[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]
This is a follow-up to a previous article titled Is it worth it? Dispelling the myths of law enforcement and hacking, released on November 22, 1999 via Hacker News Network.
Included with this article are several sanitized copies of various documents pertaining to computer crime investigations. Names, dates and locations have been changed.
Some of the information in this article may be a bit redundant from the last article, but is done in order to present a self standing article that is as complete as possible. Some of the links to agency homepages have been changed to point to their true home page, not just the system hosting the page.
Contents:
- More on Search and Seizure
  - The Search
  - The Seizure
- Statute of Limitations
- What exactly is illegal?
- More on Punishment
- Investigating Agencies
  - Federal Bureau of Investigation (FBI)
  - Defense Criminal Investigative Service (DCIS)
  - NASA Office of the Inspector General (NASA OIG)
  - Naval Criminal Investigative Service (NCIS)
  - U.S. Army Criminal Investigation Command (USACIDC)
  - Royal Canadian Mounted Police (RCMP)
  - Defense Computer Forensic Laboratory (DCFL)
- Appendix and Additional Information
  - A - Search and Seizure Warrant
  - B - Search and Seizure Warrant, Attachment A (apartment)
  - C - Search and Seizure Warrant, Attachment A (colocated machine)
  - D - Search and Seizure Warrant, Attachment C
  - E - Warrant for Arrest
  - F - Indictment
  - G - USDOJ Press Release
More on Search and Seizure
The Search
Before any Law Enforcement (LE) officer/agent may step foot in your place of living, they must obtain a search warrant that gives them explicit permission to do so. The warrant will list the physical address of the premises to be searched, a description of the establishment, a time frame for the search and seizure, and a list of acceptable material that may be seized. The warrant is likely to be issued by your District Court to the agent in charge of the investigation.
Rather than explain each part of the search and seizure warrant, I have included a sanitized version of one with this article. From my experience and communication with others, the warrant included can be taken as a very typical and standard version used throughout the U.S. Appendix A includes the first page of the warrant which details the premises to be searched, dates, who will conduct the seizure and more. Appendix B is a copy of Attachment A which is a wordy description of the premises to be searched. Appendix C is a copy of Attachment C which lists all material covered under the search and seizure guidelines.
Appendix A – Search and Seizure Warrant
Appendix B – Search and Seizure Warrant, Attachment A (apartment)
Appendix C – Search and Seizure Warrant, Attachment A (colocated machine)
Appendix D – Search and Seizure Warrant, Attachment C
Some notes and observations about the material contained in Appendix A: as outlined on the warrant, the agents may conduct the search and seizure either between the hours of 6:00am – 10:00pm, OR “at any time in the day or night as I find reasonable cause has been established”. One of the two options should be struck through and initialed by the Judicial Officer. Also included is a date by which the search must be executed.
Being subjected to an FBI search and seizure is an interesting experience to say the least. No official wording on any warrant can come close to explaining the experience. The agents typically arrive at your residence between 6:00 and 8:00am, almost a dozen of them, ready to toss your apartment to fulfill the warrant. After being greeted at gunpoint and your residence secured, the agents will mark each room with a post-it note and number. These numbers correspond to the receipt they leave you detailing what material was taken from each room.
In keeping with standard search and seizure practice, not much is left unturned. Some of the places you can expect the agents to search:
- Under the bed, between the sheets, between the frame/box
- Behind each and every hanging picture, especially framed
- Under/Behind dressers and furniture
- In the reservoir of your toilet
- Any attic or crawl space
- Every drawer, cupboard, container, shelf or other storage area
- Inside the refrigerator/freezer
- Under/Inside any cushion with removable insides
- Between the pages of books
- In air vents or other places commonly used to conceal items
If this does not help paint a picture that agents are rather thorough, let me clear it up. They are quite thorough. Do they find everything? Not all the time. In some cases agents even miss items out in the open that they might normally take. To balance this, they almost always take a considerable amount of material that is completely irrelevant or esoteric.
For the most part, you can also dismiss any notions you may have about hiding items before the raid. When they knock on the door, they will not give you time to do anything short of opening the door and complying with their demands. If they have any idea that you may be destroying evidence, they are empowered with the ability to forcibly enter your residence, physically detain you, and carry on.
