Internet Vulnerabilities & Criminal Activity Investigation & Prosecution 12.2 December 5, 2011 Profiling “Differentiate behavior patterns in order to narrow the range of suspects in a given crime.” Three Basic Components of a Crime • Motive - What made the offender act • Opportunity - Why did the offender chose a particular victim • Means - What are the details of how the crime was committed Profiling Aim • Identify personal & behavioral characteristics of unknown perpetrator • Examine actions taken before, during, and after crime • Isolate identifiable behaviors of actions of how a physical or psychological need is fulfilled Two Types of Profiling • Inductive – Current perpetrator share characteristics with those who have previously committed same type of crime • Deductive – Explicit conclusions drawn from actual evidence Five Stages of Cyber Criminal Profiling • Evidence gathering – Collection of forensic evidence • Behavioral analysis – Derive a meaningful set of characteristic behaviors from facts of the crime • Victimology – Victim profile tell a lot about type of perpetrator – Well-known signatures associated with different types of crimes Five Stages of Cyber Criminal Profiling cont. • Crime pattern analysis – “what and how” – Working hypothesis about the execution of the crime • Profile development – Deductive reasoning from facts of crime – Generalized inductive typologies Twelve Cyber Criminal Profiles • Kiddies • • • • • Technologically inept Intent to trespass Motivation - ego Maybe any age, but are outsiders New to crime • Cyberpunk hackers • • • • • • Counterculture member Ego-driven, motivated by exposure Crimes: trespass, invasion Theft & sabotage against legitimate targets Responsible for viruses & DOS attacks Young, technologically proficient, outsider Twelve Cyber Criminal Profiles cont. • Old-time hackers • • • • Most technologically proficient Improve art by trespassing Web site defacement Middle aged or older, long history • Code warriors • • • • • Driven by monetary gain Theft or sabotage Crime built around code exploits Technologically superior, long hacking history 30 - 50 age range, degree in technology, unemployed • Socially inept, show signs of social deviance Twelve Cyber Criminal Profiles cont. • Cyberthieves • • • • • • Motivated by monetary gain Surreptitious network attacks, sniffing, spoofing Use simple tools rather than targeted code Social engineers, running classic con games Younger than code warriors Organizational insiders, maybe outsiders • Cyberhucksters • • • • Spammers, malware purveyors Motivation monetary gain Social engineers, older business types Known to local law enforcement Twelve Cyber Criminal Profiles cont. • Unhappy Insiders • • • • • • Most dangerous profile Motivated by revenge, monetary gain Uses extortion, exposure of secrets, theft, sabotage Logic bombs, malicious acts Any age or employment level Unhappy with organization • Ex-Insiders • Motivation extortion, revenge, sabotage, disinformation • Make use of insider information to harm company from the outside • Any age or employment level Twelve Cyber Criminal Profiles cont. • Cyberstalker • Motivation - ego & deviance • Invasion of privacy to learn something to satisfy personal need • Use key loggers & sniffers • Invasion driven by psychological needs • Identification of need like a fingerprint • Con Man • • • • Motivation - monetary gain Theft, illicit commercialization Con games, phishing, Nigerian 419’s Attacks untargeted & anonymous Twelve Cyber Criminal Profiles cont. • Mafia soldier • • • • • Organized crime member Purposeful, highly organized Motivation - monetary gain Theft, extortion, blackmail Always work in highly organized group • Warfighter • • • • • Not a criminal when on your side Motivated by Infowar Help friends, harm enemy Technologically superior, dangerous Any age, highly organized, best & brightest Search & Seizure Legal procedure whereby police or other authorities and their agents, who suspect that a crime has been committed, do a search of a person's property and confiscate any relevant evidence to the crime. The Fourth Amendment The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized Parts of the Fourth Amendment • Three protections/limitations – Substantial justification to search – Search cannot extend beyond justification – No blanket warrants • First clause - “reasonableness clause” – Unreasonable searches and seizures are forbidden • Second clause - “warrant clause” – Limits on search & arrest warrants • Probable cause • Define location of search • Define who or what is to be seized Reasonable Expectation of Privacy • No violation to the Fourth Amendment if: – Government’s conduct does not violate a person’s “reasonable expectation of privacy” – Established exception to the warrant requirement Warrant Exceptions Search that violates reasonable privacy may be conducted if they fall within established exceptions 1. 2. 3. 4. 5. 6. 7. Consent Exigent circumstances Plain view Incident to a lawful arrest Inventory searches Border searches Workplace searches No Reasonable Expectation of Privacy • Items that appear on the screen/obtained through shoulder surfing • Contents has been made openly available – P2P – E-mail • Stolen computer • Control of computer relinquished to a 3rd party • Electronic storage - statutory coverage Probable Cause • Must reasonably establish: 1. A crime has been committed 2. Evidence of the crime exists 3. Evidence presently exists in place to be searched • Location to be searched must be described • Evidence of specific crime must be named Evidence Issues & Internet Crime • Right to search a computer • Proving venue • Criminal intent Rules of Evidence • Purpose – To secure a defendant’s constitutional right to a fair trial • Evolved from decisional law • Decisions codified • Federal Rules of Evidence – Most influential codification – Criminal & civil Search Warrant Problems • Computers - file cabinet / repository – Innocent, personal materials – Evidence of crime – Must protect privacy while seeking