruption caused by an on-site investigation follow.
Insiders will not necessarily lose their special knowledge of internal controls when they switch roles from “insider” to “outsider.” These persons may remain a threat to the information system for some time. The distinction becomes even cloudier when some access to information systems remains, without all of the formal controls applied to other employees.7
Paper records, video surveillance tapes, proximity card records, and any other means of tracking employee activity can all play a major role in the investigation of computer crimes and incidents. Admittedly, no one wants to assume the role of “Big Brother,” but at the same time, an organization's livelihood may well depend on these methods of verifying access. No one metric exists that clearly demonstrates the true nature of insider threats. It is, however, reasonable to believe that greater than half of all computer crimes are committed by current or former insiders. To assess, and perhaps better to detect, this threat to organizational computing systems, internal documentation and monitoring become important evidence trails. For example, if video cameras monitor the entrances to the computer processing center or labs, the video surveillance tapes produced document the entrance and exit of any employee at a given time. If the entrances use access cards, the reports or databases containing the access records document employee traffic into sensitive areas. The use of conventional access tracking is not by itself foolproof and will not, for example, preclude “piggybacking.”
Contradictions between access and video records can often document anomalies or possible misdeeds that will require further investigation. For example, if the access control report indicates John Jones entered the computer lab at 6:45 P.M. on 07-12-08, but the videotape for the same time shows Sam Smith entering, there is a strong indication that Sam used John's card or access code (having first confirmed that the two systems' clocks agree). The question now remains: Why? Is there a need to call in law enforcement? At first blush, there is no apparent need to make such a call. Only after some initial investigation on the part of your security staff will this perhaps become necessary.
Paper files—personnel records, departmental documents, project logs, programming modification records, sign-out logs for software, and job assignment records—all tell a story. When you want to know who worked on what, or who had access to which project, paper records can often provide the needed history. Audit logs such as those stored on a UNIX or UNIX-type operating system within /var/log can provide even greater illumination.
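The card-versus-video reconciliation described above and the audit logs under /var/log lend themselves to the same automated cross-check. The block below is an added example, not code from the chapter: it parses a constructed badge-reader export and constructed sshd lines in the syslog format found in /var/log/auth.log, and flags any login on a console inside the lab that is not preceded, within a window, by a badge-in for the same user. It also reports who did badge in during that window, which is the investigator's first lead. The host names, user names, door name, and the 30-minute window are assumptions.

```python
"""Cross-check badge-reader records against host audit logs.

Added example, not from the original chapter. The badge export, the sshd
lines (syslog format as found in /var/log/auth.log), host names, user
names and the 30-minute window are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed badge-reader export: timestamp, card holder, door.
BADGE_RECORDS = """\
2008-07-12 18:45:10,jjones,LAB-DOOR
2008-07-12 19:02:33,ssmith,LAB-DOOR
"""

# Constructed sshd entries in syslog format (no year in the timestamp).
AUTH_LOG = """\
Jul 12 18:47:02 lab-ws01 sshd[2231]: Accepted password for ssmith from 10.10.5.21 port 51622 ssh2
Jul 12 19:05:41 lab-ws01 sshd[2290]: Accepted publickey for jjones from 10.10.5.22 port 51700 ssh2
Jul 12 19:06:00 mail-gw sshd[911]: Accepted publickey for ops from 10.10.1.9 port 40000 ssh2
Jul 12 21:30:00 lab-ws02 sshd[2401]: Accepted password for rlee from 10.10.5.30 port 51801 ssh2
"""

LAB_HOSTS = {"lab-ws01", "lab-ws02"}   # consoles that sit inside the lab
WINDOW = timedelta(minutes=30)          # assumed validity of a badge-in

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_badges(text):
    """Return [(timestamp, user, door)] from the badge export."""
    records = []
    for line in text.splitlines():
        ts, user, door = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, door))
    return records


def parse_auth(text, year):
    """Return [(timestamp, host, user)] for accepted sshd logins.

    Syslog timestamps carry no year, so the caller supplies it."""
    logins = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:                       # not an accepted-login line
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        logins.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                       m["host"], m["user"]))
    return logins


def reconcile(badges, logins, lab_hosts=LAB_HOSTS, window=WINDOW):
    """Flag lab-console logins with no badge-in by the same user.

    A login is explained if that user badged in at most `window` before it.
    Otherwise report it together with whoever did badge in during the
    window: that is the lead (a borrowed card, or piggybacking through the door)."""
    secs = window.total_seconds()
    findings = []
    for ts, host, user in logins:
        if host not in lab_hosts:       # logins elsewhere need no badge
            continue
        recent = [b for b in badges if 0 <= (ts - b[0]).total_seconds() <= secs]
        if any(b[1] == user for b in recent):
            continue
        findings.append({"time": ts, "host": host, "user": user,
                         "badged_in": sorted({b[1] for b in recent})})
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_badges(BADGE_RECORDS), parse_auth(AUTH_LOG, 2008)):
        print(f"{f['time']} {f['host']}: login by {f['user']} with no badge-in; "
              f"badged in during window: {f['badged_in'] or 'nobody'}")
```

On the constructed data this yields two findings: ssmith logged in at 18:47 on a lab console while only jjones had badged in, and rlee logged in at 21:30 with no badge-in at all. Neither is proof of wrongdoing; as the text notes, they are the starting point for your own staff's inquiry, not yet a call to law enforcement.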
To date, many information security professionals believe that computer crime usually emanates from an external source. The truth remains that most computer crimes are perpetrated by workers from within. Furthermore, a certain percentage of that crime will be cold cases, crimes that are discovered well after the fact. In investigating cold cases, investigators quickly discover that employees have left and that the pertinent software is no longer in use. To further exacerbate the problem, people's recollections rapidly fade, and remembering who did what, and when, is difficult. Paper records from projects, as well as any backed-up data, may be the best evidence available in cold cases. This is especially true looking well into the past, with a need to compare the new and the old.
When examining paper records, videotape, or any other media, maintain a database of what you have examined and any cross-references against other records. When any documented information is provided to law enforcement, your database will more easily support investigative activities and will further document the chain of custody of any evidence gleaned from these record sources. Such a record will prove to be an invaluable resource in quickly locating information in an investigation.
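Two points above, that investigators can make secure copies of files rather than carting away hardware, and that your own database of examined records should support the chain of custody, rest on the same mechanism: a cryptographic hash taken at acquisition and a record of every hand-off that cannot be quietly rewritten. The block below is an added example, not the chapter's own tooling. It copies a constructed evidence file, proves the copy matches the source by SHA-256, and keeps an append-only custody ledger in which each entry commits to the digest of the previous one, so verify() fails if any entry is altered or dropped. The file name, item identifier, and custodian names are hypothetical.

```python
"""Verified evidence copies and a tamper-evident chain-of-custody ledger.

Added example, not from the original chapter. File names, item identifiers
and custodian names are hypothetical; the evidence file is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_copy(src, dst):
    """Copy src to dst and prove the copy is bit-identical.

    The source is hashed before the copy and the copy afterwards; a
    mismatch raises rather than being recorded as if it were good."""
    expected = sha256_file(src)
    shutil.copyfile(src, dst)
    actual = sha256_file(dst)
    if actual != expected:
        raise RuntimeError(f"copy of {src} does not match source: {actual} != {expected}")
    return expected


class CustodyLedger:
    """Append-only record of who handled which item, when, and what it hashed to.

    Each entry stores the SHA-256 of the previous entry, so altering or
    deleting an earlier entry breaks every later link and verify() fails."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def add(self, item_id, action, custodian, sha256, note=""):
        prev = self._digest(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item_id, "action": action, "custodian": custodian,
            "sha256": sha256, "note": note, "prev": prev,
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry links to the one before it and the sequence is unbroken."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            prev = self._digest(e)
        return True

    def history(self, item_id):
        return [e for e in self.entries if e["item"] == item_id]


def run_demo():
    """Acquire one constructed evidence file and record its custody.

    Returns (hash at acquisition, hash of the copy at hand-off, ledger)."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "signout_log_2008.csv")
        with open(src, "w") as f:          # constructed sample record
            f.write("date,item,employee\n2008-07-12,backup tape 17,jjones\n")
        dst = os.path.join(workdir, "E-0001_signout_log_2008.csv")
        acquired = acquire_copy(src, dst)
        ledger = CustodyLedger()
        ledger.add("E-0001", "acquired", "security staff", acquired, "working copy of sign-out log")
        at_handoff = sha256_file(dst)      # re-hash at every transfer, not just once
        ledger.add("E-0001", "released", "investigating agent", at_handoff, "handed over with this ledger")
    return acquired, at_handoff, ledger


if __name__ == "__main__":
    acquired, at_handoff, ledger = run_demo()
    print("acquired:", acquired)
    print("ledger intact:", ledger.verify())
    for e in ledger.history("E-0001"):
        print(e["seq"], e["time"], e["action"], e["custodian"], e["sha256"][:16])
```

Re-hashing at each transfer, rather than only at acquisition, is what lets the receiving agent confirm on the spot that what they were handed is what you recorded. In practice the ledger would be written to append-only storage and its entries signed by the custodian; the hash chain alone detects tampering, it does not identify who tampered.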
Since 9/11, law enforcement officers agree almost universally that the sharing of information between any organization and law enforcement is critical to the success of cyber-related investigations. Working with any law enforcement agency has both benefits and consequences. Benefits accrue because:
One of the resources in the United States for forming good relations with law enforcement agencies is the InfraGard. The regional meetings of InfraGard members offer an excellent opportunity for sharing information with trusted members of critical infrastructure organizations and with law enforcement officials. The organization describes itself in this way on its home page:
InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.
There is, however, another side to any relationship with law enforcement that must be considered. Despite your efforts to be as forthcoming as possible with law enforcement, situations may arise that will cause you and your organization great angst. There may be times when an investigator is simply not able to fully disclose all information gleaned during the conduct of an investigation. There also may be times when your efforts and your methodologies in investigating, prior to involving law enforcement, will come under scrutiny. Probably the most disconcerting of all situations is where law enforcement is compelled to make public disclosure of an incident. It is during these times that you want to work with your own management and legal staff as well as with the law enforcement agency conducting the investigation. Everyone concerned wants to make the public aware of any known or suspected threats, but this must also be weighed against the potential harm that might result from a public release. Another concern from the company's point of view is public perception of security measures within the organization, and to what extent they can protect information and thus customer investments.
Trying to stay ahead of cybercriminals is not getting easier. Attempts to understand their intent or motivations are rarely successful. The best chance any organization has is to come to know local law enforcement agencies and to help them know you. Articulate your expectations in the event of a significant cyber event, and have them do the same. Working together is the only path to success. Given that not all computer security or cyber law enforcement entities are created equal, you have to be willing to share knowledge, all in pursuit of the same end goal.
Ballou, S., and K. Higgins, eds. Electronic Crime Scene Investigation: A Guide for First Responders. National Criminal Justice Reference Service of the Office of Justice Programs, U.S. Department of Justice, 2001. Available free from www.ncjrs.gov/pdffiles1/nij/187736.pdf.
Computer Crime and Intellectual Property Section. Criminal Division, United States Department of Justice. “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations,” 2002. Available free from www.cybercrime.gov/s&smanual2002.htm.
InfraGard home page: www.infragard.net/.