
NW3C Remembers Our Member Agencies' Heroes Killed in the Line of Duty*

07/16/07 - 01/20/08
Detective Corporal Kenneth Armstrong, Montgomery Police Department, AL
Policeman Walter T. Barclay, Jr., Philadelphia Police Department, PA
Officer Eric Barker, DeKalb County Police Department, GA
Officer Scott Eric Bell, Jacksonville Sheriff's Office, FL
Special Deputy Stephen Bollinger, Franklin County Sheriff's Department, OH
Officer Ricky Bryant, Jr., DeKalb County Police Department, GA
Officer Madeline Carlo, New York City Police Department, NY
Officer Germaine Casey, Rio Rancho Department of Public Safety, NM
Officer Charles Cassidy, Philadelphia Police Department, PA
Officer George Valentino Cortez, Jr., Phoenix Police Department, AZ
Officer Nicki James Erfle, Phoenix Police Department, AZ
Officer Brian Evans, Mansfield Police Department, OH
Officer William Eric Freeman, Huntsville Police Department, AL
Officer Alfred L. Gordon, Sr., Orlando Police Department, FL
Sergeant Ron Harrison, Hillsborough County Sheriff's Office, FL
Sergeant Gary Wayne Henderson, Shelbyville Police Department, IN
Deputy Constable David Joubert, Harris County Constable's Office Precinct 7, TX
Officer Michelle A. Lawless, Florida Fish and Wildlife Conservation Commission/Special Operations Coordination, FL
Trooper Brian W. Linn, West Virginia State Police, WV
Deputy Sheriff Gary D. McCormack, Greene County Sheriff's Department, MO
Deputy Sheriff Chad McDonald, Bibb County Sheriff's Office, GA
Trooper Brian McMillen, Illinois State Police, IL
Deputy Sheriff Jason Edward Mooney, Stafford County Sheriff's Office, VA
Detective Mario Moreno, San Antonio Police Department, TX
Deputy Sheriff Vu Nguyen, Sacramento County Sheriff's Department, CA
Deputy Sheriff Paul Rein, Broward County Sheriff's Office, FL
Sergeant Christopher Reyka, Broward County Sheriff's Office, FL
Sergeant Michael Ryan, New York City Police Department, NY
Detective Jarrod Shivers, Chesapeake Police Department
Officer Jose Somohano, Miami-Dade Police Department, FL
Deputy Chief George Stanford, Cheyenne Police Department, WY
Officer Matthew B. Thebeau, Corpus Christi Police Department, TX
Deputy Sheriff Jonathan D. Wallace, Palm Beach County Sheriff's Office, FL

Informant: January 2008 June 2008

Deputy Sheriff Donta J. Manuel, Palm Beach County Sheriff's Office, FL

*WWW.ODMP.ORG

Informant

Contents

Features:

Crime Online
The Feature Section Crime Online starts off with an Introduction from Lt. Charles Cohen, Indiana State Police.
Lt. Charles Cohen

Growing Challenge of Computer Forensics
In police agencies across the country, there are backlogs of computers and devices awaiting examination. Is there a solution on the horizon?
Lt. Charles Cohen

Cyberbanging
This dangerous new fad is spreading across the country and the world. Read how violent and brutal gangs like MS-13 are using the anonymity of online social networks to further their cause.
Jessica Bennett & Nick Newman

Hooked on Phorensics
Purdue professor leads team of grad students in developing a free resource for law enforcement that will take the guesswork out of processing portable digital devices.
Tim Wedge & Rick Mislan

Q & A with Steve DeBrota
With a conviction rate in cybercrime cases of 100% since 1991, Cyber Criminals are no match for this Federal Prosecutor.
Craig Butterworth

On-Site Forensics Examinations
Are on-site forensics examinations the future of crime scene investigations?
Loreal Bond

http://informant.nw3c.org


In This Issue:

NW3C Kicks Off the VA Support Center

On the Road with BJA
National Intelligence Symposium
NW3C's 2007 Global Conference
The Fraudulent Paper Blizzard
CY-FI: The Future of Cyber Forensics
You've Got Mail! Hit-Man E-mails
The Patriot Act
Thomas R. Nash Jim Foley Craig Butterworth

Loreal Bond

Regional Training Seminars help our nation fight crime and terrorism.


Does Money Matter?
IC3 Trends

Jason Boone

Case Highlights

Jamie Sellaro

Instructor Spotlight
Behind the Scenes


Scott Pancoast

Laura Kenny

CY-FI: The Future of Cyber Forensics

Purdue University's Dr. Marc Rogers leads the discussion on virtualization in this first installment of his new column. Read about a new topic in every issue!

Investigating Intellectual Property Crime
The High Cost of Counterfeiting


Sgt. James Lackey

Dr. Marcus K. Rogers

Chronic Criminals

Sgt. David Miller

Insurance Fraud 101


Cory Cox

Detective Steve Williams

Rodney Huff

Combating 419 Fraud


Lisa McBee

Lucy Carrillo

This international business is on the rise, and has been connected to terrorist fund-raising activities.


Member Success Stories
NW3C Cartoons


Editorial Staff: Dr. Marcia Williams, Loreal Bond, Craig Butterworth

Graphic Design Team: Lindsey Bousfield, Jaycen Saab

On the Cover: Lt. Charles L. Cohen, Indiana State Police

Special Contributors

Lieutenant Charles L. Cohen, Indiana State Police
Lt. Cohen serves the Indiana State Police, where he has been employed for thirteen years. He is currently the Commander of the Special Investigations and Criminal Intelligence Sections. In this capacity, Lt. Cohen is responsible for the cybercrime, white collar crime, vehicle crime, and crimes against children units along with overseeing the department's overt and covert criminal intelligence function. He is cross-designated as a Special Deputy United States Marshal. Before his current assignment, he spent five years assigned to the United States Attorney's Office for the Southern District of Indiana, where he conducted federal and state political corruption, organized economic crime, and cybercrime investigations. Lt. Cohen speaks nationally on topics including cybercrime, online fraud, money laundering, corruption investigation, and the investigation of skilled criminal offenders. He is an Adjunct Professor at Indiana University Bloomington, where he teaches Foundations of Criminal Investigation.

Marc Rogers, Ph.D., Purdue University
Marc Rogers, Ph.D., CISSP, CCCI is the Chair of the Cyber Forensics Program in the Dept. of Computer & Information Technology at Purdue. He is an Associate Professor and a research faculty member at the Center for Education and Research in Information Assurance and Security (CERIAS). Dr. Rogers is a member of the quality assurance board for (ISC)²'s SCCP designation, and is the International Chair of the Law, Compliance and Investigation Domain of the Common Body of Knowledge (CBK) committee. He is a former police detective who worked in the area of fraud and computer crime investigations. Dr. Rogers is the co-editor of the Journal of Digital Forensic Practice and the Journal of Digital Forensics Security and Law, and sits on the editorial board for several other professional journals.

Steve DeBrota, Assistant U.S. Attorney, U.S. Department of Justice, Southern District of Indiana
Steve DeBrota graduated in 1986 from Butler University in Indianapolis with majors in Physics and Political Science. He then received a law degree in 1989 from the Indiana University School of Law in Bloomington. After working in the litigation section of a large law firm, he was appointed an Assistant United States Attorney in 1991 with the U.S. Attorney's Office in the Southern District of Indiana. He is also an expert in the investigation and prosecution of crimes on the Internet and the use of computer forensic evidence, having frequently lectured and written on these subjects.

Cailin McDonnell, Administrative Support Specialist, NW3C
Cailin McDonnell recently joined our staff as a part-time Administrative Support Specialist. She is currently pursuing a master's degree in criminal justice at Virginia Commonwealth University. Along with school and work, Cailin finds time to help others, serving as a Graduate Teaching Assistant.

Christian Desilets, J.D., Research Attorney, NW3C
Christian Desilets is a research attorney for the NW3C. A member of the West Virginia State Bar, Christian graduated from the Georgetown Law Center in 2001. He did his undergraduate work at Mississippi State University (MSU), studying sociology, computer science and criminal justice. At MSU, Christian was awarded Alpha Kappa Delta's Sociology Undergraduate of the Year award (1997). Christian's areas of expertise include investigating the nexus between white collar crimes and the advances of technology. Prior experience with software and web-based utility patents, the Internet and intellectual property issues provide invaluable insights to our members requesting assistance with the investigation and prosecution of high-tech and white collar crimes. Christian is a Contributing Editor for the Informant Magazine.

NW3C Board of Directors: Glen Gainer, III; Denise Crawford; Paul Cordia; Michael Brown; Kathleen Kempley; Sean M. Rooney; Christopher Cotta

NATIONAL WHITE COLLAR CRIME CENTER


This project was supported by Grant No. 2007-WC-CX-K001 awarded by the Bureau of Justice Assistance. The Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent the official position or policies of the United States Department of Justice.

New NW3C Members


NW3C welcomes its new members. The following agencies became members between August 2007 and January 2008!

GREAT LAKES


National Center for Victims of Crime, DC
Pension Benefit Guaranty Corporation Office of Inspector General, DC
U.S. Department of Education - Office of Inspector General, DC
Bloomington Police Department, IN
Brown County Prosecutor's Office, IN
Michigan City Police Department, IN
Whitley County Sheriff's Department, IN
Calvert County Sheriff's Office, MD
Frederick Police Department, MD
Queen Anne's County Sheriff's Office, MD
Michigan Bureau of State Lottery - Security & Investigations Section, MI
Van Buren County Sheriff's Office, MI
Bayonne Police Department, NJ
Brick Township Police Department, NJ
Clifton Police Department, NJ
Paramus Police Department, NJ
Cobleskill Police Department, NY
East Fishkill Police Department, NY
Geddes Police Department, NY
Orange County District Attorney's Office, NY
Stony Point Police Department, NY
U.S. Secret Service - J.F.K. Resident Office, NY
Canton Police Department, OH
Cleveland State University Police Department, OH
Ohio Office of the Inspector General, OH
Ohio University Police Department, OH
Painesville Police Department, OH
Parma Heights Police Department, OH
Williams County Sheriff's Office, OH
Youngstown Police Department, OH
Fayette County District Attorney's Office, PA
Greensburg Police Department, PA
Internal Revenue Service - Criminal Investigation - Lead Development Center-Philadelphia, PA
U.S. Probation & Pretrial Services Office Western District of Pennsylvania, PA
Upper Saucon Township Police Department, PA
West Shore Regional Police Department, PA

Washington County Sheriff's Office, NE
Madison Police Department, WI
McFarland Police Department, WI
Wisconsin Department of Agriculture, Trade & Consumer Protection - Office of Privacy Protection, WI

MOUNTAIN
Apache Junction Police Department, AZ
Fort McDowell Yavapai Nation Tribal Gaming Office, AZ
Mammoth Police Department, AZ
Maricopa County Adult Probation Department, AZ
Nogales Police Department, AZ
U.S. Department of Homeland Security Office of the Inspector General-Tucson Field Office, AZ
U.S. Department of Justice - Bureau of Alcohol, Tobacco, Firearms & Explosives-Phoenix Field Division, AZ
Alma Police Department, CO
Brighton Police Department, CO
Colorado 20th Judicial District Probation Department, CO
Elbert County Sheriff's Office, CO
Grand Junction Police Department, CO
Montezuma County Sheriff's Office, CO
Monument Police Department, CO
Missoula County Sheriff's Office, MT
Mesilla Marshal's Department, NM

MIDWEST
Lamoni Police Department, IA
Downers Grove Police Department, IL
Homewood Police Department, IL
Illinois Department of Corrections, IL
Illinois North East Multi-Regional Training Mobile Unit 3, IL
Rolling Meadows Police Department, IL
U.S. Department of Homeland Security Immigration & Customs Enforcement - Field Intelligence-Chicago, IL
Coffey County Sheriff's Office, KS
Derby Police Department, KS
Osborne County Sheriff's Department, KS
Moorhead Police Department, MN
Olmsted County Sheriff's Office, MN
Boone County Sheriff's Department, MO
Clay County Sheriff's Office, MO
Dent County Sheriff's Department, MO
Grundy County Sheriff's Office, MO
Kahoka Police Department, MO
Mineral Area College Department of Public Safety, MO
Montgomery City Police Department, MO
Montgomery County Sheriff's Department, MO
New Florence Police Department, MO
Osage Beach Department of Public Safety, MO

NORTHEAST
Darien Police Department, CT
Monroe Police Department, CT
Redding Police Department, CT

Total Member Agencies as of January 9, 2008: 2,735



Seymour Police Department, CT
Auburn Police Department, MA
Sandwich Police Department, MA
Seekonk Police Department, MA
Stonehill College Police Department, MA
Taunton Police Department, MA
U.S. Postal Inspection Service - Boston Division, MA
Westborough Police Department, MA
Conway Police Department, NH
Winchester Police Department, NH
Middletown Police Department, RI

SOUTH CENTRAL
Marshall County Sheriff's Office, AL
Louisiana State University Police Department, LA
New Orleans Police Department, LA
Gulfport Police Department, MS
U.S. Probation Service - Southern District of Mississippi, MS
McClain County Sheriff's Office, OK
U.S. Probation Office - Western District of Oklahoma, OK
Comal County Sheriff's Office, TX
Franklin County Sheriff's Office, TX
Harlingen Police Department, TX
Huntsville Police Department, TX
Kaufman County District Attorney's Office, TX
Seguin Police Department, TX

Marshall County Sheriff's Office, TN
Falls Church Police Department, VA
Franklin County Office of the Commonwealth's Attorney, VA
Goochland Sheriff's Office, VA
Lexington Police Department, VA
National Reconnaissance Office - Office of Inspector General, VA
U.S. Department of Justice - U.S. Attorney's Office-Eastern District of Virginia, VA
U.S. Postal Service - Office of Inspector General, VA
Virginia Department of Transportation, VA
Warrenton Police Department, VA
East Bank Police Department, WV
Hancock County Sheriff's Office, WV
Nitro Police Department, WV
Westover Police Department, WV
Yeager Airport Police Department, WV

INTERNATIONAL
Resource Centre for Cyber Forensics, India
Serious Fraud Office, United Kingdom
State Scientific & Research Forensics Center of the Ministry of Interior of Ukraine, Ukraine
U.K. Ministry of Defence - Defence Science Technology Laboratory - Information Management Department, United Kingdom

WEST
California Department of Insurance Enforcement Branch, CA
Lompoc Police Department, CA
Santa Clara County Sheriff's Department, CA
Santa Cruz Police Department, CA
Sonoma County District Attorney's Office, CA
U.S. Environmental Protection Agency Criminal Investigation Division - Los Angeles Field Office, CA
Whittier Police Department, CA
Hawaii County Prosecuting Attorney's Office, HI
Pendleton Police Department, OR
Yamhill County Sheriff's Office, OR
Redmond Police Department, WA
San Juan County Sheriff's Office, WA
U.S. Postal Inspection Service - Seattle Division, WA

SOUTHEAST
U.S. Department of Homeland Security - Immigration & Customs Enforcement - Ecuador, EC
Alachua County Sheriff's Office, FL
Atlantic Beach Police Department, FL
Cape Coral Police Department, FL
Marco Island Police Department, FL
Riviera Beach Police Department, FL
Barrow County Sheriff's Office, GA
Henry County Police Department, GA
Metter Police Department, GA
Morrow Police Department, GA
Mountain Judicial Circuit Office of the District Attorney, GA
Hillview Police Department, KY
Kentucky Department of Criminal Justice Training, KY
Lexington-Fayette Urban County Division of Police, KY
Murray Police Department, KY
Russellville Police Department, KY
West Liberty Police Department, KY
Wilder Police Department, KY
Buncombe County Sheriff's Office, NC
High Point Police Department, NC
Kitty Hawk Police Department, NC
Troutman Police Department, NC
Batesburg-Leesville Police Department, SC
South Carolina Department of Revenue & Taxation, SC
Henry County Sheriff's Office, TN
Madison County Department of Community Corrections, TN

Have questions about membership with NW3C? Contact Barbara Shanes, Membership Services Supervisor at 800-224-4424 ext. 3336, or by e-mail at bshanes@nw3c.org.


Thank you to the following Member Agencies for referring new members!
Albuquerque Police Department, NM
Athens City Police Department, OH
El Paso County Sheriff's Office, CO
Ellis County Sheriff's Department, KS
Federal Bureau of Investigation-Springfield Division, IL
Franklin County Sheriff's Department, VA
Greater Cleveland Regional Transit Authority Police Department, OH
Hilliard Division of Police, OH
Kentucky Department of Criminal Justice Training, KY
Monona Police Department, WI
Montana Department of Administration - Lottery, MT
New York State Police, NY
North Carolina State Bureau of Investigation, NC
Northern California Computer Crimes Task Force, CA
Ohio Bureau of Workers' Compensation - Special Investigations, OH
Palatine Police Department, IL
Pinal County Attorney's Office, AZ

Member Agency Spotlight

Utah Attorney General's Office, Salt Lake City, Utah

With over two hundred prosecutors and nearly forty criminal investigators, the Utah Attorney General's Office relies heavily on investigative support services provided by NW3C. This is especially true when the Office is investigating major financial crimes that cross jurisdictional boundaries. Recently, investigators working a mortgage fraud case involving millions of dollars in fraudulent loans and over 50 suspects across several states requested help from NW3C. Investigators were in need of information that would identify and link suspects targeted by the investigation through common addresses, business associations or assets obtained as a result of fraudulent activity. NW3C provided significant investigative support information within 24 hours of the request.

The Attorney General's Office has launched a new initiative which is focusing attention on interrupting illicit activity by identifying and freezing the assets of criminal networks. In order to tackle the large multi-jurisdictional financial crimes involved, the Office needed to partner with an established investigative data-support service that was capable of drawing information from a variety of sources and consolidating it into a single report.

Part of that overall strategy involved hiring a new investigator, Steve Sperry, who has extensive experience investigating complex financial crimes. Steve was the DEA's Washington, DC Supervisory Special Agent for Financial Operations. He successfully directed investigations of major money laundering, organized crime RICO cases, massive international asset forfeiture actions, and has instructed the DEA's financial crimes investigations courses. Steve has a graduate certificate in forensic accounting and is a member of The Association of Certified Fraud Examiners. The combination of utilizing NW3C's data search resources and Steve's expertise is a powerful tool for investigating complex financial crimes and facilitating asset freezing and forfeiture.

Initial successes in this endeavor have encouraged the Attorney General's Office to continue in the direction of not only prosecuting individual criminal behavior, but also interrupting any incentives of easy money. According to Attorney General Mark Shurtleff, "this undertaking has been immeasurably empowered through our cooperative relationship with NW3C."

by Scott Morrill, Program Manager, Utah Attorney General's Office


Above: Utah Attorney General Mark Shurtleff. Left: Kirk Torgensen, Deputy Chief and Scott Morrill, Program Manager from the Utah Attorney General's Office are presented The Member Agency for Excellence Award by NW3C Director Don Brackman. The Award is presented annually to the Member Agency that has demonstrated excellence in the areas of Investigation, Regulatory Status and Community Involvement.

Members Platform

Representatives from NW3C Member Agencies share their stories, experiences and comments about NW3C services.

Vinse Gilliam
Deputy Chief Investigator, Ventura County District Attorney's Office - Bureau of Investigation, CA

As a member of NW3C, the Ventura County District Attorney's Office-Bureau of Investigation is able to take advantage of the great and useful resources offered. We often look to NW3C to assist in the case funding of major cases. With the help of NW3C, we have been able to successfully complete high dollar white collar crime cases. Of equal importance, the staff members at every level of NW3C are extremely helpful, responsive to our needs and patient with our redundant questions. While navigating through a grant request is never an easy process, the assistance, support and encouragement provided by the NW3C staff made the process almost painless.

Robert McFarland, CFCE, CIS
Detective, Computer Crimes Unit-ICAC, Corpus Christi Police Department, TX

NW3C has provided excellent training opportunities for members of the Department's Computer Crimes Unit since 1999. That training has focused on data recovery and forensics, Internet investigations, and financial crime investigations and analysis. The training provided through NW3C has been very well received by department staff because of the low cost and availability of regional training through Sam Houston State University, Huntsville, Texas. The Department receives IC3 complaints from NW3C involving local victims and suspects. The NW3C databases provide an excellent resource for identifying criminal trends and patterns. The databases also provide historical data on prior criminal activity and the linking of suspects to specific crime patterns. The resources provided by NW3C have been extremely beneficial to the Corpus Christi Police Department, and we will continue to promote and support NW3C.

Mary Ann Vallus, ACFS
Securities Investigator, Pennsylvania Securities Commission, PA

Since August of 2003, I have had the privilege of representing the Pennsylvania Securities Commission as the NW3C Agency Representative. Through this experience, I have met and communicated with the well-respected NW3C Staff for the purpose of enhancing the function of the Commission through case funding, case analysis and educational support that NW3C so generously provides. I feel so strongly that NW3C is one of the most invaluable tools in the Nationwide Law Enforcement effort to fight fraud at all levels through its ever expansive training programs, its networking opportunities, and its critical case information-sharing among agencies. So that our agency continues to benefit from the resources offered by NW3C, I look forward to attending NW3C's 2008 Summit.

Want to share how your agency benefits from NW3C Membership? Send your story and comments to bshanes@nw3c.org.


by Loreal Bond, Communications Specialist, NW3C

In December 2007, law enforcement members and academic professionals gathered to kick-start the inception of the Virginia Program Support Center. The Center is a joint partnership between NW3C, Virginia Commonwealth University and Virginia State Police. This collaborative effort between law enforcement and academia addresses the forefront of technology in the cybercrime world and will benefit from information sharing, training opportunities, and a new initiative development, the Virginia Digital Forensics Laboratory (VDFL).

The mission of the Center is to assist in the creation, support and maintenance of regional alliances between law enforcement, academia and private sector; in order to provide localized streamlined economic and cyber-crime reporting, referral, training, research and criminal investigative support based on regional needs.

Lieutenant Colonel Robert Northern from the Virginia State Police states, "The digital age creates new challenges for law enforcement and has literally changed the way we do business. This collaboration is truly a win-win for the Commonwealth and its citizens," said Lt. Northern.

Sergeant Robert Keeton of the Virginia State Police serves as the Director of the VDFL and explains that the expansion of this Center to include academia and other agencies creates more room and manpower to work through more cases. Keeton also states that the biggest challenge of digital investigations, right now, is the volume of data that is collected. Keeton says his lab has seen what would be equivalent to seven million paper documents this year alone. One case that created a lot of data was Seung Hui Cho, the Virginia Tech shooter.

Working alongside law enforcement, digital forensic students will also be part of the VDFL staff, assisting in the research and investigation of cyber cases. Here they will have the chance to experience first-hand the process of collecting, investigating and managing digital data and evidence.

The primary initiative of the VA Support Center is the establishment of the Virginia Digital Forensics Lab (VDFL). The VDFL is a regional forensics teaching and research facility that will provide a venue for Computer Evidence Recovery Unit examiners, local state and federal law enforcement agency personnel, and VCU's computer science faculty and scholars to work together. Joint projects will include the development of programs that aid in the identification of new research challenges for computer science, while enhancing the education experience for students of digital forensics.

"VCU's part in the lab will focus more on the applied research that is involved with digital investigations," stated Dr. David Primeaux, Computer Science Professor at VCU. These collaborative efforts made by law enforcement and NW3C offer great educational opportunities for internships, teaching and research.

The VA Support Center is one of many partnership Centers established between local law enforcement and academic institutions. Other Centers are located in Florida, Colorado, Indiana, Texas and West Virginia.

Photo: Lt. Colonel Robert Northern, Dr. Russell Jamison, Dean of VCU's School of Engineering and Director Don Brackman, NW3C

by Craig Butterworth, Communications Specialist, NW3C


The Bureau of Justice Assistance (BJA) was on the road again this winter, hosting a series of regional conferences around the country. For the past year, the theme of these regional training series has been "Getting It Right: Solutions for Safer Communities." Participants were offered best practices and solutions to emerging and chronic crime concerns. Guest speakers, including BJA Director, The Honorable Domingo S. Herraiz, also served up a wellspring of new information and stimulating discussion.

While the workshops primarily focused on the dos and don'ts of grant-writing, attendees also got the low-down on some of the latest in high-tech crime-fighting projects like N-Dex. This innovative information sharing system was developed by the FBI and promises to enhance the Nation's ability to fight crime and terrorism.

Some of the organizations that have participated in the regional conferences include NW3C (National White Collar Crime Center), RISS (Regional Information Sharing Systems), NCPC (National Crime Prevention Council) and GREAT (Gang Resistance Education and Training). BJA traveled to the following cities to present their regional conference: Atlanta, GA; Salt Lake City, UT; Indianapolis, IN; and Hartford, CT.

Institute for Intergovernmental Research's IIR Leadership Award

NW3C Director Don Brackman was presented with the Institute for Intergovernmental Research's (IIR) Leadership Award at NW3C's January 9th Quarterly Board Meeting held in Miami Beach, Florida. General Counsel and Vice President Bruce Buckley presented the award on behalf of IIR's Board of Trustees in appreciation of the outstanding leadership Colonel Brackman has shown as Director of the National White Collar Crime Center, and in recognition of his service and dedication to NW3C, and his support to U.S. and International law enforcement and regulatory efforts.

The Institute for Intergovernmental Research is a nonprofit research and training organization specializing in law enforcement, juvenile justice, criminal justice, and homeland security issues. IIR provides local, state, tribal, and federal law enforcement agencies with assistance needed to implement changes that promote greater governmental effectiveness.

NW3C is proud of Director Brackman and the outstanding work he does to promote the mission and the vision of our organization. On behalf of the entire NW3C staff, we offer our heartfelt congratulations.

IIR Vice President Bruce Buckley presents the IIR Leadership Award to Director Brackman.


National Intelligence Symposium for


by Jim Foley, Manager, Curriculum Development, NW3C

n August 10, 2007, nearly 100 men and women with an interest in intelligence analysis attended the first National Intelligence Symposium for Law Enforcement hosted by Liberty University in Lynchburg, VA. The one-day event was co-sponsored by Libertys Helms School of Government, The National White Collar Crime Center (NW3C), the Strategic Policies Institute, the Bedford County, VA Sheriff s Office and the Center for Security and Science. Although focused on law enforcement intelligence, the symposium included speakers and attendees from many areas of the larger intelligence community. The purpose of the symposium was to examine the need to include all levels of law enforcement from the street officer to the top executive into an agencys intelligence function. The speakers and discussions also explored the role of law enforcement in the context of counter-terrorism and homeland security. NW3C Deputy Director Mark Gage opened the symposium and spoke of the need for a solid communication connection between law enforcement officers and the intelligence community. This communication must move both vertically and horizontally, between and among various local, state and federal agencies. To improve this type of information sharing, NW3C brought together intelligence experts from law enforcement, academia, and the national security realm to assist with the development of the Advanced Criminal Intelligence Analysis to Prevent Terrorism course. This training for state and local law enforcement exemplifies the all-crimes approach to intelligence analysis used in most intelligence fusion centers. The keynote speaker, Rear Admiral Mark Kenny, Commander for the U.S. Navy Center for Expeditionary Counter-Terrorism Operations, spoke about methods to track down and deal with terrorists in various parts of the world. 
David Major, President of the CI CENTRE for Counter Intelligence and Security Study, delivered a presentation on the history of Islamic Extremism and explained how events of the past affect what is going on in today's world. Amy Pepper from the FBI's Directorate of Intelligence discussed the role of federal law enforcement in the homeland security process. Captain Tom Martin of the Virginia Fusion Center spoke about the role of fusion centers and about the history and make-up of the center he directs in Virginia.

Speakers and attendees also benefited from a presentation by Dr. Robert M. Clark, intelligence author and instructor. Clark, who teaches national security intelligence officers, spoke to the group about the importance of carefully defining your intelligence problem or objective, as well as avoiding mirror-imaging by examining the motivation and thought process of your target or enemy. As with most of the presentations, lively Q&A and discussion followed the presentation. Clark was one of the experts to assist with the NW3C intelligence course development.

The after-lunch session began with Jim Beeman of the National Ground Intelligence Center (NGIC). This U.S. Army intelligence center in Charlottesville, VA produces intelligence on foreign ground forces, as well as analytical support products for our troops in battle in such places as Iraq and Afghanistan. The process of intelligence analysis as described by Beeman showed that the steps are basically the same whether you are dealing with military, law enforcement or national security intelligence analysis. Because of the large number of military and civilian analysts needed at the facility, NGIC is another good employment opportunity for students graduating with intelligence-related degrees.

Phil Connors, the law enforcement liaison to the Intelligence Summit, spoke to the attendees about the need and the importance of ethics in law enforcement and intelligence. The final speaker of the day was James McDermond, Assistant Director of the Office of Strategic Intelligence and Information, Bureau of Alcohol, Tobacco, and Firearms (ATF). This office in the ATF is responsible for the collection of information and dissemination of intelligence within the bureau, as well as with the rest of the intelligence community.

Liberty University should be commended for the fine job of organizing and presenting this first Intelligence Symposium. The quality of the speakers, the opportunity for networking and the discussions about intelligence analysis made this an event that will, hopefully, become an annual tradition.

About the Author
Jim Foley is the manager of the Curriculum Development Team. His area of expertise is Intelligence Analysis. He is currently enrolled in the American Public University's (APU) Master's program, earning an advanced degree in Strategic Intelligence.

Informant: January 2008 June 2008

LAW ENFORCEMENT

by Craig Butterworth, Communications Specialist, NW3C

Ever since Lewis and Clark embarked on their legendary journey to the Pacific Ocean from this Midwestern port city, St. Louis has been referred to as the gateway to the west. In late October 2007, this bustling metropolis on the mighty Mississippi served as another kind of gateway: one to unparalleled cooperation in the fight against cybercrime. The sixth State of the States Cybercrime Consortium, an event hosted by the National White Collar Crime Center (NW3C), afforded investigators and prosecutors from 41 states and the District of Columbia a unique opportunity to share information and ideas.

According to NW3C Deputy Director Mark Gage, that kind of exchange is essential to the investigative process. "Without the sharing of lessons learned among the practitioners, each jurisdiction, each agency has to learn everything from the bottom up!" In addition to swapping cybercrime fighting strategies and techniques, attendees also talked about some of the common problems facing cyber forensics such as examiner certification. In an effort to remedy the problem, NW3C computer crimes manager Robert Hopper suggested investigators enrolled in IDRA and BDRA classes be given realistic problem-solving exercises as part of the certification process. "We want to set 'em up to win, not to lose!" The conference also gave investigators a better idea of how different states maintain and operate their respective labs. One issue that triggered a lot of discussion was funding and how difficult it is to obtain from the state and federal resources that are currently available.

While struggling to find answers to similar problems, investigators at the conference also got to hear about some success stories. Lucy Carrillo, Cyber Attorney with the New Hampshire Attorney General's Office, was enthusiastic about a new program that provides state and local police with remote access to crime scene evidence. The process involves making an image of an artifact and uploading that image onto a server (this would be done by a lab technician or other skilled professional on-scene). This way, an investigator can access the server and evaluate the evidence from the relative comfort of his or her office. But Carrillo points out that investigators aren't the only ones benefiting from the new high-tech gadgetry. "It's going to help with a lot of the backlog at the state lab."

The conference, billed as an informal exchange of ideas, helped identify the litany of challenges being confronted by police and prosecutors engaged in the sophisticated and sometimes frustrating hunt for cyber criminals. At the same time, the process of sharing ideas served to reinvigorate and inspire them and remind investigators that no man is an island in the vast and seemingly endless reaches of cyber space.

http://informant.nw3c.org


NW3C 2007 Global Conference A Success


by Laura Kenny, Communications Specialist, NW3C

The word "global" has become synonymous in today's society with a much smaller and complex world than was once thought possible. Voyages that a mere hundred years ago took weeks to be completed can be done in hours. Face-to-face communications across the world can happen in moments, thanks to the Internet. These technological advancements offer advantages to law enforcement, everyday users and criminals. While criminals use the Internet to target victims of all ages, law enforcement uses it to conduct surveillance and collect evidence that will lead to prosecutions. The consequences of these activities can quickly reach past local borders and into the global arena.

On October 24, 2007, NW3C held the first Global Conference on Economic and High-Tech Crime. The changing landscape brought about by technological advances and the challenges they pose was a central theme. The event was held at the Hyatt Regency Crystal City in Arlington, VA and included two and a half days of instruction on the latest cybercrimes that affect our world. Similar to previous large NW3C training events such as the Economic Crime Summits, the Global Conference provided informative sessions on a wide array of white collar crime topics.

The first session of the conference included a panel with representatives from Canada, The Netherlands, Europol and the United States that illustrated this new objective by highlighting the different challenges faced by investigators pursuing crimes that cross international borders. This session was followed by two days of presentations that discussed investigative and prosecutorial strategies that utilize the Internet in both the apprehension and prosecution of cyber criminals. Emphasis was placed on the use of new Web site tools (such as MySpace and Google Earth) to gain trust and acceptance from victims in larger areas than ever before. This forces both the detective and the prosecutor to think outside of the normal realm of investigation, such as the case illustrated by Les Lauziere, Criminal Investigator with the Office of the Attorney General, Commonwealth of Virginia. Lauziere's session centered on a local murder case that was solved through the collection of information from various online social sites including MySpace.

Another first for NW3C was a second panel session, held on Thursday, October 25, 2007 with members of the educational community. This panel discussed the changes in college curriculum surrounding white collar crime and also gave attendees the chance to voice opinions on the types of educational classes they would like institutions across the country to provide.

Over 311 attendees from three countries, 44 U.S. states and one U.S. Territory joined us at the Conference to experience the unique educational experiences that NW3C has to offer. Among those experiences was the first ever STOP class held in conjunction with the Conference. Cyber-Investigation 101 (STOP), Secure Techniques for Onsite Preview, is a two-day course that is intended for probation/parole officers, detectives, and officers conducting knock and talk interviews or spot checks and home visits. This class utilizes a Linux-based bootable CD to preview a suspect's computer system for potential evidence in a forensically sound manner. The STOP class that was held in conjunction with this year's conference had 17 attendees and was a great test case for the inclusion of such classes in future meetings. If you are interested in hosting this class or another NW3C course, please go to the NW3C Web site at www.nw3c.org for more information about hosting a training event.

Finally, the year's event included a new service available to all speakers, staff, attendees and guests. Through the increased efforts of the Information Technology section, NW3C was able to offer a Cyber Café. At the café, any person associated with the conference could check their e-mails free of charge. This allowed everyone to stay in contact with their home offices while still enjoying the benefits of the educational sessions.

By all accounts, the first NW3C Global Conference on Economic and High-Tech Crime was a success. The expanded number and intensity of the educational sessions, available services and increased networking opportunities all combined to make this year's event truly one for the record books. NW3C thanks each and every one for their participation and support of this and other programs sponsored by the National White Collar Crime Center. We look forward to bringing you more of these services and events.

Financial institutions are being inundated with counterfeit checks, not directly from fraudsters, but by their good customers. Welcome to the 21st Century! International fraudsters are thinking globally and acting locally by engaging in practices to entice honest, albeit naïve and unwary, consumers to participate in their dirty work schemes. The scams include cross-border lottery frauds, job scams, chat room scams, overpayment scams, and a host of others.

Thousands of counterfeit checks and money orders enter the United States daily through the U.S. Mail and private delivery services. The U.S. Postal Inspection Service (USPIS) reported that through September 2007, they had intercepted more than $2.1 billion in counterfeit checks. Despite these Herculean interdiction efforts, a substantial number of counterfeit checks do reach their intended targets. With a few exceptions, those who negotiate the counterfeits believe they are legitimate. Greed and gullibility often blind people who need to only ask themselves, "How can I win a lottery I have never played?" or "Why would someone I have never met trust me with thousands of dollars?" Cases are rare where the recipient recognizes the scam and uses the counterfeit item with the intent to defraud the institution. And when they do, it is difficult to prove intent, leaving financial institutions to absorb the loss.

A significant number of the frauds originate from overseas, leaving the criminals out of the reach of local law enforcement, which does not have the resources to investigate them. The U.S. Postal Inspection Service devotes significant investigative and financial resources to these crimes and has demonstrated a willingness to work with organizations such as the International Association of Financial Crimes Investigators (IAFCI). This was most recently evidenced at an IAFCI regional seminar in Connecticut this past October 2007. The Boston Division co-hosted the seminar and inspectors from throughout New England and New York were among the more than 300 registered attendees.

Significant efforts are being made to educate the public about these frauds. The Postal Inspection Service, in collaboration with financial institutions, consumer advocacy groups and businesses, recently announced the formation of the Alliance for Consumer Fraud Awareness. The Alliance's Web site www.fakechecks.org is designed to inform and educate consumers on how to recognize and avoid scams.

More can still be accomplished at the local level, however. Partnerships can be formed between financial institutions and financial crimes investigators. The partnerships can be utilized to develop and deliver outreach presentations to community service organizations, senior citizen centers, and other interested groups. These educational sessions deliver a cogent message when actual counterfeit checks and related documents involved in real scams from the community are put on exhibit. Obviously, all personal identifying information is obliterated for privacy reasons, but the city or town name can be left public.

By all reports, the problem of counterfeit checks continues to grow. The Internet has shrunk the world to the size of a pea, and perpetrators no longer need to have face-to-face contact with their marks. Using the Internet, they can be whatever or whoever they wish to be from anywhere in the world. A bottom-up effort originating at the community level can be an effective way to inform and educate consumers. The message to be delivered is: if something seems too good to be true, it probably is!

About the Author
Thomas R. Nash, CPP is the security officer for Nutmeg Financial Mutual Holding Company in Naugatuck, CT and its two wholly owned subsidiary banks, Castle Bank & Trust Company and Naugatuck Savings Bank. He is the president of the Connecticut Chapter of the International Association of Financial Crimes Investigators and is Board Certified in Security Management by ASIS International.


CY-FI: The Future of Cyber Forensics

Topic This Issue: Virtualization

It is probably a gross understatement to say that the field of cyber forensics or digital investigations is an exciting and dynamic area to be involved in. We currently sit at the beginning of a time period where rapid changes in the field are imminent. Those of us that have been involved with technology and/or technology related investigations in the past understand only too well how difficult it is to keep pace with constant changes and new developments. There are several factors that are coming into play that will only accelerate the pace of change for cyber forensics and digital investigations. These factors include, but are definitely not limited to, changes in operating systems such as the release of Microsoft Vista and Apple's Leopard, as well as changes in storage capacity and storage devices (e.g., solid state secondary storage), and the formal recognition by the American Academy of Forensic Sciences (AAFS) of the discipline, under the new section title of Digital and Multimedia Sciences. It is also anticipated that we will see numerous changes and advances in legal precedents related to digital evidence, as more digital evidence appears before the courts.

How then does one keep abreast of the advances and challenges facing the discipline? This is truly the proverbial 64 thousand dollar question. One solution is to stay informed by subscribing to various lists, digests and periodicals such as NW3C's Informant Magazine. In the spirit of assisting in the endeavor of staying ahead of, on top of, or maybe just slightly behind the curve (as opposed to not even being able to see the curve), I will be authoring a series of articles focused specifically on issues, technological advances and topics related directly to the future of cyber forensics and digital investigations.

by Dr. Marcus K. Rogers, CISSP, CCCI, Cyber Forensics Program, Department of Computer & Information Technology, Purdue University

Now that I have finished my rather long-winded preamble it is time to jump right in with the first article in the series. The topic for coverage chosen for the inaugural discussion is virtualization. Virtualization refers to the use of software in order to simulate a physical computer system. A more formal definition is an abstraction layer that decouples the physical hardware from the operating system. In essence you have a virtual computer. These virtual computers rely on a host computer and operating system and share resources such as CPU, RAM, and I/O. With today's modern computing systems that use multi-core processors and 8+ GB of RAM, several virtual machines (as they are often called) can run on a single physical computer. This equates to a system running Windows XP as the host and having a Linux virtual machine, Vista virtual machine and even a DOS machine all running at the same time. These virtual machines are contained in a single file (also referred to as encapsulation) that contains what is commonly thought of as secondary storage (i.e., hard disk drive) and smaller files that contain system configuration information, RAM information and other housekeeping data¹.

The concept of a virtual machine offers some interesting challenges for investigators as well as benefits. At a recent workshop on virtualization in digital forensics held last year at the University of Central Florida, nine broad challenges were discussed². A complete discussion is beyond the scope of this limited article, but let's briefly touch on some of the more core challenges and benefits. Regarding challenges, an investigator can now be faced with a case in which there may be only one physical computer but for all intents and purposes there are actually multiple computers, operating
Continued on page 65

You've Got Mail!

Hit-Man E-Mails

What would you do if, one day, you opened an e-mail to find that someone has been hired to kill you, and that the only way to save yourself was to pay this person $20,000? Messages such as these seem to be finding their way to more and more e-mail boxes. The e-mails are called "hit man e-mails," representing a shockingly grim method of extorting money from Internet users.

The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), began receiving complaints about the fraudulent hit man e-mails in November of 2006. Since then, the IC3 has received innumerable complaints regarding these e-mails.

In October of last year, the NW3C held its annual Global Conference on Economic and High-Tech Crime in Arlington, VA, where IC3 Manager Greg Donewar was interviewed about the hit man e-mails by Shelaney Campbell of America's Most Wanted. Donewar, who provided The Informant with a paraphrased transcript of the exchange, said that, in essence, the hit man e-mail contains a message from an anonymous person who claims to have been hired to kill the recipient. The e-mail explains that by paying the hit man a specified amount of money, the recipient can escape being murdered. Fraudsters prepare these e-mails for mass distribution, targeting potentially thousands of e-mail addresses. "To date, the IC3 has yet to receive a single report that links one of these e-mails to an actual assault or murder attempt," Donewar said.

by Rodney Huff, Research Assistant, NW3C

Campbell also asked why the hit man e-mails, as well as other e-mail-based scams, seem to be proliferating. A low cost-high benefit ratio, Donewar replied, makes this type of illegal activity appealing.

Responding to Campbell's question about the growing sophistication of e-mail-based scams, Donewar suggested that the low cost of trying out new approaches gives fraudsters the opportunity to refine their techniques and adapt them to exploit vulnerabilities in their targets. "The Internet, combined with the low cost of commission, provides a fertile environment for experimentation and refinement," Donewar said. The opportunity to share information among other perpetrators using the Internet offers another advantage, since users can educate themselves on techniques that may lead to greater success.

Campbell's final question dealt with the reasons why the hit man and other e-mail-based scams have been so successful in separating people from their money. Donewar cited the expansion of computer usage worldwide and the ease with which fraudsters, via the Internet, gain access to a wide cross-section of potential victims, some of whom may be more unsuspecting than others.

Perhaps the best way to fight e-mail-based scams is to simply educate the public. Keeping informed of the latest scams on the Internet may enable people to recognize and report these scams instead of losing money in them. To learn more about the latest e-mail scams, go to www.ic3.gov.


Practical Tips for Investigators to Obtain Information from ISPs


by Lucy Carrillo, Cybercrime Prosecutor, New Hampshire Attorney General's Office

In our digitally connected world, many criminal investigators require information to be obtained from Internet Service Providers (ISPs) which are located outside the state where the investigation is conducted. After 9/11, Congress passed the USA PATRIOT ACT, which allowed authorities to exercise their jurisdiction over companies doing business outside their respective states, thereby attempting to give search warrants for stored communications (such as e-mail) nationwide application. This article will outline a few steps investigators should consider in obtaining information from ISPs, starting at the quickest and lowest level and ultimately leading to the retrieval of information under 18 USC 2703. The tips here are not legal advice, simply suggestions on how to structure a search. Any questions you might have should be directed to your local prosecutor.

In figuring out how to get electronic information from an ISP at the beginning phases of an investigation, some of the first questions the investigator needs to answer are "what do I need?" and "how soon do I need it?" The quickest and easiest route is to first find out what is publicly available about a person. There's a lot of information out there; your law enforcement databases and the DMV are not the only sources. For instance, many ISPs publish information about their subscribers and MySpace routinely posts profile information about members that can be found either by searching for a name or an e-mail address. Google is another good resource that can provide a lot of information about what a person has posted online, events they have participated in and articles they have written. Another tool is Zabbasearch which can show the addresses where a person has lived.

In cases of harassment, Internet fraud or criminal threatening, you also want to ask the victim if they will simply consent to authorizing the ISP to provide account information; however, be careful not to exceed the scope of the consent. Putting it in writing is a good way to document that a person consented and that he or she agreed to the scope of the consent.

In emergency situations, ISPs may disclose information. However, they are not required to do so. An emergency is defined as the immediate danger of death or physical injury to any person (18 USC 2702(b)(8) and (c)(4)). Most ISPs have a 24 hour hotline to cover emergency requests. Their contact information can be found at www.forensicsweb.com. Generally, a signed request on official letterhead will suffice. But some ISPs have drafted a form for emergency requests and they will likely request that you send a subpoena or search warrant as soon as it is practical. Recently in New Hampshire, investigators sent an emergency request to MySpace about a missing girl. The investigator was then able to track the residence where the girl had been logging on to the Internet and was successful in bringing her home quickly.

Once an investigator determines what information they need and when, the next step is to send the ISP a freeze letter or preservation request pursuant to 18 USC 2703(f), requesting they save the information you will ultimately be requesting. Until they receive that preservation letter, ISPs are under no legal obligation to retain anything. The ISP may notify the subscriber, so in your letter, request that the ISP refrain from doing that. The ISP is required to retain the records for 90 days after receipt of this letter and you can request an additional 90 days if necessary.

Next, consider how to get more information with a search warrant, subpoena or court order. It is important to remember that under 18 USC 2703(b)(1)(B), government entities are required to provide notice to the subscriber that the ISP is providing the contents of their stored communications pursuant to administrative subpoenas, grand jury subpoenas, trial subpoenas and court orders. This notice can be delayed for 90 days and extended for an additional 90 days upon request. This request for delay should be supported by the assertion that notice may lead to endangering the life or physical safety of someone, flight from prosecution, evidence destruction or tampering, intimidation of potential witnesses or in some other way seriously jeopardize the investigation. Notice is only required for subpoenas and court orders for content and not for subscriber information, nor is notice required to be given to the subscriber if any information is obtained pursuant to a search warrant (18 USC 2703(b)(1)(A) and (B) and 2703(c)(3)).

Which process you use to obtain information is dependent upon what information you require and whether you have probable cause or simply reasonable suspicion. In New Hampshire, RSA 7:6-b subpoenas may be issued for subscriber information upon reasonable suspicion that the ISP has been, is being, or may be used for an unlawful purpose. (I note that legislation is currently pending which will create some minor changes in RSA 7:6-b, and investigators in New Hampshire should consult with local prosecutors regarding these changes.) Grand jury subpoenas, on the other hand, require probable cause and are more cumbersome because the grand jury is involved; however, there is no requirement that the ISP was used or may be used to commit a crime.

With a court order under 2703, you can obtain a larger scope of information, and it requires specific and articulable facts showing that there are reasonable grounds to believe that the information is relevant and material to an investigation. They aren't used very often at the state level and therefore state judges may not be familiar with them, and because a court appearance is required, there is significantly more work involved. But keep in mind, you can obtain more information with a court order than a subpoena, including e-mails stored for more than 180 days. The disadvantages are that subpoenas must be reviewed by a neutral magistrate, and oftentimes ISPs will shut down a user's account when they receive a warrant, essentially notifying the subscriber that something is going on. Also, do not rely on boilerplate language that was successful previously, but be particularly careful to craft the search warrant affidavit to fit the facts of your case and what you are looking for. Although you can get whatever the ISPs have, remember they are not required to retain anything unless they get a preservation letter from you.

One final instrument to consider is a search warrant, which requires probable cause. The advantages of a search warrant are that you are entitled to receive all relevant information possessed by the ISP and the subscriber is not entitled to notice. Additionally, this is the only way to obtain e-mails stored for 180 days or less (18 USC 2703(a)).

Finally, it should be noted that relevant case law is unsettled in this area. In June 2007, a 6th Circuit case stated that people have a reasonable expectation of privacy in stored communications and therefore to obtain e-mails stored more than 180 days, you need either a no-notice search warrant or a court order and notice to the subscriber. The court also opined that the government might not be entitled to all e-mails in its possession, only relevant ones. However, in October this opinion was vacated and the case sent back for a rehearing en banc (Warshak v. U.S., 490 F.3d 455 (2007)).

To recap, figure out first what you need and how quickly you need it. Conduct quick research yourself with publicly available information and request consent. Next consider whether you will use a subpoena, court order or a search warrant. Send out a preservation request to the ISP. And don't hesitate to ask your local prosecutor should any questions arise. A well-crafted affidavit is your best defense against having evidence suppressed later at trial.

CALL FOR ARTICLES

Help others in the fight against cyber and economic crimes.

Contribute your articles and ideas to the Informant Magazine

The next Informant will feature articles on the topic of Computer Intrusions. If you have experience and expertise in the area of Computer Intrusions, we welcome your article submission to be featured in the Informant. Send your articles and article ideas to lbond@nw3c.org. Deadline to submit articles for the September 2008 issue is July 18, 2008.

Share your expertise, experience and knowledge with Informant readers. We are looking for articles on any topic related to cyber or economic crime.


Combating 419 Fraud

On the Front Lines in the Battle Against a Global Scam Operation


by Lisa McBee, Postal Inspector, United States Postal Inspection Service

In July 2007, eleven U.S. Postal Inspectors traveled to Lagos, Nigeria to investigate and combat the onslaught of 419 schemes in the area. USPIS Inspectors worked side by side every day with the local Nigerian postal employees, courier service employees and police from the Economic and Financial Crimes Commission (EFCC). Guards from the Nigerian Police escorted our inspectors to and from work every day to ensure our safety, due to the soaring crime rate in the city. Our mission was to intercept as many counterfeit documents as possible, preventing the delivery of these fraudulent documents to intended victims in the United States. With the help of the EFCC, U.S. Postal Inspectors were able to intercept approximately $2 million in checks and/or money orders daily from outgoing mail in Nigeria addressed to potential victims in the United States, as well as numerous other countries around the world.

Why are these schemes labeled as 419 fraud? Chapter 38, "Obtaining Property by False Pretences; Cheating," Section 419 of the Nigeria Criminal Code is the statute that states, "Any person who by any false pretense, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years." False pretense is defined in Section 418 as "any misrepresentation made by words, writing or conduct, of a matter of fact, either past or present, which representation is false in fact, and which the person making it knows to be false or does not believe to be true."

A number of the counterfeit instruments seized in Lagos included large shipments of smaller packages with instructions for the receiver to send those smaller packages, contained inside, to other people within the United States. The smaller packages were already addressed and sealed and contained 10-20 counterfeit checks or money orders. Usually, the addressee of the package was expected to pay for and affix postage to the smaller envelopes before mailing to other victims. The recipient of the smaller packages would then be asked to cash the checks or money orders and wire a portion of the proceeds to the original mailer. Most commonly, these types of schemes are originated by soliciting work-at-home employees via employment ads on the Internet or through e-mails.

Reshipping scams are huge business in several African countries, the United Kingdom and Eastern Europe. These scammers order merchandise using stolen credit card numbers, then contact someone, generally via the Internet, to persuade or hire them to accept packages for them at their residence. The Internet victim is then bombarded with packages of merchandise addressed to the credit card victim. They are also provided mailing labels from various private couriers to put on the packages and reship them out of the country back to the original mailer. The account numbers provided for reshipping are generally stolen account numbers too.

419 fraud is not only limited to reshipping scams; while driving through the streets of Lagos, it was common to see homes with the words "Beware of 419 - This property not for sale" spray-painted on them. Locals from the area explained that the property is being sold via the Internet; however, those people selling the property are not the owners and the actual owners have no knowledge of their property being sold until the new buyer arrives for inspection of the property they believe they have purchased.

The final days of the investigation in Lagos were spent at NiPost, the Nigerian Postal Service. The employees of NiPost were welcoming and most accommodating as the EFCC and U.S. Postal Inspectors arrived daily to sort through packages and letters. On our last day, an EFCC officer found a large package that he believed contained counterfeit instruments. Once the package was inspected, we found what appeared as a simple framed portrait of a sweet little boy. Imagine our surprise when the back of the portrait was broken and $500,000 in counterfeit instruments was discovered.

Photo caption: Over $500,000 was found during the inspection of a framed portrait of this little boy.

CASE FUNDING
NW3C may be used as a source of funding for voting member agencies that are faced with budgetary shortfalls. Limited case funding is available for voting member agencies who are involved with white collar, high-tech or cybercrime.

Limited Case Funding is Available for:

- Out-of-State Investigative Travel
- Out-of-State Witness Travel
- Document Recovery
- Expert Witness or Personnel Service Contracts
- Equipment Lease/Rental
- Temporary Employees

Eligibility/case requirements

- A voting member agency with a designated case which encompasses an economic or high-tech crime
- The case must be interstate in nature, involving at least two participating agencies from different states
- Voting agency must certify an inability to dedicate funding for any expense for which NW3C funds are requested

We prevented thousands of checks from reaching the intended victims in the United States. The U.S. Postal Inspection Service has spent millions of dollars in a preventative effort against these reshipping scams. In October 2007, commercials were run in the United States demonstrating consumers' skepticism about the scams and schemes that these cyber criminals are using. One commercial asks, "If a stranger approached you on the street and asked you to deposit a $5,000 check into your bank account and give them the proceeds, you'd say no. Why would you do this for someone via the Internet, someone you have never met?" A Web site, www.fakechecks.org, was created and publicized. Many of these commercials and variations of 419 schemes can be viewed at this Web site.

Although the 419 schemes never stopped while we were in Lagos and continued after we left Lagos, our message was clear: "You never know where we might be, but we know where you are and we'll catch you."

About the Author
Postal Inspector Lisa McBee is assigned to the Ft. Worth Division Mail Fraud team in Ft. Worth, TX. She has traveled extensively in personal adventures, but claims her business travel to Nigeria was not only rewarding, but is one of her most memorable treks.

If you would like more information on case funding, please contact Robin Elkins, Chief Analyst with NW3C Investigative Support Services: (804) 273-6932 ext. 388, or (800) 221-4424 ext. 388 (toll free).

http://informant.nw3c.org


I believe my first reactions were shock, disbelief and denial, followed by rage, resentment, guilt and then utter depression. The pain and hurt and always thinking of what was done to you just don't go away. I have nightmares.[1]

The preceding statements are from anonymous individuals recalling their experiences after being victimized. The scarring of which many individuals speak is not from acts of violence but from various white collar crimes (WCC) involving substantial portions of their earnings and/or life savings. Currently, the FBI estimates the total monetary impact of WCC to be $300 billion annually.[2] The monetary impact of WCC captures a glimpse of the primary victimization, or initial effects of the crime; however, the majority of victims are left to deal with secondary effects that follow their lives for months or even years after their initial victimization. In the past 10 years there has been a growing interest in understanding the physical, social, and psychological effects of white collar crime victimization. The following will shed some light on what we've learned so far and how law enforcement can help victims cope.

Secondary Victimization

Secondary victimization describes the consequences of violent crimes such as domestic abuse and rape. Secondary effects include emotional and interpersonal disturbances such as depression, stress, anxiety, divorce and loss of employment.[3] As previously stated, these effects in WCC victims have gained interest in recent years and have been found to hold a striking similarity to those in victims of violent crimes.

In 2004, the Identity Theft Resource Center conducted a one-year follow-up study to assess the secondary victimization that occurred in ID theft victims. As expected, many victims reported considerable stress and difficulties in financial areas such as obtaining credit, handling collection agencies and getting tenancy. More severely, psychologist Charles Nelson found that many victims reported feeling dirty or defiled, guilty, ashamed or embarrassed, being an outcast, undeserving of assistance or "having brought this crime upon myself."[4] Oftentimes, WCC victims feel a significant amount of self-blame and take sole responsibility for their victimization. This pattern of self-blame is similar to rape myths regarding victims and responsibility.[5]

In 2004, members of NW3C's Research Section partnered with psychology researchers at West Virginia University to explore the psychological and somatic impact of identity theft. The study concluded that anxiety, anger, and frustration are common reactions immediately following the discovery of ID theft. What's more, six months after discovery, the majority of victims reported that they experienced continued distress and desperation, and many felt anxiety, fear, mistrust, and paranoia.[6] Once again, the six-month follow-up in this study found victims reporting feelings very similar to those associated with crimes of violence. A 2002 best practices study conducted by NW3C and researchers from West Virginia University found similar results. Identity theft victims reported elevated levels of fear, distress, and anger immediately after discovery, which continued at lower levels six months following discovery.[7] The secondary effects just described are not exclusive to victims of identity theft, however, as individuals have reported similar experiences after becoming victims of corporate fraud[8] and other various white collar crimes.[9]

Research has shown that the effects of WCC on victims mimic those of violent crimes, with victims commonly suffering from great stress, anxiety, depression, and consequently, serious health concerns. Furthermore, victims often blame themselves for their victimization, making resolution of these effects even more difficult. In extreme cases, these effects can last for months or years, resulting in lifelong clinical depression and permanent loss of employment, and leading some victims to commit suicide.[10] Given the magnitude of secondary effects, law enforcement personnel play an important role in serving victims of WCC.

Helping Victims

Excluding the private sector (banks, credit companies, etc.), law enforcement personnel are the victim's first point of contact in attempting to resolve the crime. Due to the nature of WCCs, the victim is not physically harmed and has very little (if any) information regarding the identity of their perpetrator, especially in cases of Internet and identity theft. In 2002, NW3C partnered with AARP to study the best practices of agencies around the country in handling identity theft.[11] Statements from victims' experiences offered insight on ways law enforcement can ease the effects of secondary victimization.[12]

1. Communication with the victim and their financial institutions. Providing direct contact with financial institutions to verify that a crime has taken place can assist the financial institution in question to work to resolve the victim's issues promptly.
2. When possible, the agency ensures an official report is taken. Victims perceived that this step was of the utmost importance. Individuals view an official report as the official first step in taking back control of the situation.
3. Give an accurate portrayal of the response that is expected from the criminal justice system. The victim's perspective may be such that they feel they will see a quick resolution following the crime. It is best to give the victim a realistic outlook on the criminal justice process appropriate to their case.
4. Provide victims with a wide array of information to resolve their cases successfully. The burden of resolving credit issues lies on the shoulders of the victim. It is extremely important that they are given the proper information to follow steps that can lead to taking control and gaining peace of mind in the process.
5. Ensuring two-way flow of communication between victim and agency. Despite the overload of caseloads, agencies often provided victims with updates on investigative and prosecutorial efforts (when applicable) during the resolution period. Doing so allows the victim to remain involved in the process of resolving their case.

Conclusion

The title of this article poses the question, "Does money matter?" Given what we've learned about the personal and psychological aspects of WCC victimization, it most certainly does. Although WCCs are nonviolent, and oftentimes the victims do not know their perpetrator, the after-effects can be highly stressful, life altering, and in many cases, tragic. Research suggests that this is due to a lost sense of control on the victim's part. Law enforcement can assist victims to regain a sense of control by having an open and realistic communication process and keeping the victim informed during the resolution of their case.

References

1. Kivenk, Ken. Is white-collar crime non-violent? The Fund Library. http://www.fundlibrary.com/features/columns/page.asp?id=12263. Retrieved December 16, 2007.
2. Cornell University Law School. White Collar Crime. http://www.law.cornell.edu/wex/index.php/White-collar_crime. Retrieved January 4, 2007.
3. George Mason University: Sexual Assault Services. Secondary Victimization. http://www.gmu.edu/facstaff/sexual/Helping_SV.htm. Retrieved December 10, 2007.
4. Identity Theft Resource Center. Identity Theft: The Aftermath 2004. http://www.idtheftcenter.org/artman2/uploads/1/The_Aftermath_2004_1.pdf. Retrieved August 20, 2007.
5. National Center for PTSD. Sexual Assault Against Women. http://ncptsd.va.gov/ncmain/ncdocs/fact_shts/fs_female_sex_assault.html. Retrieved January 4, 2007.
6. Sharp, T., Shreve-Neiger, A., Fremouw, W., Kane, J., & Hutton, S. Exploring the Psychological and Somatic Impact of Identity Theft. Journal of Forensic Science. Vol. 49, No. 1.
7. Kane, J., Hutton, S., Desilets, C., Mason, D., & Mascari, A. Best Practices Used by States to Assist the Victims of Identity Theft. NW3C. November, 2002.
8. Spalek, B. Knowledgeable consumers? Corporate Fraud and its devastating impacts. Center for Crime and Justice Study, Briefing 4. August, 2007.
9. Spalek, B. Exploring the Impact of Financial Crime: A Study Looking into the Effects of the Maxwell Scandal upon the Maxwell Prisoners. International Review of Victimology. 1999. Vol. 6, pp. 213-230.
10. Kivenk, Ken. Is white-collar crime non-violent? The Fund Library. http://www.fundlibrary.com/features/columns/page.asp?id=12263. Retrieved December 16, 2007.
11. Kane, J., Hutton, S., Desilets, C., Mason, D., & Mascari, A. Best Practices Used by States to Assist the Victims of Identity Theft. NW3C. November, 2002.
12. Ibid.

About the Author
Jason Boone is currently a Research Assistant at NW3C. He holds a master's degree in psychology. With this background, his interests in white collar crime include social and emotional factors in victimization, and crimes committed over the Internet.
Informant: January 2008 - June 2008

New Trends
by Jamie Sellaro, Internet Fraud Analyst, IC3

NEWS FLASH!! THE IC3 DATABASE PASSED THE ONE MILLIONTH COMPLAINT MARK IN 2007. IC3 has become the nation's most frequented site for Internet crime complaints. Having this valuable resource of data gives IC3 the opportunity to alert law enforcement agencies of the new trends and twists on old scams for the purpose of early prevention and detection of crime.

Here are some of the latest scams now trending on the Internet:

www.socialsecuritycard.net is offering replacement social security cards for $14.99. Complainants reported supplying their sensitive personal information to this Web site to obtain their replacement cards, only to realize too late the potential of identity theft, since replacement social security cards are offered free by the Social Security Administration. This scam dates back to 2004.

Spam e-mails purportedly from the U.S. Department of State congratulate recipients for winning the Immigration Visa Lottery. The e-mail requests recipients to forward personal identification to Immigration Services in Kentucky, along with a clearance/acceptance fee of $989.67 payable through Western Union or Money Gram. The information and fee supposedly buy them the visa necessary to reside in the United States. All correspondence and payments were routed to an e-mail contact in Jamaica, Queens, New York.

Spam e-mails purporting to be from Agent Louis Freeh (former Director of the FBI) accuse the recipient of being involved in fraudulent transactions via the Internet and failing to report these transactions to concerned agents. The e-mail states that Agent Freeh had been notified of these transactions and intends to immediately take action based on files maintained on the recipient. According to the e-mails, private investigators are investigating other suspects, and if the recipient plays his cards well things will work out. The recipient is then instructed to contact Agent Freeh ASAP and not to notify anyone of the e-mail received.

More e-mail scams have been circulating that have supposedly originated from the FBI and other U.S. Government sources. Be wary of e-mails with the following subject lines:

- FBI Warns Public Of E-mail Scams
- An Increase In Internet Schemes Purportedly From the FBI
- Justice Department Alerts Public About Fraudulent Spam e-mail
- Fraudulent spam e-mail purported to be from FBI Director Mueller
- Another fraudulent FBI e-mail alert

In a new credit card scam occurring over the telephone, an individual calls a victim and states, "This is (name), and I am calling from Visa or MasterCard and my badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify this would be your Visa/MasterCard that was issued by (name of bank). Did you purchase an Anti-Telemarketing Device for $497.99 from a Marketing company based in Arizona?" After the victim advises they did not purchase the device, the caller continues, "then we will be issuing a credit to your account. This is a company we have been watching, and the charges range from $297.00 to $497.00, just under the $500.00 purchase pattern that flags most cards. Before your next statement the credit will be sent to (gives your address), is that correct?" After confirming the address, the caller continues, "I need you to verify you are in possession of your card." The victim is requested to turn the credit card over and provide the three security numbers on the back. Once the numbers are provided, the caller states, "that is correct, I just needed to verify the card has not been lost or stolen, and you still have your card."

The victim's card number is not requested; only the CVV code on the back of the card. This is a social engineering scam. Obtaining the security code of the card provides the scammer with all the information necessary to assume the victim's identity and fully utilize the card.

Use these prevention tips to protect yourself from various types of e-mail fraud:

Spam
- Don't open spam. Delete it unread.
- Never respond to spam as this will confirm to the sender that it is a "live" e-mail address.
- Have a primary and secondary e-mail address - one for people you know and one for all other purposes.
- Avoid giving out your e-mail address unless you know how it will be used.
- Never purchase anything advertised through an unsolicited e-mail.

Lotteries
- If the lottery winnings appear too good to be true, they probably are.
- Be cautious when dealing with individuals outside of your own country.
- Be leery if you do not remember entering a lottery or contest.
- Be cautious if you receive a telephone call stating you are the winner in a lottery.
- Beware of lotteries that charge a fee prior to delivery of your prize.
- Be wary of demands to send additional money to be eligible for future winnings.
- It is a violation of federal law to play a foreign lottery via mail or phone.

Phishing/Spoofing
- Be suspicious of any unsolicited e-mail requesting personal information.
- Avoid filling out forms in e-mail messages that ask for personal information.
- Always compare the link in the e-mail to the link that you are actually directed to.
- Log on to the official Web site, instead of "linking" to it from an unsolicited e-mail.
- Contact the actual business that supposedly sent the e-mail to verify if the e-mail is genuine.

For more IC3 current trends and prevention tips, visit our Web site at www.ic3.gov or www.lookstogoodtobetrue.com.
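The tip above about comparing the link shown in an e-mail with the link it actually leads to can be automated for HTML mail. The following is an added example, not part of the original article: the function names are hypothetical, the sample message is constructed, and every domain other than www.ic3.gov is a reserved placeholder. Hosts are compared by suffix only, which is a simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself a web address, e.g. "www.ic3.gov" or
# "https://example.com/login". Wording such as "Click here" does not match.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.IGNORECASE
)

# Constructed sample body. www.ic3.gov is the site named in the article;
# all other domains are reserved placeholders.
SAMPLE_EMAIL = """
<p>Your account was flagged. Verify it at
<a href="http://www.ic3.gov.login.example.net/complaint">www.ic3.gov</a>.</p>
<p>Report Internet crime at <a href="https://www.ic3.gov/">www.ic3.gov</a>.</p>
<p>Help pages: <a href="https://support.example.com/faq">example.com</a></p>
<p><a href="http://example.org/unsubscribe">Click here</a> to unsubscribe.</p>
<p><a href="mailto:help@example.com">help@example.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(address):
    """Return the lower-cased host of a URL or bare domain, or '' if none."""
    if "://" not in address:
        address = "http://" + address
    try:
        host = urlsplit(address).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def same_site(shown, actual):
    """True if the real host is the shown host or one of its subdomains."""
    if shown.startswith("www."):
        shown = shown[4:]
    if actual.startswith("www."):
        actual = actual[4:]
    return actual == shown or actual.endswith("." + shown)


def check_links(html_body):
    """Return one finding per link whose visible address and destination differ."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, fragments, relative links: nothing to compare
        actual = host_of(href)
        if not actual or not URL_LIKE.match(text):
            continue  # the text does not claim to be an address
        shown = host_of(text)
        if not same_site(shown, actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print("text shows %(shown)s but link goes to %(actual)s" % finding)
```

A link whose text is ordinary wording is not flagged by this check, so the article's other tip, logging on to the official Web site directly, still applies to it.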

Criminal Intelligence Analysis

American Military University offers a 100% online Master's Degree in Intelligence Studies with a concentration in Criminal Intelligence designed specifically for law enforcement professionals. Other areas of study within the MA in Intelligence Studies include: Intelligence Analysis, Intelligence Operations, Terrorism Studies and many others. These programs are entirely online and are designed specifically for working adults.

CONVENIENT & AFFORDABLE
- 100% online, with flexible weekly schedules
- 8 and 16 week courses start monthly
- Competitive tuition
- Small class sizes, no cohort groups
- No on-campus residency requirements

Join 30,000 civilian and military students currently pursuing 57 associate, bachelor's and master's degree programs online at AMU.

LEARN MORE AT www.amuonline.com OR CALL 877.777.9081

PUSH YOUR MIND
American Military University

INTERNET CRIME COMPLAINT CENTER ALERTS

IF YOU ANSWER YES TO ANY OF THESE QUESTIONS YOU MAY BE GETTING SCAMMED!

ARE YOU ABOUT TO CASH A CHECK FROM AN ITEM YOU SOLD ON THE INTERNET, SUCH AS A CAR, BOAT, JEWELRY, ETC.?
- Is it the result of communicating with someone in jail?
- Did it arrive via an overnight delivery service?
- Is it from a business or individual account that is different from the person buying your item or product?
- Is the amount for more than the item's selling price?

ARE YOU SENDING MONEY OVERSEAS?
- Did you win an international lottery you didn't enter?
- Have you been asked to pay money to receive an inheritance from another country?
- Are you receiving a commission for accepting money transfers through your bank and/or PayPal account?

To report an online crime go to: www.ic3.gov



Successful case summaries from NW3C Members

Case Name: Elder Exploitation
Author: Tommy L. Johnson, Special Agent
Agency: Oklahoma State Bureau of Investigation

Ruth Baker was an 84-year-old widow who was living in a California nursing home. She was confined to a wheelchair and needed care and assistance with her daily activities. Baker lived on a monthly social security check of $1,253.00 and a small pension left to her by her late husband, Fred. In addition to a home she owned in Bakersfield, CA, Baker also had a credit union account that had a balance of over $210,000.00 and two Certificates of Deposit (CDs) totaling $10,300.00.

Baker called her only living relative, Carol Kelly, who lived in Duncan, OK, requesting that she accept Power Of Attorney (POA) for her. Kelly was not able to accept the responsibility but recommended her daughter and Baker's niece, Connie Jo Turner. Turner was eager and accepted the responsibility. After months of persuasion, Turner convinced Baker to move to Oklahoma with her and her husband, Jerry. Turner worked as a private duty caretaker and assured Baker that she would take care of her if she were to move in with them. Once in Oklahoma, Baker moved into a mobile home with her niece and family.

In June 2001, Turner opened a checking account in Baker's name at Blanchard, a local bank. Turner had Baker's monthly social security check direct deposited to the bank account. Turner also opened a money market account at the same bank through a $40,000.00 wire transfer from Baker's credit union account in California. A month later, Baker's two CDs matured and $10,388.66 was deposited into her credit union account. Turner directed the credit union to wire the money into Baker's checking account at Blanchard bank. Turner then withdrew the money from Baker's checking account and used it to purchase a cashier's check payable to her mother, Carol Kelly.

Over the next three months, Turner transferred over $200,000.00 from Baker's credit union account to the checking account in Blanchard. Turner was an authorized signer on the Blanchard account. In October 2001, Baker's residence in Bakersfield, CA was sold. The sale generated net proceeds of $47,600.00. The title company issued a settlement check payable to Baker in the amount of $47,600.00. Turner endorsed the check as Power Of Attorney for Baker, then deposited $40,000.00 from the settlement check into the checking account and the remaining $7,600.00 into the money market account under Baker's name. Turner took back less cash received of $4,000.00 from the money market deposit.

For the following nine months or so, Baker noticed that Turner was always spending money on her grandchildren, buying them lots of clothes and gifts. Baker also noticed that the Turners made many improvements to their property and acquired many assets that they did not have before she arrived, which included an extra car and a new pickup truck. Turner's husband purchased some horses and built a corral, and a fourth mobile home was placed on the property for their son and his family.

Meanwhile, Baker had not received the proper care she was promised by Turner. She was forced to stay alone in a small mobile home on the Turners' property without a telephone or many visitors. Most days Turner would not check on her for hours at a time. In April 2002, Turner resigned as Baker's caregiver and moved her into a nursing home in Lexington, OK. After Baker was moved to the nursing home, she learned that Turner had spent all of her money.

During a chance meeting with David Thompson, a retired attorney and member of a local religious organization, Baker told him about her experience with Turner and asked if he could help to recover her money. Thompson contacted Turner and found that she did not have any money left, and she refused to give him a proper accounting of where the money went. Acting on Baker's behalf, Thompson contacted the Blanchard bank and received copies of all of Baker's monthly statements for the checking and money market accounts. The checking account balance was $8.00 and the money market account balance was zero. Thompson examined the statements of both accounts and found that Turner had taken tens of thousands of dollars in cash from Baker's accounts. Turner also made over $50,000.00 in e-payments from the checking account to make payments on her own personal credit card accounts.

Thompson contacted the Adult Protective Services (APS) division of the Oklahoma Department of Human Services. APS conducted an investigation and found reason to believe that Baker may have been the victim of financial exploitation. APS forwarded a report of its investigation to the McClain County District Attorney. The district attorney asked the Oklahoma State Bureau of Investigation to conduct a criminal investigation, to which Special Agent Tommy Johnson was assigned.

Since all of Baker's money had gone through her bank accounts, Johnson simply followed the money. He found a paper trail that led directly to Turner, who had converted nearly all of Baker's money to her own personal use. Turner used Baker's money to finance a life of excesses for herself, her husband, children and grandchildren. She paid for family vacations, made capital improvements to her property, purchased cars and expensive gifts and gave away thousands of dollars in cash to her children.

Johnson presented the case to the McClain County District Attorney and one felony count of Exploitation by Caretaker (after former conviction of a felony) was filed against Turner. He also found that Turner had two previous felony convictions for bogus checks in Stephens and Cotton Counties. After fully confessing to stealing Baker's money during a private and videotaped interview with Johnson, Turner entered a guilty plea to the charge of Exploitation by Caretaker. She was given a five-year suspended sentence and ordered to pay a fine of $500.00. Turner was also ordered to perform 80 hours of community service and she agreed to pay restitution of $186,000.00. Turner paid $9,000.00 at the time she entered the plea and she agreed to pay the remainder in monthly installments of $800.00.

Johnson never found out whether the videotape would have been admitted had Baker been unable to testify, but he did learn something that was probably more important. Whether you are investigating a homicide or a white-collar crime, there is no substitute for innovation, intuition and dumb luck.

Case Name: Surgery and Deception
Author: Tricia Carney, Public Information Specialist
Agency: Idaho Department of Justice

Investigators at the Idaho Department of Insurance (DOI) regularly respond to complaints about insurance fraud. The fraud team at the DOI is made up of trained investigators, several with law enforcement backgrounds. In September 2005, the fraud unit responded to one such complaint from Blue Cross of Idaho. Jeri Willets and Robert Pratt were the key players in a masquerade involving emergency surgery and deception.

In May 2005, Robert was suffering from severe abdominal pain. When the pain became so intense that he could not stand it, Jeri offered to drive him to the local hospital. Robert, on felony probation in Oregon, had no medical insurance. Jeri assured him this would not be a problem. She suggested Robert pose as her estranged husband, Frank. Using Frank's insurance card, Jeri checked Robert into the hospital under Frank's name. Hospital procedure required the completion of various documents, which Robert signed using Frank Willets' name. Robert specifically requested that no photos or videos be taken of him or his surgery. Robert's surgery went so well that the next day, he put the experience behind him and went jet skiing.

Meanwhile, going through the procedure of divorce with Jeri, Frank arranged to have his mail forwarded to his new residence. In June 2005, Frank received a letter from the doctor asking him to come in for a follow-up visit for his surgery. Not having had surgery, Frank was surprised by this news. He called the doctor's office and insisted he had not had gall bladder surgery. His next call was to the insurance company, Blue Cross. Frank put two and two together and realized that Robert had been the one to have surgery under his name.

Blue Cross contacted the Idaho Department of Insurance and asked for help resolving this situation. DOI investigators Kevin Blue, a former Alaska State Trooper, and Chuck Hudson, a retired San Bernardino police officer, went to work. By this time, Jeri was serving a jail term in Boise, ID on unrelated charges. Blue and Hudson visited the jail and questioned her. She admitted to dropping Robert off at the hospital but denied any other involvement, even saying that she was afraid of Robert. Jeri was reluctant to talk to Blue Cross and lied to them, telling them she was never at the hospital with Robert.

Blue and Hudson caught up with Robert and his parole officer in Albany, OR. After questioning, Robert confessed to everything. Blue and Hudson then returned to the Boise jail and questioned Jeri, but she became so aggressive and verbally abusive, they were forced to leave. Eventually, the consistent efforts of the investigators paid off and Jeri's part in the conspiracy was confirmed. The case was turned over to the Special Prosecutions Unit of the Idaho Attorney General's Office for prosecution.

In March 2007, Jeri and Robert were tried by a grand jury and indicted for insurance fraud and grand theft. Both were given a sentence of seven years, one year fixed. Jeri and Robert were ordered to pay restitution in the amount of $13,252.76 to the hospital and the doctor.

Case Name: Mississippi Embezzlement
Author: Earl Smith, Deputy Director of Investigations
Agency: Mississippi State Auditor's Office

uring the years beginning in 2000 and ending January 2003, a Meridian, Mississippi Elementary School Principal and her co-conspirators embezzled over $200,000 from the Meridian Public School District. Judy Radcliff was employed as Principal at West End Elementary School, Meridian, MS from July 1995 through February 2003. Radcliff devised a scheme whereby she and her coconspirators submitted false invoices for consulting services and the sale of school supplies to the Meridian Public School District to receive funds from the school district without performing the consulting services or providing the school supplies. The co-conspirators involved in the scheme kicked back
http://informant.nw3c.org

27

funds they received to Radcliff. Radcliff was a long-time educator in the Meridian Public School District and, up until the time of the embezzlement, was a highly respected teacher. Radcliff involved a family member, longtime friends and associates in her scheme. The co-conspirators in this investigation included: (1) Sandra Thompson (Grady) Todd, the sister of Judy Radcliff, who owned a real estate company in Jackson, MS known as Todd & Associates Realty; (2) Tammie Davis, an employee of Todd & Associates Realty; (3) Joycelyn P. Wilson, a principal at Bay Springs High School, Bay Springs, MS; and (4) Carolyn Evans, a retired principal. Evans, Wilson and Radcliff met at the University of Southern Mississippi and remained friends and close associates throughout the years.

On January 10, 2003, the Investigative Division of the Mississippi Office of State Auditor was contacted by the Business Manager with the Meridian Public School District. The school district reported that it appeared that Judy Radcliff was involved in submitting false invoices for consulting services to the school district. The school district reported that an individual named Carolyn Evans contacted the school district inquiring about her check for consulting services. After reviewing the list of authorized consultants and interviewing teachers, it was determined that Carolyn Evans had not provided consulting services for the school district but had received a substantial amount of money for consulting services. The school district requested that the Office of State Auditor investigate this matter.

The funds embezzled from the Meridian Public School District came from Title One Federal Grant Funds, Reading Excellence Federal Grant Funds and local grant funds. Since federal funds were involved in the embezzlement, the U.S. Department of Education Office of Inspector General was contacted and participated in the investigation. The Internal Revenue Service Criminal Investigation Division also participated in the investigation to deal with money laundering charges. The U.S. Department of Education Office of Inspector General provided invaluable direction and assistance in guiding the investigation through the federal system, which culminated in a successful federal prosecution. This investigation was a prime example of how local, state, and federal agencies can work together to ensure that violators of the law are brought to justice.

After a review of consulting services paid for by the Meridian Public School District, it was determined that consulting fees had been paid to Sandra Todd, Tammie Davis, Carolyn Evans and Joycelyn Wilson for which no consulting services had been provided. Teachers and schedulers of consultants verified that these individuals did not conduct consulting services at West End Elementary School. The scheme was perpetrated by Radcliff preparing false invoices and false consultant forms for consulting services, either signing the forms herself or having the form signed by a co-conspirator, and submitting the form to the school district for payment.
Informant: January 2008 - June 2008

The conspiracy started with a payment to Sandra Grady (aka Sandra Todd) on April 13, 2000, in the amount of $3,500.00, for consulting services. Radcliff caused two other checks to be issued to her for consulting services. Sandra Todd submitted fraudulent consultant forms to the Meridian Public School District alleging she provided consultant services at West End Elementary School. Sandra Todd received a total of $9,700.00 for consulting services she did not provide. Todd kicked back a total of $2,000.00 from these funds to Radcliff in the form of checks payable to Radcliff.

Tammie Davis submitted fraudulent consultant forms to the Meridian Public School District alleging that she provided consultant services at West End Elementary School. Teachers verified that Davis did not provide the consulting services she claimed she provided. The majority of the checks for Davis were picked up by Judy Radcliff and given to Davis. Davis deposited the checks into her personal bank account. At the time Davis deposited these checks, she would either withhold cash from the deposit, write a check to cash, or write checks to Judy Radcliff. Tammie Davis received a total of $46,128.00 from the school district. Of this amount, Davis wrote checks directly to Judy Radcliff in the amount of $27,086.80. On at least two occasions, Davis wrote a check to cash out of her personal bank account and cashed the check. One check was in the amount of $2,500.00 and one check was in the amount of $1,700.00. On or about the same date, Radcliff deposited amounts in cash equal to these into her personal bank account.

Carolyn Evans, a longtime friend of Radcliff's, also submitted fraudulent consultant forms to the Meridian Public School District alleging that she provided consultant services at West End Elementary School. Teachers verified that Evans did not provide the consulting services she claimed she provided. Evans was in poor health at the time.
Evans had diabetes, both of her legs had been amputated, and she had a severe cough. Evans maintained throughout the entire investigation that she actually performed the consulting services. Teachers stated that Evans would have been readily noticed if she had been in the classroom due to the fact that she was in a wheelchair and had a severe, constant cough. Evans actually had a driver drive her from her home in Wiggins, MS to Meridian, MS to meet with Radcliff and pick up her check. Radcliff drove Evans to Radcliff's bank and Evans cashed her check. On numerous occasions, Radcliff made cash deposits into her personal bank account either on the same day as, or within a day or two of, the date Evans cashed the check. The total amount of the checks received by Carolyn Evans from the Meridian Public School District was $73,475.90.

Joycelyn Wilson, another longtime friend of Radcliff's, also submitted fraudulent consultant forms to the Meridian Public School District alleging that she provided consultant services at West End Elementary School. Teachers verified that Wilson did not provide the consulting services she claimed she provided. Wilson admitted that she never went to West End Elementary School. Wilson stated that she printed items off the Internet or from manuals and provided this information to Judy Radcliff for the funds that she received. This same information was available on the Internet at the Mississippi Department of Education Web site. Wilson stated that Radcliff delivered the checks issued to her for consulting services to her in Bay Springs, MS. Wilson stated that she took the checks to her bank in Bay Springs, MS and cashed the checks. On numerous occasions, Radcliff made cash deposits into her personal bank account either on the same day as, or within a day or two of, the date Wilson cashed the check. The total amount of the checks received by Joycelyn Wilson from the Meridian Public School District was $48,178.20.

In addition to the scheme to defraud the school district by submitting false invoices for consultant services, Radcliff, Sandra Todd and Tammie Davis conspired to defraud the school district by creating a bogus company known as Todds Associates. Todds Associates was set up to purportedly sell school supplies to the Meridian Public School District. Radcliff and Todd prepared false and fraudulent invoices and submitted the invoices to the school district for payment. Documents received from the Meridian Public School District indicated that school supplies were shipped from Todds Associates to the Meridian Public School District warehouse. Personnel at the Meridian Public School District warehouse provided records that verified that no shipments were received from Todds Associates. Current and former employees of West End Elementary School, whose names appeared on requisitions to Todds Associates, stated that they had no knowledge of the orders, never heard of Todds Associates, and did not sign the documents. Evidence was obtained that supported the assertion that the employees' names were forged on the requisitions. Many of the invoices for Todds Associates were for items that were purchased by the Meridian Public School District from other vendors.
The items on the Todds Associates invoices were identified by the unique item name, catalog number, and price as items purchased from other vendors. Many of these items were items for which other vendors were the sole source providers.

Checks were issued to Todds Associates by the Meridian Public School District. The checks were either mailed to Sandra Todd or picked up by Judy Radcliff and given to Sandra Todd. Todd deposited the checks into her personal bank account. At the time the checks were deposited by Todd, she either withheld cash, wrote checks to cash, or wrote personal checks directly to Judy Radcliff. Judy Radcliff deposited the checks she received from Todd into her personal bank account. The total amount of the checks received by Todds Associates from the Meridian Public School District was $33,823.58. Of this amount, Todd wrote personal checks to Judy Radcliff for $16,780.00.

Judy Radcliff also received checks from the Meridian Public School District for the purpose of purchasing school supplies at conferences sponsored by the Success For All Foundation (SFA). Radcliff failed to submit receipts for items she allegedly purchased at conferences. The SFA verified that some of the items Radcliff allegedly purchased were items that only SFA sold, but that they did not sell these items at conferences. The total amount of the funds that Radcliff failed to provide documentation for was $6,200.00.

In early 2005, Radcliff, Todd, Davis, Evans, and Wilson were indicted by a Federal Grand Jury on various federal charges, including Title 18 USC 371, Title 18 USC 666(a)(1)(A), and money laundering charges. Radcliff pled guilty in U.S. District Court to Conspiracy to convert Public Funds in violation of Title 18 USC 371, and Title 18 USC 666(a)(1)(A). Judy Radcliff was sentenced to 30 months in federal prison and ordered to pay restitution of $217,505.68. Sandra Todd pled guilty in U.S. District Court to Conspiracy to convert Public Funds in violation of Title 18 USC 371. Sandra Todd was sentenced to 12 months in federal prison and ordered to pay restitution of $89,651.58. Joycelyn Wilson pled guilty in U.S. District Court to Conspiracy to convert Public Funds in violation of Title 18 USC 371. Joycelyn Wilson was sentenced to five months in federal prison and ordered to pay restitution of $48,178.00. Tammie Davis pled guilty in U.S. District Court to Misprision of a Felony in violation of Title 18 USC 4. Tammie Davis was sentenced to three years of supervised probation and ordered to pay restitution of $46,128.00. Carolyn Evans passed away after she was indicted and the indictment against her was dismissed.

The Investigations Division of the Mississippi State Auditor's Office has the primary responsibility for conducting investigations into illegal practices on the part of public officials and governmental entities of the State of Mississippi.

Submit your case highlights to be published in the Informant. Send your case summaries to Loreal Bond at lbond@nw3c.org.


Instructor Spotlight
Phillip Stockard
Police Officer, Regional Police Academy, Kansas City Police Department, Kansas City, MO

Profile
Specialty: Intelligence Analysis
Class Taught: FIAT
Favorite Quotes:
"Learn from those that came before you, teach those that will follow"
"If it ain't on paper...it never happened"
"Just when I thought I was out...they pull me back in"

I began my Adjunct Instructorship with NW3C in July 2004 when I attended the first Foundations of Intelligence Analysis Training (FIAT) Instructor Development Course in St. Louis, MO. Since that time I have had the opportunity to instruct the FIAT course in Minneapolis, Kansas City, Honolulu and twice at Fort Belvoir, VA. I also assist with the instruction of another NW3C instructor development course in Richmond, VA.

Throughout my teaching experience with NW3C I've had the opportunity to work with top-notch instructors, both from the NW3C family and other adjuncts. I get to be both instructor and student as I learn from others' lives and professional experiences. Developing contacts and lifelong friendships is an exciting part of instructing with NW3C. It is so much easier when I need information to be able to pick up the phone and make a quick call as my range of contacts continues to expand.

I like to keep the atmosphere in the classroom light and fun. Most people learn if they enjoy being there, so make it fun to be there. You can still accomplish the mission, but make the trip more enjoyable. You can still be professional but don't be afraid to be human. If you mess something up, have a little fun at your own expense and move on.

I began my teaching career as a Field Training Officer with the Kansas City, MO Police Department in 1987. Later, serving as Detective in the Narcotics & Vice Division, I was selected to be one of the first Intelligence Analysts with the Midwest High Intensity Drug Trafficking Area (H.I.D.T.A.) program.

In 1999 I instructed the Basic Intelligence course for the H.I.D.T.A. Assistance Center. There was a desperate need for basic intelligence analysis skills in rural areas that had little or no training budget. In response to this problem, Shelly Volker (who is also an NW3C FIAT adjunct instructor) and I developed a very basic intelligence analysis course to provide entry-level skills for personnel from rural agencies, as well as local and state agencies that wanted to attend, free of charge.

After realizing my passion for training, I transferred to the Regional Police Academy with the Kansas City, MO Police Department where I am assigned to the Basic Training Section. This section is charged with providing basic training to regional candidates who are beginning their career as police officers. As I enter the twilight of my law enforcement career, I thrive on watching the learning among new officers or analysts take place.

Their enthusiasm, when it all makes sense and they run with it, rejuvenates me.

In August 2006, the New York City Police Department and NW3C hosted a Secure Techniques for Onsite Preview (STOP) course at the New York Police Department Academy. The STOP course, taught over the course of two days, was designed for probation and parole officers and detectives that conduct spot checks and home visits. The New York Police Department invited local law enforcement personnel and probation and parole officers from the surrounding jurisdictions to attend the recently held STOP course.

STOP is the first class created by NW3C to cater specifically to probation and parole officers. When criminals are released they might use computers to violate the terms of their parole. Therefore probation and parole officers could make good use of training in the proper techniques for conducting on-site previews of computers and computer storage media. Steve Larsen of the Suffolk County Probation Office stated, "Our unit provides community supervision of convicted sex offenders; therefore the need for tools [to conduct on-site previews] is self explanatory."

The class is designed to train the street officer, new detective and probation and parole officer how to view the contents of computer hard drives or computer storage devices without altering the data on those devices. By avoiding any changes to the computer data storage devices, the probation and parole officer previewing the data preserves the integrity of the data on the computer's hard drive or other storage devices for various legal proceedings.

The Law Enforcement Community recognizes that some probationers do use computers to engage in or further their illicit, prohibited behavior. To address this issue, the Probation Community has been asking for additional terms, restrictions and limitations to probation orders. These additional terms and conditions of release include prohibitions on how a computer can be used and the authority for probation and parole officers to review the contents of the computers.

Joseph Abramo, Supervising Probation Officer, Suffolk County Probation Office, commented that the ability to preview data on a computer system has been very helpful in managing probationers. The information the probation officers have found on the computers has resulted in probationers being successfully charged with violations of their probation. Information found during on-site previews has been helpful in other areas as well. Abramo further commented that the information found in computers has led, in some cases, to changes in the probationer therapy treatment programs. This, in turn, may make the therapy more effective in preventing the probationers from re-offending and creating other victims in the community.

Abramo also stated that searches of computers have provided information on probationers' activities that they have tried to hide. There have been cases where a probationer has appeared, superficially, to be in compliance with the terms of his or her probation; however, when the computer used by the probationer was reviewed, the probation officer learned that, in fact, the probationer was not in compliance.

Steve Larsen shared one case where the probationer was not supposed to use a computer to obtain or view sexually stimulating material. Prior to his on-site preview of the probationer's computer, he would have said the probationer appeared to be complying with the terms of his probation. Larsen said he used his STOP training to preview the probationer's computer. He found the probationer had not only been viewing sexually stimulating material on his computer, but the information on his computer indicated the probationer's behavior was progressing toward more violent behavior. He also said the information he gathered from the probationer's computer was used to get the probationer rated as level 3 Sexual Predator. Previously, the probationer had been unrated.

Abramo stated that frequently, one of the conditions of probation is therapy. Those on probation don't usually divulge their various sexual deviations. When this happens, the therapist can't design the best treatment plan for the probationer, thereby making the therapy less than fully effective.

Larsen stated that in a recent case he was asked by another probation officer to do an on-site preview of a probationer's computer. The probationer was demonstrating superficial compliance with the terms of his probation but the supervising probation officer wasn't certain. According to Larsen, the therapist working with the probationer thought he was only a transvestite. However, during the on-site preview of the probationer's computer Larsen and the other probation officer found that not only was he a transvestite, but had sadomasochistic and exhibitionistic desires. These additional paraphilias were identified because the probationer was preparing to launch a Web site where he was the star of the show.

To Larsen, the ability to demonstrate what a probationer is doing on a computer improves his ability to effectively show the court or therapist the activities or paraphiliac behaviors of the probationer, versus dry descriptions. In the above case, the therapist made a significant change in the treatment plan of the probationer. Other evidence found during the on-site preview may get the probationer's probation revoked.

The probation and parole community has recognized that with the ability to do on-site previews they may discover evidence of additional criminal activities that need to be preserved for presentation in court. Abramo and Larsen both stated that with the training provided by the STOP class they are significantly more comfortable in reviewing the data on a probationer's or parolee's computer.

by Scott Pancoast, Computer Crimes Specialist, NW3C



The goal of this Informant issue is to help bridge the gap between the perceptions of white collar and cybercrime, highlighting the way criminals are using the Internet as a tool to commit every type of crime imaginable. Lt. Charles Cohen kicks off the Feature Section with this introduction.


The line between white collar crime and cybercrime has blurred to the point of being nearly indistinguishable. It is hard to find a crime in which the perpetrator violates a position of trust without communicating with, exploiting, or otherwise subverting technology in furtherance of the activity. Likewise, criminals using the Internet in furtherance of their criminal activity regularly take advantage of trust placed in them by those in the greater online community.

One need look no further than the recent scandal within the unregulated banking industry of Second Life (SL), a virtual world. SL exists only in cyber space, but has a real, robust banking industry where investors deposit funds in unregulated interest-bearing accounts. The largest bank in SL was offering rates of return as high as 44% before collapsing, and has been alleged to have engaged in a Ponzi scheme[1]. On January 22, 2008, after the collapse of that bank, which resulted in the loss of investor funds, SL stopped allowing financial institutions to do business in the virtual world unless they are registered with a country - any country[2]. Is this a cybercrime or a white collar crime? Are you and your agency prepared to take the lead in an investigation with similar allegations?

As computer-facilitated crime becomes increasingly ubiquitous, those investigators and agencies that are most successful in the interdiction of such criminality are those that do not view cyber crime investigation in a vacuum, but rather as a potential resource in a wide range of investigations. In the frenetic, evolving world of technology no investigator can be an expert across all aspects of the field. That is why it is more important than ever to maintain a close network of skilled investigators working in concert to interdict these activities.

[1] http://secondlife.reuters.com/stories/2006/10/15/ginko-financial-pioneer-or-pyramid/
[2] http://blog.secondlife.com/2008/01/08/new-policy-regarding-in-world-banks/

The

GROWING

of
by Charles Cohen, Lieutenant, Indiana State Police

Computer forensics is arguably the single most significant advance in criminal investigations over the last decade. While DNA analysis has garnered headlines, funding and resources, digital forensics has quietly resolved cases that would otherwise have gone unsolved. Computers and digital devices capable of retaining data are ubiquitous in modern society. Computer forensics is a tool unique among the scientific techniques used in investigations. It can provide evidence of motivation, a chronology of events, insight into an offender's true interests and activities, and links among multiple offenders. Even DNA analysis falls short of this investigative panacea. Every type of investigation has the potential to benefit from computer forensics.

Challenges and Opportunities

GPS devices, vehicle data collectors, and smart phones are just a few of the digital devices that can yield relevant information when investigating a vehicle crash or tracking an illicit drug transaction. Most homes contain computers, digital video recorders, digital cameras, gaming systems capable of storing data, digital music players and a myriad of electronic storage media. Each device is a potential goldmine of useful evidence.

As the variety of digital devices is exploding, the storage capacity of each is also growing exponentially and the prices are plummeting. In August 1996, a 2.0 gigabyte hard drive cost $439.99[1]. By comparison, in November 2006, a 1.0 terabyte external hard drive cost $444.99[2], representing a 500-fold increase in storage capacity. This creates 500 times the potential for relevant evidence on the hard drive, but also creates 500 times more innocuous material through which an examiner must sift in order to find that which is relevant to the investigation.

Communication by traditional telephone or snail mail is now almost quaint.
The modern criminal, or fourteen-year-old, communicates with VoIP[3], video IM[4], cellular camera phone, and text messaging in a language that is foreign to most police officers and parents. The trail to uncover this valuable investigative resource often starts with a forensic examination, but this trail quickly grows cold as Internet Service Providers overwrite logs and data retention periods expire.

Police agencies throughout the country are facing the same challenge when dealing with computer forensics. From the largest agencies to departments consisting of only a few officers, police managers must find a way to examine an ever-increasing number of digital devices, each containing an immense volume of data, in a timely manner, and with very limited resources.

At the same time, offenders are becoming more skilled at concealing both the devices themselves and the information contained within. A MicroSD card is 15mm x 11mm x 1mm, roughly the size of a fingernail, and can hold 2 gigabytes of information[5]. One can easily purchase software capable of wiping hard drives to Department of Defense specifications[6] from the local convenience store or download it free online[7]. Anyone with an Internet connection and an interest can find information on, and resources for, forensic countermeasures ranging from encryption and steganography[8] to computer cases rigged with incendiary devices and work areas with hidden degaussing cables.

Like many large police agencies, the Indiana State Police started a Cybercrime Unit about ten years ago. Also like many other departments, it experienced both successes and setbacks. Other issues, such as the Methamphetamine explosion and emergence of DNA analysis as the primary forensic tool, tend to focus institutional attention and funding away from computer forensics. Computer examiners, detectives and prosecutors all have similar lamentations:

- There is an unacceptable backlog of computers and devices waiting for examination.
- By the time that computers are examined, it is often too late to follow many of the leads that are produced.
- The vast majority of detectives do not have a true understanding of computer forensics and what it can accomplish to further their investigations.
- Computer examiners often lack a clear understanding of the investigation, causing them to overlook relevant information and expend unneeded resources.

Two years ago, the Indiana State Police saw the opportunity to develop a new paradigm for computer forensics and its role in investigations. The goal was to address current challenges and design a foundation on which to build in the future. The last two years have been a time of experimentation, interaction, and growth that is rare in a large police agency.

Partnerships

In order to build a substantive and sustainable program, the ISP saw the need to form strategic alliances. The department looked to sectors that traditionally do not interact with public investigative agencies. The agency formed a partnership with Purdue University and the National White Collar Crime Center (NW3C). The objective was to develop a beneficial dynamic among the three, with each reciprocally sharing their unique skills and attributes.

NW3C, a congressionally funded non-profit company, has a long history of providing quality police training and networking in matters related to financial and cybercrime. The organization built on this experience to produce new tailored training opportunities relevant to computer forensics and cybercrime. In return, the Indiana State Police provides subject matter experts with real-world experience and an ideal environment to beta test the newly developed courses.

Purdue University is rich with highly skilled computer science researchers who bring an academic perspective and credibility to the curriculum. In return, their students have access to practitioners working in this specialized field. Among the faculty and students at Purdue are some of the brightest minds working in fields related to digital forensics.

Most universities are isolated environments. All investigators know finite resources force proactive investigations to fall by the wayside as detectives and examiners react to a never-ending stream of cases. Through graduate student internships, the Indiana State Police is able to undertake projects that have a real benefit to ongoing and future investigations while easing this isolation.

Criminals involved in online fraud tend to associate with others involved in related crimes. This association is no different from those in other criminal subcultures except that it occurs in a virtual environment. Electronic data inadvertently kept by a known offender holds links to other offenders. Due to the volume of data, time and resource constraints, such links traditionally are not explored unless directly related to the incident offense under investigation. Interns can extract this information from known offenders' computers. At the same time, these students refine their skills and test various software tools.

The nature of cybercrime is such that associations among multiple offenders, and among offenders and victims, span wide geographic areas. Information sharing, facilitated by NW3C, overcomes this. Through their participation, leads can be sent to departments with jurisdiction over the newly linked offenders. Through collaborations with organizations such as the National Center for Missing and Exploited Children, this method is used with equal or greater success for traffickers in child pornography.

Examiners sometimes encounter unique challenges and situations when involved in an active investigation. It is common for an examiner to uncover something outside his experience, such as a newly introduced small-scale digital device, unusual storage medium or proprietary software. The growth in online social networking has created several such situations. When trying to timeline an individual suspect's or victim's online activity, it is necessary to understand how various activities on a particular networking site leave traces on a hard drive or other media. With over 300 known online social networking sites[9], no examiner can be familiar with the nuances of each, nor would it be justifiable to devote police resources to such an endeavor. Here is an opportunity for directed research by faculty and students that serves the dual purpose of academic advancement and positive investigative outcome. Through its networking and training capabilities, NW3C can then share this with others, both fulfilling one of its goals and advancing the field of computer forensics.

The Indiana State Police formed a related alliance with the United States Attorney's Office for the Southern District of Indiana. The citizens are a police department's clients, but the prosecutor is the consumer for the fruits of an investigation. This partnership establishes benchmarks for both forensic outputs and outcomes. One of the primary goals set in conjunction with the federal prosecutors is the ability to conduct on-scene computer examinations under certain circumstances and more quickly produce relevant results from all examinations.

Cybercrime investigation and computer forensics is an expensive undertaking. Today's cutting-edge hardware is in next year's discount bin. Programs such as the Internet Crimes Against Children Training and Technical Assistance Program, and other federal mechanisms, help mitigate this concern. We also are working in partnership to both standardize and raise the standard of affidavits in support of computer-related search warrants and the search warrant language itself. As all police professionals know, the ability to properly articulate and document doing the right thing is almost as important as the act of doing the right thing itself.

On-scene Examinations The traditional model for computer forensics calls for an investigator, who is usually not a trained computer examiner, to seize computers, digital media and electronic devices when encountered during a search. Customarily examinations are conducted later, in a remote location, after the material is packaged and transported, regardless of whether an examiner is present at the scene. There are many anecdotes of investigators being forced to wait over two years to see examination results. That examination then sometimes produces more questions than answers for those conducting the investigation. The Indiana State Police learned to view computer forensics differently than other types of forensics. Among other things, it requires more interaction between the examiner and the investigator. It is sufficient and proper for a detective to ask an examiner to, Quantify the white powder and examine for the presence of controlled substances or, Compare document #1 to document #2 to determine whether they were created by the same individual or instrument. It is not, however sufficient or efficient to ask an examiner to, Examine the hard drive for the presence of child pornography. One examiner describes such a request as, Like being told to find the stolen property in a twenty-story apartment building, but without being told in which apartment to look. There needs to be greater interaction so that both the investigator and examiner have a clear understanding of relevant issues. Just a few of the pertinent issues are how many images are enough to prove the allegation, whether it is relevant that images were sorted or viewed, if it is important when the images were acquired and in what manner, and if it matters whether images were distributed to others and to whom. It is counterproductive for an examiner to spend days examining terabytes of data to locate every unlawful image when a smaller number of images might prove the case. 
It is even more important for the examiner to know the appearance of a likely molest victim so that an attempt can be made to identify similar images.

About two years ago, the Indiana State Police began a pilot program in which examiners conducted on-scene computer forensics. The program was an immediate success. The agency found that the model of exclusively conducting examinations in a laboratory setting was inferior in comparison to the ability to conduct examinations on-scene. There are also specific circumstances when an on-scene examination is the only viable alternative. Under a variety of other scenarios, on-scene examinations are useful in conjunction with subsequent examinations in a centralized location, and elicit results unmatched by delayed examination alone.

Along with an increase in drive storage capacity, the amount of volatile memory on many computers has drastically increased. Volatile memory can loosely be described as the immediately accessible memory that is lost if power is disconnected. Mass-produced computers routinely come with as much as 3 gigabytes of volatile memory. It is standard operating procedure in most agencies to unplug computers found during a search, preventing data alteration before examination in a forensically sound manner. If this procedure is followed on a running computer, all of the data in the volatile memory will be lost. The question is, "How important is that?" And, the


answer is, "You never know." What is lost may include that which was most recently done on the computer, the most recently viewed Web sites, unsaved work in various programs, content of instant messaging sessions, and Webcam uploads and downloads, to name just a few things. Along with the potential irretrievable loss of incriminating evidence, there is the theoretical possibility of lost exculpatory evidence. Everyone who has interacted with criminal defense attorneys knows that they tend to exploit effective tactics. Such a tactic would include the following exchange:

DEFENSE ATTORNEY: Did you recover and preserve the volatile memory from my client's computer?
EXAMINER: No.
DEFENSE ATTORNEY: Is there a way to recover and preserve the volatile memory in a forensically sound manner?
EXAMINER: Yes.
DEFENSE ATTORNEY: Why did you not recover and preserve the volatile memory?
EXAMINER: It was lost when the computer was unplugged.
DEFENSE ATTORNEY: Who unplugged the computer?
EXAMINER: The detective.
DEFENSE ATTORNEY: Is it true that about one thousand books' worth of information can be stored in one gigabyte[10] and that there were three gigabytes of information lost when this computer was unplugged?
EXAMINER: Yes.
DEFENSE ATTORNEY: Is it possible that the evidence of my client's innocence was among those three thousand books' worth of information?
EXAMINER: Yes.
DEFENSE ATTORNEY: So the detective destroyed the evidence of my client's innocence.
PROSECUTOR: I object.

Delayed examinations produce other harsher consequences. Imagine a scenario in which the computer examiner discovers a folder in the file structure of a suspect's hard drive containing homemade pornographic images of the suspect molesting a pre-teen girl. Further, imagine that this examination takes place one year after the computer's seizure during the execution of a search warrant at a suspect's residence.
Finally, imagine that the images are of a neighbor and that there was insufficient evidence to establish probable cause for the suspect's arrest before examining the hard drive. In this scenario, on-scene forensics could have prevented the victim from being at risk for an additional year.

There are times when the failure to conduct on-scene forensics can result in the inability to conduct a successful investigation. For an example, one needs look no further than a real investigation in Indiana in mid-2006. Some details are omitted because this involves an ongoing prosecution. The suspect in this case has a prior conviction related to child pornography. He spent his period of incarceration diligently studying how to avoid another conviction. Fortunately, investigators knew that he was employing forensic countermeasures. Investigators executed simultaneous search and arrest warrants at his residence while the suspect was engaged in a conversation with an undercover police officer from another state. Detectives lured him away from his computer, and to the front door, by means of a ruse. The first words that the suspect said while being taken into custody were, "I want a lawyer."

Investigators found that the suspect was using an effective, but relatively simple, encryption system. The suspect kept all of his unlawful material and evidence of criminality on fully encrypted external hard drives that did not contain the encryption software. In this way, he could transport the material with no fear of being interdicted by law enforcement. He had one desktop computer where no contraband was stored, but on which the encryption software resided. To view his large collection of unlawful material, the suspect connected an external drive to the desktop computer. He decrypted images and material by dragging them to the desktop or any folder that did not have encryption enabled. To enable the encryption software and decrypt an image, the suspect kept his encryption key on a USB thumb drive, and had a logon password that he memorized. The encryption is re-activated by simply removing the thumb drive. In addition to the memorized password, which he cannot be compelled to reveal, the suspect had a mechanism to quickly destroy the thumb drive. If the thumb drive containing the encryption key is broken, all encrypted material is permanently irretrievable.

The traditional procedure for preserving digital evidence includes unplugging the desktop computer before transport. If this had occurred, not a single contraband image or piece of digital evidence could ever be recovered. Fortunately, an on-scene examination was already planned. In this case, investigators remained at the search scene for over thirty-six hours because they knew that once power was interrupted to the desktop computer, the data would be irretrievably lost.

A Tiered Approach

It takes a significant amount of time and funding to properly train a forensic examiner.
A department can expect to spend tens of thousands more in equipment, ongoing training and capital expenses. For this reason, it is not practical to have an on-scene examination for every investigation or to have every piece of storage media from every search examined. It is also not practical to continue sending all computers from search scenes to examiners at remote locations, adding to an ever-increasing backlog. For this reason, the Indiana State Police, in conjunction with its partners, implemented a tiered approach to forensic computer examinations. An approach that Assistant United States Attorney Steven DeBrota coined "computer forensics field triage" has been extremely successful. In this approach, a number of experienced detectives receive specialized training as first responders, such that they can review the contents of digital storage media and computer hard drives in a forensically sound manner. The specialized training is coordinated through, and certified by, the NW3C and Purdue University.[11] The first responders use hardware write-blockers to safeguard the integrity of the suspect hard drive's contents. They also use external devices in conjunction with write-

Continued on page 65

Trucho is proud of his gang affiliations; so proud, in fact, that he's decked out his MySpace page in blue and white and filled his album with pictures of his heroes (who are either incarcerated or en route to being incarcerated). Instead of being an arrow, his MySpace layout changes the mouse cursor to crosshairs, forcing users to "shoot" links in order to navigate through his profile. Aside from gang paraphernalia, Trucho has also put some more personal information about himself on his profile, such as the city he lives in (Los Angeles, CA) and the high school he goes to (he's a little old to be in high school; his profile says he's twenty-one years old). Trucho's also put a few pictures of himself online with his entire face, all but his eyes, covered by blue bandannas. Scrolling down to his "Friend Space," almost every one of his friends is wearing the same color: blue and white. Some have their faces covered by bandannas, while others are flashing their tattoos and gang signs. Further down his profile are comments other MySpace members have left him, bragging up the gang he claims to be a member of, and leaving him "respect."

Information like this is exactly what law enforcement officers have begun monitoring; it allows them to track gang members by browsing through their online profiles and discussion boards. Street gangs communicate through their own style of language, clothing, graffiti, hand signals and tattoos; their unique dress, language and symbols reinforce gang cohesiveness and loyalty, as well as the gang's image and the reputation of its members. These are the traditional ways that gangs communicate to each other; however, there is a new way of conversing: "cyberbanging." Just as some gangsters "tag" buildings with spray paint, these online taggers leave their mark in cyberspace (Carreon, 2005). Cyberbanging is referred to as delivering messages or issuing threats to rival gangs via Web sites.
The Web sites are legal, but, given the anonymous nature of the Web, authorities admit it is nearly impossible to gauge whether postings, blogs or instant messages come from actual gang members or "wannabes" (Barguiarena, 2006). People so much as posing to be members of gangs put themselves at risk, as some gangs are known to hunt down and murder anyone claiming to be a member who isn't (Klein, 2006).

Traditional gang investigations usually entail lengthy undercover and covert investigations, typically involving the tapping of phone lines or surveillance of certain neighborhoods. It is important for police officers not to miss clues of gang activity and gang violence. In 2003, online social networking exploded with MySpace, which, by 2007, had over 200 million members from all around the globe. Social networking has become notoriously dangerous for the amount of information members (especially younger members) will share online with all the world, but this coin also has another side: gang members are typically just as open on the Internet to sharing information as everyone else on social networking sites. Some gang members openly brag about their affiliations, skipping school, getting high and battling rival gangs (Klein, 2006). Cyberbangers, however, are also volunteering information about their street activities on these social networking Web sites, often providing details through text, digital pictures and video.

So what is it that law enforcement should be on the lookout for? Most cyberbangers design their pages to flash in-your-face images of gang flags, hand signs, marijuana, women, and stacks of cash. Some show pictures of themselves with guns and bandannas covering their faces below the eyes, casting menacing glances. Sometimes a visitor's mouse cursor will turn into a handgun, forcing them to "shoot" something to click on it. At other times, cursors turn into smoking cigarettes or sports cars (Klein, 2006). The sites even provide jail information of those who've been caught and are hoping to stay in the loop with correspondence (Borunda, 2006).

Most cyberbanging takes place by a gang notorious for their brutality: Mara Salvatrucha, or MS-13. MS-13 consists of mostly Salvadorans and other Central Americans, has an international profile, and is considered the fastest-growing, most violent and least understood of the nation's street gangs. An estimated 8,000 to 10,000 members operate in 33 states in the United States (Campo-Flores, 2005). Until recently, MS-13 members have been easy to recognize just by looking at them: members of the ruthless gang often have not just their faces, but their entire heads, covered in tattoos. Recently, however, new recruits to MS-13 have been advised against having their faces tattooed, as that makes their gang affiliations obvious to law enforcement. In addition to obfuscating their presence by diverging from their trademark tattooing, MS-13 members have adopted the "preppy" look in an attempt at fitting in with and recruiting college students (Llorca, 2007). With the roles online social networks play in the college atmosphere, MS-13 will have access to a seemingly limitless pool of potential recruits, as well as a nearly, though not completely, anonymous channel for communications.

As can be seen, cyberbanging is becoming the new fad for gang members across the country, and is spreading throughout the world.
Although this activity is relatively easy to commit and identify, it is, however, a very hard activity to investigate. Cyberbanging brings a whole new arena of crime to the law enforcement world.
References

Barguiarena, K. (2006) Police: Cyberbanging helps track gangs online. KHOU-TV.
Borunda, D. (2006) Street gangs use Web sites to promote their agendas. El Paso Times.
Campo-Flores, A. (2005) The most dangerous gang in America. Newsweek.
Carreon, C. (2005) Gangs use Internet to bang out messages of pride, hate. Knight Ridder Newspapers.
Klein, A. (2006) Cyberbanging, it's called, but gang threats are real: Web pages give police new look at violent lives. The Boston Globe.
Llorca, A. (2007) Central American gangs undergo makeover to avoid detection. Associated Press.

About the Authors

Jessica Bennett is a Curriculum Developer II with NW3C and criminal justice adjunct faculty for Fairmont State University. Nick Newman is a Computer Crimes Specialist II in the Computer Crimes Section of NW3C.


Hooked On PHORENSICS

by Tim Wedge, Program Support Center Coordinator, NW3C and Professor Rick Mislan, Purdue University


Purdue University to provide free mobile device forensics resource to Law Enforcement and Intelligence Communities.

Professor Rick Mislan, Purdue's resident mobile phone wizard, is developing a Web-based resource that will greatly expand the ability of law enforcement nationwide to extract useful evidence from various models of mobile phones, personal digital assistants (PDAs), and smart phones. The use of mobile phones, PDAs and smart phones is nearly ubiquitous. In some way, shape or form, almost any criminal activity has the potential to involve the use of this technology, and therefore, leave some kind of recoverable evidence. Information such as recent calls, recovered text messages, address books, pictures and other types of files may be recovered from these devices. The ability to quickly recover this evidence is becoming both increasingly important and increasingly difficult.

Investigators who wish to recover information face many challenges. There is no universal standard interface hardware or software for interacting with these devices. A software tool that works fine on one mobile phone model may not work at all for another model phone from the same manufacturer. Cable interfaces may look remarkably similar for some models, yet be incompatible. An examiner must have the correct hardware for a given model, and a software tool that will correctly interface with the particular make and model as well. Investigators and examiners are often forced into a "hit or miss" approach to mobile phone examinations, troubleshooting hardware and software interface and compatibility problems with every examination, losing valuable time in the process.

Professor Mislan and his students are hard at work to create a free, online resource for Law Enforcement and the Intelligence Community. Expected to debut in spring of 2008, P3, or "Purdue Phone Phorensics," is intended to help investigators cut through the morass of literally hundreds of unique models of mobile phones and their accompanying requirements. This resource will literally take the guesswork out of processing most mobile phones, PDAs, and smartphones. Don't know what hardware and software to use? P3 will tell you. If you have the brand name and model, P3 will provide the means to identify the hardware, software, and appropriate procedure to properly extract evidence from that device. This online resource will include multiple on-site assets and tools to enable investigators or examiners to successfully process the myriad of hand-held electronic devices they will encounter during virtually any type of investigation.

Building this resource continues to be a challenge for the Purdue team, but progress continues, the site is taking form, and the kinks are being worked out. Work continues on building and updating the database of known devices, as well as the user-friendly knowledge base feature that Professor Mislan wants to be the cornerstone of the site. In the long term, the resource will become a self-sustaining operation, acquiring data as it goes from the very people it is designed to help. It will require not only good programming and data management from the Purdue team that is constructing it, but also constant input from the target audience to keep the resource up to date and functional.

Screenshot of Purdue's P3 (Purdue Phone Phorensics) Web site.

In addition to user-friendly tools, the site will provide a wealth of technical references and background information with its interactive knowledge base feature. Professor Mislan can be reached at rmislan@purdue.edu. Readers who would like more information on mobile device forensics may want to check out Purdue's upcoming Mobile Forensics World Conference: www.MobileForensicsWorld.com.

About the Author

Tim Wedge has been a Computer Crime Specialist with the National White Collar Crime Center (NW3C) since 2001. In 2004 he was selected to manage NW3C's Program Support Center located on the campus of Purdue University in West Lafayette, Indiana. A partnership between the Indiana State Police, Purdue University and NW3C, the Program Support Center is one of five centers located throughout the United States. Hubs of interaction and collaboration, these Centers assist in the creation, support and maintenance of regional alliances between law enforcement, academia and the private sector. At Purdue, Tim is also a visiting faculty member where he provides training and technical assistance to both students and law enforcement in various aspects of computer crime. We are honored and proud to have Tim as a part of the NW3C team.


Cyber Criminals are no Match for this Federal Prosecutor

by Craig Butterworth, Communications Specialist, NW3C


When it comes to prosecuting cybercrimes, no one does it better. DeBrota has never lost a case. In fact, 98% of the people he brings charges against in the U.S. 7th District plead out because the evidence is so overwhelming. His triage model of collecting that evidence has been described as revolutionary. Yet some people consider him a maverick. When he's out collecting evidence, he wants his information fast. Why? So he can detain a criminal before he or she victimizes someone else. He regards the Internet as one of the three most important creations of mankind along with language and the printing press. At the same time, he considers the Internet to be the most unregulated institution ever devised. NW3C's Craig Butterworth caught up with DeBrota at his office in downtown Indianapolis.

Q: How did you get involved in cyber forensics?

A: In the early '80s I got an undergraduate degree in physics and political science. In the context of studying physics, I took classes in computer systems architecture and the mathematics of how computers function. So I had a lot of experience using larger computer systems. When I was hired by the U.S. Attorney's office in 1991, a computer crime case came in the door, and because of my past experience with computers and science, it was assigned to me. That's how it started.

Q: What can you tell our readers about your most difficult case?

A: I did a series of prosecutions beginning with a man named David Dancer who owned a video store in Bloomington, Indiana and who was also involved in molesting children and producing child pornography. Through his human interactions with three other offenders in this area, we were able to identify several children being molested and having child pornography produced involving them. And ultimately, it turned out that those four cases were linked to a man then living in Bangkok, Thailand named Eric Rosser. Eric Rosser was one of the people involved in a chain of events that led to the dissemination on the Internet of images of some of the victims from Indiana as part of the material that's available through Internet sources like Usenet user groups. The process of starting with David Dancer and prosecuting the cases all the way through Eric Rosser took several years and involved a lot of victims and involved an international manhunt for Eric Rosser who was actually on the FBI's Ten Most Wanted list for a while before he was caught. The America's Most Wanted show was the way they caught him actually. Somebody watching that show in Bangkok, Thailand noticed that Rosser was taking classes in Bangkok to learn how to teach English to kids in Thailand and they caught him. And then we had to go through all the international process of getting him extradited to the United States and getting him convicted and so forth. So, in terms of the amount of work and different steps and new things we had to learn -- and also the human side of it that involved a lot of live victims -- that was probably my most difficult case.

Q: What obstacles and challenges have you had getting cases successfully prosecuted?

A: In the early days, yes, we had extremely limited forensic resources. What Forensic Examiners we had were kept extremely busy and would have a range of different priorities they needed to serve. So the analysis of computers, even really basic analysis like pulling files off a computer as opposed to anything more complicated, was taking weeks and months to accomplish. That was causing harmful delays in the process of investigations because in the meantime, the witnesses would move on, their memories would fade. As computers became more and more commonly encountered in the cases I did, there were markedly more problems. In 1993 we started running into computers in crimes against children, and by 1995-1996, virtually everyone we investigated in these cases had a computer. After 2000, I can't think of an example where somebody didn't have a computer. And as computer use over time has increased, so has the likelihood of investigators finding significant related files on that computer increased. One of the biggest obstacles we continue to face is, "How are we going to break this chain of events where we do an interview, we get a search warrant, we seize the computer and then we have to wait months to find out what we got?" Because in those months we wait, events are happening. We have to worry about, "Is this person going to re-offend?" That process alone creates a very significant obstacle. Not in the sense of getting the investigation done but of making sure we have an interview that stops the initial criminal activity. Another challenge is that it takes quite a lot of specialized training to work with law enforcement personnel and prosecutors so that they understand what digital evidence can do for them in their investigations, what Internet communication components can be used by criminals and how criminal tradecraft has evolved as well as social networking. If investigators don't understand, for example, that people who are heavily involved in computers are likely to use their computer to research their criminal tradecraft, then they may not take the computer from the person's house as part of the investigation. They may not realize that in addition, a computer can be used as a substitute to a telephone. They may get telephone records from landline, but not realize that there are a very large number of ways criminal offenders can communicate with people in greater or lesser levels of detail through Internet communications.

Q: How do you determine which cases you will prosecute?

A: Because I'm a federal prosecutor, we have a confined jurisdictional reach of federal law. It's not nearly as wide-ranging as state law in some areas, although it's still pretty wide-ranging in some areas. So, the first thing is -- we have to make sure that we can, in the investigation, find the jurisdictional elements of the federal crime. Now, in a lot of cases of cybercrime, that's not difficult to establish because the Internet communications are going to cause information to travel over a state or over state lines and interstate or foreign commerce which is going to establish jurisdiction for a range of different federal offenses. But some of the considerations we use in deciding what to look at if we're talking about potential cybercrime would be: What was the harm? Did the offender have a longstanding and persistent pattern of behavior? If it's a harm that can be monetized, what is the dollar loss? What is the level of criminal intent behind the offense? What's the person's criminal history? Generally speaking, if there's one common factor we look for, it would be cases where there's a longstanding and persistent pattern of behavior because the longer they have that pattern, the more likely the digital evidence will be available because of the fact that it was accumulating over time. A wide range of other considerations can also apply. If we're talking about crimes against children, we focus on contact offenders, and sadistic offenders we think present a heightened danger. We also tend to prosecute high dollar economic crimes.

Q: Many high-tech crime investigators have complained that they have a hard time getting their local prosecutors to take cases that rely heavily on digital evidence. Do you think this is a legitimate complaint?

A: I've heard that complaint before. I think that investigators sometimes have trouble communicating the potential significance of digital evidence to prosecutors. Prosecutors often don't fully understand what digital evidence can do for them. It takes quite a bit of effort, if you're a prosecutor, to learn what you can do with this evidence and how it can be tactically deployed -- how to make it understandable to a jury. And if you're reading this and you're a state prosecutor, your caseload is a lot higher than mine. At any one time, a state prosecutor will have a lot of different cases of a lot of different types. And it wouldn't be unusual if they only had one or two that had even a moderate amount of digital evidence in them. Until the prosecutors have got the training and experience to really understand how it can be tactically used, they're going to be skeptical of its potential value.

Q: Any advice on dealing with prosecutors?

A: Investigators, you need to make sure that the results of your investigations can be easily explained. Because if you can't explain it well enough for a prosecutor to have confidence in your case's success, it's not likely the prosecutor will be able to explain it to the judge or the jury either. And the more difficult time you have explaining what the evidence means, the more I wonder if it really does mean what you think it does. It's often a red flag that you're having difficulty explaining to a prosecutor what it all means.

Q: Do you think it's important for judges to have some understanding of digital forensics? Has this ever been a factor in any of your cases?

A: It is very important. I've been involved in several trials where the judge's understanding of the digital evidence was a big plus. Prosecutors need to work with judges to help them understand what digital evidence is and what it can mean. I've been impressed by the speed with which judges have understood the significance of the evidence!

Q: What percentage, if any, of your cases are appealed?

A: About five percent. And that's fine. Our conviction rate in cybercrime cases since 1991 is 100 percent. We've never lost a cybercrime appeal of any kind.

Q: What can law enforcement do to make sure they meet your criteria?

A: Take a class! A good one is the Indiana State Police's On-Scene Computer Forensic Triage Class. It gives forensic first responders 20 tricks -- really methods and procedures -- that are aimed at getting evidence to the forensic examiner quickly, so that he/she can determine if the suspect poses a harm to others and can therefore be detained. Also check into NW3C's Classes. They have a wide variety of beginner through advanced cyber forensic classes that are another good place to start.


Q: You were instrumental in developing the triage model used in this class. Can you tell us something about it?

A: There's a lot of ground-breaking potential with this triage model. Having forensic first responders do the first 20 tricks gets effective results in nearly every case. The triage model acts as a force multiplier. Because Indiana was the first to use it they now have more forensic power than any other state. And it's not because they have more resources or more examiners, it's just that the system is more efficient -- and it works. The evidence in most cases leads to a plea by the defendant because it's overwhelming (98% plead - 2% go to trial).

Q: What can investigators do to make your job easier?

A: Detectives must embrace the technology and come to understand what social networking means and how far reaching it can be. If they feel threatened by advances in technology and refuse to understand what it means and what digital evidence can do, as an investigator, they will become obsolete. There are very few cases nowadays where digital evidence doesn't matter.

Q: Are there any technologies that pose particular problems for you with respect to evidence collection and case preparation?

A: Data encryption. There are several methodologies to deal with this, including using the proper interview technique during on-scene triage. For example, ask the offender for his password. He may offer it right up once he realizes what the charges against him might include. And as opposed to a typical "bag and tag," the proper interview technique can get you the answers you want 9 out of 10 times.

Q: Is the law enforcement community as a whole collecting and processing as much digital evidence as it should be?

A: Let me say that investigators are getting much better at evidence collection. But as a whole, clearly the answer is no. Many law enforcement agencies don't understand the role of Internet social networking in people's criminal tradecraft and as a result, they don't understand that the computer in someone's residence, the PDA they're carrying around, their cell phone, their GPS device in the car all could contain useful evidence depending on the type of case we're talking about. So, we still have a training need to have people identify where evidence may be found. People readily understand this in the physical world when we're talking about evidence like DNA and fingerprints. But we're still teaching people where electronic and digital evidence can be found both in the possession of offenders as well as in sources such as Internet servers, e-mail storage and places like Hotmail and so forth. When you get to the question of evidence processing, in many instances, information isn't being processed because of the overwhelming amount of evidence that's already in the queue to be examined by forensic labs and examiners. What's happening is -- because those resources are extremely taxed, people are making decisions on what not to examine because adding more evidence to examine makes the problem worse.

Q: What advice would you give to agencies or prosecutors that are reluctant to deal with electronic evidence?

A: Investigators don't have a choice anymore. If they're not part of the solution, they're part of the problem and they need to get out of the way! Investigators must recognize that the Internet is here to stay. It produces digital evidence. Digital evidence is objective and not subject to error. It is the investigator's job to get the information and establish a timeline. That's very convincing for juries.

Q: You've been involved in NW3C activities and conferences through the years. What contributions have you seen NW3C make to the betterment of law enforcement?

A: For more than 25 years NW3C has been at the forefront of developing an effective law enforcement response to the challenges posed by computer-related crimes. NW3C has recognized that law enforcement officers have a critical need to understand how computers can be used in an offender's tradecraft and the resulting digital evidence such use will leave behind. NW3C has a strong track record in preparing law enforcement in these areas.
About the Interviewer

Craig joined the NW3C family in October 2007. A seasoned news veteran with over 25 years broadcasting experience, he has covered over 500 criminal and civil court cases and reported on hundreds more major events throughout his career, receiving three individual awards from the Associated Press for outstanding news coverage. Craig is a native of Central Virginia.

http://informant.nw3c.org


When a crime scene is discovered, you expect first responders to be police officers, Emergency Medical Technicians and an investigator; however, today that list of first responders extends to forensic examiners, at least to advocates of on-scene forensic triage. Today's crimes are so intertwined in cyber forensics that it is not uncommon for cyber investigators to accompany traditional first responders to crime scenes to find digital evidence immediately from computers. In keeping with the growth of digital crimes, Indiana State Police in collaboration with faculty at Purdue University's Department of Computer and Information Technology have developed and implemented the On-scene Computer Forensic Triage Model. This process model allows investigators to examine and find evidence from computers, cell phones and small scale digital devices while still on-site. Previously, computers found during a search were unplugged by the police officer and transported to a laboratory for examination. During this process volatile memory and data are lost when the plug is pulled on a running computer.

Indiana State Police Lt. Charles Cohen, a proponent of the model, tells NW3C, "It is really a matter of the time value of evidence. We are talking about getting the most important information from the most likely locations within a device, in a forensically sound manner, while it's still of the most value to the investigations." On-scene Computer Forensic Triage is designed to complement remote examinations, not replace them.

The model was developed by faculty members at Purdue University's Department of Computer and Information Technology, Marcus Rogers, Ph.D., Rick Mislan and James Goldman, along with Steve DeBrota, Assistant U.S. Attorney, U.S. Attorney's Office for Southern Indiana and Tim Wedge, Computer Crimes Specialist at NW3C and visiting professor at Purdue. The purpose of the program is to effectively capture digital evidence on-site, and in a forensically sound manner. On-scene examinations are conducted in a mobile forensics laboratory, a recreational vehicle converted by Indiana State Police. The mobile forensics lab has room for three examiners and is equipped with a server, generator, equipment to review video media and a temporary storage area. In October 2007 Indiana State Police were awarded the International Association of Chiefs of Police-iXP Excellence in Technology Award for the triage program.

Today, criminals are using technology to research and commit every type of crime. They have the infinite ability to look up information on victims, and with the click of a mouse can even get instructions on how to commit a crime: simply "Google it." The use of computers and other digital devices in this capacity changes the way crimes are committed and the evidence that's produced. The On-scene Computer Forensic Triage Model is an attempt to keep up with these criminal acts. It is the first of its kind. Untrained police officers don't conceive the crime scene as being on the computer; therefore they risk losing valuable evidence. With proper forensic training investigators are better able to capture digital evidence for prosecution. Prosecutor DeBrota, along with Lt. Cohen, are advocates for the triage model and are trying to convince other law enforcement agencies to implement the program.

So why haven't all law enforcement agencies jumped on the bandwagon? The process model calls for a huge paradigm shift for regular investigators who are trained to do advanced examinations on computers. This can make some nervous. Prosecutor Steve DeBrota and Lt. Charles Cohen are advocates for the program and believe that a broader group of cyber investigators should be trained en masse to respond to the growing challenge. Prosecutor DeBrota states that investigators with no forensic training will become obsolete within the next three years; their ability and skill to interview cyber criminals will be inadequate. Prosecutor DeBrota also explains that most law enforcement agencies (over 80%) are small and have no forensic lab components. So, how do they respond to cybercrime? Prosecutor DeBrota's solution is to train everyday police officers to gather and examine digital evidence. Lt. Cohen agrees, saying, "The training is not appropriate for all officers or investigators, but when you limit those that can even triage a computer to those that have received expensive, protracted training to perform functions like breaking complex encryption schemes, you are overlooking a whole population that can be addressing the problem. That is like saying that only chemists can field test a seized powder to see if it is most methamphetamine or cocaine."

Purdue University currently offers training to officers in forensic triage, which officers at Indiana State Police have taken. Lt. Cohen and Prosecutor DeBrota are encouraging other agencies to take part in the invaluable training opportunities available in forensic triage.

[Photo: Sgt. Barnes prepares for class]

[Photo: Sgt. Jennifer Barnes, Forensic Examiner, Indiana State Police Instructor]

About the Author

Loreal Bond works as a Communications Specialist with NW3C and has been with the organization for nearly two years. She graduated with a bachelor's degree in Mass Communications from Virginia Commonwealth University in 2006, and is currently in graduate school working towards a master's degree in marketing.

[Photo: Lt. Charles Cohen and Sgt. Jennifer Barnes]


Informant: January 2008 - June 2008


Intellectual Property Crime (IPC) is an area that many local law enforcement agencies do not fully understand, much less actively investigate. When faced with questions involving intellectual property rights, most investigators quickly become overwhelmed with the issues of what is civil versus what is criminal, jurisdictional uncertainty and a general lack of knowledge about the investigation and prosecution of these types of crimes. Intellectual Property Crimes include trademark counterfeiting and copyright piracy and do not just affect the multi-million dollar corporations that own the trademarks. According to some statistics, the global trade in counterfeit goods has been estimated at $450 billion [1] with the U.S. Chamber of Commerce estimating losses in the United States at over $250 billion annually. [2] During 2007, the Department of Homeland Security recorded the largest seizure of counterfeit goods in U.S. history, arresting 29 people and seizing goods totaling $700 million.

Much like narcotics cases, intellectual property crimes and counterfeiting are a multi-billion dollar a year industry that can be effectively worked at the local level. For a criminal, intellectual property crimes can be a highly rewarding financial venture while minimizing the risk of discovery and prosecution. In many jurisdictions, the punishment and sentences for Intellectual Property Crimes tend to be light when compared to violent crimes and drug trafficking. According to the Secretary General of the International Criminal Police Organization (INTERPOL), the link between organized crime and counterfeit goods is well established, and trends indicate that Intellectual Property Crime is now the preferred method of funding for a number of terrorist groups including Al-Qaeda and Hezbollah. [3]

At the local level, many offenders who are arrested for selling counterfeit merchandise have lengthy criminal records, including violent crimes and drug offenses. The flea markets, roadside vendors and small businesses in your jurisdiction that sell fake Nikes or counterfeit Louis Vuitton bags are often funding terrorism and other criminal organizations simply by funneling the money back through the wholesalers without ever knowing where the money is going. In most cases, intellectual property crime is a low priority for law enforcement agencies and there is a lack of expertise in the investigation of these crimes. You can change this by realizing the scope of the problem and changing your priorities.

The Mobile County, Alabama Sheriff's Office White Collar Crime Unit has had some success in the area of Intellectual Property Crimes. Since beginning to focus more time on these types of crimes in 2006, the White Collar Crimes Unit has made several arrests and seized over $1 million in counterfeit goods including brand names such as Nike, Louis Vuitton, Coach, Prada, Polo, Phat Farm, Apple Bottom and others. Also seized have been items bearing logos of various professional sports teams and even Motorola Bluetooth technology. Many of the cases initiated at the local level have been adopted for prosecution by the U.S. Attorney's Office and have led to convictions in federal court.

In order to successfully investigate these cases at the local level, it is often easiest to compare the investigation style to that of narcotics cases. You may need to use confidential informants and cooperating witnesses to not only identify locations that may be selling the merchandise, but also to make undercover buys of suspected counterfeit items. In many cases, the counterfeit goods may be openly displayed in the store but in other cases, the items that you're looking for may be stored in back rooms and only available to people that know to ask for them. Once the items have been purchased, you will need to have them confirmed to be counterfeit. If anyone in your agency has had any specialized training in this area, you may be able to have this done in-house. But in many cases, you will need to consult with someone employed or trained by the trademark holder. Most companies will be happy to assist you in this area if you contact them directly. There are also investigative firms that specialize in trademark counterfeiting that may be able to determine the authenticity of items from various companies.

Once the items purchased have been verified as counterfeit, you may have several options including plain view seizures or search warrants. It is highly recommended that before beginning these types of cases, you review your local and state statutes, and consult with a prosecutor in your jurisdiction to determine your proper course of action. One of the reasons that many agencies do not place a high priority on these types of crimes is because of limited resources. If you begin an investigation of this type, you may need buy money to purchase the items initially, and in many cases, storage of seized items can become a problem. It is important to talk with representatives of various trademark holders and develop a good working relationship with them from the start. These representatives, on behalf of the trademark holders, can often assist your agency financially with costs associated with your operation such as buy money, storage facilities for seized items or even boxes or trucks to transport seized goods.

It has been the experience of many agencies that once they begin to actively investigate intellectual property crimes, many other offenses are discovered and prosecuted including narcotics violations, weapons charges and probation and parole violations. With the proper knowledge and the use of good investigative techniques adapted to this area of white collar crime, you can make a significant impact on the criminal element in your community.

References
1. The Economic Impact of Counterfeiting, Organization for Economic Co-operation and Development, 1998.
2. U.S. Chamber of Commerce Web site, http://www.uschamber.com/ncf/initiatives/counterfeiting.htm.
3. Public testimony of Ronald K. Noble, Secretary General of INTERPOL, before the U.S. House Committee on International Relations, July 16th, 2003.

About the Author

Detective Sergeant James Lackey is the supervisor of the Mobile County Sheriff's Office White Collar Crime Unit. He has been granted the Designation of Certified Fraud Specialist and is an Adjunct Instructor for the NW3C Financial Investigations Practical Skills (FIPS) Course. He holds a Bachelor's Degree in Criminal Justice from Troy University.

FDLE Launches Operation WebLock

by Neil Sindicich and Mary McLaughlin, Florida Department of Law Enforcement

In October of 2007, the Florida Department of Law Enforcement's (FDLE) Computer Crime Center (FC3) launched the first Operation WebLock seminars designed to give businesses throughout Florida a better understanding of disaster preparedness. Seminars were held in Tallahassee, Tampa, Jacksonville and Fort Lauderdale, FL. The goal of Operation WebLock is to show that all businesses, large and small, can improve their disaster response plans, and demonstrate what can happen if these improvements aren't made in advance, before that disaster strikes.

The two-day events featured a series of Information Technology (IT) and security experts who presented topics on network security and business continuity. Tabletop exercises with scenarios such as internal employee data theft, blackmail plots, and viral outbreaks that threatened to take down entire networks were presented by teams from University of Texas at San Antonio and FDLE. Operation WebLock 2007 was a huge success! With more than 325 attendees the response was overwhelmingly positive. Attendees stressed throughout the event and after that this was exactly the type of training that they needed to have more of. Many agreed that policy planning was lacking in their organization, and that this event helped them to better see the direction they should be heading.

Operation WebLock was the latest project in FDLE's Secure Florida Initiative. The Initiative began in 2003 with the creation of www.secureflorida.org as a way to educate citizens and businesses throughout the state on how they can stay safe online. In addition to information on the site, users are able to register for free e-mail cyber-security alerts and The Secure Florida Beacon newsletter. As SecureFlorida.org continued to flourish, its staff realized that to reach more citizens they needed to go to the community directly, and from this C-SAFE: Cyber-Security Awareness for Everyone was born.

C-SAFE seminars contain basic level information, and are presented to citizens and businesses, as well as to state and county employees, as a way of bolstering individual and business cyber-preparedness. Over the past four years, the C-SAFE seminars have spun off several smaller sessions that include Best Practices for Internet Security, Frauds and e-mail Risks, Securing Wireless Networks, and the often-requested Family Online Safety, designed for parents. C-SAFE is directed at the average computer user; the Secure Florida staff recognized that IT and network professionals need a more advanced technical level of information. Operation WebLock was created in order to address this more advanced user with a series that would captivate them on a different level entirely. To learn more about Operation WebLock, visit www.secureflorida.org.


The counterfeit merchandise trade is thriving in communities across the United States and has a global economic impact. The counterfeit products can be produced here in the United States or in foreign countries. Individuals, some of whom are suspected of having ties to terrorist organizations, then sell these products around the country. There are numerous reasons for this criminal activity such as a high-profit potential, limited enforcement and prosecution, easily-laundered profits, poor cooperation by businesses and great consumer demand.

Dr. Matthew Will, a University of Indianapolis business professor, offers some insight on how counterfeit merchandising impacts the economy. According to Dr. Will, counterfeiters cost our economy about $200 billion a year and have a direct negative impact on about 750,000 workers. This underground black market steals from our economy in many ways, among them jobs and taxes. Counterfeiting and theft go hand in hand. You may think you're getting a deal paying $20 for that Gucci bag on the street corner, but as the old saying goes, "Buyer Beware." Counterfeiters clone and sell poor quality brand name knockoffs. They steal factory seconds from disposal bins and sell them as first quality. They even steal merchandise out of delivery trucks. What's the solution? Buy from reputable businesses. Check to see if door-to-door salespeople have a license to sell. And remember the old saying, "if it seems too good to be true, it probably is."

There are numerous public health and safety concerns involved with counterfeit products. These products can contain unknown harmful materials that are eventually consumed or absorbed by persons using or coming into contact with the items. Several incidents have received local, state and national media attention involving various counterfeit products such as toothpaste, shampoo and medications.

In addition, there are problems that law enforcement have to work through when dealing with these investigations. The role of law enforcement in maintaining intelligence on the criminal enterprises and the individuals involved with this activity is complicated by the sheer volume of different products and items counterfeited. (It is highly advised to maintain a relationship and open line of communication with local and state fusion centers, which are better equipped to maintain databases and information sharing.) The items counterfeited and trafficked to communities are organized through clandestine and formal business models. The law of supply and demand with these items gives criminals an opportunity to prey on those consumers who, trying to save money, are more likely to be quickly defrauded. Items such as brand name or trademark clothing, electronics, cigarettes, movies, music or even sports tickets can quickly be produced, marketed and sold before law enforcement has a chance to act. Companies which hold the trademarks, copyrights or other rights may not cooperate with law enforcement. In addition, these companies may not have proper resources/legal departments to provide what is needed or are lax about wanting to prosecute. The Internet has become widely used by persons wanting to buy and sell these counterfeit items. But for the spam e-mails we receive and delete, this Internet activity goes largely unnoticed.

Most importantly, law enforcement must work with our state and federal prosecutors who are sometimes not familiar or experienced with counterfeit, pirated or bootleg investigations. A large crackdown is occurring with counterfeit, pirated and bootleg music and movies. Law enforcement is working with the Recording Industry Association of America (RIAA) and with the Motion Picture Association (MPA/MPAA). Both associations have reached out to law enforcement and have provided excellent color brochures regarding the identification of unauthorized recordings. These brochures greatly enhance training among law enforcement and the community. The movies and music are easily duplicated for quick sale either by a street vendor, a sale inside a legitimate business or even inside a home. This activity is widespread, highly profitable and involves products which are in great demand and sell very fast.

Law enforcement can utilize several investigative methods to go after counterfeiters in their jurisdiction. The criminal enterprises and individuals involved sell these items out in the open for people to examine and handle. The items are sold in street stands, flea markets, wholesale stores or inside any storefront which may be conducting an otherwise legitimate business. In addition, there are "purse parties" that can be held in a person's home. Plain clothes officers can buy the items themselves and thus identify the individuals, business locations and vehicles involved. These purchases can lead investigators to the manufacturing sites, stash locations, residences and financial institutions utilized in the criminal enterprise. This enables officers to bring racketeering charges which can open the door to additional charges and forfeitures.

When a raid involving imported items is conducted in businesses or residences, documentation and records involved with this illegal trade will often be found. This documentation often includes invoices, United States Customs paperwork, letters, ledgers, order sheets and electronic information. This is primarily a cash business at the consumer level and you should be prepared to act quickly to go after the money involved. Conducting follow-up work with the use of search warrants on identified safety deposit boxes, residences or storage facilities is crucial. This enforcement is an investigation tool for street officers to utilize when dealing with problem businesses in their community.

An ideal way of educating law enforcement about counterfeiting is through the current established training programs already in place within your agency. The use of roll call read-offs with accompanying brochures provided by the business community is a good first step. Awareness of the counterfeit items can also be covered in training academies, in-services or videos.

An Indianapolis Case Study: Operation Bogus Horseshoe

The counterfeit merchandise trade in the Indianapolis area has tripled with the success of the Indianapolis Colts' 2006-2007 season. Roadside vendors, flea market booths and retail establishments have started participating in what is presumed to be a victimless crime. The truth is, this crime has many victims, the most obvious being the trademark holder. The consumer, who assumes that they are purchasing a legitimate quality product, is in fact purchasing a low-quality illegal product. The lesser recognized victims are the companies that pay to hold the license to produce legitimate trademarked merchandise, their employees and subcontractors.
The charities that organizations such as the Colts support are equally victimized. For instance, the Indianapolis Colts donate a portion of the sales from pink Colts merchandise to Breast Cancer Research. This crime multiplies through the broken window effect; citizens observe someone making money from this illicit venture and decide to set up their own business. The more it is allowed to continue, the bigger the problem it will become.

In January 2007, an anonymous tip alerted police to an Indianapolis-based company that was selling counterfeit Indianapolis Colts merchandise. The company carried an Indianapolis address and had two kiosks in a large shopping mall. A detective made a plain clothes purchase of two counterfeit Colts garments. The Indianapolis Metropolitan Police Department's Crime Action Team executed a search warrant on the two kiosks and confiscated 224 counterfeit pieces of Colts merchandise. The owner of the business argued that the merchandise was not an infringement on the Colts' trademarks. The general counsel for the Indianapolis Colts inspected the confiscated items and confirmed that they were, in fact, an infringement on the Colts' trademarks. The owner of the kiosks then agreed to supply the names of his local suppliers. From the information gathered, a multi-jurisdictional raid of the three manufacturers was coordinated and Operation Bogus Horseshoe was launched.

In cooperation with the Greenwood Police Department and the Johnson County Prosecutor's office, an undercover buy was made from a graphics printing and production store in Greenwood, Indiana that was mass-producing various items. In cooperation with the Shelby County Prosecutor's office and the Shelby County Sheriff's Department, an undercover buy was made from a gift store with production capability. The Indianapolis Metropolitan Police Department Crime Action Team made an undercover buy from a screen printing and graphics location in Indianapolis. It was agreed upon that all warrants would be served on Thursday, February 1, 2007.

IMPD and Greenwood Police Department assisted with the search warrant in Greenwood where over five dozen pieces of Colts merchandise, six screen Colts patterns (used in the screen printing process) and computer hard drives were confiscated. IMPD Crime Action Team then served the search warrant on a screen printing and graphics location in Indianapolis where approximately 30 garments bearing counterfeit Colts trademarks, four garments bearing Warner Brothers trademarks, and business records were confiscated. An additional seizure of 75 items of counterfeit Colts merchandise was made from two other locations. IMPD Crime Action Team next assisted the Shelby County Sheriff's and Prosecutor's offices in serving a search warrant at the gift store in Fountaintown, Indiana where 293 counterfeit Colts, Harley Davidson, Fox Racing, Playboy, NBA, Oakley, Nike and Major League Baseball items were seized. 500 heat transfers and a heat press machine were also seized.

Information obtained in the above listed search warrants led to an additional supplier of counterfeit merchandise located in Indianapolis. An undercover officer observed counterfeit Colts merchandise for sale in a wholesale store. The IMPD Crime Action Team executed a search warrant on the business on February 2, 2007. Over 2300 items of counterfeit Colts merchandise were seized in addition to business records.

Intelligence gathered from this operation has identified at least a dozen locations in the Indianapolis area selling counterfeit merchandise. On February 2, 2007 the IMPD Crime Action Team began plain view seizures from these locations. Six retail establishments were hit on a Friday with over 330 pieces of counterfeit merchandise seized. Additional retailers were visited and the value of items confiscated in this operation exceeded one hundred thousand dollars. Numerous local television and print media ran stories on the counterfeit items and issued "buyer beware" precautions so that consumers would be informed.


We all know who they are, we see them time and again. Their exploits come across our desks in the form of incident and arrest reports. The revolving door of the criminal justice system puts them out into our communities over and over again because white collar crime does not resonate with the public like violent crime. They are the repeat offenders, those relatively few individuals who commit most of the property and drug crimes in our community. We arrest them for one incident and sometimes before we can even finish the reports, they are out the front door of the jail and back at it. How do police agencies address those who create what prosecutors call a "disproportionate negative impact on the community"? Do we even address them in a manner that both identifies the problem and looks for a solution?

Eugene, Oregon, is neither a small town nor a large city. We have a population of about 140,000 and share a border with Springfield and their 60,000 citizens. Another few thousand people live in neighboring communities and unincorporated areas. The Eugene Police Department has around 170 sworn officers. A recent study showed we have 1.2 officers per 1,000 population, the lowest in the nation. We do more with less every day and it isn't going to get any better.

I work in the Financial Crimes Unit, which has five detectives and a sergeant, exactly what we had in the 1980s. We are the only dedicated white collar crime unit in the county. This is all we do. We cover a wide variety of criminal offenses ranging from simple forgery to financial abuse of the elderly to embezzlement to fraudulent drug prescriptions. The detectives in this unit see the same offenders day in and day out. Since we are often assigned cases involving suspects we have worked in the past, we joke that we are their "personal detectives for life."
The legislators for the State of Oregon gave us a tool to deal with repeat offenders a few years ago, a statute that identified defendants as "repeat property offenders." Criminals who had been convicted of four property crimes from a laundry list of offenses were in this category. New convictions from a list of felony property crimes can earn the defendant 13 months in prison. The key is that these prison terms can be made consecutive for each conviction, providing for longer sentences than could have otherwise been allowed by law. We started to see some of our worst offenders get years in prison instead of probation or local jail time. When I first joined the unit in 1998, it was common to see offenders get nothing more than probation. Now we are seeing prison terms upwards of 17 years!

Working the repeat offenders, or what older officers in our department used to call "ropers," means putting together a team. This does not necessarily mean a task force or anything formal. Task forces and working groups can get bogged down in meetings and minutiae. This team is a list of individuals in law enforcement, the financial institutions, local retailers, probation officers, prosecutors and other state agencies, each having an interest in seeing the worst white collar criminals locked up for extended periods. These are the people you draw upon when a repeat offender lands on your desk.

A case in point: Nicholas Marthias Crapser. This individual had never come to our attention before and did not even live in our city. Rick Capps, a Portland-based loss prevention manager for Fred Meyer, a large retail/grocery chain owned by the Kroger Company based in Ohio, contacted me about incidents happening in his stores. Rick was looking for a home for a case that spanned not only my county, but as many as nine other counties in Oregon. These were not large cases individually, sometimes no more than a few hundred dollars, so Rick was unable to find much interest. I met with him and looked over his documentation and video to learn the details of the scam. Since it looked as though a sizeable amount of the fraud had occurred in my county, I told him I would work it.

It was a very slick operation. Like many retail chains, Fred Meyer cashes payroll checks. Two male subjects would come into a store together and present what appeared to be payroll checks from various companies, generally for less than $200 each. The checks were in a variety of names, identification was always presented, but the videos showed the same two men. They negotiated checks in stores ranging from Salem in the north to Klamath Falls in the south.
When Rick and I first discussed the case, the financial loss to Fred Meyer was about $15,000. As more incidents came to light, the loss rose to nearly $20,000. With the help of contacts in the financial institutions, I discovered that these were computer-generated counterfeits. I caught a huge break early on even before I took the case. During one unsuccessful incident at a Salem store, the primary suspect left behind his Oregon drivers license and the check he was trying to cash. The information on the face of the card- name, date of birth and license number- was false. However, the card was valid, having been issued by the state with a bar code on the back. Rick scanned the bar code and returned it to Nicholas Crapser, a resident of Florence on the Oregon coast barely an hours drive from Eugene. I pulled up Crapsers drivers license record and verified that the photo on the license and the male in the videos were one and the same. We had identified our first suspect. Crapser had found a hole in the Department of Motor Vehicles system. He discovered he could visit various DMV offices, claim his license had been lost or stolen and pay a replacement fee for a new card. He had obtained six copies of his own license over the course of about two months. He was altering the information on these licenses and then presenting them with the counterfeit payroll checks. My contacts at DMV provided copies of each license he received.

The second suspect took a bit more time. Fortunately, Crapser was on probation for two identity theft and two misdemeanor forgery convictions out of Portland. His probation officer was named Cindy Mazikowski. I spoke with her about the case and she decided to do a home visit on Crapser, who was living with his mother. She reported back that Crapser had a friend living with him named Lucien Golar. As luck would have it, Golar was also on probation out of the Portland area for being a felon in possession of a firearm. I pulled a photo of Golar and confirmed that he was Crapser's partner in the scam. Now both of my suspects had been properly identified.

By tracking the various counterfeit check incidents at Fred Meyer stores in Oregon, I could follow trips made by Crapser and Golar around the state by date and time. In some cases, it appeared Crapser made solo trips, but more often than not, he and Golar traveled together. With the help of vigilant store security officers, I got fantastic surveillance videos of the two men both in and out of the stores. In one incident, I got close-up videos of them sitting in their car in the parking lot of one particular store just after cashing two checks.

At this point, I asked Lane County Assistant District Attorney Patty Perlow, a team leader in the Felony Division, to assist me. She suggested not only going after Crapser and Golar for identity theft, forgery and theft, but also targeting whichever of them was the ringleader with a racketeering charge for an ongoing criminal enterprise. This charge could add an additional 19 months in prison on top of any sentence received for the other crimes.

After spending several hours writing and planning a search warrant for Crapser's mother's house in Florence, I learned that Crapser had abruptly moved back to the Portland area, though Golar was still in Florence. With the help of Ms. Mazikowski, I contacted Golar and interviewed him about the scam. He provided a great deal of information that identified Crapser as the primary target in my case, even though he had passed the majority of the checks.

Since Crapser was living in Portland, I enlisted the aid of Detective Sheri Davis of the Portland Police Bureau's fraud unit in tracking down and arresting Crapser. Two of us from my unit made the four-hour round-trip drive to Portland, but Crapser either wasn't home or he refused to answer the door. Detective Davis called me later in the day and said Crapser had called her and was willing to meet with her. She issued him a citation on my behalf to appear in the Lane County Circuit Court. Once Crapser appeared in court, his probation officer placed a detainer on him and he spent the time leading up to the resolution of our case in custody at the Lane County jail.

Both Crapser and Golar ultimately pled guilty. Due to Golar's cooperation, he received probation until 2010. Crapser was convicted of one count each for identity theft, felony theft and racketeering, receiving a three-year prison sentence. Golar was convicted of ten counts of identity theft and one count of aggravated felony theft in excess of $10,000. Both men were ordered to pay full restitution to Fred Meyer in the amount of $20,000.

This case could have easily languished in the system, as individual minor theft and forgery cases around the state often do.

Both Crapser and Golar were already repeat offenders, and by taking their scam on the road and dispersing the losses among multiple jurisdictions, they made the job of investigation and prosecution much more difficult. By agreeing to work the case and consolidating it into a single county, I had to bring in a number of people to assist. Without the tenacity of the Fred Meyer loss prevention staff at the various stores and the corporate office in Portland, we could not have identified the suspects. Without the help of the Lane County probation officer, I may not have identified Golar as the second suspect or had eyes on the inside of the house in Florence where both men were staying. Without the aid of the detectives at the Portland Police Bureau, my task of contacting and arresting Crapser would have been much more difficult. And lastly, without the hard work of a dedicated and aggressive prosecutor, neither Crapser nor Golar would have been brought to justice in a satisfactory manner.

The lesson here is that we cannot work these cases alone. By creating working relationships with businesses and other law enforcement and government agencies, we can expand our ability to deal with people like Crapser and Golar and get them out of our communities for extended periods of time. The contact list in my PDA is like gold in any investigation I am assigned. I can call them and they can call me. Together we can take some of the worst white collar offenders out of circulation, at least for a while.

In the meantime, law enforcement agencies should look to work with their natural partners whenever the opportunity arises. We must identify repeat offender candidates for special attention and then work with our partners to remove them from our communities for as long as we can.

About the Author

I have been an officer with EPD for 15 years, the last nine of which have been as a detective in the Financial Crimes Unit. In addition to working financial or white collar crime cases, I am a forensic computer examiner and background investigator. I spent 12 years as a hostage negotiator and am a new member of the Arson Unit. I have put on training presentations throughout Oregon, Washington and Idaho, as well as for the US DOJ's National Advocacy Center in Columbia, South Carolina. I was also an invited speaker at a seminar hosted by the American Bar Association in the Sultanate of Oman in 2006. I am the current president of the Northwest Fraud Investigators Association, a member of the International Association of Computer Investigative Specialists and the International Association of Financial Crime Investigators.

http://informant.nw3c.org


When the English author Samuel Johnson explained, "Fraud and falsehood only dread examination; truth invites it," he was eloquently stating an obvious fact. As white collar crime fighters, we know that such examinations of purported facts are a mainstay in developing a good, rock-solid case. Day in and day out, police, accountants, auditors and investigators pore through evidence and conduct interviews to get to the heart of the truth.

Out of all the economic crimes investigated, one of the least understood is insurance fraud. Insurance fraud is complex and foreign to most investigators. Yet it is estimated to be the second most common crime in the United States, right behind tax evasion. Last year, the National White Collar Crime Center, in conjunction with the National Insurance Crime Bureau, assembled a team of professionals from around the country to devise a training program that addresses insurance fraud. That program is in the works, but fortunately, you don't have to wait until that program is in place to understand insurance fraud in its many forms.

First, it is helpful if we understand just exactly what insurance fraud is. To put it simply, insurance fraud is any misrepresentation or omission regarding an insurance policy or an insurance claim. We can further break that definition down to hard and soft fraud. Hard fraud is a deliberate action where an individual fakes or stages an accident, injury, or arson in order to file a claim. Soft fraud is where an individual lies or inflates the truth about a legitimate claim. While they are different, the goal is the same: to collect money that the individual is not entitled to.

Without a doubt, hard fraud is the more glamorous case to prosecute. These are the types of cases that make splashy headlines and get coverage on the evening news. A staged accident is bound to get more attention than an inflated workers' compensation injury. But they have the same effect. These claims cost insurance companies money. Those companies, in turn, pass that loss on to the consumer. As a result, you and I are paying for both hard and soft fraud. We are both victims.

Insurance is an international business. As such, it is almost impossible to determine how much is lost to insurance fraud every year. The Coalition Against Insurance Fraud estimates the figure at close to $80 billion. That's an average of almost $1,000 a year paid in additional costs by each household in the nation. Healthcare fraud alone costs an estimated $54 billion a year. As a result, the FBI has made healthcare fraud one of its priorities.

Even though insurance is an international business, most states have the authority to prosecute cases that have some nexus to the state. Congress has given the states a mandate to regulate the business of insurance, despite insurance meeting the definition of interstate commerce. Most state insurance departments have a dedicated fraud unit that does nothing but investigate allegations of fraud. Other states have created divisions in their state police operations to investigate these cases.

Yet these divisions often have limited resources. Insurance is such a large section of the economy that it is next to impossible for all cases to be investigated by state officials alone. As a result, many insurance companies have created special investigative units (SIUs) within their companies to investigate fraud allegations. These units are made up of investigators that work only for a specific company, gathering information and taking statements in relation to the instances that they discover.

Some companies do not have dedicated SIUs to investigate allegations, but instead are members of the National Insurance Crime Bureau (NICB). NICB is a non-profit organization that investigates allegations on behalf of its member companies. NICB has hundreds of agents throughout the country. They are dedicated to the singular purpose of combating insurance fraud and bringing resources that are otherwise unavailable to SIUs and state authorities. They also take an active role in providing bait cars and other equipment that help authorities catch fraudsters in the act.

Despite this rather large group of professionals dedicated to fighting insurance fraud, there seems to be no abatement in fraudulent activity. This is in large part due to the public's perception of fraud. Insurance companies do not make the best victims. They are big, faceless corporations that have the reputation of unduly complicating the process of filing a claim. As a result, many people have no qualms about lying to get a little something extra from a company that they have given money to for years. When you take into consideration that insurance fraud often comes with little risk, the company becomes the perfect victim.

But as noted above, there are more victims than just the insurance company. You and I pay for the cost of fraud. Furthermore, insurance scams often cost people their life savings or cause them physical harm. In 1997, a California couple and their two-year-old daughter burned to death in a staged accident. Last year, my division prosecuted an insurance agent that stole an elderly woman's life savings, leaving her with few options for the medical treatment she needed. These scams cost more than money.

To further complicate things, insurance fraud has been suspected as a terrorist fund-raising activity. One of the purported scams involves foreign nationals purchasing life insurance in the United States. They in turn pay corrupt officials in foreign countries to issue death certificates for them. Their families use these death certificates to collect on the policies and then give the money to terrorist organizations.

You may not directly work in the insurance business, but you are nonetheless critical to combating insurance fraud. If you learn whom to contact and what to look for, you can be a desperately needed resource for law enforcement. Contact the Coalition Against Insurance Fraud to determine who the insurance fraud officials are in your state. Take time to learn about fraud indicators and how your business could fall prey to insurance scams. Finally, don't be afraid to speak out. Many states have given immunity from lawsuits to individuals who report fraud on a good-faith basis.
About the Author

Cory Cox is the director of the Arkansas Insurance Department Criminal Investigation Division. He serves as the chairman of the National Association of Insurance Commissioners AntiFraud Task Force Training and Seminars Working Group. He is a voting member of the Arkansas Crime Reparations Board.


11 YEAR SENTENCE FOR ID THEFT AND FRAUD

Richmond, TX -- On October 15, 2007, Presiding Judge Thomas R. Culver, III sentenced Oluwole Ajayi Gabriel to 45 years in prison for identity theft and fraud he committed in 2004-2005. Marian Folarin, Gabriel's accomplice, was sentenced to 11 years.

On July 20, 2007, a jury convicted Gabriel of Theft for stealing over $300,000 from J.P. Morgan Chase Bank and 67 associated victims. The defendant elected for the court to assess his punishment and the case was reset to this month. The crimes occurred when the 44-year-old Katy, TX man opened 66 fraudulent credit card accounts, cashed them out and abandoned the debt during 2004 and 2005.

According to Michael W. Elliott, Chief of the Economic Crimes Division, Gabriel first came to the attention of Sgt. David Schultz of the Financial Crimes Unit with the Fort Bend County Sheriff's Office in December 2005 after a nineteen-month investigation by J.P. Morgan Chase Bank. Law enforcement began their investigation, which resulted in a search warrant for Gabriel and Folarin's home. In the home, authorities discovered over 100 credit cards in many different names along with checks and other forms of identification. They also recovered hand-written ledgers containing names and identifying information related to fraudulent credit card accounts.

"These are some of the stiffest sentences I've seen for economic crimes," said Elliott, "and the message couldn't be clearer: crime doesn't pay in Fort Bend County."

Gabriel's theft conviction is a first-degree felony punishable by 5 to 99 years or life in prison. Folarin pled guilty to Conspiracy to Commit Theft, a second-degree felony punishable by 2 to 20 years in prison, and requested the court assess her punishment. The judge rendered his decisions after considering the facts of the case and a pre-sentence investigation report prepared by the Community Supervision and Corrections Department. Assistant District Attorneys Michael Elliott and Kristen Moore prosecuted the case. Don Bankston represented the defendant.

ATLANTA METROPOL RECOGNIZES GEORGIA STATE OFFICERS

Atlanta, GA -- For their work in uncovering a suspected metro-area fraud ring, four Georgia State University police officers will be recognized by Atlanta Metropol, an association of police officials from across north Georgia. The four officers (Officers Jacob Brown and David Hickey, Sgt. Willie Johnson and Investigator Nicolay Hammond) are credited with making the first moves in what has turned into a federal investigation potentially involving hundreds of thousands of dollars in suspected bank fraud. The recognition will take place in November during an Atlanta Metropol Board luncheon.

Georgia State Police say several officers were patrolling the area around the University Commons late one night in July when they came upon three men engaged in suspicious activity in an Auburn Avenue parking lot. A search of a car being driven by one of the men turned up a number of fake IDs along with several corresponding bank cards, said Johnson, who was leading the directed patrol that night.

Since July, about $125,000 in fraud has been uncovered through 17 different financial institutions and the dollar figure is expected to grow, said Hammond. Some estimates put the fraud amount at potentially $250,000 or more. "The case just started expanding exponentially and we're still adding up the money right now," Hammond said.

Georgia State University Police Chief Connie B. Sampson said it's often observant officers on routine patrol who crack the big cases. "Any time you go to homeland security classes and things like that, they'll tell you it's really the officer on the street that makes a difference," she said.

Johnson said he's proud to have been a part of the initial investigation. "It's something I'll remember the rest of my career," he said, "for the rest of my life."

POLICE ARREST LOCAL WOMAN ON COMPLAINT OF EBAY FRAUD

Manchester, UK -- A city woman accused of using eBay to sell a big-screen plasma television set she didn't own was arraigned yesterday in Manchester District Court on a felony charge of theft by deception. Michelle Brown, 24, of 30 Cascade Drive, could enter no plea to that felony charge or to two felony identity theft charges, so a probable cause hearing was set for Jan. 14. Bail was set at $3,000. The identity fraud charges allege Brown used her mother's personal information to obtain credit cards and used them to purchase items.

Police obtained arrest warrants for Brown yesterday, after being tipped that Brown and her husband, who is from England, were planning to purchase airline tickets that day and leave the country. Court documents show Manchester Police received a fraud complaint from the Internet Crime Complaint Center of the U.S. Department of Justice late last month. The complaint alleged Brown had agreed, through eBay and PayPal, to sell a 50-inch plasma television set for $1,039 to a Maumee, Ohio resident who paid the money but did not receive the television.

According to police, an investigation showed Brown did not possess a 50-inch plasma TV and had no intention of honoring her end of the eBay transaction. Detectives also learned Brown may have committed the same type of fraud several times before the Ohio victim filed a complaint, and more charges are possible if more eBay victims come forward.

Police had already learned from Brown's mother that Brown had opened two fraudulent credit card accounts, using her mother's personal information. Court documents show that earlier this month, Manchester Police Fraud Investigator Martin Swirko spoke with Brown and she admitted opening the credit card accounts in her mother's name, and charging some items. Swirko said Brown told him a boyfriend had helped her and encouraged her, but she knew what she was doing.

A week ago, Swirko said, he learned from a CitiBank fraud investigator that the credit card accounts Brown allegedly opened in her mother's name, Citibank MasterCard and AT&T Universal MasterCard, resulted in $12,227.02 in losses to the company. Yesterday, Swirko received a phone call with information about Brown's plan to leave the country, prompting his request for arrest warrants, which were executed the same day.

PA MAN PLEADS GUILTY TO FEDERAL BANK FRAUD CONSPIRACY AND ID THEFT CHARGES

Richmond, VA -- Two individuals have entered guilty pleas in connection with a bank fraud and identity theft scheme that originated in Philadelphia and resulted in fraudulent transactions in the Metro-Richmond area.

Defendant Antar Bush, age 27 of Philadelphia, PA, pled guilty to Conspiracy to Commit Bank Fraud and one count of Aggravated Identity Theft. The conspiracy carries a maximum penalty of 30 years in prison and a fine of up to $1 million. Aggravated Identity Theft carries a mandatory term of two years of imprisonment, which must run consecutive to time received on the conspiracy charge, as well as a fine of up to $250,000. Bush will face sentencing before United States District Judge Henry E. Hudson on March 21, 2008. Chuck Rosenberg, United States Attorney for the Eastern District of Virginia, announced the plea.

Co-defendant Kevin Brown, age 31 of Willingboro, New Jersey, pled guilty to the same charges in September 2007. Brown was sentenced on January 3, 2008.

The defendants acknowledged participation in a conspiracy that began in December 2005 and continued until March 2007. The scheme involved the use of counterfeit checks that were presented to area merchants. The checks were created using the routing numbers of legitimate financial institutions. When passing the bad checks, the defendants presented fictitious out-of-state driver's licenses using the identities of real individuals. The conspiracy is responsible for negotiating a total of $378,785.28 in counterfeit checks for transactions occurring in Virginia and other states along the east coast.

The case is being investigated by law enforcement officers from the Henrico County Division of Police and the United States Postal Inspection Service, as members of the Metro-Richmond Identity Theft Task Force. In addition, the Task Force received investigative assistance from the National White Collar Crime Center based in Glen Allen, Virginia. Other member agencies of the Task Force include: the United States Secret Service; the Federal Bureau of Investigation; Bureau of Diplomatic Security, U.S. Department of State; the Richmond Police Department; and the Chesterfield County Police Department. Federal prosecutions for the Task Force are handled by the United States Attorney's Office and the Office of the Attorney General for the Commonwealth of Virginia. For more information on the Task Force, including assistance for victims of identity theft, visit www.richmondIDtheft.com.

The case is being prosecuted by Special Assistant United States Attorney and Senior Assistant Attorney General David W. Tooker.


CY-FI: The Future of Cyber Forensics VIRTUALIZATION


Continued from page 20

systems and file systems. Each of these virtual machines is isolated from the others and from the host operating system. If these virtual machine images (files) are not recognized during the investigation, a substantial amount of potential evidence will be overlooked. Because of this isolation, none of the memory residue (e.g., pagefiles) or normal file system artifacts (e.g., file slack) exists anywhere except in the encapsulated virtual machine. If these virtual images are overlooked, the evidence they contain remains invisible. This encapsulation also makes it easy for suspects to destroy evidence, as they only have to wipe the virtual machine image (ensuring multiple overwrites) and all evidence is gone.

The good news is that we as investigators can also take advantage of the benefits offered by virtualization. As most of us have limited budgets, there is a substantial cost benefit to being able to run multiple operating systems on one piece of hardware. As well, the isolation and encapsulation properties allow investigators to mount suspect forensic images (bit stream images) in a read-only (or roll-back) environment and get a better understanding of what the suspect was actually seeing and doing. In fact, Carnegie Mellon University has released a free tool (Live View) that assists investigators with this task [3]. In cases that involve suspicious network activity, investigators can create virtual networks between multiple virtual machines all contained on the host hardware. These machines never actually connect to the outside world, allowing for the monitoring of network packets in a controlled manner. I can personally attest to the benefits of using virtual machines, as we routinely conduct investigations using Apple computers running OS X with a Windows XP virtual machine running Windows-centric forensic software, and have had good success to date.

As indicated by the virtualization working group, the courts' acceptance of evidence derived from this new investigative approach is still uncertain. However, as long as we can demonstrate that sound forensic principles were followed, the admissibility of evidence should not be adversely affected. There are obviously more challenges and benefits to virtualization than I have presented here, but hopefully this discussion will spur investigators' interest in becoming familiar with virtualization. Investigations containing virtual machines are already occurring and are expected to increase substantially. If the market analysts are correct, we will see a significant increase in virtualization in the business sector due to the cost savings alone, with the home user being not far behind.
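The risk described above, that virtual machine image files go unrecognized during an examination, can be reduced with a signature sweep of the mounted working copy. The following Python sketch is an added example, not part of the original article or of any tool it names; it flags VM disk images by their file signatures rather than their extensions, so a renamed image is still found. The signature table covers common formats only, and the sample files are constructed for illustration.

```python
"""Flag virtual machine disk images in a mounted evidence copy by signature."""
import os
import struct
import tempfile

# (format name, offset, magic bytes). A negative offset is measured from the
# end of the file. Common formats only; this table is not exhaustive.
SIGNATURES = [
    ("VMDK sparse extent", 0, b"KDMV"),
    ("VMDK descriptor", 0, b"# Disk DescriptorFile"),
    ("QCOW2", 0, b"QFI\xfb"),
    ("VHDX", 0, b"vhdxfile"),
    ("VDI", 64, struct.pack("<I", 0xBEDA107F)),
    ("VHD (dynamic, header copy)", 0, b"conectix"),
    ("VHD (footer)", -512, b"conectix"),
]


def identify(path):
    """Return the format name if the file carries a known signature, else None."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:  # opened read-only: the evidence is never written
        for name, offset, magic in SIGNATURES:
            pos = offset if offset >= 0 else size + offset
            if pos < 0 or pos + len(magic) > size:
                continue  # file too small to hold this signature
            fh.seek(pos)
            if fh.read(len(magic)) == magic:
                return name
    return None


def scan(root):
    """Walk root and return (hits, errors).

    hits   -- sorted list of (relative path, format name, size in bytes)
    errors -- list of (relative path, message) for files that could not be read
    """
    hits, errors = [], []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                fmt = identify(full)
                if fmt:
                    hits.append((rel, fmt, os.path.getsize(full)))
            except OSError as exc:
                # Record unreadable files so they can be examined another way.
                errors.append((rel, str(exc)))
    return sorted(hits), errors


def build_sample_tree(root):
    """Write a small CONSTRUCTED sample tree; none of this is real evidence."""
    vdi_text = b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\0")
    samples = {
        # Ordinary document header: must not be flagged.
        "Documents/report.doc": b"\xd0\xcf\x11\xe0" + b"\0" * 60,
        # Sparse VMDK renamed to look like a data file.
        "backup/old.dat": b"KDMV" + b"\0" * 508,
        # Fixed-size VHD renamed to .mp3: the signature sits in the last 512 bytes.
        "music/track.mp3": b"\0" * 1024 + b"conectix" + b"\0" * 504,
        # VirtualBox image under its usual extension.
        "vm/disk.vdi": vdi_text + struct.pack("<I", 0xBEDA107F) + b"\0" * 444,
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the scan over the constructed sample tree and return its result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    found, failed = demo()
    for rel, fmt, size in found:
        print(f"{rel}\t{fmt}\t{size} bytes")
    for rel, msg in failed:
        print(f"UNREADABLE {rel}: {msg}")
```

A signature hit is a lead for the examiner, not proof: the flagged file still has to be mounted read-only and examined before its contents can be described.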

In the next article I will cover the emerging need to investigate the dreaded Mac (Apple computers running OS X) and provide some suggestions and forensic resources.

References
1. http://www.vmware.com/virtualization/
2. Pollitt, M., Nance, K., Hay, B., Dodge, R., & Craiger, P. (2008). Virtualization and digital forensics: A research and education agenda. Accepted for publication, Journal of Digital Forensic Practice.
3. http://liveview.sourceforge.net/

Continued from page 41

They also use external devices in conjunction with write-blocked ports on a laptop computer to review storage media. The first responder can feed his findings directly to other detectives on-scene. The information is often helpful in eliciting admissions from the suspect at a time when he is still predisposed to communicate with investigators. There have been instances where the mere sight of the hard drive being removed from his computer's case, combined with his guilty knowledge of its contents, has induced a full confession and cooperation from a suspect.

Information obtained by first responders can help establish the requisite probable cause to arrest a suspect. What an on-scene first responder does is analogous to a field test on suspected controlled substances. In both instances, something less than a full examination is conducted in a forensically sound and nondestructive manner. Also, in both instances, more elaborate testing can be conducted when necessary. AUSA DeBrota, the Indiana Project Safe Childhood Chair, said, "On-scene triage is vital to my ability to assess the danger of a subject when deciding whether to have him taken into custody. Waiting to conduct computer exams in a remote laboratory unnecessarily delays the proper identification of an offender's true interest and activities."

Along with identifying contraband and evidence, forensic triage helps to eliminate the need to collect certain items. Many households now have several operational and nonfunctioning computers. Without some screening mechanism, each and every device must be seized and sent for examination. On-scene forensic triage helps to cull the virtual wheat from the chaff.

There are certain circumstances, such as those previously described, in which a full examination on-scene is warranted. For those, the ISP uses a mobile computer forensics laboratory, which is a converted recreational vehicle. This vehicle has room for at least three examiners to work and is equipped with a server, generator, and equipment to review a variety of video media, and a secure temporary evidence storage area. A separate area of the vehicle can be used to conduct interviews. This allows examiners to feed timely information to those involved in an interview with the suspect, witness, or victim. Even with the help of federal funding, there is only one such vehicle in the State of Indiana. It has been an invaluable tool at investigative scenes ranging from homicides to Hurricane Katrina fraud.

The tiered approach goes beyond creating first responders. The approach must be applied holistically and include increased training for all involved in the investigative process. As discussed, digital evidence is relevant to every class of crime and plays a role in virtually every investigation. To ignore the need to adequately train and equip every officer is nothing short of reckless. Illustration 1 shows the categories of officer who come in contact with digital evidence. Each category has a role to play in the safeguarding and examination of that material. It is the role of police managers to ensure that each officer has the requisite knowledge, training, and ability, as outlined in Illustration 2, to be effective. (See page 66 for Illustration 2.)

Illustration 1

Illustration 2

The Future

Statutory and case law have failed to keep pace with changes in technology. There are many open questions regarding the reasonableness of digital forensic examinations as related to issues such as search scope, the interception of communication, the doctrines of plain view and inadvertent discovery, and staleness. There is an emerging trend among the judiciary to set deadlines for the examination of seized material. The prolonged seizure of computers containing business or personal financial information can cause a real loss that is unrelated to, but caused by, the investigation. This means that there is potential not just for the suppression of evidence, but also for civil exposure for agencies and officers.

Some who set computer forensics policy fear that if the judiciary fully appreciates the potential of on-scene and tiered examinations, it will be mandated for all cases. This is why it remains important to articulate both the advantages and limitations of these approaches. The answer is not, however, to refrain from using these capabilities. Investigators have become adept at articulating to the courts the complexity of digital devices and the necessity to conduct thorough examinations over long periods of time. The challenge now is to explain that while this remains true, it is also proper and necessary to engage in some examinations on-scene and contemporaneous with the collection of other evidence. It is not an issue of on-scene or remote examinations in lieu of each other, but a need for on-scene and remote examinations to complement each other.

Police agencies are traditionally monoliths that react slowly and with great bureaucracy. This model is not compatible with technology, which is decentralized, experimental, and ever-evolving. Computer forensics is at the mercy of the next Script Kiddie [12] or Black Hat Hacker [13] that takes an interest in developing countermeasures. If departments want to catch more than the inept and the unlucky, they must continuously devote significant resources.

What everyone must ask themselves is: If my son or daughter was missing, would I want the detective to be able to examine computers on-scene? Would I want them to be able to break the encryption on the computer and track the people with whom my child was communicating through cyberspace? Would I want people working the case to have the knowledge, skills, and abilities to catch and convict the person responsible? This is not a matter for a one-time capital expenditure or planning session, but a commitment to continued improvement.

The March 1949 issue of Popular Mechanics predicted, "Computers in the future may have only 1,000 vacuum tubes and perhaps weigh 1 1/2 tons." In 2006, a Smart Phone that is less than 12mm thick and weighs 4.2 ounces can take and transmit still and video images, surf the Internet, store, record, and play audio files, handle e-mail, and even function as a telephone [14]. It is somewhat of a misnomer and understatement to refer to what examiners encounter as "computer" forensics. Graduates of the 2007 police academy will be eligible to retire in 2032. There is no way to predict what challenges they will face related to digital forensics. The only certainty is that it will continue to be an essential facet of successful criminal investigations.

References

1. http://www.alts.net/ns1625/winchest.html, November 12, 2006.
2. http://www.newegg.com, November 12, 2006.
3. Voice over Internet Protocol.
4. Video Instant Messenger.
5. http://www.sandisk.com/Products/Default.aspx?CatID=1099, November 18, 2006.
6. NISP Operating Manual (DoD 5220.22-M), February 28, 2006.
7. LSoft Technologies, Inc., Active@ Kill Disk, http://www.killdisk.com/.
8. Hiding illicit data inside innocuous-appearing files.
9. Katayama, Lisa. Social Networking Sites Catch on in Japan. Japan Today. September 11, 2006.
10. Witten, I., et al. Managing Gigabytes: Compressing and Indexing Documents and Images, 2nd Edition. Morgan Kaufmann: 1999 (p. 34).
11. Rogers, Marcus K., et al. Computer Forensics Triage Process Model. Journal of Digital Forensics, Security and Law. 1:2 (2006) 19-37.
12. Usually a young and amateurish hacker who uses code, often developed by others, to do mischief for no tangible purpose.
13. Hackers often define themselves as White Hat, who try to benefit society; Grey Hat, who might break the law without intending to do harm; and Black Hat, who intentionally commit crimes and engage in malevolent activities.
14. http://www.motorola.com/motoinfo/product/details.jsp?globalObjectId=113, November 30, 2006.


NW3C CARTOONS

BUSTED
She says she's 14 and alone...and she wants to meet tonight! Sounds like I hit the JACKPOT! This is going to be GREAT! I can hardly wait! WHAT the...?

The ol' 14-year-old girl routine gets 'em every time!


Uh... What are you guys in for?

NW3C CAPTION CONTEST!

Starting with this issue, we will be running a "Can You Top This???" Caption Contest. Here's what our staff has come up with for this cartoon: "While he caught a number of predators, his superiors sometimes wondered if Stevens was a little TOO dedicated to his work." Can you top that? Give it a try! If you think it can't be topped, send us an e-mail and tell us that too!!!

Our panel will select the best entry from the e-mails sent, and the winner will get their name and picture printed in the next Informant. Send your captions to: cbutterworth@nw3c.org

We look forward to hearing from you!!!!

CARTOONIST: CRAIG BUTTERWORTH