evidence – Must describe that which is sought – Scope should not be overly broad Exceeding Scope • Can only search for evidence of crime described in warrant • If evidence of another crime is discovered, another warrant is needed – Child pornography found during a search for credit card fraud crime Plain View • Lawful position to view object • Objects incriminating character is immediately apparent • Lawful right to access the object Third Person Consent • Agree to a search without a warrant • Two criteria for third party consent to be effective – Third party must have authority to consent – Third party’s consent must be voluntary Evidence Establishing Venue • Crime must be committed in venue of the court • How to determine where a network crime was committed • Venue may be where agent connected to Internet & viewed defendant’s behavior • Multidistrict offenses “may be ... prosecuted in any district in which such offense was begun, continued, or completed.” • http://www.cybercrime.gov/ccmanual/ccmanu al.pdf Proving Criminal Intent • Must prove defendant had criminal intent - mens rea • Four categories of mens rea – Intentionally – Knowingly – Recklessness / willful blindness – Criminal negligence Federal Statutes Assist law enforcement in obtaining & seizing evidence of a digital crime Federal Statutes • Do not necessarily deal just with digital crime – Pen/Trap Statute 18 U.S.C. §3121-27 – Wiretap Statute (Title III) 18 U.S.C. §2510-22 – Electronic Communications Privacy Act (ECPA) 18 U.S.C. §2701-11 – USA Patriot Act Pen/Trap Statute 18 U.S.C. §3121-27 • Regulates collection of address information from wire communications • Pen Register – Records outgoing phone numbers • Trap & Trace – Records incoming phone numbers • Includes computer network communications (IP numbers) Pen/Trap Statute 18 U.S.C. §3121-27 • To obtain a court order – Identify self – Identify agency conducting the investigation – Certify belief information to be obtained is relevant to investigation • Authorization for 60 days • May request extension for additional 60 day period Wiretap Statute (Title III) 18 U.S.C. §2510-22 • Regulates collection of communication content • Real-time electronic communications • Third party cannot intercept private communications unless statutory exception applies Wiretap Statute (Title III) 18 U.S.C. §2510-22 • Interception pursuant to a Title II court order – May intercept communication with a court order – Interception for up to 30 days – More stringent requirement than for search warrant Wiretap Statute (Title III) 18 U.S.C. §2510-22 • The consent exception – Law enforcement obtains prior consent from one party – Some states require both parties’ consent Wiretap Statute (Title III) 18 U.S.C. §2510-22 • The provider exception – Employees/agents of communication provider may intercept communication to protect providers’ rights/property – Network administrator can monitor hacker’s activity – Privilege to provider alone Wiretap Statute (Title III) 18 U.S.C. §2510-22 • Computer trespasser exception – Victim of attack may authorize law enforcement to intercept communications of trespasser – Interceptor must be investigated trespass – Must believe the intercepted communication will aid investigation – Applies only to trespasser’s communications Wiretap Statute (Title III) 18 U.S.C. §2510-22 • The extension telephone exception – Monitoring of call from an extension phone – Originally, monitoring employee-customer call – Includes calls to and from police stations Wiretap Statute (Title III) 18 U.S.C. §2510-22 • The inadvertently obtained criminal evidence exception – Provider unintentionally overhears something related to a crime – Information can be released to law enforcement Wiretap Statute (Title III) 18 U.S.C. §2510-22 • The accessible to the public exception – Interception of unscrambled/encrypted information broadcast over public frequency – Public computer forums/chat rooms – Not a violation of wiretap statute Electronic Communications Privacy Act • Regulates how government can obtained stored electronic communications from a service provider • Creates statutory privacy rights for customers for stored communications • Affirms higher level of protection for communications in transit Electronic Communications Privacy Act • Protects wire, oral, and electronic communications while in transit • Sets down requirements for search warrants • Protects communication held in electronic storage • Prohibits the use of pen register and/or trap and trace in the process of transmitting wire or electronic communications without a search warrant Electronic Communications Privacy Act • Three categories of information - each requires greater showing of cause • Basic subscriber information – – – – – Name Address Local & long distance phone billing records Telephone/other ID numbers Length & type of service Electronic Communications Privacy Act • Records or logs pertaining to subscriber – – – – – Contents of relative log files All basic subscriber info Cell site data for call made Destination of outgoing e-mails Any other non-content records • Contents of communications Electronic Communications Privacy Act • Five instruments may be required to obtain information • Subpoena • Basic subscriber information • Subpoena with notice • Opened e-mail stored over 180 days • Court order • Log files • All other relevant records of communications, but not the contents Electronic Communications Privacy Act • Court Order with notice • All unopened e-mail or voicemail stored for 180 days or less • Search Warrant • All information in an account • No required notice to customer • Nonpublic providers not bound by ECPA US Patriot Act • Seize of voicemail messages over 180 days old with order • Seize voicemail messages less than 180 days old with search warrant • Expands basic subscriber information • Emergency disclosure of providers to protect life & limb or regarding terrorism • Delay of required notice of search warrant if notice may have adverse results • Makes warrants & pen/trace orders national