
Higher price = greater incentive

Since 1998, the average state excise tax on a pack of cigarettes has nearly tripled. Today state cigarette excise tax rates range from 7¢ a pack in South Carolina to $2.75 a pack in New York State. These much higher - and different - taxes create a big incentive for contraband cigarette trafficking. Law enforcement investigations show that groups engaged in the contraband cigarette trade have been associated with counterfeiting, drug trafficking and financial crimes such as money laundering. To learn about this issue and our programs that support law enforcement efforts to address contraband cigarette-related activity, please call PM USA toll-free at 877-224-3487.

Philip Morris USA
an Altria Company

www.philipmorrisusa.com
SPONSORED BY THE BRAND INTEGRITY DEPARTMENT OF ALTRIA CLIENT SERVICES ON BEHALF OF PHILIP MORRIS USA

Microsoft applauds the work of The National White Collar Crime Center and the organization's dedication to fighting cyber crime. By supporting the work of investigative bodies across the nation, and providing much needed training to law enforcement, NW3C plays a critical role in helping protect our families, our businesses and our identities online.

Microsoft

NW3C Remembers Our Member Agencies' Heroes Killed in the Line of Duty*
Posted January 21-June 30, 2008
Officer Todd Bahr, Fredericksburg Police Department, VA
Trooper Daniel Roy Barrett, Indiana State Police, IN
Transport Officer Virgil Lee Behrens, Marion County Sheriff's Department, IA
Trooper James Scott Burns, Texas Department of Public Safety, TX
Senior Investigator Laura J. Cleaves, Santa Barbara County District Attorney's Office, CA
Officer Nicola Cotton, New Orleans Police Department, LA
Sergeant Richard Findley, Prince George's County Police Department, MD
Officer Gary Gryder, Houston Police Department, TX
Officer Nicholas Heine, Pueblo Police Department, CO
Officer Erik David Hite, Tucson Police Department, AZ
Sergeant Richard C. LeBow, Arkansas State Police, AR
Sergeant Stephen Liczbinski, Philadelphia Police Department, PA
Senior Corporal Victor A. Lozada, Sr., Dallas Police Department, TX
Officer Frank Macri, New York City Police Department, NY
Officer Derek Owens, Cleveland Police Department, OH
Officer Randal "Randy" Simmons, Los Angeles Police Department, CA
Deputy Sheriff Michael Sean Thomas, Bibb County Sheriff's Office, GA
Deputy Sheriff James Throne, Kern County Sheriff's Department, CA

*Source: www.odmp.org

Informant: July 2008 - December 2008

Informant
contents

Features:

34 Network and Computer Intrusions
NW3C's Computer Crime Specialist introduces readers to the topic of computer intrusions.
Nick Newman

36 Cyber-Riots in the Eastern Block
Ever consider just how much we depend on the Internet in our daily lives? And what would happen if it malfunctioned? It happened to the small country of Estonia. Read about how the country was brought to its knees by a gang of cyber-rioters and how.
Sgt. Jonathan Washer

38 Stealing the Internet: Broadband Theft
Think free WiFi is the greatest thing next to sliced bread? Maybe not for the companies and businesses responsible for the Internet bill. Follow an international case summary where the stolen item is broadband Internet connections.
Carl Cohen

40 Computer & Network Intrusions
Computer hackers aren't always searching for credit card numbers. Follow this case study from the Lee County Sheriff's Office and read how two employees used illegal intrusion methods to steal information from their employer.
Nick Newman

42 Securing Network Data
The T.J. Maxx scandal confirmed that network security continues to be a major issue for businesses and individuals. This article provides some network protection and prevention tips to keep your data safe from intrusion.
Robert Holtfreter, Ph.D.

44 Combating Adaptive Adversaries
Today most people rely on computers to collect and analyze large amounts of data. However, cyber research experts say that the human brain is still the best system for recognizing patterns in data. This article will introduce new analysis tools to allow users to easily extract and dissect unusual patterns in cyber data.
T.R. Sreekanth

http://informant.nw3c.org

Informant
contents

In This Issue:

Mobile Forensic World Conference
Tim Wedge

What is SWGDE?
Beth Whitney

Fraud Gold Diggers
Mark Mathosian

Classifying Child Porn Images in Law Enforcement Cases
Kate Seigfried

Health Care Fraud
Charles Starr

IC3 Trends
Aaron Naternicola

From Street Corners to Computers: Investigation Tips for Cyberbanging
Donald F. Cesaretti

Criminal Information System Liability
Christian Desilets

Case Highlights: Bedford County Sheriff's Office
Craig Butterworth
With less than 80 employees and a territory of 764 square miles, the Bedford County Sheriff's Office has earned a big reputation throughout the country. Catch up on the latest projects of the Bedford County Sheriff's Office and learn how they get it all done.

46 CY-FI: The Future of Cyber Forensics
Dr. Marcus K. Rogers
Purdue University's Dr. Marc Rogers leads the discussion on Macintosh forensics in his second column.

After the Bust: Recovering Known Videos in Unallocated Space
Sgt. Glenn Lang

The Business of Drivers License Fraud
Dean Reynolds

Using Grants to Your Advantage
Technical Terms for Not-So-Savvy Computer Enthusiasts!
Instructor Spotlight: Behind the Scenes
Justin Wykes

Convicted Swindler Sheds Light on Investment Scams!
Mark Mathosian

56 Straw Ownerships: Please Operate Responsibly
Antonio Ribera
Those quick runs to the corner liquor store are convenient, but where does your money actually go? Read about liquor store straw ownerships, and how they can connect to larger organized criminal organizations.

Member Success Stories
NW3C Cartoons

Informant: July 2008 - December 2008

Informant Editorial Staff
Dr. Marcia Williams, Loreal Bond, Craig Butterworth, Cam Brandon

Graphic Design Team
Jaycen Saab, Lindsey Bousfield

On the Cover: Jeremy Cannon, NW3C Network Administrator

Special Contributors

Marc Rogers, Ph.D., Purdue University
Marc Rogers, Ph.D., CISSP, CCCI is the Chair of the Cyber Forensics Program in the Dept. of Computer & Information Technology at Purdue. He is an Associate Professor and a research faculty member at the Center for Education and Research in Information Assurance and Security (CERIAS). Dr. Rogers is a member of the quality assurance board for (ISC)²'s SCCP designation, and is the International Chair of the Law, Compliance and Investigation Domain of the Common Body of Knowledge (CBK) committee. He is a former police detective who worked in the area of fraud and computer crime investigations. Dr. Rogers is the co-editor of the Journal of Digital Forensic Practice and the Journal of Digital Forensics, Security and Law, and sits on the editorial board for several other professional journals.

Nick Newman, Computer Crimes Specialist, NW3C
Nick Newman joined NW3C in 2006 as a Computer Crimes Specialist. Mr. Newman has been recognized numerous times for his excellence in researching computer forensics/security topics, writing computer forensics software for use in the LE community, and solving technical dilemmas. He is also a regular attendee at DEFCON and Black Hat, the two largest hacker conventions in the world.

Jeremy Cannon, Network Administrator, NW3C
Jeremy Cannon holds a Bachelor of Science in Computer Science with an emphasis in Computer Security, Forensics and Law from Longwood University. He currently works as a network administrator for NW3C and has been a part of the team for over a year.

NW3C Board of Directors
Glen Gainer, III; Denise Voigt Crawford; Paul Cordia; Michael Brown; Kathleen Kempley; Sean M. Rooney; Christopher Cotta

National White Collar Crime Center: Integrity, Quality, Service

This project was supported by Grant No. 2007-WC-CX-K001 awarded by the Bureau of Justice Assistance. The Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent the official position or policies of the United States Department of Justice.

New NW3C Members

NW3C welcomes its new members. The following agencies became members between February and June 2008!

GREAT LAKES

New York

District of Columbia

District of Columbia Office of the Attorney General
U.S. DHS - Customs & Border Protection - Office of Internal Affairs - Special Investigations Unit

Delaware Indiana

Cheswold Police Department
Bremen Police Department
Frankfort Police Department
Hamilton County Prosecutor's Office

Beacon Police Department
Briarcliff Manor Police Department
Cayuga County Sheriff's Office
New York City Department of Finance Enforcement Division
New York State Office of the Medicaid Inspector General - Bureau of Investigations & Enforcement
U.S. Probation Office - Southern District of New York

Hinsdale Police Department
Moline Police Department

Kansas

Burrton Police Department
Sedgwick County Sheriff's Office

Missouri

Buchanan County Sheriff's Department
Wellsville Police Department

Nebraska

Ohio

Maryland

Munster Police Department
New Albany Police Department
Frederick County Sheriff's Office
U.S. District Court - Probation & Pretrial Services - District of Maryland

Evendale Police Department
Greene County Adult Probation Department
Union County Sheriff's Office
University of Akron Police Department

Dawson County Sheriff's Office
Kearney Police Department
U.S. District Court - Probation Office District of Nebraska
York Police Department

Wisconsin

Pennsylvania

Michigan

Antrim County Sheriff's Office
Bloomfield Township Police Department
Clio Police Department
Muskegon County Sheriff's Department
Ottawa County Sheriff's Office
U.S. Department of Veterans Affairs Police Service - Battle Creek
Wixom Police Department

Delaware County Sheriff's Office
Lansdowne Police Department
Pennsylvania Gaming Control Board Bureau of Investigations & Enforcement
Spring Garden Township Police
Troy Borough Police Department
U.S. Department of Justice - National Drug Intelligence Center

Jefferson County Sheriff's Office
Merrill Police Department

MOUNTAIN
Arizona
Arizona Department of Transportation Office of Inspector General

Colorado Indiana

Simla Police Department
Rigby Police Department

New Jersey

MIDWEST
Iowa
Fort Dodge Police Department
Winnebago County Sheriff's Office

Montana

Bogota Police Department
Essex County Prosecutor's Office
Medford Township Police Department
U.S. District Courts - Pretrial Services Agency - District of New Jersey
Woolwich Township Police Department

Cascade County Sheriff - Coroner's Office

New Mexico Utah

Illinois

Roswell Police Department
Logan City Police Department

Danville Police Department
Fairview Heights Police Department

Total Member Agencies as of June 30, 2008: 2,849



Wyoming

Platte County Sheriff's Office

Kentucky

NORTHEAST
Connecticut
Eastern Connecticut State University Police Department
Norwalk Police Department
Stonington Police Department
Wilton Police Department

Bell County Sheriff's Department
Corbin Police Department
Jessamine County Sheriff's Office
Morehead State University Police

Oregon

North Carolina

Surry Community College Police Department
U.S. District Court - Probation & Pretrial Services - Western District of North Carolina

Ashland Police Department
Multnomah County Department of Community Justice
U.S. District Court - Pretrial Services District of Oregon
Washington County Sheriff's Office
Woodburn Police Department

Massachusetts Maine

Tennessee Virginia

Washington

Carlisle Police Department
Plymouth Police Department
North Berwick Police Department
Oxford County Sheriff's Office
Presque Isle Police Department

Shelby County District Attorney's Office
Brunswick County Sheriff's Office
New Kent County Sheriff's Office
U.S. Department of Justice - Drug Enforcement Administration - Digital Evidence Laboratory

Bonney Lake Police Department

INTERNATIONAL
Canada
British Columbia Ministry of Public Safety & Solicitor General - Gaming Policy & Enforcement Branch - Registration & Certification

New Hampshire

WEST
California
Compton College Police Department
Compton Unified School District Police Department
Emeryville Police Department
Truckee Police Department
Yolo County District Attorney's Office

Finland Palau

Dover Police Department

SOUTH CENTRAL

Finland National Bureau of Investigation Money Laundering Clearing House
Republic of Palau Office of the Independent Counsel

Alabama

Chilton County Sheriff's Office
Springville Police Department
U.S. District Courts - Probation Office Northern District of Alabama
U.S. Secret Service Birmingham Field Office

Nevada

Arkansas

Las Vegas Paiute Tribal Police Department

University of Central Arkansas Police Department

Oklahoma

Carl Albert State College Campus Police Department
Cimarron County Sheriff's Department
Oklahoma State Auditor & Inspector's Office

Texas

Amarillo Police Department
Austin County Sheriff's Office
Bell County District Attorney's Office
Brown County Sheriff's Office
Jefferson County Sheriff's Office
Seabrook Police Department
Texas Department of Housing & Community Affairs - Manufactured Housing Division Consumer Protection
U.S. DHS - Immigration & Customs Enforcement - Office of Investigations Houston

Ask Barbara

Have questions about membership with NW3C? Contact Barbara Shanes, Membership Services Supervisor at 800-221-4424 ext. 3336, or by e-mail at bshanes@nw3c.org.

Thank you to the following Member Agencies for referring new members!
Buffalo County Sheriff's Office
Columbus Division of Police
Dupage County Sheriff's Office
Elmhurst Police Department
Gwinnett County Police Department
Harris County District Attorney's Office
New York State Police
Newton Police Department
Social Security Administration - Office of the Inspector General Grand Rapids Field Office
U.S. Postal Inspector - Atlanta Division

SOUTHEAST
Florida
Madison County Sheriff's Office
Pensacola Police Department
Saint Petersburg Police Department
Santa Rosa County Sheriff's Office

Georgia

Braselton Police Department
Douglas County Sheriff's Office
Duluth Police Department
East Point Police Department
Fulton County Police Department
Lawrenceville Police Department

Member Agency Spotlight

Bedford County is located in the foothills of southwest Virginia just outside the city of Lynchburg. Founded in 1764, the Bedford County Sheriff's Office (BCSO) is a nationally accredited law enforcement agency with nearly 80 employees. The Bedford County Sheriff's Office has been a voting member of NW3C since May 1998. It is home to the Southern Virginia Internet Crimes Against Children (SOVAICAC) task force. Formerly known as Operation Blue Ridge Thunder, the unit is just one of 59 such task forces in the country. The Bedford County Sheriff's Office is also the birthplace of the Safe Surfin' Foundation, a non-profit organization that educates the public about Internet crimes involving children. The Safe Surfin' Foundation has enlisted the help of a number of Hollywood and professional sports celebrities to help get the organization's message out to the masses.

Sheriff Mike Brown heads up Bedford's Sheriff's Office. Brown, a retired Senior Special Agent with the Bureau of Alcohol, Tobacco and Firearms and former Staff Support Specialist with the CIA, was elected Sheriff in 1996. In addition to his role as Southeast Regional Board Member for NW3C, Brown also serves as a member of the Board of Directors for the National Sheriffs' Association, as well as the Board of Advisors for the Law Enforcement Innovation Center, University of Tennessee. In March 2008, Sheriff Mike Brown was honored by Los Angeles Councilmember Richard Alarcon for promoting age-appropriate Internet safety for children. Friend of Sheriff Brown and avid supporter of law enforcement, actor Erik Estrada was also honored for his commitment to protecting children. The Bedford County Sheriff's Office and its programs are also popular among well-known celebrities, including Lauren Nelson, Miss America 2007, who often travels with Brown to promote these child safety programs.

"I've always had a desire to help other people and I think that plays a big part in anybody that gets into law enforcement." - Sheriff Brown

Earlier this year Sheriff Brown traveled to the west coast where the Los Angeles City Council passed a resolution honoring the achievements of one of his favorite causes, the Safe Surfin' Foundation. Also on hand for the ceremony was actor Erik Estrada, one of Brown's many celebrity friends and an ardent supporter of law enforcement everywhere.

Members' Platform

Representatives from NW3C Member Agencies share their stories, experiences and comments about NW3C services.

Hennepin County Human Services & Public Health Department Fraud Investigative Unit, Minneapolis, MN
(Member since February 2003)

As the largest county in Minnesota, Hennepin employs about 8,000 staff with over 10,000 computers, making computer forensics an important part of fraud investigations, both client and employee.

In 2001, a partnership was formed with digital and fraud investigators within Hennepin County to provide computer forensics within one county department called the Digital Forensic Investigation Team. Over time, the team grew and today it provides countywide digital forensic investigations including cases involving employee misconduct as well as administrative, civil and criminal activity. Investigations are typically conducted within the local government of Hennepin County. However, the team also provides forensics in conjunction with local, state and federal authorities. Although the team has the combined experience of over 50 years in forensics investigation and 140 years in information technology, they still need specialized training and support. NW3C plays an essential role in maintaining these necessary skills for competent and complete investigations. Some of the ways the Digital Forensic Investigation Team is using NW3C include: skills learned in Cyber Cop and Financial Records courses for data recovery and forensics, Internet analysis, and financial crime investigations; networking opportunities at the NW3C Economic & High-Tech Crime Summits; and assistance from extremely knowledgeable NW3C trainers and staff. The team is looking forward to attending the upcoming Analyst's Notebook session in Minneapolis as it will provide a much needed tool for organizing their increasingly complex investigations.

The Hennepin County Digital Forensic Investigation Team members: Judy Regenscheid, Digital Forensic Investigation Team Manager; Jason Bergum; Christopher Droege; Mike Holt; Barbara Madden; Marque Nelson, Member Agency Representative; Anthony Pollock; John Quimby; Craig Troska. Not pictured, Mik Holt.

Want to share how your agency benefits from NW3C Membership? Send your story and comments to bshanes@nw3c.org.

www.nw3c.org

The field of computer forensics is a dynamically evolving, constantly changing discipline. Nowhere are the rapid changes in technology, tools and practices more apparent than in the area of mobile device forensics. To date, there are over 600 known models of cell phones and PDAs, with no universal standards regarding software and hardware interfaces. As the complexity and variety of these devices has quickly spiraled upward, so has the need for rapid recovery of admissible data from them. These devices can contain or lead to all sorts of information: contraband images, geophysical location, incoming and outgoing calls, and much more. This information has been critical in many kinds of investigations ranging from identity theft cases to child exploitation and even homicide and other violent crimes. Almost any crime that can be committed is likely to involve one or more of these devices. Investigative agencies worldwide face a daunting challenge in obtaining the tools and training for all of their investigators who need them. Enter the Mobile Forensics World conference.

The brainchild of Purdue University's Professor Rick Mislan, the Mobile Forensics World Conference is intended to bring together investigators from all over the world and provide them with greater access to tools and training. More importantly, it is meant to provide a forum to share ideas and practical lessons learned, and to raise awareness of the many issues that affect mobile device forensics. Nearly 300 people, from 144 different agencies and 14 different countries, participated in the conference, including attendees and exhibitors. The conference was held in Chicago, IL, USA, and ran from May 8 to May 10.

The conference benefited from a variety of highly qualified speakers from both the public and private sector. Attendees were able to pick up valuable information and insight at any of the 32 different informative presentations and breakout sessions, as well as review the products, tools, and services offered by more than 50 different non-profit and for-profit exhibitors. "It (I think) featured some of the best speakers out there in the world of mobile forensics. The feds that showed up and presented case studies involving the use of CDR and GPS logs really showed how much of a role mobile device forensics plays in modern criminal investigations," says Nick Newman, NW3C computer crime specialist, and member of NW3C's mobile device forensics training team. "It was a great conference."

The 2009 conference promises to be even better, and will be held June 1-6, 2009. Anyone interested in finding out more about the conference can visit the MFW Web site at: http://www.mobileforensicsworld.com/PreparingMFW2009.aspx

NW3C Computer Crimes Specialist Justin Wykes and a Mobile Forensics Conference attendee.

About the Author
Tim Wedge has been a Computer Crime Specialist with the National White Collar Crime Center (NW3C) since 2001. In 2004 he was selected to manage NW3C's Program Support Center located on the campus of Purdue University in West Lafayette, Indiana. A partnership between the Indiana State Police, Purdue University and NW3C, the Program Support Center is one of five centers located throughout the United States. Hubs of interaction and collaboration, these Centers assist in the creation, support and maintenance of regional alliances between law enforcement, academia and the private sector. At Purdue, Tim is also a visiting faculty member where he provides training and technical assistance to both students and law enforcement in various aspects of computer crime.

Mobile Forensics World is hosted by Purdue University's College of Technology.

Beware of Investment Scams in the Gold Market

by Mark Mathosian, Financial Administrator, Bureau of Investigations, Florida Office of Financial Regulation

Have you checked the price of gold lately? It is trading much higher than it has for years. With many investors buying gold for the first time, the market is ripe for investment fraud scams. In the past, crooks used fraudulent methods to take advantage of investors in the precious metals market. There are lessons to be learned from the past about how we can protect ourselves today.

The gold scheme occurred in the late 1970s during an economic recession. Two brothers from Ft. Lauderdale, FL operated a precious metals brokerage business named International Gold Bullion Exchange (IGBE). IGBE published colorful sales brochures, hired telemarketers and sold precious metals investments to the public. The concept was simple. Buy gold or silver today at attractive prices and sell your metals later, after the stock market starts moving up. This idea made so much sense that thousands of investors purchased precious metals through IGBE. IGBE made it easy for you to buy the metals and easy to protect your investment. At least that's what they said.

Let's assume an investor wanted to buy $10,000 worth of gold bullion. They would contact IGBE and inform them of their intentions. IGBE would promise to buy the metals for them in the open market and ship the metals to them in exchange for their money. But IGBE had other ideas. Instead of taking possession of the gold, why not leave it with IGBE for safekeeping? IGBE would store the investor's gold under lock and key in the company vault in Ft. Lauderdale. That way, when they were ready to sell, all they had to do was telephone IGBE, requesting them to broker the transaction and send a check to the investor. To prove you actually owned precious metals, IGBE would send you a certificate of ownership. You could then deposit this paper certificate in your safe deposit box until you were ready to sell.

A few years passed and the stock market started rising. It was time to sell gold and reinvest in the stock market. The telephones on the desks in the IGBE offices in Ft. Lauderdale began ringing... and ringing... and ringing. Then, the telephones at the State Comptroller's Office began ringing. Nervous investors wanted to know what happened to IGBE and their gold. Under the suspicions of investors, an investigation commenced, finding IGBE to be a fraudulent enterprise with its investors losing $140 million. There was only a small amount of gold in the company's vault and most investors lost all of their money. One of the brothers who operated the business was sentenced to a long prison term and the other was stabbed to death before his trial.

The moral of this story? With the price of gold and investor interest soaring, there could easily be another IGBE opening its doors around the corner. Therefore, it is a good time to review these precautionary tips before investing in precious metals.

Tips To Avoid Precious Metals Fraud

- Take possession of your precious metals or be certain they are stored by a reputable bank, in your name.
- Use a safe method of payment for precious metals such as a bank draft. Instruct your bank not to release the funds until the bullion is in your hands or in your safe deposit box.
- Deal only with properly licensed, regulated firms that have established good reputations and a history of honest dealings.
- Be leery of high-pressure sales tactics.
- Be leery of promises that you can buy precious metals below the current market price.
- Before buying precious metals through the mail or over the phone, contact the U.S. Commodity Futures Trading Commission (CFTC) (www.cftc.gov), the Florida Department of Financial Services (www.fldfs.com) and the National Futures Association (www.nfa.futures.org). These agencies can tell you if the business principals are properly licensed and if they have been disciplined.
- Be extremely careful when dealing with businesses and brokers located outside of the country. If you are defrauded, it will be extremely difficult to get your money back or prosecute the criminals.

About the Author
Mark Mathosian is a Financial Administrator for the Bureau of Investigations, Florida Office of Financial Regulation (OFR). OFR regulates the banking, finance and securities industries in Florida. Mark is headquartered in Tallahassee and can be reached at 850-410-9859, mark.mathosian@flofr.com.

Just a few of the courses available online from American Military University. To learn more visit amuonline.com or stop by our table at the NW3C summit in Memphis.
American Military University is part of the American Public University System and is open to everyone regardless of military affiliation or background.

Learn more at www.amuonline.com or 877.777.9081

American Military University

ne of the difficulties in measuring insurance fraud is that much of it goes undetected. Those frauds that are detected often go unreported. Most states provide for mandatory reporting requirements by the insurance industry. However, professional organizations often find only a small percentage of fraud discovered is actually reported to authorities. The costs associated with health care fraud are astronomical. The National Healthcare Association has estimated insurance fraud in the health care industry alone can exceed $60 billion a year, over $162 million a day. These costs are passed on directly to the consumer through the premiums we all pay towards our healthcare policies. Consumers need to continually let their voices be heard in addressing this issue. The Nebraska Department of Insurance, Insurance Fraud Prevention Division (IFPD), recently received information from a medical provider. The medical provider suspected an employee of diverting cash from client accounts in the form of insurance copays as well as self-pays. Shortly before their termination, the employee reimbursed the medical provider for the dollar amount of cash they felt had been diverted from the office. The provider was surprised when the employee paid back the estimated loss of $8,500. The medical provider had expected a loss of only a few hundred dollars at most. The provider then became aware of additional concerns when the office received an Explanation of Benefits form along with a check from an insurer listing one of the employees children as a patient. The doctor had seen family members before; however, his care was considered a fringe benefit of employment. To the providers knowledge, the insurer of his employee had never been billed by his office. The doctor contacted the insurer and reimbursed the monies received. The medical provider then contacted the IFPD regarding the matter, wanting to insure his office was in compliance with mandatory reporting statutes. 
Similar cases have gone unreported to authorities. The IFPD opened an investigation based upon the information received. The insurer was contacted regarding the loss and a request was made for additional billing information that may be present on this employees policy through the provider. The findings were of no great surprise. However, the lack of recognition of the fraud indicators was, considering the number of fraud indicators present. The investigation revealed nearly $100,000 was diverted from the insurer over a 26-month period. The alleged family of seven had
14
Informant: July 2008 December 2008

incurred 1,942 office visits with the Doctor of Chiropractic Medicine averaging three to four office visits each a week. This investigation has been forwarded to the county attorney for prosecution. Insurance premiums will continue to be impacted by the rising costs associated with healthcare fraud. Mandatory reporting requirements, educational campaigns and aggressive investigations are the keys to having an impact on insurance fraud. Medical professionals and insurers can use the following hardto-catch fraud indicators, entitled Insurance Fraud Detection Hints by the Nebraska Department of Insurance, IFPD, to determine if health care fraud is being commited:

- Similarities of reports or evaluations for several patients.
- Vague medical reports and/or records, missing information and inconsistent information.
- Change in or unusual billing pattern.
- Indications of altered or manufactured documents.
- Similarities in doctor's notes regarding office visits or treatments.
- Signs of excess treatment.

Other indicators in this case were readily recognized:

- Seven patients from the same family treating three to four times a week.
- Unusual treatment by a provider (one patient was six months old).
- All family members were being billed for the same Current Procedural Terminology (CPT) codes.
- No noticeable pre-existing conditions or injuries.
- Back billing for nearly 10 months.
- Handwritten notes from the provider's office to reimburse the patient directly, because the patient had been self-paying.
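The two lists above amount to a rule set an insurer or practice manager could run over a billing extract before a human ever looks at it. The following Python is an added example, not part of the IFPD hints or of the case file: it applies four of the indicators (visit frequency, identical CPT codes across a whole family, an infant patient, and back billing) to a constructed batch of claims. The patient names, dates, CPT codes and the thresholds are assumptions made for the example, not figures from the investigation.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds are assumptions made for this example, not figures from the IFPD hints.
MAX_VISITS_PER_WEEK = 2.0   # sustained care above this rate is treated as excess treatment
BACK_BILLING_DAYS = 90      # claims submitted this long after the service date
INFANT_MONTHS = 12          # care for patients this young is treated as unusual
MIN_FAMILY_SIZE = 3         # identical codes across at least this many relatives


def make_claims():
    """Constructed claims (not the case file): a family of three seen four
    times a week for four weeks, always billed the same CPT codes and billed
    about ten months late, plus an unrelated patient with routine care."""
    claims = []
    start = date(2008, 3, 3)  # a Monday
    family = [("Doe, Alice", 420), ("Doe, Bob", 396), ("Doe, Cara", 6)]
    for name, age_months in family:
        for week in range(4):
            for weekday in (0, 1, 3, 4):  # Mon, Tue, Thu, Fri
                svc = start + timedelta(days=week * 7 + weekday)
                claims.append({
                    "patient": name, "family": "Doe", "age_months": age_months,
                    "service_date": svc, "bill_date": svc + timedelta(days=300),
                    "cpt": ("98940", "97012"),
                })
    for offset, codes in ((0, ("99213",)), (14, ("99213", "73030"))):
        svc = start + timedelta(days=offset)
        claims.append({
            "patient": "Smith, Ed", "family": "Smith", "age_months": 540,
            "service_date": svc, "bill_date": svc + timedelta(days=5),
            "cpt": codes,
        })
    return claims


SAMPLE_CLAIMS = make_claims()


def flag_indicators(claims):
    """Return the indicator hits a reviewer would want to see for a batch of claims."""
    by_patient = defaultdict(list)
    for c in claims:
        by_patient[c["patient"]].append(c)

    # Excess treatment: average claims per calendar week over the observed span.
    frequency = {}
    for patient, rows in by_patient.items():
        dates = [r["service_date"] for r in rows]
        weeks = (max(dates) - min(dates)).days // 7 + 1
        rate = round(len(rows) / weeks, 2)
        if rate > MAX_VISITS_PER_WEEK:
            frequency[patient] = rate

    # Same CPT codes for a whole family: every member was billed the same
    # sequence of code sets.
    by_family = defaultdict(dict)
    for patient, rows in by_patient.items():
        code_sets = tuple(sorted(tuple(sorted(r["cpt"])) for r in rows))
        by_family[rows[0]["family"]][patient] = code_sets
    identical = sorted(
        fam for fam, members in by_family.items()
        if len(members) >= MIN_FAMILY_SIZE and len(set(members.values())) == 1
    )

    # Unusual treatment: very young patients.
    infants = sorted({c["patient"] for c in claims if c["age_months"] < INFANT_MONTHS})

    # Back billing: longest service-to-bill lag per patient above the threshold.
    back_billing = {}
    for c in claims:
        lag = (c["bill_date"] - c["service_date"]).days
        if lag > BACK_BILLING_DAYS:
            back_billing[c["patient"]] = max(lag, back_billing.get(c["patient"], 0))

    return {
        "high_visit_frequency": frequency,
        "identical_family_cpt_codes": identical,
        "infant_patients": infants,
        "back_billing": back_billing,
    }


if __name__ == "__main__":
    for indicator, hits in flag_indicators(SAMPLE_CLAIMS).items():
        print(f"{indicator}: {hits}")
```

Each indicator on its own is explainable away (a real injury can need frequent care; a practice can fall behind on billing); the point of running them together is that a patient or family tripping several at once is what the IFPD list calls hard to catch when files are reviewed one claim at a time.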

About the Author

Charles Starr is the Division Chief for the Nebraska Department of Insurance, IFPD. The division commenced operations in September 1995 to confront the problem of insurance fraud in Nebraska. Prior to joining the IFPD, Division Chief Starr was an investigator with the Technical Investigations Unit of the Lincoln Police Department.

New Trends

by Aaron Naternicola, Internet Fraud Analyst, NW3C

Computer intrusions continue to be a focal point at the Internet Crime Complaint Center (IC3) in Fairmont, WV. A new version of the Storm Worm virus is being spread through spam e-mails timed to specific holidays. Recipients are directed to click on a link to retrieve an electronic greeting card (e-card) referenced in the e-mail. Once the user clicks on the link, malicious software (malware) is downloaded to the Internet-connected device or computer, which then becomes an infected part of a botnet. Infected computers can be used to commit identity theft, launch denial of service attacks, and install malware which logs the user's keystrokes. The Storm Worm virus has capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail.

In another recent wave of e-mail intrusions, the IC3 received information from a victim who had her e-mail account hijacked and her password changed so that she could no longer access her account. Once the account was compromised, the hijacker sent an e-mail from it to her entire address book claiming that she (the victim) needed to make a purchase at a specified Web site, but stating that her credit card had been suspended and she was unable to proceed with the purchase. The e-mail asked the recipients if they would make the purchase for her, indicating she was in a hurry and would repay in cash as soon as the recipient replied to her. The rush for this purchase was due to a special promotion on pre-designed templates for Web sites being offered for one week only for $2.99. After the purchase, a user name and password would be sent to access the download page. The e-mail requested that the user name and password be forwarded, indicating the purchase had been made. Although the payment amount requested was very low, the opportunity for the individual's credit card information to be compromised and later used for other fraudulent purposes was great.

Among the more recent trends are fake pop-up ads for anti-virus software. Upon visiting certain Web sites, victims receive a pop-up notification advising them of possible viruses on their computers. The pop-up then requests a fee (usually $49.95) to upgrade/update their anti-virus software. Once accepted, the anti-virus software either did not function properly or was malicious in nature. Downloading it could have resulted in viruses, Trojans, and keylogger installations on the victim's computer. The recipient's credit card could also have been charged above the amount quoted for the software. Recipients advised that attempts to contact the company to resolve the issue were unsuccessful: e-mails went unanswered and calls to the telephone numbers provided were directed to a voice-mail box.

These latest trends signify the ever-evolving landscape of computer intrusions, as would-be hijackers continue to invent clever scenarios in order to gain access to victims' machines, accounts and credit information. Victims are asked to visit www.ic3.gov to file complaints if they have fallen for these or any other intrusion-related scams.
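The holiday e-card lure described above is recognizable by mail-gateway heuristics long before anyone clicks. The following Python is an added example, not IC3 code or guidance: it parses a constructed message, pulls the links out of the HTML body, and reports why the message looks like an e-card lure. The lure phrases, the raw-IP and executable-link checks, and the check that the visible link text matches the real target are assumptions about what such a wave looks like, not details the alert gives; the two sample messages are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics below are assumptions for this example, not IC3 guidance.
LURE_PHRASES = ("e-card", "ecard", "greeting card", "postcard", "someone sent you")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed message in the style of the holiday e-card spam described above.
SAMPLE_EMAIL = b"""\
From: "Greeting Cards" <cards@example.com>
To: victim@example.org
Subject: You've received a Valentine's Day e-card!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Someone sent you a greeting card. Click the link below to view it.</p>
<p><a href="http://192.0.2.77/ecard.exe">http://www.example.com/cards/view</a></p>
</body></html>
"""

# Constructed ordinary message, for contrast.
BENIGN_EMAIL = b"""\
From: Alice <alice@example.org>
To: victim@example.org
Subject: Minutes from today's meeting
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The minutes are posted at https://www.example.org/minutes - thanks.
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_ecard_lure(raw):
    """Return a list of reasons the raw RFC 822 message looks like an e-card lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    subject = msg["subject"] or ""
    reasons = []

    # Wording: greeting-card language in the subject or body.
    haystack = (subject + " " + text).lower()
    if any(p in haystack for p in LURE_PHRASES):
        reasons.append("greeting-card lure wording")

    # Links: where the "card" actually points.
    parser = LinkExtractor()
    parser.feed(text)
    for href, label in parser.links:
        host = urlparse(href).hostname or ""
        if IP_HOST_RE.match(host):
            reasons.append(f"link to raw IP address {host}")
        if href.lower().endswith((".exe", ".scr", ".pif")):
            reasons.append(f"link to executable {href}")
        label_host = urlparse(label).hostname if label.startswith("http") else None
        if label_host and label_host != host:
            reasons.append(f"link text shows {label_host} but points to {host}")
    return reasons


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, score_ecard_lure(raw) or ["no indicators"])
```

None of these checks is proof on its own; a real card service can send HTML mail with links. The useful signal is the combination: lure wording plus a link whose visible text and real target disagree, or that fetches an executable from a bare address, is what should route a message to quarantine rather than to the inbox.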
About the Author

Aaron Naternicola is an Internet Fraud Analyst with 8 years' experience at the Internet Crime Complaint Center.

Internet Crime Complaint Center ALERTS

Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder. Follow these tips to ensure your Internet security:

- Ensure security is installed at every possible entry point.
- Identify all machines connected to the Internet and assess the defense that is engaged on each.
- Determine if your servers are utilizing any ports that are not secure.
- Ensure you are utilizing the most up-to-date patches for your software.

Report online crimes to www.ic3.gov

http://informant.nw3c.org
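The second and third tips (know what is connected, and find the ports that are not secure) are a comparison between what a scan shows and what the inventory says should be exposed. The following Python is an added example that is not part of the IC3 alert: it parses a constructed listing in nmap's grepable (-oG) output format and reports hosts missing from the inventory, services that carry credentials or data in the clear or should not face the Internet, and ports outside each host's approved exposure. The addresses, host names, the per-host allowlist and the insecure-service list are all assumptions made for the example.

```python
import re

# Constructed output in nmap's grepable (-oG) format; not a real scan.
SAMPLE_NMAP_OG = """\
# Nmap 4.76 scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.org)\tPorts: 22/open/tcp//ssh//OpenSSH 4.7/, 80/open/tcp//http//Apache httpd 2.2/, 443/open/tcp//http//Apache httpd 2.2/\tIgnored State: closed (997)
Host: 192.0.2.20 (files.example.org)\tPorts: 21/open/tcp//ftp//vsftpd 2.0/, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
Host: 192.0.2.30 (db.example.org)\tPorts: 22/open/tcp//ssh//OpenSSH 4.7/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2005/\tIgnored State: closed (998)
Host: 192.0.2.40 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# What each Internet-facing host is approved to expose (an assumption for
# this example; in practice this comes from the asset inventory).
EXPECTED_EXPOSURE = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.20": {22},
    "192.0.2.30": {22},
}

# Services that send credentials or data in the clear, or that should not be
# reachable from the Internet at all (assumed list for the example).
INSECURE_SERVICES = {
    "telnet", "ftp", "rlogin", "rsh", "pop3", "imap", "microsoft-ds", "ms-sql-s",
}

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")
# Each port entry is port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Map each host address to its name and list of open ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports: " not in line:
            continue
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        open_ports = []
        for entry in ports_field.split(", "):
            pm = PORT_RE.match(entry)
            if pm and pm.group(2) == "open":
                open_ports.append({
                    "port": int(pm.group(1)), "proto": pm.group(3),
                    "service": pm.group(4), "version": pm.group(5),
                })
        hosts[m.group(1)] = {"name": m.group(2), "ports": open_ports}
    return hosts


def audit(hosts, expected):
    """Return (host, port, reason) findings: hosts missing from the inventory,
    insecure services, and ports outside the approved exposure for that host."""
    findings = []
    for ip, info in sorted(hosts.items()):
        allowed = expected.get(ip)
        if allowed is None:
            findings.append((ip, None, "host not in inventory"))
            allowed = set()
        for p in info["ports"]:
            if p["service"] in INSECURE_SERVICES:
                findings.append((ip, p["port"], f"insecure service {p['service']}"))
            if p["port"] not in allowed:
                findings.append((ip, p["port"], "port not in approved exposure list"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in audit(parse_grepable(SAMPLE_NMAP_OG), EXPECTED_EXPOSURE):
        print(f"{ip}\t{port if port is not None else '-'}\t{reason}")
```

On a real network the input would come from a scan such as nmap -sV -oG scan.txt run from outside the perimeter, so that it sees what an intruder sees. The fourth tip, patch currency, is a different data source: the version strings a scan reports are a hint, but confirming that patches are current needs the host inventory, not the port list.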



PART I

by Christian Desilets, Research Attorney, NW3C

Systems that gather, organize, and disseminate crime-related information are vital to law enforcement as we know it today; but these systems also give rise to new forms of liability. Can you be sued if a hacker gets into your network and accesses sensitive files? Can you be sued for making private information available to defense attorneys? Can you be sued if the information in the system is out-of-date, unreliable, or includes intentional falsehoods?

First, the obvious and useless answer: of course you can. One of the hallmarks of American society is that you can pretty much be sued by anyone for anything. Even if the case gets thrown out of court early on, it's still likely to take up a good deal of your time and generate a great deal of needless anxiety. That means that all this article can really address is whether you're likely to be held accountable for the various problems that sometimes occur when hosting, using, maintaining, or relying on criminal information systems.

So let's look at the less-obvious case first. Is there any potential liability associated with having a complete, accurate, truthful, well-functioning database, containing nothing but information that it's allowed to have? Yes, unfortunately, there is. Even if you put together the best database in the world, you'll still have to deal with privacy issues. Various laws may apply to situations in which someone obtains access to information that they are not supposed to have. There are a number of ways that privacy is protected:

- Constitutionally, the 14th Amendment's Due Process Clause has often been invoked to protect privacy.
- By statute, 42 U.S.C. 1983 (Civil action for deprivation of rights) creates civil liability for violations of Constitutional rights (e.g., the Due Process Clause). Also, 5 USC 552a (the Privacy Act - Records maintained on individuals) sets limits on what government agencies can disclose.
- By regulation, 28 C.F.R. Part 23 (Criminal Intelligence Systems Operating Policies) sets limits on what operators of criminal intelligence systems can disclose.
- Finally, at common law, one of the four varieties of the tort of Invasion of Privacy is Public Disclosure of Private Facts. There's also plain old-fashioned negligence. Of course, sovereign immunity may provide some protection there.

(In the interest of making a resource of general application, this article isn't looking at anything state-specific. Everything in here should apply to everyone equally, but you should check with your local prosecutor to see if there are additional state laws that might also apply to you.)

Can you be held liable for violating the Constitution/42 U.S.C. 1983?

Yes. However, you're unlikely to be held liable except in extreme cases. This line of argument is generally advanced only after something tragic has happened (for instance, after someone has accessed private information and used it to track down a victim, as in a 2008 case where a disgruntled ex-boyfriend gained unauthorized access to 911 information and used it to track down and murder his girlfriend's new boyfriend). At that point, it can be argued that the government's actions (in releasing the data) deprived the victim of life, violating the Due Process Clause (which provides that no State shall deprive any person of life, liberty, or property, without due process of law). Of course, since the Due Process Clause includes deprivation of property as well as life, there's no reason why it couldn't be invoked in cases of identity theft just as easily. (It's just that the case law so far is heavily skewed towards instances of loss of life.)

The Due Process Clause, generally, doesn't create an affirmative duty for the state to protect its citizens from the acts of private individuals. However, there are two standard exceptions to that rule. One is when the state has taken custody of someone (in which case, the fact that the state is denying them the freedom to act as they see fit to protect themselves creates a duty for the state to offer them reasonable protection). The other is when the state created (or enhanced) the danger in the first place. While the Supreme Court has yet to officially adopt a theory of state-created danger, it's been used in the 2nd, 3rd, 6th, 7th, 8th, 9th, 10th, and 11th circuits, and D.C. Each circuit enumerates its test for state-created danger a little differently, but the 3rd circuit's is both a good representation and fairly recent (2006). To prevail on a state-created danger claim in the Third Circuit, a plaintiff must prove the following four elements:

1. the harm ultimately caused was foreseeable and fairly direct;
2. a state actor acted with a degree of culpability that shocks the conscience;
3. a relationship between the state and the plaintiff existed such that the plaintiff was a foreseeable victim of the defendant's acts, or a member of a discrete class of persons subjected to the potential harm brought about by the state's actions, as opposed to a member of the public in general; and
4. a state actor affirmatively used his or her authority in a way that created a danger to the citizen or that rendered the citizen more vulnerable to danger than had the state not acted at all.

Bright v. Westmoreland County, 443 F.3d 276, 281 (3d Cir. 2006) (internal quotation marks and footnotes omitted).

Three of those prongs are not very good news in the case of unauthorized access or a security breach. Depending on just what sort of information is obtained, the harm may or may not be foreseeable and fairly direct. In today's age of identity theft, however, it doesn't take much imagination to form a foreseeable and fairly direct link between the release of sensitive data and an ID theft or a violent stalking incident. Similarly, the person whose information was compromised is certainly a foreseeable victim of the act (or, in the case of a larger data breach, a member of a discrete class of persons subjected to potential harm). For that matter, through creating the criminal information system in the first place (and, in the second place, by policing the data in whatever manner it was policed), a state actor used their authority to create the danger (or, at least, to make the citizen more vulnerable than if they had not done so).

Help comes from the second prong. But what is culpability that shocks the conscience? That's a little harder to pin down. It's a standard with a good pedigree, at least. The U.S. Supreme Court, in County of Sacramento v. Lewis, 523 U.S. 833, 846 (1998), has stated that "for half a century now we have spoken of the cognizable level of executive abuse of power as that which shocks the conscience." But what, exactly, have they meant by that for the past 50 years? That's harder to say. The courts have generally acknowledged that the shocks-the-conscience test is situational. Behavior that's understandable in a high-pressure situation is less understandable when the person has time to deliberate and come to an unhurried judgment. In an extremely tense environment, an actual intent to cause harm is usually required. On the other end of the spectrum, deliberate indifference has been acknowledged to be enough when the state actor has ample time to think things through. Some courts have even suggested that actual knowledge of a risk of harm is unnecessary when the risk is so obvious that it should be known.

So, where does that leave us? That's a good question, and one that can't be answered outside of court, I'm afraid. All we can do at this point is look at other cases and get a general sense from them. Consider the case involving the release of 911 information (Phillips v. County of Allegheny, 515 F.3d 224 (3d Cir. 2008)), a situation where the murderer was aided by his coworkers in the 911 call center, who knew of his emotional state and pulled up the relevant records for him anyway. The coworkers' behavior was considered to be potentially so indifferent to the victim's safety that it could shock the conscience. (The issue on appeal was whether the victim's family could state a claim based on a state-created danger theory at all, not whether they were right.) On the other hand, in a case (Hart v. City of Little Rock, 432 F.3d 801 (8th Cir. 2005)) where the names, addresses, social security numbers, and phone numbers of two arresting officers and their immediate families were given to a defendant in a drug trial (or rather, his lawyer, who provided him with copies), the city's human resources department and the employee who released the information were considered, as a matter of law, to be guilty of negligence at most. (And mere negligence is not enough to shock the conscience.)

The main difference between the cases, for our purposes, is that, in Phillips, the government employee knew that something was wrong with the general situation and supplied the information anyway (as they knew that their coworker was emotionally distraught and wasn't supposed to be accessing the files of his ex-girlfriend and her new boyfriend), while in Hart, the idea of the files ending up in the wrong hands hadn't occurred to the employee, who had assumed that everything was routine. There's certainly a difference there, but there's no clear line. And, unfortunately, there's no real guidance yet that directly addresses computer security breaches as state-created dangers. However, it looks like it would take an extremely damning fact pattern for a computer security problem to be more than negligence, at least the first time any such problem emerges. After the department's aware of the problem, though, a finding of deliberate indifference becomes increasingly likely.

Can you be held liable for violating 5 USC 552a (the Privacy Act - Records maintained on individuals)?

Yes. However, only intentional disclosures are likely to get you into trouble here (and then, only for fines and a misdemeanor). Furthermore, this statute is not likely to apply to you (unless you are an employee of a federal agency). 5 USC 552a only applies to agencies of the federal government. For its purposes, that includes "any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency." So, odds are, this isn't you and you may skip ahead.

In general, a person would have to willfully disclose information to violate this law. There is, however, civil liability for "fail[ing] to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual." However, 5 USC 552a includes a few remarkable exceptions. For example, it allows the heads of agencies to promulgate rules exempting certain systems of records from many of the requirements of the statute if the records are "maintained by an agency which performs, as its principal function, any activity pertaining to the enforcement of criminal laws." Some of the requirements that they can't grant exemption from are subsections (b) and (i). Subsection (b) includes the disclosure rules and subsection (i) includes the criminal penalties. On the other hand, they can grant exemption from subsection (g), which governs civil penalties, including the one spelled out in the preceding paragraph. Of course, those are merely the exemptions that the agency heads are allowed to grant. If this topic is relevant to you, you might want to check and see if your agency head has in fact granted those exemptions. For those who are curious, the disclosure rules read as follows:

(b) Conditions of disclosure. No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be--

1. to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
2. required under section 552 of this title [5 USCS 552];
3. for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section;
4. to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13;
5. to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
6. to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;
7. to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;
8. to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;
9. to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;
10. to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office [Government Accountability Office];
11. pursuant to the order of a court of competent jurisdiction; or
12. to a consumer reporting agency in accordance with section 3711(e) of title 31.

Can you be held liable for violating 28 C.F.R. Part 23?

(Criminal Intelligence Systems Operating Policies apply, by regulation, to criminal intelligence systems operating under the Omnibus Crime Control and Safe Streets Act of 1968. However, a large number of systems that are not required to adhere to the regulation have voluntarily decided to adopt some version of it.)

No, or at least not directly. 28 C.F.R. Part 23 does not, by itself, create either civil or criminal liability. It's primarily a funding regulation, telling agencies that operate criminal intelligence systems what they have to comply with to get Federal funding. However, 28 C.F.R. 23.20(m) reads "A project shall adopt sanctions for unauthorized access, utilization, or disclosure of information contained in the system." What those sanctions are will vary, but they may include some sort of civil liability. For that matter, if you're trying to defend yourself in a civil claim under some other theory of liability, the fact that you violated established policy is unlikely to help your case.

On the administrative side, 28 C.F.R. 23.20(n) reads "A participating agency of an interjurisdictional intelligence system must maintain in its agency files information which documents each submission to the system and supports compliance with project entry criteria. Participating agency files supporting system submissions must be made available for reasonable audit and inspection by project representatives. Project representatives will conduct participating agency inspection and audit in such a manner so as to protect the confidentiality and sensitivity of participating agency intelligence records." So there's some chance that an agency that doesn't conduct inspections and audits in such a way as to protect the confidentiality of its records may find the Federal funding (or equivalent, since this particular regulation has been adapted for a number of other contexts) for its criminal intelligence system in danger.

Can you be held liable for committing the tort of Public Disclosure of Private Facts?

It depends, but not usually. The tort of Public Disclosure of Private Facts occurs when someone publishes non-newsworthy, private facts that are so intimate that their publication would be offensive to a reasonable person. So, to start with, it's hard to see maintaining an information system as publishing the information. Even if the information is given to a select list of people, say, members of the law enforcement community, it's not considered publishing unless the information is disseminated to the public at large (such as in a periodical). Distributing information to a closed list of individuals, rather than the general public, does not constitute publication. However, in cases of mass distribution of information, one way to defeat the requirement of non-newsworthiness is to prove that the information is of legitimate public concern. There might be a little wiggle room as to whether a particular piece of information is of legitimate public concern (e.g., a sexual predator's address); but the Supreme Court has held that a state may not punish the publication of lawfully obtained truthful information unless necessary to further a state interest of the highest order (a compelling interest). (Florida Star v. B.J.F., 491 U.S. 524 (1989).) This isn't a guarantee that the court will take a certain side, but it does tend to make it easier to justify the publication of information when that publication performs a service for society. (Though it'll be a rare case where the facts contained in a criminal information system could be seen to be published.)

Can you be held liable for negligence?

Certainly (unless your state's laws protect you). Being sued for negligence is always a possibility in situations where people experience loss. There's just no way around it. To be liable for negligence, first your state has to allow you to be held liable (more on that below). Secondly, it must be shown that you had a duty (generally, a duty of care), you breached the duty (generally, by not exercising reasonable care), and the breach of duty resulted in the damage in question. Of course, much of that will depend on your exact situation. A database administrator, for example, might have a duty to take reasonable care to protect the privacy of the data in his or her care, a duty that a beat cop would not likely have. This, however, doesn't mean that officers are immediately liable if hackers gain access to databases under their care. An officer may be held liable for negligence only if a reasonable professional in the same field would have done more to prevent it. You don't need to actually succeed in preventing all access to the data. Reasonable protections may include adopting the same standards used by an esteemed body of professionals in the field. After all, a respected industry group can generally be assumed to consist of reasonable professionals. Following their recommendations, then, is something that is relatively easy to demonstrate a reasonable professional in that field would do. (Though, of course, things change when you acquire new information, e.g., knowledge of previous successful unauthorized access attempts using particular methods. Then you have to ask yourself how a hypothetical, reasonable professional would have responded to the new information.)

With regard to the individual liability of police officers, states fall into three broad categories:

- The first group holds police officers personally liable for their negligent acts, but extends immunity for acts that fall within certain enumerated discretionary functions. States in this category are Alabama, Alaska, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Minnesota, Missouri, Montana, Nevada, New Jersey, New Mexico, North Carolina, Tennessee, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.
- A second group of states holds police officers personally liable only if their conduct was grossly negligent, malicious, fraudulent, or wanton and willful. States in this group are Arizona, Arkansas, Colorado, Delaware, Florida, Illinois, Louisiana, Maryland, North Dakota, Ohio, Oklahoma, Pennsylvania, South Carolina, Utah, and Vermont.
- A third group of states relieves police officers from all personal liability, and instead holds the government employer liable under the principle of respondeat superior (Latin for "let the master respond"). States in this group are Connecticut, Massachusetts, Mississippi, Nebraska, New Hampshire, Oregon, South Dakota and Texas.

(Lists of states from Police Officer Liability In High-Speed Pursuits: A Study Report to The Michigan Law Revision Commission, from Michigan Law Revision Commission Thirty-first Annual Report, 1996, http://council.legislature.mi.gov/files/mlrc/1996/police.htm, retrieved August 12, 2008.)

Will Sovereign Immunity shield you?

Maybe, if you're an employee of a Federal or State agency and not acting contrary to the Constitution. Sovereign Immunity is, historically, the sovereign's privilege not to be subject to suit in his own courts unless he wishes to be. In Hans v. Louisiana, 134 U.S. 1 (1890), the Supreme Court held that the Eleventh Amendment re-affirms that states also possess sovereign immunity and are therefore immune from being sued in federal court without their consent. In later cases, the Supreme Court has strengthened state sovereign immunity considerably. However, "a consequence of [the] Court's recognition of preratification sovereignty as the source of immunity from suit is that only States and arms of the State possess immunity from suits authorized by federal law." (Northern Insurance Company of New York v. Chatham County, 547 U.S. 189 (2006).) Thus, cities and municipalities lack sovereign immunity (Jinks v. Richland County, 538 U.S. 456, 466 (2003)), and counties are not generally considered to have sovereign immunity, even when they exercise a "slice of state power." Lake Country Estates, Inc. v. Tahoe Regional Planning Agency, 440 U.S. 391, 401 (1979). Further, immunity does not extend to "a person who acts for the state, but [who] acts unconstitutionally, because the state is powerless to authorize the person to act in violation of the Constitution." Althouse, Tapping the State Court Resource, 44 Vand. L. Rev. 953, 973 (1991). And, of course, the basis of Sovereign Immunity (as applied to states) is that they can't be sued without their consent. Where they have given their consent (by statute, for example), Sovereign Immunity offers no protection.

It seems that in most cases, maintaining an accurate, reliable criminal information system stocked with legal, complete information (which might not always be possible) carries no greater exposure to civil or criminal liability than other police activities. Absent a handful of (presumably) uncommon fact patterns, the only real danger to the law enforcement professional is negligence, which is hardly a new danger for law enforcement. In a later installment, we'll deal with the dangers implicit in incorrect or missing data, as well as the questions of unauthorized data collection and invasions of privacy through data collection (as opposed to publication).

About the Author

Christian Desilets is a research attorney for the NW3C. A member of the West Virginia State Bar, Christian graduated from the Georgetown Law Center in 2001. He did his undergraduate work at Mississippi State University (MSU), studying sociology, computer science and criminal justice. At MSU, Christian was awarded Alpha Kappa Delta's Sociology Undergraduate of the Year award (1997). Christian's areas of expertise include investigating the nexus between white collar crimes and the advances of technology. Prior experience with software and Web-based utility patents, the Internet and intellectual property issues provides invaluable insights to members requesting assistance with the investigation and prosecution of high-tech and white collar crimes. Christian is a Contributing Editor for the Informant Magazine.

Successful Case Summaries from NW3C Members

Case Name: The Dealership Fraud Ring
Author: Stephen Jenson, Commanding Officer, ID Theft Unit
Agency: Suffolk County Police Department, NY

The introduction of the personal computer and the Internet as instrumentalities in identity crimes affords thieves a layer of anonymity, and gives investigators cause for concern when it comes to the implications of high technology in their investigation. But identity thieves still rely on traditional, low-tech crimes as the primary method for compromising victims' identities.¹ While an investigator assigned to an identity theft case may not be a techie or skilled in computer forensics, he or she is still the point man in the investigation. This concept was never more evident than in an investigation conducted by the Suffolk County Police Department's Identity Theft Unit, NY. Lamor Whitehead was arrested after an investigation that started in October 2004; it resulted in his conviction on April 2, 2008, after a seven-week trial. He was convicted on fourteen counts of Identity Theft, two counts of Grand Larceny and one count of Scheme to Defraud, and was sentenced to a prison term of 10 to 30 years. The case was solved by an investigation that exemplified good traditional investigative skills and the persistence of the detectives involved.

On October 6, 2004, the Identity Theft Unit received complaints of identity theft from five Suffolk County residents who had purchased automobiles in September of that year from the Baron Honda dealership in Patchogue, NY. All the victims had arranged for auto financing through the dealership. Within weeks, their personal data was used in attempts to purchase Land Rover vehicles from dealers across Long Island. The identity thieves applied for auto financing by telephone through Chase Auto Finance. According to Chase investigators, once the loan was approved the suspects directed the financial institution to fax or mail a loan voucher to the Land Rover dealer where a purchase had been arranged. The sales staff at the dealership never physically met with the buyer, and the purchaser would send a representative to pick up the vehicle.

Detective William Peeker of the Identity Theft Unit started his investigation at the obvious point of compromise, Baron Honda. He interviewed management and employees. The loan application process was examined, as well as the transit procedure of loan documents by courier to the financial institution. Dealer Track Inc. was contacted; they are a provider of on-demand software for the automotive retail industry that utilizes the Internet to link automotive dealers with financial institutions and the major credit reporting agencies. A search of their log files for user information within the dealer's organization, or for a possible data breach, did not reveal any suspected compromise. Peeker was having little success at the dealership, but that avenue of investigation was going to have to wait. The case was starting to heat up, and events at other dealerships would require the immediate attention of investigators.

Land Rover dealers on Long Island had been alerted to the scheme by the Identity Theft Unit on the first day of the investigation. The advisory paid off almost immediately. Within several days a Land Rover dealer in Smithtown, Suffolk County, NY, contacted Det. Peeker. A subject had attempted to purchase a Range Rover model by telephone, and a voucher was received by fax. Earlier that day, the representative sent by the buyer to pick up the car fled when the salesman became suspicious of misspellings on the insurance paperwork. Two checks left at the dealership by the subject to pay for registration and dealer fees were recovered by Peeker as documentary evidence. Further investigation revealed the checks were part of a starter check set provided on a new checking account opened in another identity theft case that originated in New York City. Two subjects arrested in that case by the New York City Police Department were incarcerated in New York City at the time of the attempted purchase. The checks were submitted to the Suffolk Police Department's Identification Section to be processed for latent fingerprints and eventual comparison through the Automated Fingerprint Identification Service (A.F.I.S.). Peeker's plans to interview the subjects in jail were put on hold as another event required his attention.

A few days later, another dealer in Massapequa, Nassau County, NY, contacted the ID Theft Unit to report someone attempting to purchase a Range Rover utilizing a similar scheme. Peeker was able to verify that a Brooklyn resident's personal information was used to obtain the loan and that the victim had reported the identity theft. Detectives had to seize the opportunity in the hope of exposing the identities of the auto fraudsters. A surveillance plan was developed, and a detective was placed in the dealership to work undercover as a salesman. Although acts of fraud perpetrated by the suspects took place in various parts of the state, the Baron Honda dealership was located within 500 miles of the Suffolk County border, allowing the investigation to remain within the jurisdiction of the Suffolk County Police Department under New York State law. Over the course of the next three days, the undercover officer engaged in negotiations for the delivery of a Range Rover with the buyer posing as the victim from Brooklyn. A Chinese wall had been created by the criminals to avoid detection: the buyer could only be contacted by leaving a message on a telephone voice mail, and then detectives waited for the buyer to return the call. Over the three days of the stake-out, detectives observed what appeared to be a counter-surveillance operation being staged in the area of the dealership just before the buyer returned calls to the car dealer. The teams recorded license plate numbers and
20
Informant: July 2008 December 2008

vehicle descriptions operated by the counter surveillance. The criminal operation also included male and female teams posing as shoppers in the showroom. They entered the business just before the buyer called and departed immediately after the call was terminated. The counter surveillance never detected the police stake-out. Investigators were now convinced they were dealing with an organized criminal enterprise. On the third day of the surveillance the detectives concluded the subjects involved would not take delivery of the vehicle and expose themselves. Negotiations between the undercover officer and buyer were stalled as it became a game of cat and mouse. As a last effort, it was decided that a notarized release would be requested from the purchaser allowing someone other than the buyer to take delivery of the car. Minutes before business closing, a subject slipped into the dealership and dropped the requested release on a desk and then fled before anyone could observe him. The document was recovered and submitted to the departments Identification Unit for processing and examination for latent fingerprints. The notary stamp on the document was discovered to be fraudulent and the registration number did not exist. An evaluation of the effort to that point led the Identity Theft Unit to terminate the surveillance. The suspect at the Smithtown dealer, who possessed the bad checks, was identified from the latent fingerprints discovered on the two checks recovered from the dealership. The salesman at the dealer picked the suspect from a photo array to confirm the identification. On December 8, 2004, Kiley Copeland of 31 Fleetwalk Brooklyn, NY, was arrested by Det. Peeker with the assistance of the U.S. Marshalls Task Force in Brooklyn. Copeland was charged with Criminal Possession of a Forged Instrument 2nd degree and agreed to a plea bargain to serve one and a third to three years instead of cooperating in the investigation. 
Copeland had a history of serious felony arrests including state incarceration for felony murder and had plenty of street cred. His acquiescence in taking the plea concerned detectives as to the extent of control the criminal organization held over its members. Copeland eventually served two and a third years before his release. In May 2005, Det. Thomas Gabriele of the Identity Theft Unit was investigating an apparently unrelated complaint of identity theft from a Suffolk County resident. She reported someone had used her personal information to purchase a $15,000.00 motorcycle in Brooklyn by applying for a loan online through E-Loan. Upon interviewing the victim, it was discovered several other loans and services were obtained online through Capital One Financing, Internet Bank and GEICO insurance. Gabriele obtained the personal data filed online for all the loans and services taken out in the name of the victim. Capital One investigators had linked this incident with so many others that they dubbed the enterprise the New York Fraud Ring. On June 8, 2005, Det. Gabriele was notified by New York City Police that Lamor Whitehead had been arrested in possession of the motorcycle registered to the victim. During his arrest, Whitehead provided the address logged by E-Loan in the Internet application. The detective was no longer dealing with shadows now; he had a real name and a face to work with. Det. Gabriele located and interviewed anyone who knew or dealt with Whitehead, who apparently was attempting to break into the rap music scene. The detective began assembling the paper trail involving over $750,000.00 in loan applications conducted over the Internet with several financial institutions. A list of victims was developed through Capital One and E-Loan that included over fifty-four victims from the New York area and several southeastern states. The loans were for high-end vehicles such as Porsches and Land Rovers, and were also for home equity lines of credit (HELOC). Some of the equity line applications resulted in checks for tens of thousands of dollars mailed to drops at addresses in various parts of Brooklyn. A lengthy subpoena process began to obtain application details, IP logs and phone numbers recorded in the process. Phone numbers and addresses revealed in data from the financial institutions were, in turn, the subject of more subpoenas issued to the service providers. As the data was collected it was indexed and charted for link analysis. It included thousands of phone calls, IP addresses, physical addresses and e-mail addresses. A background investigation of Whitehead revealed additional information that was also charted with data from the financial institutions. Analysis of the collected data started to reveal connections placing Whitehead at the center of an elaborate criminal enterprise involved in a series of identity crimes. Many of the addresses provided on the Internet loan applications were on the same streets where Whitehead had either resided or provided as residences on public and criminal records. Some addresses belonged to family members or former girlfriends. Phone numbers listed on the applications and records were tracked down. About twenty of those numbers were registered to Aerobeep Voicemail Services of Manhattan, New York. A subsequent investigation revealed Whitehead rented the voice mail boxes under the name Jon Wilson while using another girlfriend's address in Uniondale, Nassau County, New York. The charts also revealed a consistency in the creation of Yahoo e-mail addresses set up by the suspect for the online applications. He used the victim's full name in the address, e.g., johnjones@yahoo.com.
While this format helped the suspect keep track of his illegal endeavors, it also helped the Identity Theft Unit do the same. It allowed for ease in subpoenaing and tracking the applications made with the victims' information. The IP logs also revealed many of the applications originated from one location on Cleveland Ave. and another on Park Place in Brooklyn. It was discovered the initial IP address was set on the applicant's computer as a cookie by the financial institutions. According to the chart analysis, approximately a week after the initial applications were made, the log-in IP address had changed, but the detected cookie remained the same. It was theorized that either the computer had physically been disconnected for a period, requiring the acquisition of a new IP address, or the computer itself was actually moved. Detectives were inclined to believe that war driving was a more likely scenario. Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using such items as a laptop or a PDA. It is similar to using a radio scanner, or to the amateur radio practice of DXing.2 The idea that the suspect(s) may be involved in war driving produced another obstacle as to proving who actually used the victims' information to obtain the loans. Whitehead provided the Cleveland Ave. address as his residence in a previous arrest. On August 5, 2005, search warrants were obtained for the Cleveland Ave. and Park Place residences, which were executed by members of the Identity Theft Unit with the assistance of the Suffolk Police Department's Computer Crimes Unit. Both locations had unsecured wireless routers installed.
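The link-analysis step described above, charting applications by lender cookie, source IP, contact phone number and e-mail pattern, as an added Python example; it is not part of the article or of the Suffolk County Police Department's own tooling, and every record, name, cookie value, IP address and phone number in it is constructed sample data.

```python
"""Link analysis over online loan-application records.

Added example, not from the NW3C article or any police tool. All records,
cookie values, IP addresses, phone numbers and names below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Application:
    app_id: str
    applicant: str   # name on the application (in the case, the victim's name)
    email: str       # contact e-mail supplied with the application
    phone: str       # contact number supplied with the application
    src_ip: str      # IP address recorded in the lender's web log
    cookie: str      # tracking cookie the lender set on the applicant's browser
    applied: date


# Constructed sample: four applications from one browser (same cookie) whose
# IP address changes a week later, plus one unrelated application as a control.
APPLICATIONS = [
    Application("A1", "John Jones", "johnjones@yahoo.com", "212-555-0101", "10.0.0.5", "ck-7f3a", date(2005, 3, 1)),
    Application("A2", "John Jones", "johnjones@yahoo.com", "212-555-0101", "10.0.0.5", "ck-7f3a", date(2005, 3, 1)),
    Application("A3", "Mary Smith", "marysmith@yahoo.com", "212-555-0102", "10.0.9.77", "ck-7f3a", date(2005, 3, 8)),
    Application("A4", "Mary Smith", "marysmith@yahoo.com", "212-555-0101", "10.0.9.77", "ck-7f3a", date(2005, 3, 8)),
    Application("A5", "Alice Brown", "abrown1977@example.net", "516-555-0199", "192.0.2.10", "ck-91c0", date(2005, 3, 2)),
]

# Constructed: numbers a subpoena showed were rented from a voicemail service.
VOICEMAIL_NUMBERS = {"212-555-0101", "212-555-0102"}


def email_uses_victim_full_name(app: Application) -> bool:
    """True when the mailbox name is just the applicant's full name, e.g. johnjones@..."""
    local = app.email.split("@", 1)[0].lower()
    return local == re.sub(r"[^a-z]", "", app.applicant.lower())


def cookie_ip_changes(apps: list[Application]) -> dict[str, list[str]]:
    """Cookies seen from more than one source IP, with the IPs in first-seen order."""
    seen: dict[str, list[str]] = defaultdict(list)
    for app in sorted(apps, key=lambda a: a.applied):
        if app.src_ip not in seen[app.cookie]:
            seen[app.cookie].append(app.src_ip)
    return {c: ips for c, ips in seen.items() if len(ips) > 1}


def victims_sharing_contact_phone(apps: list[Application]) -> dict[str, set[str]]:
    """Contact numbers that appear on applications in more than one victim's name."""
    by_phone: dict[str, set[str]] = defaultdict(set)
    for app in apps:
        by_phone[app.phone].add(app.applicant)
    return {p: names for p, names in by_phone.items() if len(names) > 1}


def link_report(apps: list[Application], voicemail_numbers: set[str]) -> dict:
    """Chart the artifacts that tie separate applications (and victims) together."""
    ip_changes = cookie_ip_changes(apps)
    shared = victims_sharing_contact_phone(apps)
    # Victims connected by a shared browser cookie or a shared contact number
    linked: set[str] = set()
    for cookie in ip_changes:
        linked |= {a.applicant for a in apps if a.cookie == cookie}
    for names in shared.values():
        linked |= names
    return {
        "full_name_emails": sorted(a.app_id for a in apps if email_uses_victim_full_name(a)),
        "cookie_ip_changes": ip_changes,
        "shared_phones": shared,
        "voicemail_apps": sorted(a.app_id for a in apps if a.phone in voicemail_numbers),
        "linked_victims": sorted(linked),
    }


if __name__ == "__main__":
    for key, value in link_report(APPLICATIONS, VOICEMAIL_NUMBERS).items():
        print(f"{key}: {value}")
```

The same grouping generalizes to any shared artifact (drop address, device fingerprint) by adding a field to Application and a grouping function alongside the two shown.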
http://informant.nw3c.org


While interviewing the residents on Cleveland Ave., Gabriele discovered that they had been acquaintances of Whitehead until there was a falling out, and that he never resided there. One resident listened to recordings of the Aerobeep voice mail announcements and identified Whitehead's voice on eight of the eleven recordings. They had also witnessed Whitehead in a car parked in front of their residence while operating a laptop computer but had not realized that he could use their Internet connection. The residents' computers were seized and an analysis by the Computer Crimes Unit determined there was no evidence linking the computers to the scam. The data analysis also revealed a very important link that helped turn the case for Gabriele. That link connected his case to the victims of the investigation in October 2004. The lists of victims developed by the financial institutions contained the names of the Suffolk County victims in the earlier case. Gabriele reviewed the earlier investigation and re-examined the case materials with Det. Peeker. The Aerobeep phone numbers were given as contact numbers on the loan applications in the earlier cases. The newest piece of evidence Peeker had received was the results of the examination of latent prints on the notarized release obtained at the Massapequa dealer. An A.F.I.S. search finally revealed the fingerprints were those of Lamor Whitehead. Whitehead's phone records were obtained and examined closely, and it was found numerous phone calls were made to and received from Baron Honda in Patchogue. Armed with this new information, detectives went back to the Patchogue dealer where the first cases began in October 2004. After intensive interviews it was revealed a financing group they called the B-Team had been brought in to finance cars for those who could not qualify for the dealer financing during a car sale. The members of the group were given access to the area where customer information was kept.
They were also authorized to access the dealership's Dealer Track account and log-in. Detectives received the names of the four members of the B-Team. Whitehead's phone records were compared to a list of phone numbers belonging to the finance team. It revealed one member, a female, had numerous phone contacts with Whitehead. In December 2005 she was interrogated by Gabriele and confessed she had been dating Whitehead and stole the personal information of the original victims while she worked at the Patchogue dealership. She provided the victims' personal information to Whitehead, along with the password to access the dealer's Dealer Track account. Whitehead then had the ability to access the credit bureaus' databases as well as other customer information. During the course of the investigation, Whitehead had purchased a home at 92 Howland Ave. in Teaneck, New Jersey. A surveillance of the residence revealed a daily routine for Whitehead. A take-down plan was established with the Port Authority Police to arrest Whitehead on his daily trip into New York City via the George Washington Bridge. On January 25, 2006, detectives from the Identity Theft Unit, with the assistance of Port Authority Police Officers, arrested Whitehead after he crossed the bridge from New Jersey into New York City. Whitehead was taken to Suffolk County to face charges for incidents involving Suffolk's victims. A search warrant was obtained by the Teaneck, New Jersey Police Department for the Howland Ave. residence, which resulted in the recovery of a laptop computer as well as a stolen nine millimeter handgun, bullet proof vest and ski mask. The laptop was forensically examined by the Suffolk County Police Department's Computer Crimes Unit, which recovered evidence including data that evidenced Whitehead's access to Baron Honda's Dealer Track account. A search warrant was executed on the Land Rover Whitehead was operating when he was arrested, revealing documents bearing the personal information for a number of persons on the victim list supplied by Capital One as well as other evidence of mortgage frauds in New Jersey. The Land Rover was the subject of further investigation by Det. Gabriele, who quickly recognized the name that was used to finance the car. It was on the Capital One list of victims who resided in Tennessee. The information was turned over to a detective in the New York City Police Department's Vehicle Theft Unit, who arrested Whitehead for the possession of a stolen vehicle. Whitehead was convicted on that charge in a trial in December 2007 and was sentenced to less than a year in jail. While knowledge of the Internet and computer forensics was involved in this investigation, it is important to note the role of the detectives. The investigators assigned to the Suffolk County Police Department's Identity Theft Unit, as in most agencies, possess the investigative skills honed by years of training and experience working traditional, low-tech criminal cases. They approached the case as they would any criminal investigation and exposed the low-tech vulnerabilities of Whitehead's scheme. They recognized the evidentiary value of seemingly benign documents, and employed interview and interrogation techniques, surveillance methods and case organization as demanded by the investigation. Yet, despite their years of experience, they know every day requires them to possess an open mind, to learn how financial institutions and other industries do business, and how identity thieves exploit them. These attributes are evident in the manner in which this case was investigated. Computer forensics and Internet undercover work is new and exciting and it often gets the attention of the media. But the gumshoe will always be there to solve the case.
References
1. 2006 Identity Fraud Survey Report, January 2006 (Consumer Version), page 2. Federal Trade Commission. http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf
2. Wikipedia.

About the Author Detective Sergeant Stephen Jensen is a 29-year veteran of the Suffolk County Police Department and has been Commanding Officer of the Identity Theft Unit since its inception in 2004. He has 21 years of investigative experience from assignments in the Precinct Detectives Bureau, Computer Crimes Unit and Internal Affairs Bureau. He has attended numerous investigative training programs including NW3C's BDRA, ADRA and WCAT courses.

Case Name: The Wig Lady Author: Detective Brandon Megedoht Agency: Montgomery Police Department, MD

Between December 2005 and November 2007, the Montgomery County Police, Fraud Section, the U.S. Secret Service and the Metro Area Fraud Task Force (MAFTF - Washington, DC) conducted an investigation concerning Theft, Identity Theft and Bank Fraud involving 30 financial institutions and over $300,000 in loss. The investigation began in December 2005, when the Montgomery County Police Criminal Investigation Division - Fraud Section began to receive complaints from different Financial Institutions (banks and credit card companies) and private citizens. Those complaints reported the theft of funds from Financial Institution accounts due to an Account Takeover scheme by a female suspect posing as a true account holder. Over the next few months, no leads were developed to identify the suspects and the cases were suspended. During February and March 2005, the office received a number of additional cases involving the same method of operation. The similarities were noted during an office round-robin brief of investigations. The old reports were pulled and the female suspect was confirmed as the same in all reports. An investigator was assigned to follow up on known events and to determine if there were additional victims not identified. The initial, and then later follow-up, review of records revealed similar events dating back to September 2005. The investigation determined that the true bank account holder initially reported the theft of a wallet or purse. The theft was conducted by different means, including distraction theft or pickpocketing while in supermarkets or stores, a purse snatch in a restaurant or on the street, and theft from a vehicle. Those thefts occurred in multiple jurisdictions, including Maryland, the District of Columbia (DC), Virginia and Massachusetts. It was determined that immediately after the theft, the victim's credit card(s) would be used to purchase items ranging from gas, gift cards, stored value cards and personal goods to large screen TVs. At a later time, a suspect would then enter the victim's bank and pose as the victim. The suspect would utilize the victim's true bank / ATM card and the victim's true photo identification, or a fraudulent identification containing the victim's personal information but with the suspect's photograph. The female suspect would utilize wigs, scarves and hats in order to match the appearance of the true account holder and avoid identification. The female suspect would then display those proof of identity documents to bank personnel and gain access to the bank account.
Often, the suspect would cash a check belonging to another unrelated victim of theft in order to perpetrate the crime. The investigation identified that the same suspect was photographed by Virginia branches of Wachovia Bank in July 2005. The investigation also determined that between September and December 2005, 13 Bank of America and Mercantile Bank branches were targeted for a combined loss of approximately $50,000. At the time, the banks had not identified the loss. An additional investigation revealed that between January and March 2006, other unknown suspects were conducting the same scheme. The overall investigation stalled while bank alerts and police requests for information circulated. In March 2006, the original female suspect was again noted in SunTrust Bank surveillance photographs. By April, Bank of America, SunTrust Bank, Sandy Spring Bank, Mercantile Bank and Wachovia Bank reported that the suspect was identified at 14 different branches during the months of November and December 2005 for a combined loss of approximately $39,000. The total identified loss attributed to all noted unknown suspects conducting the scheme was just under $100,000. In May 2006, the investigations were presented to the U.S. Secret Service Fraud Task Force. An agent was assigned to conduct a joint investigation with the Montgomery County Department of Police.

The investigators attached bank photos, bank and police reports and copies of checks to a conference room wall in an attempt to determine any links and patterns between the victims and in an attempt to identify points of identity compromise. By utilizing bank surveillance photographs obtained on numerous dates from eight different banks with branches located in Montgomery County, Prince George's County, Anne Arundel County, Howard County, Baltimore County, Maryland, the District of Columbia and Alexandria County, Virginia, the investigators came to believe that the same individual(s) were conducting the bank account take-over scheme. The method of operation appeared to be that a female would enter a bank or multiple banks on the same date, approach the teller station, identify herself as the account owner and complete one or more transactions, obtaining funds. It was noted from the photographs that the female suspect often wore the same wig, scarf or hat while posing as the true account holder at different bank branches. In a number of surveillance photographs, a male was observed in the lobby of the bank. During the events, the male did not conduct any bank transactions. Also during the different events, both the female and male were noted as talking on cellular telephones at the same time, and it was reasonable to assume that the suspects may have been coordinating their actions by the use of the cellular telephones. Spreadsheets were developed which revealed that 14 separate victims were affected involving eight different banks in multiple jurisdictions with $139,800 in losses. Bank surveillance photographs were the only clear links identified between the victims. Simple hand-drawn diagram charts were created to provide a visual representation of the investigation while new complaints of loss were reported by the banks and victims.
The spreadsheets were expanded to include different variables such as specific banks, jurisdictions, days of the week, victims and other factors, all in an attempt to track and predict future events. By July 2006, the loss approached $219,500 with two additional banks targeted. During the course of the investigation, a time lag of months was identified between the time the victim reported the initial theft and the time the investigators were made aware of the event. The victim's identity and/or checks may not have been compromised for days, weeks or even months after the theft. When the victim became aware of the identity theft, use of credit cards or stolen checks, the victim would report the matter to their financial institution, which would then conduct its own internal investigation before reporting the loss to the police. As a result, the investigators obtained financial institution loss reports one or more months after the suspects obtained property or funds utilizing the stolen identity, credit cards and checks of the account holders. The diagrams were expanded and placed into a computer program, which resulted in the linking of previously unrelated victims to various suspects utilizing stolen checks and stolen identities to perform the theft scheme in multiple jurisdictions. This also provided further confirmation of activity between multiple unknown suspects acting in concert, and ensured the collection and documentation of evidence material. The investigation again stalled with no new investigative leads. On July 23rd, 2006, the investigation was released to the media, resulting in a main headline in the Washington Post and then further news interest in local and national news outlets, resulting in over two dozen tips from around the country along with additional victims reporting their loss. Two of the tips were later determined credible and of value to the investigation. Three of the new victims also became central to the investigation. On July 25th, 2006, a Detective with the Metropolitan Police Department (Washington, D.C.) contacted the investigators and provided the names of Carol Silva and Charles Belim. Both had been stopped at a bank in D.C. while engaged in an account takeover scheme in March 2006. Carol Silva was arrested at that time while Charles Belim was released. The investigators obtained the arrest report and photographs of both Silva and Belim and were able to positively link the stolen Compass Bank checks negotiated in Washington, D.C. with the same checks negotiated earlier on the same date in Montgomery County, Maryland. The unknown female suspect depicted in the bank security photographs was positively identified as Carol Silva. A male was also involved who resembled Charles Belim. Investigators began to investigate the history of both suspects, including requests for information from other police agencies on driver's license and criminal history and the acquisition of FBI Fingerprint Cards, arrest photos and related information. Complaints from banks continued to mount and were added to the investigation, with losses over $300,000. Approximately 30 Financial Institutions were identified involving approximately 80 victims. On July 27th, 2006, the investigators received an arrest report and photograph from the Town of Shrewsbury Police Department, Shrewsbury, MA, which showed that on April 31st, 2006 Charles Belim was found to be the operator of a 2001 Cadillac Deville bearing MA registration plate 43LV51. On that date, Belim was arrested and charged with possession of controlled dangerous substances, those being cocaine and heroin. He was also arrested on an open arrest warrant from South Boston for being a common and notorious thief.
On July 28th, 2006, the investigators received a copy of an open Bench Warrant (2001) and an arrest photograph from the Charles County, MD, Office of the Sheriff, which showed that Charles Belim was listed as a wanted suspect for failure to appear for charges of Theft Under $300 and Conspiracy to Commit Theft Under $300. On or about July 31st, 2006, the investigators received and reviewed investigative report documentation from the U.S. Secret Service (USSS), Providence, Rhode Island office, concerning a prior arrest and subsequent investigation of Belim for bank fraud. On April 3rd, 1998, East Providence Police and the USSS responded to Fleet Bank on a report of a female attempting to obtain funds with a fraudulent identification card and a stolen credit card. The female fled the bank and got into a vehicle driven by a male later identified as Charles Belim. Belim failed to stop for the police officers, which led to a vehicle pursuit. They were subsequently found, arrested and charged. During the investigation, it was determined that the female utilized a fraudulent Oklahoma driver's license and a valid credit card of a Fleet Bank customer. That customer had reported the theft of her wallet on April 3rd, 1998. Investigators received records and a driver's license photograph for Charles Belim from the Commonwealth of Massachusetts Registry of Motor Vehicles. The records listed the driver's license address as 13 Mars Street, #3, Worcester, Massachusetts. Other documentation showed that Belim was the owner of a 2001 Cadillac Deville bearing MA registration plate 43LV51 registered to that address. The victim's SunTrust Bank (MBNA) Credit/Debit Card was changed to the address of 13 Mars Street, Worcester, Massachusetts.
The investigation further revealed that an unidentified female entered two different Maryland branches of SunTrust Bank and identified herself as SB. During the ensuing transactions, the individual cashed two different checks against SB's account. It was later determined that the account holders of those two checks were also victims of theft. Based on the account take-over, SunTrust Bank suffered a loss of $5,100. Other theft victims included MV, who reported a stolen wallet in Montgomery County, MD. Only a few days later, an individual posing as MV accessed her Bank of America account at two separate branches, withdrawing over $12,000. While conducting the background checks, it was determined that both Carol Silva and Charles Belim were from the Boston, Massachusetts area. Further background investigation on Belim revealed another accomplice, Belim's wife, Jacqueline Jones-Belim, who used aliases and stolen personal information, including that of SB and MV, to obtain funds. In July 2006, USSS provided information that Jones-Belim changed her address to a location in Capitol Heights, Prince George's County, Maryland, in order to receive Social Security benefits. The USSSA delivered benefit checks to that address in August and September 2006. Using Belim's license plate, investigators were able to track him down at his wife's home. In October 2006, the investigators executed a Federal Search Warrant for the identified location in Prince George's County, Maryland. In the house were numerous credit cards and stolen personal information. Jones-Belim, still claiming the identity of victim MV, was placed into custody, and an arrest warrant was obtained for violations of ID Theft, Theft and Forgery. Investigators subsequently obtained Federal Charges of Identity Theft and Bank Fraud. In August 2007, Jacqueline Jones-Belim pled guilty in Federal Court, Greenbelt, to various charges and received a sentence of 61 months.
In November 2006, Carol Silva's residence was placed under surveillance by Boston Police Department Detectives. She was subsequently located and placed under arrest on the previous Montgomery County Charges and Federal Charges of Identity Theft and Bank Fraud. She was subsequently transported to Maryland. In August 2007, Carol Silva pled guilty in Federal Court, Greenbelt, to various charges and received 34 months. Investigators continued their search for Charles Belim. In November 2007, a male was arrested by the New York City Police Department (NYCPD) while engaged in a bank account take-over scheme using stolen personal information. FBI fingerprints later identified the man as Charles Belim. Charles Belim is currently in the custody of NYCPD pending charges in that jurisdiction prior to prosecution in Montgomery County, Maryland and other jurisdictions. Other suspects connected to the bank account take-over scheme have been discovered and their cases are currently ongoing. As a result of the specific Wig Lady investigations, 34 Montgomery County reports were closed with a monetary loss (to the financial institutions involved) of over $300,000. This loss is in U.S. currency obtained by the suspect(s) from financial institutions and does not take into account the use or negotiation of stolen credit cards obtained from each citizen victim, nor the personal property or currency obtained at the time of the actual theft.

Submit your Case Highlights to be published in the Informant. Send your case summaries to Loreal Bond at lbond@nw3c.org.

With its population recently topping 67,000, Bedford County is not a sprawling metropolis. The Bedford County Sheriff's Office (BCSO) is a relatively small agency with just under 80 employees, but it still functions as if it were a big city police department. It boasts an impressive uniformed patrol division, a formidable narcotics suppression unit and a distinguished Internet Crimes Against Children (ICAC) Task Force that brings Bedford County into the big leagues of law enforcement. Meet Sheriff Mike Brown, the man at the center of the whole operation. His smile is infectious and his country boy charm is undeniable. When asked how he got started in law enforcement, Brown leaned back in his chair and glanced at the ceiling, as if reaching back for that precise moment when inspiration and destiny collided. "I guess it was all the Roy Rogers and Gene Autry movies I saw growing up in the '40s and '50s." After a lifetime in law enforcement, including 20 years at the Bureau of Alcohol, Tobacco and Firearms, Brown decided it was time to retire, but it wasn't long before timing and opportunity combined to push him in an entirely new direction. Encouraged by local civic leaders, Brown decided to give politics a try and in 1996, he ran for and was elected Sheriff.

In the years that have followed, the Bedford County Sheriff's Office has emerged as a model of effective crime-fighting that sheriff's offices around the country strive to emulate. Sheriff Brown's perspective on crime-fighting hasn't been fueled by experience alone. While his concept of good guy vs. bad guy may be anchored in the black and white TV images that entertained him as a child, Brown has evolved into a modern-day Renaissance man. He carries a BlackBerry and laptop wherever he goes. If decades of experience have taught him anything, it's that the winds of change are always blowing and only fools put down roots in the path of hurricanes. When it comes to fighting crime today, Brown insists the emphasis has to be in the technology arena. "The predator, we have found, is always on the cutting edge of technology. Law enforcement, in general, is playing catch-up! You just gotta stay ahead of the curve, or you're going to be left behind!" Brown has a reputation for being progressive. His command-and-control center is a state-of-the-art facility and his deputies all have the latest in high-tech equipment - the type of things most departments need but can't afford. So, how does Sheriff Brown do it? In 2006, the BCSO received over $300,000 in state and federal grants. Another $50,000 was awarded through a 3-year Child Sex Offender Registration and Tracking (C-SORT) grant, and just last year the BCSO was awarded another $750,000 in grant money to help coordinate the Southern Virginia Internet Crimes Against Children task force (SOVA ICAC). BCSO's aggressive attempts to secure grant money have paid off, allowing this small agency to do big things.

To Catch a Predator

When you first meet them, the three members of the SOVA-ICAC task force seem like regular guys, the kind you might meet in church on Sunday or even at the local pub the night before. Ask them what they do for a living and all preconceptions go out the window. Lt. Mike Harmony, Sgt. Rodney Thompson and Investigator Terry Wright spend their days trolling the dark recesses of the Internet in search of predators. Be it in a chat room, a social networking site or an online gaming venue, they know just where to look. Embroidered on their shirts is a patch that reads "a child's innocence can never be replaced." Even the most versatile of wordsmiths would be hard-pressed to conjure up a more appropriate statement of purpose. Last year, the SOVA-ICAC unit made 52 arrests. In fact, their reputation for toughness is almost legendary on the Internet. During an online encounter in which he was pretending to be a 13-year-old girl, Investigator Wright says a suspected predator came right out and asked if he was with the Bedford County Sheriff's Office. Wright tried to feign ignorance, but the suspect apparently smelled a trap and subsequently disappeared into the vast emptiness of cyberspace. Most suspects targeted by the unit aren't so fortunate. The overwhelming majority are flushed from their virtual lairs and into the light, where they're ultimately handcuffed, Mirandized and stripped of their anonymity. As you might imagine, the ICAC unit's caseload is nothing short of staggering. Lt. Harmony estimates the total at over 500 investigations a year for the SOVA-ICAC and its affiliated agencies. With such a large caseload, there's no such thing as a typical day on the job. Sometimes it can take hours to obtain and execute a search warrant, and even longer to obtain arrest warrants. At some point, letters of preservation have to be sent out, subpoenas have to be issued and witnesses interviewed. "Sometimes when the story hits the media," says Harmony, "there are victims that come forward that we never knew of, and that starts a whole new case." While chat rooms are still a big draw for predators, Sgt. Thompson says there's been a shift toward social networking sites because, unlike chats, these sites have instant messaging built in. They also make it easier for predators to locate would-be victims geographically and identify them through pictures and photo albums. "Compared to the chats," he says, "you would have to wait for e-mails... for pictures to be exchanged. Now you have the pictures instantaneously." It may be surprising to learn, but ICAC task forces do not lure or pursue online predators. Instead, Sgt. Thompson says, investigators work "proactive" cases that are initiated in an undercover capacity. They also investigate what he called "reactive" cases - complaints of child exploitation that come from third parties. Thompson adds their search for predators isn't limited by geographic boundaries, though he admits they like to clean up their own backyard first.

Knowing you've helped make society safer by taking one more bad guy out of circulation can be incredibly satisfying, but this job can also be emotionally taxing. Lt. Harmony struggled to fight back tears while reflecting on some of the things he's seen during his 15 years with the force. The images of children who've been sexually brutalized, in some cases by their own parents, were apparently too difficult to convey.

"Child predation is the sex-fueled addiction of the 21st century."
- Sgt. Rodney Thompson, ICAC

Bedford County's Sheriff Mike Brown

Perception is Virtuality

According to Sgt. Thompson, a major problem today is kids can text one another without really ever talking to one another. "Communication is virtual; it's all shorthand!" Lt. Harmony agrees. "Kids are doing stuff they wouldn't have done before and they're victimizing themselves in the process. We have young girls who are sending nude pictures of themselves with their cameras to their boyfriends and then the boyfriends are sending those pictures to other guys. This is production, possession and distribution of child pornography!" And there's been an increase in the number of children committing crimes against each other. Investigator Wright admits that they're working more complaints of cyber-bullying now than in the past. "I feel this is due to the ever-increasing popularity and number of social networking sites. Some of these (sites) even promote cyber-bullying by encouraging tagging comments of the owner of the site." While the unit spends a lot of time investigating and apprehending individuals who exploit children, it's also charged with educating children and parents about the dangers of the Internet and how to safeguard themselves from Internet crimes. "I think every group, whether a PTA, PTF, PTO, civic group, school group, homeowners association, whatever... should take the time to be involved in what children are doing on the Internet," says Lt. Harmony. What does it take to raise a good kid nowadays? "Open communication," says Investigator Wright. "More parents allow the computer and the Internet to babysit their children as they struggle to make ends meet. The Internet has become the TV and game stations of the past." As for protective software that'll keep your children safe and the bad guys at bay, Harmony says forget about it. "No software exists today that is totally kid safe."

The Birthplace of the Safe Surfin' Foundation

In a town where the accent is decidedly southern, Robin Sundquist is a novelty. Even though she's lived in Virginia for years, the founder and executive director of the Safe Surfin' Foundation sounds as if she just stepped off the express train from Boston. She's proud of her New England roots, but she knows her accent makes her a bit of an oddity to many Virginians. In the seven years since its inception, Sundquist says the Safe Surfin' Foundation has enjoyed tremendous success, and her outlook for the future is equally encouraging. "It's going to be even more successful because we're confident every public school system in the country is going to make Internet Safety classes mandatory." To date, Virginia is the only state where such classes are part of the public school curriculum. "It took us a while to get it mandatory in Virginia, but now we have an idea of the steps that need to be taken," Sundquist said. "We're using Virginia as a model: this is how we did it in Virginia, this is how you can do it in your state." Sundquist feels Internet Safety classes have to be mandatory because the problem "just isn't getting any better. No matter how many silly TV shows you see about these people getting popped for doing this kind of thing, the numbers just aren't coming down." In a nutshell, the Safe Surfin' Foundation educates the public about Internet crimes involving children through its interactive Web site, special events, materials and other educational opportunities. The Foundation, a non-profit organization, has recruited some top-shelf celebrities to help get its message out. Actor Erik Estrada, former model and actress Cathy Ireland and professional football player Jake Grove are just some whose names and faces routinely appear on posters and public service announcements in support of the Foundation.

Sundquist's goal is to have the Safe Surfin' Internet Safety Program implemented by every school system in the country. But in these times of high prices and shifting resources, Sundquist knows she's facing an uphill battle. The task of getting every state to embrace the idea of Internet safety classes in school is difficult, but Sundquist refuses to quit and doesn't hesitate to play the devil's advocate to gain leverage. For instance, "In Virginia, they have the standards of learning, or SOLs. They would say they don't have time (to consider Internet safety classes) because they have to teach their SOLs. I would counter by saying we don't want to take away from your SOLs, but you don't want your kids to be swooped up by Internet predators, do you?"

It's that kind of logic Sundquist finds especially useful when pitching her foundation to legislators for funding, asking them "Don't you want to keep Virginia's kids safe?" How can they possibly say no?

Robin Sundquist, Executive Director, Safe Surfin' Foundation

About the Author
Craig joined the NW3C family in October 2007. A seasoned news veteran with over 25 years of broadcasting experience, he has covered over 500 criminal and civil court cases and reported on hundreds more major events throughout his career, receiving three individual awards from the Associated Press for outstanding news coverage. Craig is a native of Central Virginia.

Has your agency been held back because funds are low? We'll do something about it. Funding opportunities are available to support law enforcement agencies. Use these tips to research and apply for various grants to support your agency's mission.

When searching and applying for grants:

- Find out which organizations give grants in your area.
- Collect samples of successful grant applications to use as a reference.
- Get to know the individuals who work with the organization to which you're applying for grant funds.
- Subscribe to reputable grant newsletters and other resources of information on grant money. This is a great way to learn about grant opportunities.
- Keep an organized list of applicable grants, application requirements and deadlines.
- Stay organized and save all your previous grant applications.
- Don't just focus on government grants. Many private companies and organizations offer grant assistance and partnerships.
- When submitting applications for grant awards, be sure to include detailed information about your agency and the proposed usage of grant funds.

After you've received grant funds:

- Don't forget to read all documentation that comes with it. Follow the grantor's rules to the T, as breaking these rules may result in the loss of your grant.
- When spending your grant money, be sure to account for every penny. Be very strict in how you spend the money and what you spend it on. This will also come in handy, as most grant awards require a grant report to be submitted to the grantor. These must detail how your grant funds were allocated.

Visit these sites to learn more about grant writing and funding sources:

http://www.grants.gov
http://lone-eagles.com/mira2.htm
http://www.policeone.com/grants
http://www.chiefsupply.com/grants/opengrants.asp

http://informant.nw3c.org
Informant: July 2008 - December 2008

Do you ever feel cyber-challenged? Everyone can do their part to fight cybercrimes, but sometimes it's hard to understand what you're up against when cyber jargon seems like a foreign language. The following terms are commonly used in the discussion of cyber forensics. Use these terms to impress your cyber buddies.

1. Trojan - A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

2. Botnet - A botnet refers to a type of bot running on an IRC network that has been created with a Trojan.

3. Keylogger - A keylogger is a type of surveillance software (considered to be either software or spyware) that has the capability to record every keystroke you make to a log file, usually encrypted.

4. Malware - Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

5. Intel - The world's largest manufacturer of computer chips. Although it has been challenged in recent years by newcomers AMD and Cyrix, Intel still dominates the market for PC microprocessors. Nearly all PCs are based on Intel's x86 architecture.

6. NTFS - Short for NT File System, one of the file systems for the Windows NT operating system (Windows NT also supports the FAT file system). NTFS has features to improve reliability, such as transaction logs to help recover from disk failures.

7. MAC address - Short for Media Access Control address, a hardware address that uniquely identifies each node of a network.

8. Handshaking - The process by which two devices initiate communications. Handshaking begins when one device sends a message to another device indicating that it wants to establish a communications channel.

9. IP address - An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination.

10. ISP Server - Short for Internet Service Provider, a company that provides access to the Internet.

11. Distro - Short for distribution, distro is a term used to describe a specific distribution of Linux that is built from the common Linux operating system and includes additional applications. Red Hat, Debian and SuSE are all examples of a distro.

12. Virtual Honeypot - A software program that is designed to appear to be a real functioning network but is actually a decoy built specifically to be probed and attacked by malicious users. In contrast to a honeypot, which is typically a hardware device that lures users into its trap, a virtual honeypot uses software to emulate a network.

13. Virtualization - In computing, virtualization means to create a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

14. Routing - In internetworking, the process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router. Routing is a key feature of the Internet because it enables messages to pass from one computer to another and eventually reach the target machine.

15. Split Horizon - A routing technique that eliminates the chance of a routing scheme creating routing loops, effectively making routing more efficient.

16. Next-Generation Network (NGN) - The term given to describe a telecommunications packet-based network that handles multiple types of traffic (such as voice, data, and multimedia). It is the convergence of service provider networks that includes the public switched telephone network (PSTN), the data network (the Internet), and, in some instances, the wireless network as well.

17. Broadcast Storm - A state in which a message that has been broadcast across a network results in even more responses, and each response results in still more responses in a snowball effect. A severe broadcast storm can block all other network traffic, resulting in a network meltdown. Broadcast storms can usually be prevented by carefully configuring a network to block illegal broadcast messages.

18. Data Mirroring - The act of copying data from one location to a storage device in real time. Because the data is copied in real time, the information stored from the original location is always an exact copy of the data from the production device. Data mirroring is useful in the speedy recovery of critical data after a disaster. Data mirroring can be implemented locally or offsite at a completely different location.

19. Port Knocking - A method of establishing a connection to a secured network or computer within a network that does not have an open port. A remote device sends a series of connection attempts, in the form of packets, to the computer's closed ports, and the attempts are silently ignored but logged by the firewall. When the remote device has established the predetermined sequence of port connection attempts, a daemon triggers a port to open, and the network connection is established.

20. Zoning - The process of allocating resources in a SAN to load balance the devices connected to the network. Zoning allows the network administrator to separate the SAN into units and allocate storage to those units based on need. Zoning protects the SAN system from such threats as viruses, data corruption and malicious hackers, as the devices in their respective zones are not able to communicate outside the zone through their ports unless given permission.

21. SmitFraud - The term SmitFraud is used to describe a type of spyware that tricks users into purchasing fake antispyware and antivirus programs.

22. Active Reconnaissance - The process of collecting information about an intended target of a malicious hack by probing the target system.

23. SMDS - Short for Switched Multimegabit Data Services, a high-speed switched data communications service offered by telephone companies that enables organizations to connect geographically separate local-area networks (LANs) into a single wide-area network (WAN).

24. Bluebugging - Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and read SMS, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet.

25. EFS - Short for Encrypting File System, part of the Microsoft NTFS file system. EFS is a transparent public key encryption technology that works in conjunction with NTFS permissions to grant and deny users access to files and folders in Windows NT (excluding NT4), 2000 and XP (excluding XP Home Edition) operating systems.

26. Script Kiddie - A person, normally someone who is not technologically sophisticated, who randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting, because the weakness was discovered by someone else.

27. SideJacking - Term used to describe the malicious act of hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server.

28. Wardriving - The act of driving around in a vehicle with a laptop computer, an antenna, and an 802.11 wireless LAN adapter to exploit existing wireless networks.

29. Hacktivism - Formed by combining "hack" with "activism," hacktivism is the act of hacking into a Web site or computer system in order to communicate a politically or socially motivated message. Unlike a malicious hacker, who may disrupt a system for financial gain or out of a desire to cause harm, the hacktivist performs the same kinds of disruptive actions (such as a DoS attack) in order to draw attention to a cause.

30. SMiShing - A compound of phishing and SMS. SMiShing (SMS phishing) is a type of phishing attack where mobile phone users receive text messages containing a Web site hyperlink which, if clicked, would download a Trojan horse to the mobile phone.
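As an added illustration of the port knocking entry above (example code written for this glossary, not from its source), the following implements the daemon-side logic over constructed firewall log lines: a per-source sequence tracker that opens the protected port only after the knocks arrive in the right order and within a time window. The knock sequence, window, addresses, port and log format are all hypothetical.

```python
import re
from datetime import datetime, timedelta

# Hypothetical configuration: knock sequence, window and the port it guards.
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW = timedelta(seconds=10)
PROTECTED_PORT = 22

# Constructed firewall log (simplified iptables-style DROP records).
# Source 1 knocks correctly; source 2 knocks in the wrong order;
# source 3 knocks in order but too slowly for the window.
FIREWALL_LOG = """\
2008-08-07 10:00:01 DROP SRC=203.0.113.5 DPT=7000
2008-08-07 10:00:02 DROP SRC=203.0.113.5 DPT=8000
2008-08-07 10:00:03 DROP SRC=203.0.113.5 DPT=9000
2008-08-07 10:00:05 DROP SRC=198.51.100.9 DPT=7000
2008-08-07 10:00:06 DROP SRC=198.51.100.9 DPT=9000
2008-08-07 10:00:07 DROP SRC=198.51.100.9 DPT=8000
2008-08-07 10:01:00 DROP SRC=192.0.2.77 DPT=7000
2008-08-07 10:01:30 DROP SRC=192.0.2.77 DPT=8000
2008-08-07 10:01:31 DROP SRC=192.0.2.77 DPT=9000
"""

LINE_RE = re.compile(r"^(\S+ \S+) DROP SRC=(\S+) DPT=(\d+)$")


def parse_log(text):
    """Return (timestamp, source, destination port) tuples for each DROP line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not firewall DROP records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events


class KnockDaemon:
    """Tracks each source's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}  # src -> (index of next expected knock, time of first knock)
        self.opened = []    # (src, ts) for every completed sequence

    def observe(self, ts, src, dport):
        """Feed one logged connection attempt; return True if the port opens."""
        idx, started = self.progress.get(src, (0, ts))
        # Knocks that arrive after the window has elapsed restart the sequence.
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts
        if dport == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(self.sequence):
                # Full sequence seen in order and in time: open PROTECTED_PORT
                # for this source (here only recorded, not applied to a firewall).
                self.opened.append((src, ts))
                self.progress.pop(src, None)
                return True
            self.progress[src] = (idx, started)
        else:
            # Wrong port: start over. A knock on the first port counts as a fresh start.
            self.progress[src] = (1, ts) if dport == self.sequence[0] else (0, ts)
        return False


def sources_granted(text, **kwargs):
    """Run the daemon over a log and list sources that completed the sequence."""
    daemon = KnockDaemon(**kwargs)
    for ts, src, dport in parse_log(text):
        daemon.observe(ts, src, dport)
    return [src for src, _ in daemon.opened]


if __name__ == "__main__":
    print("port", PROTECTED_PORT, "opened for:", sources_granted(FIREWALL_LOG))
```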

Instructor Spotlight

Phillip Parrott
Cheyenne Capital Fund, LP

Profile

Specialty: Economic Crime
Class Taught: Financial Investigation Practical Skills (FIPS)

Boy, has it been 12 years? Wow, how time flies. I began my association with the NW3C by presenting at one of the first Economic Crime Summits; that was in May 1996 in Providence, RI. I still have the PowerPoint presentation somewhere. I performed at two or three more Summits over the years, the last one in 2003. In 1997, I participated with a group developing the first White Collar Crime survey. The group consisted of highly qualified people in the industry, professors like Jay Albanese, NW3C gurus and me. I never confessed to anyone that I was the director of polls and surveys for my college government. It all ended in a scandal. I went to school and saw my full size picture on the front page of the school newspaper with an unflattering headline. People were looking at me, looking at the paper, looking at me. I turned around and went home for the day. The next day, I went to school and dang, same thing. It seems some of my colleagues stole a bunch of papers from the bins in reprisal for the story. The junior newspaper's beagles decided to punish me by running the whole thing again. People were looking at me, looking at the paper... Anyway, NW3C failed to do a full background on me, so I got on the survey panel. It was a terrific experience. Being an in-the-trenches prosecutor, I rarely got a chance to reflect on the who, what, when and why of economic crime. It was a great experience. And no scandal! The Center is a lot of good things. But, to me, it is about training and assistance: good, hands-on, practical training and assistance. The Center was the first in my State to offer hands-on, practical training for seizing computers and understanding computer searches and evidence. I was a guest prosecutor lecturer/assistant for some of those early classes. I encouraged all my investigators and deputies to attend. The Center classes taught us not to be afraid of computer forensics, and we never looked back.

I was on the panel that helped develop the Identity Theft class. I was impressed by the Center's desire to create a very practical course. Having filed and prosecuted about 600 identity theft cases, I knew investigators and prosecutors coming out of that course could effectively handle an ID theft case. I also appear on the training video in that course as an ID thief. When I teach the FIPS class I inevitably get the question "aren't you the wacko guy on video in the ID theft course?" I deny it, of course - no use destroying their confidence right away! I started teaching the FIPS course about 18 months ago. It is a week-long exercise in developing an economic crime case from intake to trial. I have been very impressed by the intensity the attendees bring to the course. I also enjoy their creativity. I have seen criminal investigation rookies develop solid economic crime investigation techniques, and grizzled veterans (including me) gain a clearer perspective on what works and what doesn't. I have been working with Rick Boyd, an NW3C Training Instructor, and others to refine the final part of the course, a moot court experience, and, so far, I like the results. So, as the nogoodniks get bolder and better in their fraudulent pursuits, I am honored to work with NW3C in developing an army of smart, capable and well trained investigators and prosecutors to thwart them.

Career Outside of NW3C
I came to economic crime prosecution somewhat late in my career. For 12 years I was a lawyer in private practice with a large, then a boutique, then back to a large law firm. I practiced general business law -- a lot of real estate, banking, finance and bankruptcy work, mostly for lenders and private equity firms. In 1994 I joined the Denver District Attorney (now Governor) Bill Ritter's Office as the Chief of what would become the Economic Crime Unit. My job was to implement Bill Ritter's vision to develop a top-flight economic crime prosecution unit. Fortunately, I inherited a group of smart investigators up to the challenge. I was also able to recruit exceptional trial lawyers to work in the Unit, four of whom are now judges. By working with other state and federal agencies, we increased filed cases over 350% and took on many large and complex cases. We developed investigative and trial techniques (the hard way) that continue in use today.
My management technique? Identify good people and let them do their jobs. In 2004, I left the office to work for a private equity firm, but continued to consult part-time until February 2007. I now have a small private law practice (no, I don't do criminal defense) and continue to consult with law enforcement agencies.

It's payday! You've just received the first paycheck from your new job, and you can't wait to get the check deposited; after all, you've moved all the way across the country and are in desperate need of some new furniture. You jump in your car, plug the bank's address into your GPS (to make sure you can actually get to the bank; you have only been there once, after all), and start to drive. The drive seems pretty simple. Your cell phone rings. It's an old friend from back home, so you answer. This red light seems to be taking forever. Finally, you arrive at the bank, say goodbye to your friend, and head in to deposit your check.

NW3C's Computer Crime Section has been exploring the impact of Small Scale Digital Devices (SSDD) on our everyday lives. Look back to the scenario above. Your GPS device recorded the address that you typed in and kept track of the points along the way, tracking the path you took to the bank. Even if you hadn't typed in the address, the GPS would still track the movement of your car. While on your trip, you talked to your friend on your cell phone. There is plenty of information that can be gathered from this. By simply checking the cell phone's call history, we can determine who you were in contact with. Further investigation with the cellular provider can tell us how long you talked on the phone, down to the second. Providers can even tell us your location based on the cell towers you were using when you started and ended the call. We, as investigators, can easily use these tower locations to estimate and track where you were when you received the call, and whether you moved during the call. We can then use this to back up the GPS information. On top of these standard SSDD devices, there is even more potentially useful information from areas that are rarely examined. The car is equipped with a black box that tracks vehicle information such as speed, braking and driving habits. The traffic light you were stopped at is equipped with a video system to detect red light violations or traffic patterns. The OnStar system that may be installed in your car could also track the vehicle's movements, tire pressure and speed. Now, imagine that instead of going to the bank to deposit a check, you were going there to rob it. All of this information is available to law enforcement; however, due to a lack of available training and resources, this information is largely unchecked. The Basic Cell Phone Investigation (BCPI) course is NW3C's first course developed to address the potential evidence available from SSDD. BCPI is a two-day course designed to appeal not only to the forensic investigator but also to analysts, detectives and patrol officers. The course addresses the data available from sources external to the cell phone itself, including what data is available, how to obtain the data, and how to analyze the data received. The course also covers the appropriate actions for a first responder when the physical cell phone is involved. No special hardware or software is required, just a new knowledge base to apply to your existing investigative/analytical skill sets.

Why did we start with BCPI? Well, first let's take into consideration the proliferation of cell phone use in this country today. In 2005, there were 219.4 million cellular telephone subscribers in the U.S. [1]; this is an increase of almost 650% since 1995. This means that, with a current estimated U.S. population of 304.8 million people [2], approximately 72% use cell phones. Second, in a world where a Motorola RAZR that works on the AT&T network is different than the Motorola RAZR that works on the Sprint network, the cost of cell phone forensics (more accurately referred to as cell phone interrogation) is often prohibitive to many smaller agencies. In this ever-changing world, law enforcement is always chasing the technology. By conventional wisdom, this means that we are constantly chasing the device. But why? In the digital age, almost everything we do is recorded somewhere. This is why we decided to focus on the data available to law enforcement beyond that which is kept on the phone. The wealth of information available from cell phones is surprising. The Call Detail Records available from the service providers afford far more detailed information on the phone calls made to and from the suspect than is available even from the phone. This includes the first and last tower used during the call, which allows the investigator to estimate the suspect's location when the call was made. It is even possible to retrieve the content of a suspect's text messages from the service provider (though this data is stored for only a limited time). With the combination of all of this data it is possible to know who the suspect talked to and when, to establish the suspect's calling patterns and look for irregularities, and often even to determine the location of a suspect at a specific time. All of this information can be obtained without even having access to the phone itself.

Cell phones are extensively integrated into our way of life, and the necessity to use them as a potential source of evidence is becoming more and more vital. BCPI is the next step by NW3C to provide law enforcement with the knowledge and skill set necessary to gather evidence in an increasingly high-tech world. BCPI classes are scheduled to begin next year. Visit www.nw3c.org for all available courses offered by NW3C.
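The Call Detail Record analysis the article describes, as an added example (written for this page, not NW3C course material): parse a simplified CDR export, compute call durations, estimate start and end location from the first and last tower, build a contact summary, and flag calls outside normal hours as candidate irregularities. The column layout, tower IDs, coordinates and phone numbers are all constructed for illustration; real carrier exports differ by provider.

```python
import csv
import io
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed tower directory (hypothetical IDs and coordinates). A carrier
# normally supplies this as a separate list keyed by cell/sector ID.
TOWERS = {
    "T101": ("Downtown", 38.0293, -78.4767),
    "T102": ("Riverside", 38.0401, -78.4902),
    "T205": ("Airport", 38.1386, -78.4529),
}

# Constructed CDR export in a simplified CSV layout (hypothetical column names).
RAW_CDR = """\
call_id,direction,other_number,start,end,first_tower,last_tower
1,OUT,555-0101,2008-08-07 09:02:11,2008-08-07 09:10:45,T101,T102
2,IN,555-0199,2008-08-07 09:40:03,2008-08-07 09:40:51,T102,T102
3,OUT,555-0101,2008-08-07 22:15:00,2008-08-07 22:16:30,T205,T205
4,OUT,555-0101,2008-08-08 02:05:12,2008-08-08 02:07:00,T205,T205
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Call:
    call_id: str
    direction: str
    other_number: str
    start: datetime
    end: datetime
    first_tower: str
    last_tower: str

    def duration_seconds(self) -> int:
        # Provider records give start/end to the second, as the article notes.
        return int((self.end - self.start).total_seconds())

    def moved_during_call(self) -> bool:
        return self.first_tower != self.last_tower


def parse_cdr(text: str) -> list:
    """Turn the CSV export into Call objects."""
    calls = []
    for row in csv.DictReader(io.StringIO(text)):
        calls.append(Call(
            call_id=row["call_id"],
            direction=row["direction"],
            other_number=row["other_number"],
            start=datetime.strptime(row["start"], TS_FORMAT),
            end=datetime.strptime(row["end"], TS_FORMAT),
            first_tower=row["first_tower"],
            last_tower=row["last_tower"],
        ))
    return calls


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def estimate_location(call: Call) -> dict:
    """Coarse location from first/last tower. Only the tower's coverage area
    is known, so this is an estimate of the area, not a precise fix."""
    first = TOWERS.get(call.first_tower)
    last = TOWERS.get(call.last_tower)
    if first is None or last is None:
        return {"call_id": call.call_id, "known": False}
    return {
        "call_id": call.call_id,
        "known": True,
        "start_area": first[0],
        "end_area": last[0],
        "moved": call.moved_during_call(),
        "displacement_km": round(haversine_km(first[1:], last[1:]), 2),
    }


def contact_summary(calls) -> Counter:
    """Who the subscriber talked to, and how often."""
    return Counter(c.other_number for c in calls)


def off_hours_calls(calls, start_hour=23, end_hour=6) -> list:
    """Calls starting in a late-night window: a candidate irregularity to
    compare against the calling pattern the analyst has already established."""
    return [c.call_id for c in calls if c.start.hour >= start_hour or c.start.hour < end_hour]


if __name__ == "__main__":
    calls = parse_cdr(RAW_CDR)
    for c in calls:
        print(c.call_id, c.direction, c.other_number, f"{c.duration_seconds()}s", estimate_location(c))
    print("contacts:", dict(contact_summary(calls)))
    print("off-hours calls:", off_hours_calls(calls))
```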
References
1. Infoplease. CIA World Fact Book 2007. 2007. Retrieved 7 August 2008 from http://www.infoplease.com/ipa/A0933605.html
2. U.S. Census Bureau. 2008. Retrieved 7 August 2008 from http://www.census.gov/main/www/popclock.html

About the Author Justin Wykes is a Computer Crimes Specialist for NW3C and has worked with the organization since 2006. He recently became a Certified Forensic Computer Examiner through The International Association of Computer Investigative Specialists. His previous experience includes serving as a Counterintelligence Agent in the U.S. Army.

The articles featured in this issue focus on network and computer intrusions, and how these intrusions are enabling a growing scope of cybercrime. NW3C's Computer Crimes Specialist Nick Newman kicks off the Feature Section with this introduction.

Computer intrusions were once simply regarded as mischief for (mostly) harmless hackers earning their spurs in the underground hacker community. However, organized crime and terrorist groups have quickly followed suit due to the lucrative rewards of ID theft-enabling computer intrusions. Earlier this year, five Eastern Europeans (with likely ties to the Russian mafia) were charged in connection with the largest credit card number heist in history. The data theft was perpetrated through wireless network intrusions from the parking lots of nine major retail stores, including the well-publicized TJ Maxx identity theft case. The five managed to gain access to hundreds of cash registers nationwide and gathered over 94 million Visa and Mastercard numbers, resulting in TJ Maxx paying $40.9 million USD to affected financial institutions. In another case, three criminals with ties to Al Qaeda used stolen credit card numbers to fund Web sites promoting Jihad and proliferating terrorist propaganda (not to mention enhancing recruitment opportunities). Computer intrusions are not just about defaced Web sites anymore; computer intrusions are about serious criminals committing serious crimes. In addition to being a quick, easy, and difficult-to-track money-making venue for cyber criminals and terrorist organizations, the Internet itself has been recognized as a viable threat to national security. In what was cited as the first "cyber war," Russians targeted Estonia's electronic infrastructure in 2007 with massive network-based attacks and brought Estonia's government, media, and banking networks to a screeching halt. In August of 2008, when Russia began a conventional tanks-and-missiles conflict with its southern neighbor Georgia, similar cyber attacks against Georgian media and parliamentary Web sites were observed. Whether the attacks were state-sponsored or just a rowdy population's cyber riot is difficult to prove.
However, these incidents did prove that the Internet does have the capability of being something more nefarious than just a mechanism for sharing information. On the following pages you'll learn more about how network and computer intrusions enable the perpetration of numerous other crimes such as identity theft, espionage, fraud and money laundering, just to name a few.
http://informant.nw3c.org


by Nicholas R. Newman, Computer Crimes Specialist, NW3C

How a gang of Cyber-Rioters brought a country to its knees.

Before April of 2007, the threat and even the possibility of cyberwarfare had been almost completely dismissed throughout computer security and national defense circles, but a storm was brewing in the small Baltic country of Estonia, a storm that would silence any disputes as to whether the Internet had the capability of supporting massive digital armies across a world-wide battlefield.

Estonia is slightly smaller than New Hampshire and Vermont (United States) combined and has roughly 1.3 million citizens.[1] After the fall of the Soviet Union, Estonia used what little resources it had left to build an almost all-inclusive electronic national infrastructure from scratch. Today, Estonia is considered one of the most wired countries in the world.[2] Using ID cards, Estonians do everything from filing tax returns to voting to checking their bank status, and they do it all electronically. Estonians rarely carry cash or visit actual banks; nearly all monetary transactions are done through bank cards (much like the debit card system used in the U.S. and many other countries). In Estonia, Internet access is literally a basic human right. For a country striving for an Internet-based economy and lifestyle, an infrastructure such as Estonia's is a phenomenal achievement. However, the inherent single point of failure should be very apparent: if the nearly all-encompassing electronic infrastructure goes down, the country comes to an abrupt and grinding halt.

Tallinn, the capital of Estonia, was trampled by street riots between ethnic Estonians and Baltic Russians from March to May of 2007. Tension climaxed in April when the Estonian government relocated the Bronze Soldier (a WWII-era Soviet war memorial, pictured to the left), and then exhumed and relocated the remains beneath the statue, from downtown Tallinn to a war cemetery. To ethnic Estonians, the Bronze Soldier represented decades of brutal Soviet occupation; to Baltic Russian locals, the Bronze Soldier was a memorial to the Soviet Red Army soldiers who died fighting the Nazis. The movement of the war monument sparked riots, both on the streets and online.

On April 27th, some Estonian government Web sites began noticing an unusual increase in traffic, consisting of traffic floods,[3] SYN floods,[4] and ICMP ECHO floods.[5] By April 28th, attacks had spread to numerous additional servers. At this point, the Estonian Computer Emergency Response Team (CERT) determined that the attacks were at least somewhat concerted.[6] The Russian-speaking blogosphere was littered with digital call-to-arms messages, providing simple instructions on how to participate in the attack on Estonian servers. Several examples are still viewable on the Internet[7] (Figure 1).

The text in Figure 1, between @echo off and GOTO PING, is a simple batch file that will ping[10] each target server fifty times, wait one thousand milliseconds for a response, and then move on to the next target. The pinging sequence loops infinitely. One machine running this small and simple program alone could not cause much damage, but when thousands or tens of thousands of computer systems run the script simultaneously, the disruptive consequences can be devastating. The short message[11] following the script instructs comrades to copy the above text into a .txt (text) file and rename the file to .bat (executable script). The second line threatens that after the script is executed, the targeted Estonian servers will hang. The third paragraph is an attempt at organization, calling all cyber-rioters to attack collectively at 23:00 (11:00 PM) Moscow time and 22:00 (10:00 PM) Kiev time, and requesting that comrades gather as many cyber-militants as possible: the more that participate in the coordinated attack, the more effective the attack will be.

One or several spikes in the Internet attack could have been a fluke, but during one period of the cyber attack, Evron's analysis[12] of inbound traffic found evidence that botnets[13] were also involved in the Internet assault. Initially, all distributed denial-of-service attacks originated from outside Estonian networks, and the incident response team responded by blocking all offending IP addresses. Later on, a similar attack was launched from inside the Estonian infrastructure, creating an entirely new dilemma.

The attacks were very successful. Though the volume of data packets was relatively small for a denial-of-service attack, the attack was just the right size for an effective attack against a country of the size and infrastructure of Estonia. Initially, the electronic attacks targeted Estonian government Web sites, but they cascaded into other services as well. In addition to the Web sites of the Estonian Presidency and its parliament, almost all governmental offices in Estonia and political parties, the cyber-rioters also attacked three of Estonia's biggest news organizations, as well as communication firms and two of the country's biggest banks.[14] Estonian banks have not been brick-and-mortar banks since the Internet became as pervasive as it is in Estonia. This electronic attack affected a large portion of Estonia's national network, hindering most online transactions from being completed; in other words, Estonians could not purchase essentials such as groceries or gasoline. For a period of two weeks,[15] international (mostly Russian and Russia-sympathizing) cyber-rioters, for periods of time, effectively shut down the internal and economic infrastructure of Estonia using no method other than simple denial-of-service attacks via the Internet.

Being the first of its kind, the Estonia incident introduces several questions. At least part of these attacks, almost beyond a doubt, seemed to be concerted; if these attacks were organized, who was the organizer? Estonian officials immediately pointed the finger at the Kremlin;[16] the Russian government, offended by the accusations, responded defensively and claimed to have nothing to do with the attacks. A member of Nashi[17] claimed to have organized one of the attacks,[18] but the very nature of mass-distributed denial-of-service attacks makes finding the true source of the attack next to impossible.
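The defender's view of what the article describes, as an added example (editor's code, not from the article, from CERT-EE or from any Estonian response team): a small flood detector run over constructed packet summaries. It labels the three flood types named above (traffic, SYN and ICMP ECHO floods), counts distinct sources per target to separate a single-source flood from a distributed one, and shows why blocking every offending external address, the first countermeasure the article mentions, does nothing against a later wave launched from inside the network. All addresses, the internal prefix and the thresholds are assumptions chosen for the example.

```python
"""Added example (editor's illustration, not code from the Informant article
or from CERT-EE): a minimal flood detector over constructed packet summaries.
All addresses, the internal prefix and the thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed victim-side address space; not any real Estonian allocation.
INTERNAL = ip_network("10.20.0.0/16")
TARGET = "10.20.1.5"


def build_sample():
    """Constructed records: (time_s, src, dst, proto, detail).
    proto is "tcp" (detail = flag string) or "icmp" (detail = ICMP type)."""
    recs = []
    # Wave 1 (t in [0,1)): 40 external hosts each send 50 echo requests,
    # the shape produced by many copies of the article's ping loop.
    for i in range(40):
        src = f"198.51.100.{i + 1}"
        recs += [(k / 50, src, TARGET, "icmp", 8) for k in range(50)]
    # Wave 2 (t in [2,3)): 600 SYNs from one external address, no handshake.
    recs += [(2 + k / 600, "203.0.113.7", TARGET, "tcp", "S") for k in range(600)]
    # Benign background (t in [4,5)): five complete handshakes from inside.
    for k in range(5):
        c, t0 = f"10.20.3.{k + 1}", 4 + k / 10
        recs += [(t0, c, TARGET, "tcp", "S"), (t0 + 0.01, TARGET, c, "tcp", "SA"),
                 (t0 + 0.02, c, TARGET, "tcp", "A")]
    # Wave 3 (t in [6,7)): the same ping-loop shape, now from 30 internal hosts.
    for i in range(30):
        src = f"10.20.{50 + i}.9"
        recs += [(6 + k / 50, src, TARGET, "icmp", 8) for k in range(50)]
    return recs


def detect(records, window=1.0, pkt_threshold=500, src_threshold=10):
    """Bucket packets per (destination, time window) and flag busy buckets.
    Returns alert dicts ordered by window."""
    buckets = defaultdict(lambda: {"icmp_echo": 0, "syn": 0, "total": 0, "srcs": set()})
    for t, src, dst, proto, detail in records:
        b = buckets[(dst, int(t // window))]
        b["total"] += 1
        b["srcs"].add(src)
        if proto == "icmp" and detail == 8:
            b["icmp_echo"] += 1
        elif proto == "tcp" and detail == "S":
            b["syn"] += 1
    alerts = []
    for (dst, w), b in sorted(buckets.items(), key=lambda kv: kv[0][::-1]):
        if b["total"] < pkt_threshold:
            continue
        if b["icmp_echo"] > 0.8 * b["total"]:
            kind = "icmp_echo_flood"
        elif b["syn"] > 0.8 * b["total"]:
            kind = "syn_flood"
        else:
            kind = "traffic_flood"
        internal = sum(1 for s in b["srcs"] if ip_address(s) in INTERNAL)
        alerts.append({"window": w, "dst": dst, "kind": kind, "packets": b["total"],
                       "sources": len(b["srcs"]), "internal_sources": internal,
                       "distributed": len(b["srcs"]) >= src_threshold,
                       "src_set": frozenset(b["srcs"])})
    return alerts


def detect_after_blocking_external(records, alerts):
    """Mimic the first countermeasure in the article: drop every packet from an
    external address seen in an alert, then re-run detection. The internal
    wave survives, which is the 'entirely new dilemma' the article mentions."""
    blocked = {s for a in alerts for s in a["src_set"] if ip_address(s) not in INTERNAL}
    survivors = [r for r in records if r[1] not in blocked]
    return detect(survivors)


if __name__ == "__main__":
    sample = build_sample()
    first = detect(sample)
    for a in first:
        print(a["window"], a["kind"], a["sources"], "sources,", a["internal_sources"], "internal")
    print("after blocking external sources:",
          [(a["window"], a["kind"]) for a in detect_after_blocking_external(sample, first)])
```

The thresholds are deliberately crude; the point is the shape of the decision. A per-source rate limit catches the single-source SYN wave but not the distributed ping loop, where each participant stays under any sensible per-host threshold, so detection has to aggregate per target. And a source blocklist built from the first wave is blind to the third wave by construction, which is why the article's responders needed a different answer once traffic came from inside.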

Figure 1: Blog entry containing a script for automatically attacking Estonian servers.

The next question to ask is: If a ragtag gang of cyber-rioters and


Continued on page 60

by T.R. Sreekanth, Cyber Forensic Analyst, Resource Center for Cyber Forensics

Internet piggy-backing may be a new term for cyber forensic investigators; however, the crime is not so new. The crime we are referring to is broadband theft, or Internet time theft. This cybercrime can vary from stealing Internet connection passwords to massive theft of Internet connections. We are in an era of global networkhood, be it wired or wireless. The Internet and data networks have become an integral part of our society, and there has been an exponential increase in the theft of Internet connections. It is an alarming scenario when somebody gets penalized for others who make illegal use of normal broadband or leased-line Internet connections. A common example is someone who owns a cyber café facing a huge bill for their Internet connection, even for the period during which the café is closed.

Let us look into a real scenario concerning a 15-year-old male from Kerala ("God's Own Country"), India. He was a regular visitor to Rainbow Café, a local cyber café. The boy was very technically astute and familiar with the Internet. The café had a broadband connection from a reputed Internet Service Provider (ISP), which owns TV channels in Asia and all over the world. In one instance, the young boy was having problems accessing the Internet at home and began to use the café's broadband connection to search the Internet for a solution to his broadband modem problems. In his Internet-searching endeavors, he started exploring various kinds of modems, modem drivers, modem internals and so on. Through his online research, he found out about the SIGMA modem (a premier product for business lines that require broadband communications, featuring rich voice services and data networking). The SIGMA modem is a device that allows its owner to reprogram it, and its MAC address can easily be changed. With this, the teenager began to tamper with the café modem's MAC address.

In the middle of 2007 this modem game came to the attention of the Cyber Police in Kerala, India. The Cyber Police registered a case on the complaint of the ISP, which reported that one of its customers was generating huge bills even though the Internet connection was not in use. The young boy, mentioned earlier, became interested in modem hacking beyond just simple techniques to gain fraudulent access to the Internet. He started using the SIGMA modem as a hacker's tool. Like all hackers, before hacking a cable modem he started learning about the security of cable modems and their vulnerabilities. He made use of the firmware modification function in the modem. This hackable attribute of the modem gives control of the cable modem to the hacker.

A cable modem is usually identified by the cable company by its MAC address, which can usually be found on a bar-coded sticker underneath the modem. This MAC address is known as the HFC (Hybrid Fiber Coax) address. The cable modem works by using a method known as handshaking: when the modem is switched on, it performs a series of tasks. First the modem sends out a signal saying, "Hey, I have the MAC address XX.xx.XX.xx.XX.xx." The service provider then checks the MAC address against its database. If the MAC address is not valid, the modem will not be able to communicate with the cable company's network. If the MAC address is valid, the modem is assigned a configuration file. This file defines the attributes of the connection, such as the speed of the connection. So basically the modem says "Hello, I'm this MAC address," and the ISP says "Yes, we know who you are, and we want you to run at this speed." Once all this has been done, the modem is assigned an IP address and the handshake process is complete.

Before stealing a MAC address, a hacker will sniff the MAC addresses from any PC that is connected to a cable modem with a valid IP address. But the MAC address alone will be of no use. There is an important element the hacker needs to consider: no two modems should have the same MAC address. If such a situation occurs, the modems will go into a reboot loop, disallowing Internet access. Every cable modem logs into the cable network with its unique MAC address. Think of the service area of an ISP in your city as the segmented sections of an orange. We all live in a certain segment of the orange, and no two MAC addresses in that segment will be the same. Whenever a cloned modem comes online, as long as it is in a different segment of the network from the original, it will simply work, because the ISP primarily checks the cable modem's MAC address within one segment and does not allow two identical MAC addresses to be online (registered on the network) within the same segment. The segmented separation of the cable network is done by broadband hubs.

The challenge faced by the Resource Center for Cyber Forensics was to identify whether any changes or spoofing had been done to the MAC address. Our forensic experts assisted the cyber police in solving the issue. We analyzed the ISP connections and identified that even when the café was not using the registered MAC address, someone was using the same registration to connect to the Internet. That brings up the question: how did the hacker get the username and password to log in? We determined that he was able to install keyloggers on the café's computers to extract Internet passwords. How did the young teenager carry out this operation? First, he purchased a modem to access the broadband accounts. During our investigation, we found that the ISP server had a vulnerability that would disclose the MAC addresses and their attributes from the café's database.
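The registration check described above, as an added example (editor's code, not from the article, the ISP or the Resource Center for Cyber Forensics): a toy model of the provider side of the cable-modem handshake, enforcing MAC uniqueness per segment only, which is exactly the rule that lets a cloned MAC work from a different segment. It adds the provider-side check the article's per-segment logic lacks: one subscriber MAC registered on two segments at once cannot be a single modem and is a strong cloning indicator. MAC values, segment names and configuration profiles are constructed for the example.

```python
"""Added example (editor's illustration, not code from the article, the ISP
or the Resource Center for Cyber Forensics): a toy model of the cable-modem
registration handshake with per-segment MAC uniqueness, plus a cross-segment
clone check. MAC values, segment names and config profiles are constructed."""
import re
from collections import defaultdict


def normalize_mac(raw):
    """Canonicalise the formats seen on stickers and in logs
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, the article's
    XX.xx.XX.xx.XX.xx) to lowercase colon-separated form."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class ProvisioningServer:
    """The ISP side of the handshake: 'Hello, I'm this MAC' -> database lookup
    -> configuration file (speed tier). Uniqueness is enforced per segment
    only, as the article describes."""

    def __init__(self, subscribers):
        # Provider database: HFC MAC -> configuration profile (constructed).
        self.subscribers = {normalize_mac(m): cfg for m, cfg in subscribers.items()}
        # segment -> set of MACs currently registered on that segment
        self.online = defaultdict(set)

    def register(self, segment, raw_mac):
        """Return (accepted, config_or_reason) for a modem coming online."""
        mac = normalize_mac(raw_mac)
        if mac not in self.subscribers:
            return False, "unknown MAC"          # modem never gets on the network
        if mac in self.online[segment]:
            # Simplification: the article says both modems end up in a reboot
            # loop; here the second registration is simply refused.
            return False, "duplicate MAC on segment"
        self.online[segment].add(mac)
        return True, self.subscribers[mac]

    def deregister(self, segment, raw_mac):
        self.online[segment].discard(normalize_mac(raw_mac))

    def cloned_macs(self):
        """Check the per-segment logic lacks: one subscriber MAC registered on
        two segments at the same time is impossible for a single modem."""
        segments_by_mac = defaultdict(set)
        for seg, macs in self.online.items():
            for mac in macs:
                segments_by_mac[mac].add(seg)
        return {m: sorted(s) for m, s in segments_by_mac.items() if len(s) > 1}


def demo():
    """Legitimate café modem on segment A, clone tried on A, clone on B."""
    isp = ProvisioningServer({"00-1A-2B-3C-4D-5E": {"tier": "business", "down_kbps": 2048}})
    cafe = isp.register("segment-A", "00:1a:2b:3c:4d:5e")
    clone_same_segment = isp.register("segment-A", "001a.2b3c.4d5e")
    clone_other_segment = isp.register("segment-B", "00.1a.2B.3c.4D.5e")
    return cafe, clone_same_segment, clone_other_segment, isp.cloned_macs()


if __name__ == "__main__":
    for label, result in zip(("cafe", "clone same segment", "clone other segment", "clones"), demo()):
        print(f"{label}: {result}")
```

The cross-segment check is cheap because the provider already holds both halves of the evidence (the subscriber database and the live registration state); what the article's case shows is an ISP that only ever compared them within a segment. The same report is also what an investigator wants when a customer disputes a bill for hours the café was closed: which segments the registered MAC was online from, and when.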
As cyber forensic investigators know, there are several easily available software programs on the Internet which can be used even by a 7th grader to carry out unlawful online activities. There is software like DHCP Force, MAC Reaper, and many others that perform sniffing or detection of MAC addresses. Extensive technical knowledge is not needed to use such software. There are easy methods available to change the hard-coded MAC address using certain hackable modems such as the Motorola SB4200, SIGMA-X and so on. With a handful of tools for firmware programming and a little knowledge of Algebraic and Logic Programming (ALP), the raw addresses can be easily modified.

It is always a challenge for investigators to catch the criminal with proper evidence, even when it is clear that the crime has been committed. In a court of law, proper evidence linked to the crime scenario is a must in order to secure a conviction. This case was no different. It was the burden of investigators, with the help of the Center, to produce evidence of the crime. The High Tech Crime Inquiry Cell, Kerala, and our Resource Center for Cyber Forensics had lengthy discussions to formulate plans to catch the criminal red-handed. With the help of the ISP, we let the accused use the Internet account unauthorized and uninterrupted. The legal owner of the Internet connection was also present at the ISP center, and he was not using his registered connection. The police prepared a list of local suspects who were regular visitors to the café. Our investigations took us to a building near the Rainbow Café. From the suspect list, police traced a 15-year-old boy in that building who was proficient in computer usage and who had been given a prestigious Techno Excellence award by his school. The police raided the house when the boy was online. Police got the current MAC address, current IP and login
Continued on page 61


The names of people and businesses in this article have been changed. The investigation has been concluded; however, the case is not closed.

Do you feel your information is safe and secure on your personal computer or business computer network? Do you trust the employees working over you, with you or under you? Does the business or agency you work for feel the same about you? Do you have the necessary security protocols in place to protect your information, data, designs or software? I don't think any of us can answer yes to any of these questions without having some doubt.

In October 2006, the Lee County Sheriff's Office Economic Crimes Unit in Cape Coral, Florida received a complaint from a business owner regarding a grand theft and theft of intellectual property. The suspects, brothers Tim and Mike, who had emigrated from Poland, were employed in 2003 by the victim, Chuck, who owned 812.081 Investments, a software design company. Tim and Mike were originally hired by Chuck through an employee leasing company and had specific expertise in Web-based software design. In October 2006, Chuck came into the office and discovered that the computer Tim and Mike were using would not boot up or run any programs. Chuck soon discovered the hard drive had been removed from the computer. A search of the office also revealed that the employee records of Tim and Mike, including signed non-disclosure agreements, were gone. Chuck ruled out a burglary as there was no forced entry, and the only people at the time having access to the computer hard drive and a motive to remove their own employee records were Tim and Mike.

At first, Chuck was not overly concerned about the missing hard drive, as the company held all proprietary rights over the Web-based software designed by the brothers. Chuck was also aware that they were supposed to be storing the programs on a secured, off-site server maintained by an independent company. Chuck contacted the company hired to store the data the brothers were designing and discovered that all of the data and software for the Web-based program was gone. Chuck later learned the brothers had never used the off-site server and had stolen all the design software they had developed since 2003. Chuck's Web-based software was near completion at the time of the theft and nearly ready to be launched. The value of the hard drive was only $350. However, Chuck estimated the out-of-pocket expense the company had so far invested in the design of the Web-based software on the stolen hard drive at $2.5 million. Chuck's marketing research for this Web-based software estimated the potential value of 812.081 Investments to be in excess of $10 million.

Sergeant Jonathan Washer with the Lee County Sheriff's Office Economic Crimes Unit was assigned this case for investigation. The investigation was relatively straightforward. The company suffered a simple grand theft of over $350 due to the hard drive being stolen from the computer. Investigation confirmed that the computer from which the hard drive was removed was used solely by Tim and Mike to design this Web-based software, and that they both knew the passwords and access codes to obtain the information from the hard drive. It was also confirmed that Tim and Mike never stored any data from the software design, as required, on the off-site secured server. 812.081 Investments suffered huge financial losses, along with the potential loss of future earnings, due to this theft. Chuck had begun the patent process for this software and maintained hard copies of the information in an effort to protect the investment.

Sergeant Washer made numerous attempts to locate and contact the suspects, Tim and Mike, with negative results. Tim and Mike subsequently fled Southwest Florida, leaving little evidence behind to locate them. Financial records and transactions were reviewed, and Sergeant Washer soon learned the suspects had fled the United States for Europe. The theft of this patent-pending software from the victim, 812.081 Investments, negatively impacted its business. 812.081 Investments was forced to redesign the Web-based software to meet deadlines and protect its investors' interests, and incurred additional financial losses and expenses as a result of the theft by Tim and Mike. At this time, Tim and Mike have not been located, and the Lee County Sheriff's Office has active arrest warrants for both suspects for theft of trade secrets and crimes against computers.

The name 812.081 Investments was made up for this article to protect the actual victim's business name; 812.081 is the Florida State Statute for embezzlement/theft of trade secrets. The information shared in this article is, at the very least, a reminder to have the necessary checks and balances within your organization to assist in the protection of your firm's data, software or any other digital media or intellectual property specifically used to conduct your business. Without the enforcement and constant examination of your firm's policies and procedures, you are leaving your company vulnerable to hackers and to illicit computer intrusion and theft.

About the Author
Sergeant Washer has been with the Lee County Sheriff's Office for 13 years. Sergeant Washer has been an investigator since 2002 and has investigated hundreds of property and violent crimes. Due to the ever-changing world of fraud and the technology used to commit fraud, Sergeant Washer developed a passion for investigating financial crimes. The Lee County Sheriff's Office identified a need for a unit dedicated to investigating financial crimes in 2005, and Sergeant Washer was one of the first investigators assigned to this unit, which currently investigates various acts of fraud throughout the county, including schemes to defraud, crimes against computers and intellectual property, racketeering, check and credit card fraud, elderly fraud, etc. Sergeant Washer has attended numerous seminars and training sessions related to fraud, several of them through NW3C, and is currently studying to obtain his certified fraud examiner designation. Sergeant Washer is a member of the International Association of Financial Crimes Investigators, NW3C and ACFE.


In 2006 the Privacy Rights Clearinghouse reported 327 data breach incidents, 100,453,730 potentially compromised records and five identity thieves who were sentenced after defrauding 238 victims. The data breaches were classified as coming from outside hackers, insider malfeasance, human/software incompetence, non-laptop theft and laptop theft.[1] One of the biggest data breaches occurred at TJ Maxx, a major retail store, where hackers intruded into the network at two stores and stole over 46 million debit and credit card numbers from more than 100 files over several years.

The purpose of this article is to present the major issues regarding threats to the security of network data, define internal/external intrusion, and provide a list of the common methods of detection and significant established intrusion preventive practices for maximizing Internet network data security.

Threats to the Security of Internet Network Data

According to DataRecovery.com,[2] there are five major common threats to the security of network data. They are:

1. Denial of service. Knowing that all servers have limited capacity to handle server requests, hackers intrude on a network by flooding it with more requests than it can handle, which crashes the server. This threat is relatively easy to carry out but hard to deal with.

2. IP masquerading. IP masquerading simply means being an IP imposter. Because of poor authentication in the IP protocol, the server that is attacking your Internet network server pretends to be someone else (with a different IP) and, as a result, is able to gain unlawful access to the server being attacked.

3. Session hijacking. Session hijacking is an incredibly dangerous network data security threat in which the hacker takes control of a user's session, resulting in a very serious security breach in which the hacker could compromise sensitive user data such as passwords or even credit card information. For example, a user may be accessing some mission critical data or making an Internet purchase. At that time, a session hijacker takes control of the user's session, thereby getting access to the sensitive session data. The user is led to believe that he has been logged out, and he logs back in.

4. Illegal security break-ins. This is by far the most obvious and dangerous Internet network data security threat. Through either missing security patches in software or access to passwords, the attacker is able to pierce the authentication and authorization checks to get access to corporate databases and mission critical files. This threat can be resolved only through prevention rather than cure: safeguarding passwords, tougher password rules, etc.

5. Physical access to servers in data centers. Physical unauthorized access to data center corporate servers is still the largest threat to Internet network data security. Good data centers have network data security protection in the form of fingerprint-based authentication and verification of the credentials of all operations personnel visiting the data center.

Established Practices for Maximizing Internet Network Data Security

Over the years, a number of established practices for maximizing network security have emerged. They are:[5]

1. Plan for optimum Internet network data security. To accomplish this, a balance between access to servers and restricted access through network data security should be put in place.

2. Data center physical security. A typical good Internet data security practice is to outsource the hosting of corporate servers to a data center that can focus on providing strong Internet network data security, data center disaster recovery, and tough physical data security. This will help to prevent direct access to servers by unauthorized personnel.

3. Have a well thought out Internet data security policy. What is needed for an Internet network data security policy to work is proper buy-in from employees, dissemination of Internet network data security information handouts to all employees and contractors, and proper Internet network data security audits.

4. A key to Internet network data security: update all software with the latest patches. Updating database and operating software will help to reduce intrusions by hackers as they attempt to exploit the vulnerabilities of packaged software such as the operating system, the database, or even specialized packages such as CRM or ERP packages.

5. Internet network data security firewalls. Get an industry standard network data security firewall and safeguard your network from unwarranted intrusions. Also, do periodic audits of your network data security firewall rules so that your Internet network data security is not compromised.

6. Internet network data security backups, and safeguard those backups. Use new network backup strategies such as remote data backups and data replication to take backups regularly, even when your systems are live. Also, safeguard your backups, as careless backup handling could be your biggest network Internet data security threat.
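The periodic firewall rule audit recommended above is the one practice in the list that can be partly mechanised, so here is an added example (editor's code, not material from the article or from DataRecovery.com) of a small audit over a constructed rule base. It flags an allow-anything rule, administrative services opened to the whole Internet, and rules that can never match because an earlier, broader rule shadows them under first-match evaluation. The rule format, the port list and the sample rules are assumptions for the example.

```python
"""Added example (editor's illustration, not the article's or
DataRecovery.com's material): a small firewall rule-base audit over a
constructed, top-down rule list. Rule format and sample rules are assumed."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # destination port number as text, or "any"


# Services that should not be reachable from arbitrary Internet sources.
RISKY_PORTS = {"23": "telnet", "3389": "rdp", "445": "smb", "1433": "mssql", "3306": "mysql"}
ANY_NET = "0.0.0.0/0"


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`
    (with first-match semantics, `broad` placed earlier makes `narrow` dead)."""
    return (broad.proto in ("any", narrow.proto)
            and broad.dport in ("any", narrow.dport)
            and ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst)))


def audit(rules):
    """Return (rule name, finding) pairs for a rule list evaluated top-down."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and (r.proto, r.src, r.dst, r.dport) == ("any", ANY_NET, ANY_NET, "any"):
            findings.append((r.name, "allow any/any/any: the firewall filters nothing"))
        elif r.action == "allow" and r.src == ANY_NET and r.dport in RISKY_PORTS:
            findings.append((r.name, f"{RISKY_PORTS[r.dport]} exposed to the whole Internet"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule {earlier.name!r}; it never matches"))
                break
    return findings


# Constructed rule base in top-down order.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "tcp", ANY_NET, "203.0.113.10/32", "443"),
    Rule("allow-rdp-any", "allow", "tcp", ANY_NET, "203.0.113.20/32", "3389"),
    Rule("deny-internet-to-dmz", "deny", "any", ANY_NET, "203.0.113.0/24", "any"),
    Rule("allow-ssh-partner", "allow", "tcp", "198.51.100.0/24", "203.0.113.0/24", "22"),
    Rule("allow-all", "allow", "any", ANY_NET, ANY_NET, "any"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The shadowing check is the one most often missed in a manual review: the partner SSH rule looks correct in isolation, yet because the broad deny sits above it, it has never let a packet through, and whoever relies on it is either locked out or has quietly been given a wider rule somewhere else. A real audit would also cover the address objects and service groups that vendors layer on top of this flat form, but the containment test is the same.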

Intrusion Detection

What do you do if you suspect your network has been intruded upon? The answer is intrusion detection, which is the science of detecting malicious activity on a computer network and the basic driver for networking security. DataRecovery.com classifies intrusion detection for networking security into two parts:[3]

1. Internal intrusion detection. This is an incident in which misuse or malicious activity exists that compromises network security from within the computer network (typically internal organizational fraud).

2. External intrusion detection. This incident involves a hacker or cracker who attacks the computer network from the outside.

There are two general intrusion detection methods.[4]

1. Out-of-the-ordinary, exceptional or anomalous intrusion detection. This intrusion detection method relies on checking for any new or strange access in the computer network.

2. Detection based on past patterns of intrusions. There are some standard patterns of intrusion into computer networks, and pattern-based intrusion detection relies on checking whether some of these intrusion patterns are repeated on computer networks.

Protecting personal data on networks is a major security problem. Use this article to gain useful basic information for the investigation of Internet network data security-related crimes.

References

1 Chronology of Data Breaches 2006, Privacy Rights Clearinghouse, February 1, 2007.
2 Internet Network Data Security Basics and Reviews: The Threats, the Cures and the Strategies for Internet Data Security, www.data-recovery-reviews.com/intrusion-detection-reviews.htm.
3 Intrusion Detection Reviews for Networking Security, www.data-recovery-reviews.com/intrusion-detection-reviews.htm.
4 Ibid.
5 Op. cit., www.data-recovery-reviews.com/intrusion-detection-reviews.htm.

About the Author
Robert E. Holtfreter, Ph.D., is the distinguished professor of Accounting and Research at Central Washington University. He has published numerous articles on identity theft, debit/credit fraud, security breaches and data mining models. He is a member of the editorial boards for the Journal of Forensic Accounting and Fraud Magazine. He also writes a column on identity theft for Fraud Magazine. He can be reached at holtfret@cwu.edu.


Disclaimer: although the data has been anonymized, the problem set captured in the following article is representative of an actual analytic effort using next generation cyber-intrusion analysis software.

The human brain is the best system ever created for recognizing previously unidentified patterns of behavior. Until computers are able to match the analytic acuity of the human mind, automated detection of cyber intrusion will fail, especially given the highly adaptive nature of the threat. Consequently, existing signature- and behavior-based detection systems need to be augmented by human-driven analysis if they are to succeed. O. Sami Saydjari, CEO of Cyber Defense Agency LLC, notes that "Determining the right strategic decisions is best performed by creative, well-informed humans. This makes cyber defense a matter of art, supported by science, not a matter for total automation."[1] The next generation of cyber intrusion analysis tools provides a platform for humans to rapidly extract relevant information and create actionable knowledge.

The Impact of Adaptive Behavior on Cyber Defense


Earlier this year, researchers discovered that one of the largest botnets ever compiled, Kraken, had compromised over 400,000 hosts. Remarkably, fewer than 20 percent of computers running anti-virus software were able to identify the dynamically morphing signature of the malware. Such intrusions were not limited to those with unsophisticated defenses: Kraken reportedly evaded the intrusion defense systems of some 50 Fortune 500 companies.[2] This type of emergent, adaptive behavior has become a hallmark of contemporary cyber intrusions and has revealed a systemic weakness in existing defenses: the adversary is able to evolve the vector of attack faster than automated defenses can be updated. Although this reality seems inevitably biased towards the aggressor, there have been several recent technological and methodological advances that take the first steps towards leveling the playing field.

The analysis begins with an automated alert concerning a set of IP addresses connected by security events. A histogram of the graph selection is displayed giving the analyst a helpful characterization of the data. In this graph, it appears that there is a central group of IP addresses that are involved in a common network of cyber attacks.

TONE BOX: The PayPal Experience


The booming growth of e-Commerce presented companies like PayPal the seemingly intractable problem of combating fraud in the online payments space. Many companies in the market attempted to use Artificial Intelligence, statistical techniques, machine learning, and probabilistic scoring algorithms to profile attacker behavior. Unfortunately, the attackers knew that they only needed to try new techniques until they found one that slipped by the automated defenses to endlessly exploit this system. PayPal was first to realize that automated systems alone could never stay ahead of the attacker. Instead, they developed a new approach: allow humans to interact with the data to identify patterns of behavior not yet recognized by automated systems. The success of this methodology is apparent in the reality that PayPal continues to thrive while its competitors have fled the business. New cyber defense and intrusion analysis systems are augmenting existing automated solutions with capabilities designed to help humans rapidly aggregate, decipher, and share network defense information. The next generation of cyber intrusion analysis tools provides a platform for humans to rapidly extract relevant information and create actionable knowledge. Such knowledge can be fed back into automated defense mechanisms thus allowing computers to focus on proper classification and humans to focus on identifying emergent patterns of behavior.

Moving deeper into the analysis, the user has identified e-mail traffic originating from a mail server controlled by an IP address related to the attacking network. At the bottom, an integrated timeline displays the temporality of the events.

Next Generation Tools in the Wild


The following depicts screen shots of cyber intrusion analysis utilizing a next-generation platform.

Continuing the previous line of inquiry, the analyst has gone further into the Nelsoft Communications organization, by viewing all of the properties associated with this node, including its available geographical information.
http://informant.nw3c.org


CY-FI: The Future of Cyber Forensics
Topic This Issue: Macintosh Forensics
There Will Be Dragons
by Dr. Marcus K. Rogers, CISSP, CCCI, Cyber Forensics Program, Department of Computer & Information Technology, Purdue University

As I mentioned in my previous column, this edition will be focused on Macintosh forensics. It is probably a good idea to explain the rather mysterious second half of the title of this column. In ancient times, it was not uncommon for cartographers to indicate unknown areas by placing drawings of dragons on their maps. Some investigators I have talked to indicate that dealing with Macintosh computers or Apple devices is definitely unknown territory. Hopefully, we can begin to erase many of these dragons and start to chart the unknown. As I sit here writing this column, we at Purdue University have just finished teaching a three-day introductory Macintosh forensics training class for law enforcement. Preparing the materials for the class reinforced my belief that Macintosh computers make an excellent platform for investigating digital evidence, and yet at the same time present unique challenges to investigators tasked with examining these systems or devices. It is quite easy to get lulled into a false sense that this is strictly a Microsoft/Windows world. But in fact, with the introduction of the Intel chipset in Macintosh computers, Apple is increasing its market share dramatically year to year. If we move our focus away from strictly computers and look at devices in general, Apple in fact has the market share in several sectors: digital music devices (iPod), and even smart phones (iPhone). A very recent survey concluded that Macintosh laptops were the biggest sellers on university campuses in the United States, even surpassing Dell. It should come as no surprise that Macintosh computers are being used in a myriad of different criminal activities. Criminals in general and cyber criminals specifically are gravitating towards non-Windows-based computing platforms. Some have indicated that this might be due to the built-in counter forensics of law enforcement not being familiar with anything but Windows-based machines.
Informant: July 2008 - December 2008

Criminals assume that law enforcement is incapable of dealing with non-Windows-based operating systems such as Mac OS X. Criminals also tend to believe that the current crop of forensics tools is focused exclusively on Windows/NTFS, and therefore does not work well on other filesystems such as EXT2 or Mac OS X. Given this criminal cultural belief, and the reality that Apple computers are gaining a significant market share, it behooves investigators to become familiar with Macintosh computers and Mac OS X. Over the last year, we have seen a dramatic increase in the number of investigations we have assisted in that included Macintosh computers, iPods, and iPhones. Once one gets over the initial shock of not being in an NTFS world, the Mac OS X file system is not really that different. In fact, the much maligned Windows Vista shares a lot in common with Mac OS X. While there are several notable books (see reference section) that can assist the investigator in becoming familiar with the structure of Mac OS X, there is no substitute for hands-on experience. The relatively low price of the entry-level MacBooks, or iMacs, should allow investigators to purchase at least one system to use in their labs. Unfortunately, the belief that the current stock of forensics tools is lacking in its ability to deal properly with Mac OS X is a reality. This has prompted several companies to begin development of forensics tools that not only handle Mac OS X properly, but also run natively on Macintosh systems (see the reference section at the end of this article). However, to date, these tools are not as graphically mature as their Windows counterparts, which may increase the learning curve for some investigators. Even Apple itself has recognized that law enforcement and investigators need assistance in dealing with Macintosh computers and devices. In order to address this demand, Apple has sponsored several seminars, Webcasts, and support pages devoted to digital investigations.

The Scientific Working Group on Digital Evidence (SWGDE) brings together forensic science practitioners in the field of digital and multimedia evidence. Our disciplines include computer forensics, forensic audio analysis, forensic video analysis, and forensic image analysis. Our mission is three-fold:

- To bring together organizations actively engaged in the field of digital and multimedia evidence
- To foster communication and cooperation
- To ensure quality and consistency within the forensic community

SWGDE meetings provide a forum for practitioners to meet and exchange ideas, techniques, and best practices. We routinely publish resource documents for the entire digital and multimedia evidence community and offer training in cutting-edge digital evidence topics. Our efforts are aimed at the forensic examiner in both the laboratory and the field.

SWGDE is sponsored by the Federal Bureau of Investigation Computer Analysis Response Team (CART) Unit. However, SWGDE's strength lies in its membership diversity. Each member agency, no matter how big or small, has the same opportunity to help shape SWGDE's publications, focus and direction. It is this partnership between varied forensic practitioners, researchers and managers that produces relevant and timely support for our community. SWGDE regular (voting) members include federal, state, and local law enforcement personnel. Associate (non-voting) members include our colleagues from academia, private industry, non-law enforcement federal agencies and international law enforcement agencies. As of January 2008, SWGDE members included twenty (20) state and local agencies, nine (9) federal agencies and nine (9) associate agencies. For more information on SWGDE, please visit www.swgde.org. A membership application is available at http://swgde.org/membership.html. We encourage interested forensic practitioners to apply. For more information about SWGDE, e-mail membership@swgde.us.

Children have been treated and viewed as sexual objects and included in erotic literature and drawings since long before the invention of the Internet. However, the Internet has dramatically changed the underground world of child pornography by increasing the amount of child pornography produced, its availability, and the efficiency of distribution to other child pornography users. Research suggests that the child pornography industry generates approximately $3 billion annually, and that there are roughly 100,000 Web sites worldwide offering child pornography. In addition, it is assumed that the pornographic content of the images is increasing in diversity. Due to the increased variety in content, there needs to be a system in place that categorizes the images in order to provide an overall understanding of the offenders' illicit collections. In order to categorize the images' content, the COPINE (Combating Paedophile Information Networks in Europe) project at University College Cork, Ireland, developed a classification model. For the past decade, this European project has conducted research on Internet child pornography and its use by adults sexually interested in children. However, there has been little if any similar research in the United States.

In order to address this gap in knowledge, Purdue University's Cyber Forensics Laboratory is recruiting United States law enforcement officers to participate in a short, anonymous survey. Using COPINE's classification model, participants will be asked to classify the Internet child pornography images they have seized as evidence from 2005 to the present, using an anonymous, step-by-step online questionnaire. Agencies wishing to participate in this study, or for further information, please contact Dr. Marcus Rogers at Purdue University's Cyber Forensics Laboratory via e-mail at rogersmk@purdue.edu or by phone at 765-494-2561.


Cyberbanging
Like the rest of the world, street gangs have not missed the use and abuse of technology. One long-recognized form of gang communication is the use of graffiti, or tagging. Most urban settings have grown used to seeing spray-painted icons from local gangs. Now, graffiti can be found almost anywhere: mid-sized to small towns and farmlands, and even photos from war zones that American armed forces occupy are showing signs of gang markings. Tagging serves two purposes for gangs: one, it is a visible marker of a location under their control, and two, it provides rival gangs a warning that if their territory is violated, retaliation is almost certain. But physically creating graffiti runs the risk of getting arrested, since it is usually a crime. So, today's gangs are turning to a safer and sometimes even legal form of tagging: cyberbanging. Cyberbanging refers to the way gang members use Web sites to promote their gang-related activities. Most juvenile gang members begin by creating Web profiles through popular social networking Web sites like MySpace (www.myspace.com), Facebook (www.facebook.com) and others. The purpose is to create an interactive form of tagging that shows off their abilities, voices their bravado and even helps with gang recruitment. Most Web sites will display alleged gang members holding various weapons and large stacks of money, and almost all of them will be displaying gang signs and flying colors. The people displayed in photographs almost always have their faces covered to protect their identities. In addition to continually bashing their rivals, the Web sites typically boast either past or recent criminal accomplishments. Despite being a new form of gang promotion, they are also a major source of intelligence for Gang Management Units (GMUs). In today's Internet world, it is not difficult to find information on cyberbanging or even find out who is doing it.

Go to any of the popular video upload Web sites such as YouTube (www.youtube.com), Google Video (www.video.google.com) or MySpaceTV (www.myspace.com), type "cyberbanging" in the search field, and you will see how many people voluntarily display homemade movies popularizing gang activity. The same can be done with search engines such as Google, Dogpile, or any other host of search engines. Add to your search string constraints such as your state, city or common gang references and it may narrow the selection down more closely to your geographic location. Because of the increased use of cyber-surveillance by GMUs, gangs have moved much of their cyberbanging off major Web domains and have started to use Web boards to post their declarations and threats. Young gangsters are very technology savvy and even recruit teen geeks to help promote and even secure the gang's technology operations. This subculture of techno-teens is fertile material for gang recruitment and usually does not hesitate to use its tech skills to help the gang's mission.
The Brown Underground (www.brownunderground.com) is a Web site that was created to promote Hispanic culture and heritage; once its chat boards were opened to the public as a global form of community communication, Latino gangs started using it to cyberbang their rivals. Soon, it created havoc for the Web site's administrators and brought unwanted negative attention as a gang cyber hot spot. Photos and videos play a big part in many of these sites, and usually if the video is not part of the site, a link leading to a video Web site like YouTube is provided. The gang culture is heavily embedded with music, and most gangs' video sites play amateur gangsta raps that admonish or mock their rivals. Law enforcement agents should view and copy these videos carefully; although faces may be obscured, look for tattoos on other exposed parts of the body like hands, necks or arms. Look at the background of the video; is it being filmed in a room like a bedroom? Take notice of items in a room or location shots to determine where it was filmed. Voiceprints may also be matched and should be considered for investigative and evidentiary potential. Cell phones are routinely used as a method of cyberbanging, since gang members will text message disrespectful or threatening harassments to rival gang members, their families or friends, sometimes at all hours of the night, sparking retaliatory encounters. Searches of mobile technology during an investigation should consist of identifying stored text messages (sent and received) and the phone numbers that were sent to or received from that device. A suggested operational plan for law enforcement is to identify which gangs operate or proliferate in your region. Once identified, begin standard Internet research via search engines and social networking sites, and look for videos on YouTube, Google Video, MySpaceTV, etc.

Search for postings by using common or slang terms for city names, city streets, known gangs, neighborhoods or gang names of known members. Check the chat boards, Web boards and guest books of Web sites like MySpace, Facebook, and other social network sites that sport or lean towards gang activity, making note of postings whose text color is particular to a gang's known colors (for example blue or red). Popular music group Web sites that are representative of the gang culture usually have a social networking chat section, and this should be examined. One of the best resources for cyberbanging intelligence gathering (and gang intelligence overall) is the local School Resource Officer (SRO). This is usually a law enforcement officer assigned to the local school district. They will probably know who most of the major juvenile gang players are, who is targeted for recruitment, which gang members frequent the school's computer labs and possibly which Web sites the gang members frequent. It's also a good idea to ask school computer network administrators whether they are aware of anyone trying to access gang-related Web sites; this may reveal which uniform resource locator (URL) or Web address to keep under surveillance. Communication and vigilance are the keys to success when it comes to gang intervention and investigation. Sharing information resources between law enforcement disciplines, and using the same information technology abilities the criminals use and abuse to defeat their illegal activities, are skills worth obtaining.

About the Author
Donald F. Cesaretti, MSIA, works for the New Jersey Juvenile Justice Commission as a technical instructor. He is a certified police training instructor and former law enforcement officer who has provided training about gangs and cyber-crime to federal and state law enforcement agencies. In addition to his graduate degree in Information Assurance (computer security), he is a graduate of many law enforcement cyber crime and computer forensic training programs.

Call for Articles

Help others in the fight against cyber and economic crimes. Contribute your articles and ideas to the Informant magazine.


Share your expertise, experience and knowledge with Informant readers. We are looking for articles on any topic related to cyber or economic crime. The next Informant will feature articles on the topic of Investigating Small Scale Digital Devices, such as cell phones, PDAs and blackberries. If you have experience and expertise in this area, we welcome your article submission to be featured in the Informant. Send your articles and article ideas to lbond@nw3c.org. Deadline to submit articles for the March 2009 issue is January 15, 2009.


Recovering Known Videos in Unallocated Space
by Sergeant Glenn Lang, ICAC Commander, Maine State Police

The Maine State Police Computer Crimes Unit, like many other Internet Crimes Against Children (ICAC) units, has been working more often to investigate peer-to-peer cases. Many of these cases are a result of national proactive operations targeting this network. Our mission is to investigate online crimes against children; in the case of peer-to-peer investigations, we are examining the computers of known suspects to recover child pornography videos from unallocated space. These video files are exchanged with others through the Internet. We had a rash of these cases in our system; however, an alarming issue arose, caused by the local recording industry's efforts to stop the distribution of copyrighted material. We discovered that our peer-to-peer case targets had recently received letters explaining that they may have been involved in the dissemination of copyrighted material (music files), based on complaints received from the recording industry. The students' reactions were to delete the music files from their computers. In the process they also deleted the contraband video files that we were looking for.

We use stock forensic tools (EnCase and FTK) at our labs to examine computers that we have seized. Recovering video files in unallocated space has historically presented us with some difficulty, as they tend to be large and span many clusters. Unallocated clusters are areas of the computer's hard drive that may have been used at some point but are not currently assigned to any file. When a file is deleted it may still exist in its entirety in unallocated clusters if that area of the hard drive has not been overwritten by other data. Our investigations target suspects sharing videos we have downloaded and viewed ourselves, so we can testify that the files are contraband. Since we have these videos on file, we also use them as source material for the searches.

For years we have relied on a system of searching for video file headers to locate and parse videos in unallocated space. The problem with this technique is that it tends to generate hundreds of false positives that can flood the storage drive and take many hours to review. We have recently begun implementing a new technique to investigate our peer-to-peer cases, using EnCase software. In cases where we are aware of the suspect's file sharing content, this new technique allows us to search for a section of the actual video data. Once that data is located, we export and view it using a video player such as VideoLan (VLC). This procedure can likely be done with any of the commercial forensic tools.

Collecting data from known video

Each of the videos we have on file is examined in hexadecimal format so that the raw data is exposed in hexadecimal as well as in its text translation. The raw data is then copied from a section of the data that appears just after the video header. I generally use about ten hexadecimal characters, for example: 3a 24 2d 36 ff 1a 4c 2b 2a 1b. I have found that you need to manually copy these characters as opposed to a copy and paste. The shorter the section of data you use, the greater the likelihood of false-positive hits. Once this information is collected you can build a database using Word or Excel so that you have a keyword for each of the videos you may be looking for on the suspect's computer.

Searching the suspect's computer

To do the actual searches, create a new search term. In this example the search term would be: \x3a\x24\x2d\x36\xff\x1a\x4c\x2b\x2a\x1b, and you would need to check ANSI Latin-1 and GREP. The \x indicates you wish to search for the hexadecimal character directly after it.

Recovering the videos

Once you have some hits for the search terms you need to recover the data. We use EnCase for this process, but other agencies' procedures may be different. We examine the search hits in text view. If you examine the area just prior to your hit you may see what appears to be the file's header. The next step is to click on a character in this area, export the data in a custom range starting at the location of the cursor, and select "extract as exact binary." The size of the file you are going to export depends on the data range you enter. Ten million will generate a file that is about 10 megabytes in size; 100 million will create a 100 megabyte file. Give the file a name and use an extension of .mpg for the exported file.

Viewing the recovered videos

Our team uses VideoLan to view the recovered video. It's a free viewer and seems to deal with corrupted data better than most viewers. Either associate VideoLan with the .mpg extension or open VideoLan and direct it to the file you exported. You may need to experiment with the starting point and size of the file to get it to play, but we have had remarkable success locating these videos with a very low percentage of false positives.

Future Plans

I am hoping to have an extraction tool created to mine the search terms from suspect video files to automate the collection process. I believe this can be done with scripts. If the terms can be harvested from the large libraries at the National Center for Missing and Exploited Children or Innocent Images, the terms could be used much like hash analysis. The key difference would be that hits could be obtained from partial or deleted files which would be missed by hash analysis.

About the Author
Sergeant Glenn Lang has been employed by the Maine State Police for 19 years and has been the supervisor of the Computer Crimes Unit since 2001. He is currently the ICAC Commander for the State of Maine and is certified as a forensic examiner through Guidance Software (EnCE).
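The carving procedure this article describes (copy about ten bytes from just after a known video's header, search unallocated space for them, walk back to the header and export a fixed-size range), scripted as an added example in Python; this is not the Computer Crimes Unit's own tooling. It assumes the MPEG program-stream pack header (00 00 01 BA) marks the start of a video, and the "known videos" and "unallocated space" it searches are constructed from seeded random bytes, with one copy intact and one partially overwritten.

```python
"""Signature-based carving of known videos from an unallocated-space image.

Added example (not the Computer Crimes Unit's tooling). It follows the
article's procedure: take about ten bytes from just after a known video's
header as the search key, search the image for that key, walk back to the
nearest preceding container header, and carve a fixed-size range from it.
Assumptions: the MPEG program-stream pack header (00 00 01 BA) marks the
start of a video; every "video" and the "image" below are constructed from
seeded random bytes purely for the demonstration.
"""
import random
from typing import Dict, List, Optional, Tuple

MPEG_PS_PACK_HEADER = b"\x00\x00\x01\xba"  # assumed start-of-video marker
KEY_LENGTH = 10  # the article copies about ten bytes from just after the header


def extract_search_key(video: bytes, header: bytes = MPEG_PS_PACK_HEADER,
                       key_length: int = KEY_LENGTH) -> bytes:
    """Return key_length bytes taken from just after the header of a known video."""
    start = video.find(header)
    if start < 0:
        raise ValueError("header not found in reference video")
    key = video[start + len(header):start + len(header) + key_length]
    if len(key) < key_length:
        raise ValueError("reference video too short to extract a key")
    return key


def to_grep_term(key: bytes) -> str:
    """Render the key the way the article types it into the GREP search box."""
    return "".join("\\x%02x" % b for b in key)


def find_hits(image: bytes, key: bytes) -> List[int]:
    """Offsets of every occurrence of the key in the image."""
    hits, pos = [], image.find(key)
    while pos >= 0:
        hits.append(pos)
        pos = image.find(key, pos + 1)
    return hits


def locate_header(image: bytes, hit: int, header: bytes = MPEG_PS_PACK_HEADER,
                  window: int = 4096) -> Optional[int]:
    """Nearest header at or before the hit, looking back at most `window` bytes.

    rfind returns the last occurrence in the slice, i.e. the header closest
    to the hit; the article's analyst does this by eye in the text view.
    """
    pos = image.rfind(header, max(0, hit - window), hit + len(header))
    return pos if pos >= 0 else None


def carve(image: bytes, start: int, size: int) -> bytes:
    """The article's 'custom range' export: `size` bytes from `start`."""
    return image[start:start + size]


def recover_known_videos(image: bytes, reference_videos: Dict[str, bytes],
                         size: int) -> List[Tuple[str, int, int, bytes]]:
    """For each reference video: (name, key hit offset, carve start, carved bytes)."""
    results = []
    for name, video in reference_videos.items():
        key = extract_search_key(video)
        for hit in find_hits(image, key):
            start = locate_header(image, hit)
            if start is None:  # header overwritten; nothing sensible to carve
                continue
            results.append((name, hit, start, carve(image, start, size)))
    return results


# ---- constructed sample data (seeded so the results are reproducible) ----
def _random_bytes(seed: int, length: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def make_fake_video(seed: int, length: int = 2000) -> bytes:
    """A stand-in 'known video': pack header followed by a random payload."""
    return MPEG_PS_PACK_HEADER + _random_bytes(seed, length - len(MPEG_PS_PACK_HEADER))


REFERENCE_VIDEOS = {"video_a.mpg": make_fake_video(1), "video_b.mpg": make_fake_video(2)}


def make_unallocated_image() -> bytes:
    """Constructed unallocated space: filler, an intact copy of video_a, filler,
    the first 700 bytes of video_b (the rest overwritten), filler."""
    return (_random_bytes(11, 5000) + REFERENCE_VIDEOS["video_a.mpg"]
            + _random_bytes(12, 3000) + REFERENCE_VIDEOS["video_b.mpg"][:700]
            + _random_bytes(13, 1000))


if __name__ == "__main__":
    image = make_unallocated_image()
    for name, video in REFERENCE_VIDEOS.items():
        print(name, "search term:", to_grep_term(extract_search_key(video)))
    for name, hit, start, data in recover_known_videos(image, REFERENCE_VIDEOS, size=2000):
        print(f"{name}: key hit at {hit}, carved {len(data)} bytes from offset {start}")
    # Shorter keys mean more false positives: a one-byte key hits all over the image.
    short_key = extract_search_key(REFERENCE_VIDEOS["video_a.mpg"])[:1]
    print("hits for a 1-byte key:", len(find_hits(image, short_key)))
```

The partially overwritten copy is still found by its key, which is the advantage over hash matching the article points out, but the carved range then runs into unrelated bytes, which is why the export size has to be tuned by hand.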


The Business of Driver's License Fraud
by Dean Reynolds, Chief Investigator, Kansas Department of Revenue

For illegal immigrants, professional identity thieves, members of a terror cell and common criminals wishing to operate anonymously, obtaining an officially issued state driver's license is critical. Criminals go about obtaining a legitimate state-issued driver's license by using an identity that belongs to someone else or creating a fictitious identity altogether. Because of what can be done with a fraudulently obtained government-issued DL or ID card, criminals will go to extraordinary lengths to get them. Driver's license fraud is becoming more important for people who have entered the U.S. illegally or overstayed their visas in order to work, open bank accounts and get insurance. Driver's license fraud is, in fact, at the heart of many white collar crimes. Obtaining a driver's license in another person's name can be an indispensable step for a criminal or member of a terrorist cell to commit loan, check or wire fraud. Moreover, it can also prevent law enforcement from discovering the criminal's true identity. With limited resources, a detective is more likely to spend investigative time on those cases where a suspect's true identity is known or at least suspected.

Evolution of Driver's License Fraud

Since September 11th, most state DMVs across the country have added physical security features to driver's licenses and ID cards that make them more difficult to counterfeit or alter. This has, in large degree, required criminals to get a state-issued card rather than buying a fake off the street, since most fakes do a poor job of mimicking the new security features.

Investigators often look for hidden security features, such as this, to confirm the validity of driver's licenses.

Actions used by a criminal to obtain an officially issued driver's license or ID card using another person's identity have evolved as identity security has been improved at state DMVs. Not that long ago, someone could, in many states, merely lie about who they were and claim they lost their driver's license. Driver's license (DL) examiners, in many states, did not have access to DL photo images on file to notice the person was an imposter. Once that deficiency was remedied, fraudsters needed to use the identity of someone living out of state. This could often be accomplished by presenting counterfeit breeder documents (those documents used to get a DL) such as birth certificates, green cards, employment authorization cards, Social Security cards or out-of-state driver's licenses. Because a good number of DL examiners in most states have recently received training on how to spot counterfeit documents, getting counterfeit breeder documents past them is becoming more problematic for criminals. Criminal vendors of fraudulent documents are now, more than ever, becoming dealers of authentic breeder documents (documents used to obtain an ID document). These government-issued documents are sold on the street so that someone can present them at state DMVs to fraudulently obtain a state DL or ID card. This imposter fraud is on the rise across the country and, with further tightening on the horizon with the coming federal Real ID Act, this scheme will become even more prevalent. The Real ID Act will require DMVs to electronically confirm that the information on a breeder document matches information in the database of the issuing agency. In other words, if an applicant presents a Mississippi birth certificate, the name, birth name and DOB will be sent electronically to the Mississippi office of vital records for confirmation. If the person presenting that Mississippi birth certificate in Wisconsin is an imposter, the authentic documents will still be approved because the information matches what is in the Mississippi office of vital records database. When state DMVs become more proficient at detecting imposters, the only viable course left to criminals who want to commit driver's license fraud will be corruption: bribing driver's license examiners. Incidents of internal fraud relating to the issuance of driver's licenses have risen dramatically in recent years in DMVs in all parts of the country. Examiners have been paid several hundred dollars, and in some cases over $1,000, for each fraudulent transaction. Most of these cases involved the issuance of driver's licenses to illegal immigrants, and several have involved schemes designed to issue driver's licenses to people from central and south Asia as well as the Middle East. Despite the fact that they deal with sensitive information and are charged with safeguarding the public against identity-related crime, front-line examiners are often among the lowest paid in state government, leaving the industry ripe for fraud.

Imposter Fraud

Authentic birth certificates are the breeder documents most frequently used by imposters. Unlike driver's licenses or immigration documents, there are no photos on birth certificates. With nothing to tie the document to the presenter, a criminal can claim to be just about anyone who is roughly the same age. A birth certificate is commonly the first building block for a criminal wishing to commit driver's license fraud. Most vital records offices accept requests through the mail or via the Internet, making it difficult to verify that the requesting person is who he or she claims to be. Identification documents that are mailed to vital records offices along with orders are copies. Authenticating copies of ID documents rather than the originals is generally unachievable because of the lack of security features on copies. Moreover, a fraudster can in many cases claim to be a family member of the person whose identity they are attempting to steal. The breeder documents most frequently used by imposters in Kansas are birth certificates issued in Puerto Rico and in select counties or cities in Texas. While birth certificates from Puerto Rico and Texas both satisfy the requirement in most states that an applicant be a U.S. citizen or be lawfully present in the U.S., a birth certificate from Puerto Rico (falsely) explains why an applicant does not speak English. It is not unusual for a Social Security card to be sold with the birth certificate as part of a set. The Social Security card, like a birth certificate, contains no photo. Criminal vendors secure the authentic documents by:

- buying them from other criminals (including methamphetamine users)
- taking advantage of jurisdictions (cities/counties) that are lax in the issuance of birth certificates
- corrupting officials who have access to genuine official blank certificates.

And not all authentic documents are birth certificates and Social Security cards. Some criminal vendors have a virtual library of valid photo ID documents. This library may be accessed to find a permanent resident card or state driver's license with a photo that is similar in appearance to the applicant.

Breeder Documents: Sold vs. Rented

Criminal vendors of authentic documents will typically do one of two things: 1) Rent the documents. In this scenario, the renter pays, say, $1,400 for the set of documents, and if they are returned, the renter may get $600 back. The vendor will often make sure that the same set of documents is not sold to two people within the same state, because the second person would not be able to get a DL/ID card. 2) Sell the original authentic documents. In this scenario, the vendor typically scans the original documents into his computer before letting them walk, so that counterfeit documents can be produced at will. The counterfeited documents are then sold, at a price less than the originals, to people in different states. Buyers of these counterfeit documents may believe they are genuine documents.

Security features, such as these, are hard to duplicate on fraudulent driver's licenses.

When conducting imposter investigations, it is not unusual to discover five different people in five different states sharing the same identity. The identity with the longest history with regard to public records and activity is typically the true owner of the identity.

Using Technology at the DMV Front Counter

Roughly 30 states are now using facial recognition technology in some fashion or are in the planning stage of implementing the fraud detection technology. Facial recognition technology compares the geography of faces in a database. In those states that use a one-to-one match, the current photo of an applicant will be compared electronically against the last photo taken of the applicant in an effort to spot imposters. In those states that use a one-to-many comparison, if, for instance, a person who already has a DL in that state applies for a DL in another name, the DL computer system matches the photographs after business hours on the date the latest photo was taken. Once the match is identified, the application is flagged for suspected fraud. States that employ this technology can run a facial recognition inquiry on the DL image of a suspect, so you can check if your suspect is using multiple identities. Some states that use facial recognition are getting the capability to import external photos to run a facial recognition check against. This can be invaluable in identifying a suspect whose identity is unknown.

Most security and authentication features on driver's licenses can't be seen with the naked eye, as shown here.

Detecting Imposters

Because imposter fraud is the future of driver's license and identity fraud, it is critical that driver's license examiners, law enforcement officers and investigators receive training on imposter detection. A person who has successfully defrauded the state DMV and presents a state-issued DL to a law enforcement officer or other document reviewer can still be caught if the officer is aware of what to look for and how to proceed in detecting imposters. Detecting imposters is generally a three-step process consisting of examination of who the person is (physical characteristics including his face, height and weight), the documents in his possession and what he knows. An imposter's knowledge of the identity he has stolen is generally shallow and can be exploited with the right interview questions.
About the Author Dean Reynoldson is the Chief Investigator for the Kansas Department of Revenue. He is a Certified Fraud Examiner and a Certified Forensic Interviewer. Reynoldson teaches criminal justice courses as an adjunct professor at Washburn University.


Ever wonder what goes through the mind of a person when they are committing a crime? Investigators from the Florida Office of Financial Regulation got the chance to see inside the mind of a white collar criminal during a training seminar, where they experienced a unique guest speaker: a convicted investment swindler (whom we'll refer to as Mr. Swindler). Mr. Swindler was convicted and served time in jail for operating a Ponzi scheme. He shed light on how he was able to defraud investors. First, Mr. Swindler dreamed up a unique business concept: cryogenically freezing blood to be stored for later medical uses by the donor. To appear legitimate, Mr. Swindler purchased a shell company that was incorporated a few years earlier. The shell had a stock trading symbol but no assets. Its name and symbol were its only value. This gave the impression that the company had been around longer than it actually had. To raise capital, Mr. Swindler sold nine-month promissory notes, taking advantage of loopholes in the state and federal securities laws. He relied upon an exemption from registration to avoid regulatory scrutiny and red tape. To entice investors, he offered higher than average rates of return on the promissory notes. The notes were unsecured and risky. Investors believed they were insured and safe. He assured investors the business would be successful and profitable. In retrospect, he acknowledges the business was designed to fail because it was impossible to make profits in nine months, the period of time in which the promissory notes would come due. He relied on funds from investors to make interest payments to other investors, the tell-tale sign of a classic Ponzi scheme. Mr. Swindler also needed a sales force because he couldn't afford to spend all his time on the phone marketing his company to potential investors. He hired rogue insurance agents who did no due diligence and were persuaded by large commission checks. The insurance agents raised millions.

Most victims were senior citizens convinced to roll over their annuity investments into the venture. In total, fewer than ten consumers actually signed up to have their blood cryogenically preserved. The business was a bust. The Florida laboratory closed down and the media publicized its demise. Soon, investigations were launched into the business and the promissory note program. Mr. Swindler was exposed and eventually pleaded guilty to criminal charges. He received over three years in prison, did his time and was released.

Although Mr. Swindler was ordered to pay restitution, the reality is that he will never earn enough money in his lifetime to pay back investors. Here are some lessons learned and a few observations. "Today, the Internet is the new sales force," says Mr. Swindler. You receive all kinds of bogus investment opportunities in your e-mail. To combat this, you should buy anti-spamming software and ignore investment come-ons. Investors in his operation were told the investment was risk-free. If they had read the offering prospectus (those who received it), they would have learned they could lose all their money if the business wasn't successful. He also said, accurately so, that most investors didn't read the prospectus and took the promises of sales people at face value. Receiving higher than average returns assured the prospectus would not be read. Investors were also told the promissory notes were independently insured. Not so. In reality, Mr. Swindler owned the off-shore insurance company. A little investigating would have revealed the insurance company wasn't licensed to do business in the U.S. Another red flag was that other states had issued cease and desist orders (C&Ds) against Mr. Swindler and his business. These public documents were available to anyone who asked for them. The message in this story? Do your research before investing. Remember that there are no risk-free investments, only investments with varying degrees of risk. Finally, if a deal sounds too good to be true, then it probably is!

About the Author
Mark Mathosian is a Financial Administrator for the Bureau of Investigations, Florida Office of Financial Regulation (OFR). OFR regulates the banking, finance and securities industries in Florida. Mark is headquartered in Tallahassee and can be reached at 850-410-9859, mark.mathosian@flofr.com.


In a recent ABC News article, Iran made headlines with the following allegation: "Iran accuses U.S. and Britain of funding terrorists." One would have to ask oneself: is this accusation extremely far-fetched or even remotely possible? Is it a possibility that terrorists are being funded, knowingly, with monies made in the United States? This article will explore the possibility of illicit funds made here in the United States and shipped abroad using cash businesses and retail outlets.

Straw ownerships are businesses where one person or persons receives all the financial benefits directly from the company, but is not listed on any legal or public documents as the legal business owner. For the past several years, the Arizona Department of Liquor has identified straw ownerships in several licensed alcohol premises. There are a variety of reasons that subjects engage in straw ownerships and are able to go undetected for long periods of time. A few of the reasons that have been discovered are as follows:

- A person is a convicted felon
- A person does not want to disclose themselves as the owner in order to avoid being detected for financial reasons such as tax evasion, divorce and money laundering
- A person is not a legal resident of the state in which he/she resides and/or does not have legal status in the United States
- A person is involved in racketeering and/or organized crime
- Liquor establishments are a cash business
- Funds are being shipped out of the United States to other countries

These business owners are attracted to liquor establishments because of their cash business tendencies. Cases have shown that it is relatively easy to have someone placed as a front person on alcohol license applications. A front person is an individual who is legally qualified to own a business and meets the qualifications of licensure, but allows other person(s) to operate the business for illegal reasons. Initially, front persons can go undetected for long periods of time because the local governing bodies are limited in verifying multiple applications that are filed with licensing agencies.

Once the license is issued to the front person and the business is in operation, the hidden owner is then able to control the business, which includes the cash revenue derived from the establishment. This includes cash alcohol outlets such as bars, liquor stores, hotels and private clubs. Multiple crimes are typically committed on the licensed premises, which include (based on actual cases conducted):

- Narcotics dealings
- Money laundering
- Repeated acts of violence
- Multiple liquor law violations
- After-hours violations

Failure to comply with other regulatory agency requirements, such as those of the department of revenue, local taxing authorities, workmen's compensation insurance and the industrial commission, is also typical of straw ownerships.

Before presenting straw ownership cases for prosecution, it is vital to investigate two key elements: Control and Financial Interest. Control refers to the power to direct or cause the direction of the management and policies of an applicant, licensee or controlling person, whether through the ownership of voting securities or a partnership interest, by agreement or otherwise. Controlling person refers to a person directly or indirectly possessing control of an applicant or licensee. Financial Interest refers to the controlling person who holds a beneficial interest in ten percent or more of the liabilities of the licensee or controlling person. In examining criteria for licensure for several states, Control and Financial Interest are common. Also consistent amongst licensing agencies is the requirement that persons who intend to control a licensed outlet have to be disclosed and a background has to be completed so that local government knows who is in control of the business, with set standards and disqualification criteria. Once the case shows there is evidence that illegal entities are in control and not disclosed, financial backgrounds should be initiated to show the financial control. This can be accomplished by doing the following during on-site inspections and examination of business documents. In several cases seen in Arizona, the following business documents can reflect the illicit control:

- Escrow documents used during the acquisition of the business
- Applications and questionnaires submitted to local government for licensure
- Contracts, notes, promissory agreements, and copies of cancelled checks or cashier's checks
- Bank account applications, signatory authority documents, deposit and withdrawal statements
- Local utility applications and accounts
- The examination of corporation documents and limited liability company documents, partnership agreements, and documents relating to Joint Tenancy with Rights of Survivorship
- The filing of equitable interest documents, also known as UCC filings
- Any financial wiring made abroad using various financial institutions
- Insurance and liability documents

One factor that has been very consistent with front persons used on applications is the fact that they do not have the financial means or background that would allow them to purchase or carry such a large financial note to acquire the business or license. Requiring the front person to produce proof of the financial resource can give investigators a good picture of where the funds originated. These guidelines can be used to help law enforcement detect straw ownerships within the liquor-related industry. Once it is established that illegal entities are in control, investigators have to track what monies are coming in, what is actually reported, and where the money is going. Straw ownerships should be taken seriously as they have the potential to be financial fronts to support larger crime organizations.

References
1. ABC News online, May 13, 2008
2. http://www.abc.net.au/news/stories/2008/05/13/2243684.htm

About the Author
Antonio Ribera is a 13.5-year veteran with the Arizona Department of Liquor Licenses and Control and has in-depth experience in combating white collar crimes surrounding liquor businesses. Antonio has been in law enforcement for a total of 20 years, which includes assignments in Organized Crime, Fraudulent Document Crimes, and state regulatory investigations. He earned his Bachelor's Degree in Business in 1995 from the University of Phoenix and has taught straw ownership investigations to multiple law enforcement agencies.


STATE AUDITOR STACEY PICKERING ANNOUNCES THREE ARRESTS FOR KATRINA FRAUD
Jackson, MS - State Auditor Stacey Pickering announced the arrests of three individuals charged in fraud related to home repair as a result of damage from Hurricane Katrina. James Hodge, 45, of Wiggins was arrested on Monday, June 9 and released on $20,000 bond following charges of felony home repair fraud. Hodge, operating as J & J Construction, entered into a contract and received $10,000 in payments for work on a residence in Bay St. Louis that was never finished. The State Auditor's Office appreciates the assistance of the Attorney General's Office, Stone County Sheriff's Office and Hancock County Sheriff's Office in this case. Peter Howard, 47, and partner Robert Smith, 52, both of Mobile, AL, were arrested today on the charge of felony false pretense. Howard and Smith, operating as Pelican Bay Homes, contracted with the victim to provide and construct a modular home in Pascagoula. A down payment of $140,000 was made for the home that was never constructed. Both Howard and Smith await bond at the Jackson County Adult Detention Center. The Jackson County Sheriff's Office and Jackson County District Attorney Tony Lawrence assisted in this case, leading to the arrests of Howard and Smith. "These arrests make a total of five since the beginning of 2008 involving contractors defrauding residents devastated by the aftermath of Hurricane Katrina along the Mississippi Gulf Coast," said State Auditor Stacey Pickering. "The investigators with the Katrina Fraud Prevention and Detection Unit worked very diligently to bring these arrests. The Office of the State Auditor is committed to investigating Katrina fraud cases and bringing those convicted of committing crimes to justice."

PHILADELPHIA MAN SENTENCED FOR FEDERAL BANK FRAUD CONSPIRACY AND IDENTITY THEFT CHARGES
Richmond, VA - Antar Bush, age 27, of Philadelphia, Pennsylvania, was sentenced today for his role in a bank fraud and identity theft scheme. United States District Judge Henry E. Hudson sentenced Bush to 75 months of imprisonment. This sentence includes a consecutive term of twenty-four months mandated by his conviction for Aggravated Identity Theft. Bush was also sentenced to five years of supervised release and ordered, along with his codefendant, to pay a total of $373,892.95 in restitution. The sentence was announced by Chuck Rosenberg, United States Attorney for the Eastern District of Virginia. In January 2008, codefendant Kevin Brown, age 31, of Willingboro, New Jersey, was sentenced on the same charges to five years confinement, five years of supervised release and ordered to pay restitution in a total amount of $378,000. Bush has acknowledged participation in the conspiracy from December 2005 until March 2007. The scheme involved the use of counterfeit checks that were presented to area merchants. The checks were created using the routing numbers of legitimate financial institutions. When passing the bad checks, the defendants presented fictitious out-of-state drivers licenses in the names of real individuals. The conspiracy is responsible for negotiating a total of $378,785.28 in counterfeit checks for transactions occurring in Virginia and other states along the East Coast. The case is being investigated by law enforcement officers from the Henrico County Division of Police and the United States Postal Inspection Service and members of the Metro Richmond Identity Theft Task Force. In addition, the Task Force received investigative assistance from the National White Collar Crime Center based in Glen Allen, Virginia. Other member agencies of the Task Force include: the United States Secret Service; the Federal Bureau of Investigation; Bureau of Diplomatic Security, U.S. Department of State; the Richmond Police Department; and the Chesterfield County Police Department.
Federal prosecutions for the Task Force are handled by the United States Attorney's Office and the Office of the Attorney General for the Commonwealth of Virginia. For more information on the Task Force, including assistance for victims of identity theft, visit: www.richmondIDtheft.com.
Special Assistant U.S. Attorney and Senior Assistant Virginia Attorney General David W. Tooker is prosecuting the case on behalf of the United States.

CYBERCRIMES UNIT PREVENTS CRIMES ONLINE
Baltimore, MD - The Baltimore Police Department's Cyber and Electronic Crimes Unit arrested 40-year-old David Frazier of Owings Mills, Md., on May 22, on charges of sexual solicitation of a minor. Frazier was taken into custody when he showed up to meet Detective Sergeant Lewis Yamin, who posed as a 13-year-old girl. A search and seizure warrant was executed at Frazier's home, where several computers and paraphernalia were seized. Sergeant Yamin, who is dedicated to going after sexual predators, says, "If these guys are online chatting with me, they could also be chatting with your kids."

CFO SINK: TAMPA DUO ARRESTED FOR OVER $40,000 IN PIP-RELATED FRAUD
Tampa, FL - Florida Chief Financial Officer Alex Sink today announced the arrest of two Tampa women on charges they allegedly billed insurance companies for over $40,000 in Personal Injury Protection (PIP)-related fraud charges. Emilia Morejon, 34, and Yusdelin Castillo Valdes, 24, of Tampa are alleged to have submitted fraudulent bills totaling over $40,000 to several insurance carriers. Morejon, owner of Personal Injury Clinic, and Valdes, the clinic receptionist, submitted fraudulent bills for treatment not rendered. The two were arrested Monday, booked into a Hillsborough County jail, and charged with Second Degree Insurance Fraud and Patient Brokering. If convicted, they could potentially face up to 15 years in prison. The Department of Financial Services, Division of Insurance Fraud (DIF), was assisted in the investigation by the National Insurance Crime Bureau (NICB) and AIG Insurance. The cost of insurance fraud is estimated at as much as $1,400 a year in premiums for the average Florida family. The DIF investigates various forms of fraud in insurance, including health, life, auto, property and workers' compensation insurance. Depending on the estimated loss amount, the department will pay up to $25,000 for information directly leading to an arrest and conviction. Anyone with information about this or any other suspected insurance fraud is asked to call the department's Fraud Fighters Hotline at 1-800-378-0445 or log on to www.MyFloridaCFO.com/fraud. Complaints can be tracked online.

FORMER STATE EMPLOYEE PLEADS GUILTY TO EMBEZZLEMENT
Las Vegas, NV - Nevada Attorney General Catherine Cortez Masto announced today that John E. Delap III, age 30, of Las Vegas, has pled guilty to two Category B felony counts of Theft with a Value of Property in Excess of $2,500.00, in connection with his former employment as the Deputy Executive Director of the Nevada State Board of Osteopathic Medicine. Each count carries a possible sentence of 1 to 10 years in prison. "The Attorney General's office takes charges of misconduct by State employees very seriously, particularly when the misconduct involves theft of public funds," said Attorney General Masto. "Anyone with knowledge of such activities by State employees should report it to the Attorney General's office for investigation." Delap's guilty plea follows an extensive investigation conducted by the Attorney General's Bureau of Criminal Justice, which revealed that during his employment by the Nevada State Board of Osteopathic Medicine between November 2004 and January 2006, Delap embezzled $60,698.54 of the Board's money by forging checks made payable to himself and others, illegally obtaining and using a State Board credit card to purchase personal items and embezzling additional funds to pay off the credit card debt and hide the embezzlement. The sentencing hearing in this matter is scheduled for September 9, 2008 at 8:30 in District Court Department 15.

POSING AS GIRL, RETIRED COP NABS PREY
Diamond, MO - No one will ever confuse Jim Murray with a teenager. His tall frame, broad shoulders and clipped gray hair give him away for the grandfather he is. But the 69-year-old retired police chief of this small Missouri town cuts a credible figure as a 13-year-old girl surfing the Web, looking for friends. He knows all the instant-messaging shorthand, the emoticons. Murray's retirement job from a rural home office has netted 20 arrests since he started in 2002. His latest catch was the biggest: four felony enticement charges against a town mayor, who after his arrest called Murray up and begged him to make the case go away. The nineteen other defendants include a Missouri furniture company executive, an Arkansas professor and a Tulsa, Okla., school security guard. Ten of those men have been convicted and sent to prison. One was deported. The other cases are still pending. The defendants ranged in age from 24 to 62, with an average age of 39.4 years, and they mainly come from Missouri, Arkansas and Oklahoma, Diamond police said. Internet child safety experts say police officers like Murray are heroes who do good work at the cost of wading through the muck of online pedophile fantasies. "He's a trailblazer. 2002 was very early for smaller police departments to start doing this," said Parry Aftab, executive director of Wiredsafety.org, a children's Internet safety group. Murray, who taught elementary school for 27 years before switching to police work, is more humble. "This is really about the kids," he said. The first thing he hands a reporter at the start of an interview is a neat packet of newspaper stories about Kacie Woody, a 13-year-old girl in neighboring Arkansas who was abducted, raped and killed by a man she met online. It's not a case Murray worked on. Instead, he said, it's a motivator.
Murray said he manages to shake the online conversations out of his head after a while, but they can still make him angry. "There'll be times when you just want to reach through the screen and choke them or slap them," he said. "To think they could talk that way to a girl." The latest defendant is Allen Kauffman, 63, who resigned as mayor of Collins and pastor of Temple Lot Church after he was arrested Jan. 11 at home in his small town about 110 miles southeast of Kansas City. Kauffman declined Wednesday to discuss the specifics of his case, including how he plans to plea, and his lawyer did not return a phone message. Kauffman did not propose an actual meeting in any of the exchanges listed in the charging documents. But according to court documents, prosecutors say Murray was logged into a Yahoo! chat room as a 13-year-old girl named "cindyndiamond" using the screen name "Cin" when he was first contacted Nov. 15 by "duke dukead," who prosecutors allege was Kauffman. Duke contacted Cindy again the next day and said he was 55 years old. The exchange included: Cin: "i like to french kiss ... senior boy taught me." duke dukeadk: "but it depends on where you want to be kissed at lol." In at least five instant-message sessions through mid-December, Duke allegedly went on to tell Cindy he wanted to have sex with her, asked for nude photos of her and suggested Cindy have sex with another girl in front of a Webcam so that Duke could watch. Murray has arrested other men arriving for trysts they believed they were setting up with the detective's teenage persona. Murray was chief of police in the farm town of Diamond from 1995 to 2000. He got a personal computer after retiring and discovered chat rooms, and was angered when he was offered pictures of young girls. He contacted experts in the field of Internet sting operations and got training from the National White Collar Crime Center on basic computer data recovery.
Now, Murray patrols the Web from a cramped home office divided between his police computer and a personal computer ringed with photos of his six grandchildren and three adult kids. Murray remains a detective on reserve status with the Diamond police, but he donates his investigation time. He says he only spends about 30 minutes a week on average in chats but several hours more going over hard drives of arrested suspects looking for contacts with other potential victims.
"Several people have stopped me at Wal-Mart and the filling station and said they appreciate what we're doing on the Internet stuff. And that's a good feeling."

Cyber-Riots

Continued from page 37 The next question to ask is: If a ragtag gang of cyber-rioters and a couple of hired botnets could shut down a small country for denial-of-service attack against the infrastructure of another government? When such an attack is conducted, at what point does the attack constitute casus belli, an Act of War, resulting in traditional military retaliation? In the 2008 Annual Threat Assessment of the Intelligence Community for the Senate Armed Services Committee, there is specific mention of nations, including Russia and China, have the technical capabilities to target and disrupt elements of the U.S. information infrastructure19 Perhaps the most important question, Can this happen in the United States?, has been addressed in Washington; in addition to land, water, and sky, National Security departments have extended United States military superiority into cyberspace. The most publicized military department addressing cyber attacks came about in 2008, when the United States Air Force formed the Air Force Cyber Command to directly combat and defend against the threat of a cyber attack against the United States20. The U.S. Air Force; however, is not the only branch of the military addressing the possibility of an attack against the United States on the digital front. The Navy created the Naval Network Warfare Command and the Army established the Network Enterprise Technology Command (NETCOM).

Perhaps the next war will not be fought entirely with tanks and guns, but also with computers and keyboard. q References SeeEstoniaentryintheCIAWorldFactbook: https://www.cia.gov/library/publications/theworld-factbook/geos/en.html 2. See BBC news article Tiny Estonia Leads Internet Revolution: http://news.bbc. co.uk/2/hi/europe/3603943.stm
1. 3.

9.

Notes (continued)

The author's translation from Russian to English is not meant to be taken literally, but as a general expression of the message.

4. A traffic flood is a denial-of-service attack in which more connections are made to a server than the server can handle. In a SYN flood the attacking system sends SYN (synchronize) packets with spoofed source addresses to the target. The target answers each one with a SYN-ACK, but because the source address does not belong to the real sender (or to any live host), no ACK (acknowledge) packet ever comes back, and the target holds each half-open connection until it times out. Eventually the target's connection backlog is exhausted and legitimate connections are refused. An ICMP ECHO flood is synonymous with a ping flood, in which the attacking machine rapidly and repeatedly pings the target machine.

5.

6.

7. Site referenced is viewable at: http://w8lk8dlaka.livejournal.com/52383.html

8. The ping command simply sends a packet of data requesting the remote machine to respond if it is online and available.

10. Gadi Evron, a renowned expert on botnets, helped in Estonia's defense and wrote the post-mortem analysis of the attacks. See Gadi Evron's presentation online at: http://chaosradio.ccc.de/media/camp/2007/video/CCCamp2007-2050-enestonia_information_warfare.m4v

11. Botnets are massive quantities of compromised "zombie" computers geared toward being a platform for denial-of-service attacks. In a denial-of-service attack, the amount of traffic generated by the botnet is more than the victim machine can handle, thereby not allowing legitimate connections to be established to the victim machine.

12. See The Guardian article "Russia accused of unleashing cyberwar to disable Estonia": http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

13. See "Estonia and Russia | A cyber-riot": http://www.economist.com/displayStory.cfm?Story_ID=E1_JTGPVJR

14. See The Guardian article "Russia accused of unleashing cyberwar to disable Estonia": http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

15. Nashi ("Ours!") is a government-sponsored Russian youth anti-fascist movement.

16. See article at Swiss Baltic Chamber of Commerce in Lithuania: http://www.sbccchamber.com/index.php?lng=en&page_id=60&news_id=888

Paraben Corporation
Comprehensive Digital Forensic Solutions: Technology, Training, Testimony. The forensic process begins in the field and ends in our courts. Do you have the technology and training you need to combat the 360 degrees of the digital forensic process?
801.796.0944 | email: forensics@paraben.com | www.paraben.com
Copyright 2008 Paraben Corporation. All rights reserved.

58 | Informant: July–December 2008

17. See the Annual Threat Assessment of the Intelligence Community for the Senate Armed Services Committee: http://armedservices.senate.gov/statemnt/2008/February/McConnell%2002-27-08.pdf
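The endnotes above describe a SYN flood (half-open connections left waiting for an ACK that never arrives) and an ICMP echo (ping) flood. The following is an added example, not code from the original article, showing how both would be spotted in a packet summary. The one-line-per-packet format ("seconds proto src dst flag"), the sample capture and the thresholds are all constructed assumptions; the addresses are documentation ranges.

```python
"""SYN-flood and ICMP echo-flood detection over a constructed packet summary.

Added example; not code from the original article. The input format is an
assumed one-line-per-packet summary: "<seconds> <proto> <src> <dst> <flag>",
where flag is SYN, SYN-ACK, ACK or ECHO-REQ. Thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

SERVER_IP = "198.51.100.5"          # the target (documentation address)
SERVER = f"{SERVER_IP}:80"


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    dst: str
    flag: str


def build_sample_log():
    """Constructed capture, not real traffic: two clients that complete the
    three-way handshake, eight spoofed SYNs whose SYN-ACK goes to hosts that
    never answer, and thirty echo requests in one second from one source."""
    lines = []
    for i, client in enumerate(("192.0.2.10:40001", "192.0.2.11:40002")):
        t = 0.5 * i
        lines += [f"{t:.2f} TCP {client} {SERVER} SYN",
                  f"{t + 0.01:.2f} TCP {SERVER} {client} SYN-ACK",
                  f"{t + 0.02:.2f} TCP {client} {SERVER} ACK"]
    for i in range(8):
        t = 1.0 + 0.05 * i
        spoofed = f"203.0.113.{i + 1}:1024"
        lines += [f"{t:.2f} TCP {spoofed} {SERVER} SYN",
                  f"{t + 0.01:.2f} TCP {SERVER} {spoofed} SYN-ACK"]
    for i in range(30):
        lines.append(f"{2.0 + i / 30:.3f} ICMP 198.51.100.77 {SERVER_IP} ECHO-REQ")
    lines.append(f"6.00 ICMP 192.0.2.12 {SERVER_IP} ECHO-REQ")   # one ordinary ping
    return "\n".join(lines)


def parse_log(text):
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, flag = line.split()
        packets.append(Packet(float(ts), proto, src, dst, flag))
    return packets


def half_open_connections(packets, server, timeout=3.0):
    """Client endpoints whose SYN to `server` was never followed by their ACK
    and is older than `timeout` seconds at the end of the capture. These are
    the half-open entries a SYN flood leaves in the server's backlog."""
    syn_seen = {}          # client endpoint -> time of its first SYN
    completed = set()
    end = max(p.ts for p in packets)
    for p in packets:
        if p.proto != "TCP" or p.dst != server:
            continue
        if p.flag == "SYN":
            syn_seen.setdefault(p.src, p.ts)
        elif p.flag == "ACK" and p.src in syn_seen:
            completed.add(p.src)
    return sorted(c for c, t in syn_seen.items()
                  if c not in completed and end - t >= timeout)


def peak_echo_rate(packets, target, window=1.0):
    """Highest count of ICMP echo requests to `target` from one source in any
    `window`-second bucket, and that source."""
    buckets = Counter()
    for p in packets:
        if p.proto == "ICMP" and p.flag == "ECHO-REQ" and p.dst == target:
            buckets[(int(p.ts // window), p.src)] += 1
    if not buckets:
        return 0, None
    (_, src), count = buckets.most_common(1)[0]
    return count, src


def assess(packets, server_ip, server_port=80, half_open_limit=5, echo_limit=20):
    """Flag a SYN flood when too many half-open connections accumulate and an
    echo flood when one source exceeds `echo_limit` pings per second."""
    half_open = half_open_connections(packets, f"{server_ip}:{server_port}")
    echo_count, echo_src = peak_echo_rate(packets, server_ip)
    return {
        "half_open": len(half_open),
        "syn_flood": len(half_open) >= half_open_limit,
        "echo_per_second": echo_count,
        "echo_flood": echo_count >= echo_limit,
        "echo_top_source": echo_src,
    }


if __name__ == "__main__":
    print(assess(parse_log(build_sample_log()), SERVER_IP))
```

Two caveats for anyone adapting this. A real SYN flood uses random source addresses, so the useful signal is the number of distinct half-open sources against the server, not repeat traffic from one source; and a server protected by SYN cookies does not keep backlog state for unanswered SYN-ACKs, so the half-open count on the wire no longer predicts exhaustion there, although the bandwidth consumed by the flood still does.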

Broadband Theft
Continued from page 39

...information. It was found that he had a set of high-end tools installed on his system and the "Hero" hacking modem. He also owned three storage media devices of 800 GB apiece and a set of CD, DVD and Blu-ray discs. All of the teenager's equipment was confiscated as evidence and the teen was taken into custody.

Cyber criminals have existed in the past and will continue to thrive in the future. A remedial tip against malicious activity is to practice legitimate usage of the Internet. A good Internet culture should grow from our homes, schools and colleges and spread to the surrounding society. The cyber police, e-security and law enforcement have to catch up with new technologies and crime techniques.

The Resource Centre for Cyber Forensics (RCCF) at C-DAC (Centre for Development of Advanced Computing), Thiruvananthapuram, is a core competency centre in cyber forensics established by the Department of Information Technology (DIT), Government of India. Our mission is to attain self-reliance in information security and cyber forensics. The centre helps create awareness about cybercrime, supports the investigation of cybercrime, and provides cyber forensic analysis services with a state-of-the-art cyber forensics lab. We are striving to build responsive and preventive measures for tackling cybercrime. We are happy to be part of the global community working to combat high-tech crime across the world.

About the Author
T.R. Sreekanth is a Cyber Forensic Analyst with the Resource Centre for Cyber Forensics (RCCF) in India. Sreekanth holds a master's degree in computer applications in addition to working expertise in the field of cyber forensics and cyber security. Sreekanth regularly interacts with and assists investigators from law enforcement in Kerala, India. He also gives lectures and presentations as an instructor for the various training programs conducted by RCCF across the country.

Combating Adaptive Adversaries
Continued from page 45

The analysis concludes with the identification of a large number of servers involved in communication with the attacking IP. Using a linking algorithm based on their coordinated behavior, the analyst quickly sees that the compromised servers communicate with a central grouping of four IP addresses.

In a very short span of time, the analyst was able to begin with a known attack signature, use the platform to identify the depth of compromise, and develop additional patterns of intrusion that were not initially identified by the automated defense systems. The human brain has a truly remarkable ability to identify behaviors it has never seen before. The next generation of cyber defense and intrusion analysis systems will capitalize upon this ability by finding ways to better integrate the human and the cyber defender. A full-spectrum cyber intrusion detection and analytical capability will only have a real impact if it includes human-mediated analytical tools and techniques. These tools identify and map previously unknown attack vectors before feeding this information back into signature- and heuristic-based defense and analysis toolsets. The application used in this article was developed by Palantir Technologies in order to demonstrate the capabilities required to perform powerful analysis on large sets of cyber data. For more information, visit www.palantirtech.com.

About the Author
Carl Cohen is a cyber crimes researcher and network analyst working with Palantir Technologies' government team. He joined Palantir in 2006 and is currently supporting a number of deployments in the computer network defense space.

Palantir Technologies was founded in the summer of 2004 by the same team that founded and led PayPal, in order to bring similar methodologies to the defense, intelligence, and law enforcement communities.

References
1. Saydjari, O. Sami, "Cyber Defense: Art to Science," Communications of the ACM, March 2004, Vol. 47, No. 3.
2. Kassner, Michael, http://blogs.techrepublic.com.com/networking/?p=482, accessed August 14, 2008.
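The Combating Adaptive Adversaries continuation above describes the pivot its analyst made: start from the attacking IP, collect the servers it communicated with, then use a linking step over their coordinated behavior to find the small group of addresses those servers share. The block below is an added example of that linking step, not Palantir's code or data. Every address, the flow tuple (src, dst, bytes) and the score threshold are constructed assumptions; the point it adds is that "shared by the compromised hosts" is only meaningful relative to a baseline of clean hosts, otherwise DNS and file servers show up as hubs too.

```python
"""Link analysis over constructed flow records: pivot from a known attacking
IP to the hosts it touched, then find the destinations those hosts share
that ordinary hosts do not. Added example; not Palantir's code or data.
Addresses, the flow tuple (src, dst, bytes) and the score threshold are
assumptions."""

ATTACKER = "203.0.113.50"
C2 = ["198.51.100.21", "198.51.100.22", "198.51.100.23", "198.51.100.24"]
DNS, FILE_SERVER = "10.0.0.53", "10.0.0.10"
COMPROMISED = [f"10.0.1.{i}" for i in range(1, 7)]
CLEAN = [f"10.0.2.{i}" for i in range(1, 7)]


def build_sample_flows():
    """Constructed flows. Every host uses DNS and the file server; the six
    hosts the attacker contacted also beacon to three of the four C2 IPs;
    one clean host happens to touch a C2 IP once (noise)."""
    flows = []
    for i, host in enumerate(COMPROMISED):
        flows.append((ATTACKER, host, 4096))
        for j, c2 in enumerate(C2):
            if j != i % 4:                     # each host skips one C2 address
                flows.append((host, c2, 512))
        flows += [(host, DNS, 80), (host, FILE_SERVER, 2048)]
    for host in CLEAN:
        flows += [(host, DNS, 80), (host, FILE_SERVER, 2048)]
    flows.append((CLEAN[0], C2[0], 300))
    return flows


def contacted_by(flows, ip):
    """Destinations that `ip` initiated traffic to."""
    return {dst for src, dst, _ in flows if src == ip}


def shared_destinations(flows, suspects, baseline, min_score=0.4):
    """Score each destination by how much more often suspects contact it than
    baseline hosts do: (fraction of suspects) - (fraction of baseline).
    Infrastructure everyone uses scores near zero; C2 scores high."""
    pairs = {(src, dst) for src, dst, _ in flows}

    def fraction(group, dst):
        return sum((h, dst) in pairs for h in group) / len(group)

    candidates = {dst for src, dst in pairs if src in suspects}
    scored = {}
    for dst in candidates:
        score = fraction(suspects, dst) - fraction(baseline, dst)
        if score >= min_score:
            scored[dst] = round(score, 2)
    return scored


def link_analysis(flows, attacker):
    """Return (hosts the attacker contacted, scored hub destinations)."""
    suspects = contacted_by(flows, attacker)
    internal = {src for src, _, _ in flows if src != attacker}
    baseline = internal - suspects
    return suspects, shared_destinations(flows, suspects, baseline)


if __name__ == "__main__":
    suspects, hubs = link_analysis(build_sample_flows(), ATTACKER)
    print(sorted(suspects), hubs)
```

On real flow data the baseline should be hosts of the same role (other web servers, not workstations), since role differences alone produce destinations the suspects share and the baseline does not; the threshold is then tuned so that known shared infrastructure scores at or near zero.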


Macintosh Forensics
Continued from page 46

Even Apple itself has recognized that law enforcement and investigators need assistance in dealing with Macintosh computers and devices. To address this demand, Apple has sponsored several seminars, webcasts, and support pages devoted to digital investigations. The private sector has also recognized the need for training in this area; several companies now offer both introductory and advanced training in Macintosh forensics. As I mentioned previously, colleges are also beginning to offer courses for law enforcement, private sector, and traditional students in Macintosh forensics and other non-Windows file systems (for example, Linux). Although it is very difficult to keep up with every one of the latest trends, we need to be extremely careful that we do not develop blind spots in our investigative abilities. If your lab or investigative department currently lacks the ability to deal with Macintosh computers or devices, you have a glaring blind spot that needs to be addressed.

References
Forensic software for Macs:
http://www.macforensicslab.com
http://www.blackbagtech.com

Books:
Seibold, C. (2008). Big Book of Apple Hacks, first edition. Sebastopol, CA: O'Reilly.
Singh, A. (2006). Mac OS X Internals: A Systems Approach. Indianapolis: Addison-Wesley.

URLs:
http://www.cyberforensics.purdue.edu
http://www.seminars.apple.com/seminarsonline/forensics/apple/index.html?s=207&locs=us_en
http://www.macosxforensics.com

List servers:
appleforensics@lists.apple.com

Cyber Security Training
Web-Based Cyber Security Training: training to protect America's information infrastructure!
Sponsored by the Department of Homeland Security. Free of charge to U.S. citizens. To receive additional information about ACT-Online (Adaptive Cyber-Security Training Online), go to www.act-online.net or contact Susan Lee (256.428.3653) or Tammy Alexander (901.678.1521).
This project is supported by Cooperative Agreement Number 2006-GT-T6-K009, administered by FEMA, National Preparedness Directorate, National Integration Center, Training and Exercise Integration, to the University of Memphis Center for Information Assurance.

Company Stores
Our company stores are constantly growing. Each agency has an array of products exclusive to its own organization. Embroidered apparel, luggage, plaques, watches and patches are among the many products we offer in our company stores. "Your good name on our good products."
c/o Success Center Inc., 1292 State Route 5, Unit B, Chittenango, NY 13037. Phone 315.687.7800, fax 315.687.7878, Service@CopShop.Com


NW3C Cartoons
Cartoonist: Craig Butterworth. Captions: CHRISTI RNTJESILETS.

Panel 1: "Busted!" / "So many credit cards, so little time!" / "Downloading files now..."
Panel 2: "How's that new hack-back program working?" / "Real good! Got one on the line now! I'm feeding him Google Earth coordinates!"
Panel 3 (No Fly list: Peter Pan, Tinker Bell, Captain Hook, Mr. Smee, Wendy, Lost Boys): "What do you mean we're on the No Fly list?"



Memphis is here!
National White Collar Crime Center Crime Summit, October 6-8, 2008, Memphis, TN.
Sponsors: Microsoft; Philip Morris USA, an Altria Company; American Military University.