The search and seizure will not be short by any means. You can expect it to last anywhere from a few hours to a full day. During this time you will be questioned by a number of agents regarding anything and everything they might think to ask. I don’t know if it is intentional and designed to throw you off, but they may ask extremely bizarre questions that lead you to wonder about their intelligence. During this questioning do one of two things.
- Refuse to answer ALL questions until your lawyer is present.
- Answer questions honestly.
Lying to law enforcement agents may seem like a clever thing to do at the time, but it is much more likely to hurt you in the long run. If you are caught in a single lie during questioning, it will further encourage the agents to question you more. They also have the option of charging you with obstruction of justice if so inclined. Once an agent gets it through their head that you are guilty, it is bad news for you regardless of your actual guilt or innocence.
It is extremely important that you realize your rights. UNDER NO CIRCUMSTANCE do you have to answer questions without the presence of your lawyer. No matter what the LE agent says, suggests, or implies, this is a fundamental right. In many cases, raid victims are not being charged with a crime. Because of this, their rights are not read to them. Just because you aren’t under arrest does not mean those rights are waived! The courts have recently found that police can be sued if they discourage raid victims from consulting a lawyer. More on this ruling can be found in this Washington Post article.
The Seizure
What can LE Agents take from you? EVERYTHING. You can’t argue about it either. While they may take material that is not explicitly covered under the warrant and may later be forced to give it back to you, that doesn’t help you when they are rummaging through your house. Re-read the list of material covered under Attachment C and think about how broad it is.
It is safe to say that absolutely anything remotely computer related is covered under the warrant. There are a few things that are also covered under the guidelines that tend to surprise people when confiscated.
- “electronic organizers”: these include ones with mini keyboards like the Sharp organizers, as well as touch screen like Palm Pilots.
- “personal diaries”: even your little black journal detailing sexual exploits, or a notepad with poetry.
- “books, newspaper, and magazine articles concerning hacking”: this includes ANY computer book in your residence. Newspapers or magazines that have security or hacker articles are included.
- “cassette tapes, video cassette tapes, and magnetic tapes”: If it isn’t a store bought tape, it is subject to seizure. Doesn’t matter if it contains episodes of the Beavers or pornography.
- “fax machines”: despite a fax machine typically not having the ability to store information long term, it is fair game.
- “indicia of occupancy or tenancy..”: Any paperwork or proof that you own or rent your place. Any sales receipts, billing records or anything else close.
- “other items … in violation of Title 18..”: Perhaps the worst listing of them all, this allows them to take just about anything else they may deem necessary.
Statute of Limitations
Another often-asked question is how long the feds can investigate you. As long as they want. For most cases, LE can investigate a crime for up to five years after it was committed. This is known as the Statute of Limitations and defines how long they can investigate and press charges against you for the crime. Hypothetically, that is. If the crime is serious, several agents have assured me that the U.S. Government will find a way to stretch that timeframe.
Regardless, if the agents have not made a case against you, the government attorneys will not press charges. Even so, you can expect them to hold onto any seized equipment until the conclusion of their investigation. If they go so far as seizing equipment and not pressing charges, you can expect to get your stuff back 1,825 days after it was taken, just to spite you.
What exactly is illegal?
Thanks to the vague (or was it intentional?) wording of the Title 18 laws, several actions you may consider harmless could fall into murky legal territory. As a DCIS agent recently said in a conversation about the last article, “Even if you telnet to a machine and type anything in, that can be attempted intrusion!”. As fascist as that may sound, it is true. Any activity or connection to a remote machine without authorization may be illegal. Because it is partially based on intent and partially based on your activities, this is still somewhat uncharted territory. While it is highly unlikely you will be charged for portscanning a machine, repeated poking at an open port could be enough to spark interest in your activities.
Another term often used by agents and lawyers is “illegal access device” (IAD). This has turned into another all-encompassing term that can be used for a wide variety of things in a case against you. Some of the things that fall into this category:
- login/passwd: Any login and password for any type of system be it Unix, VAX/VMS, voice mail or something else.
- ESN/MIN: Cloning cell phones is illegal as you know, but each ESN/MIN pair counts as one IAD.
- CC/Exp: Each Credit Card w/ Expiration Date. Remember, it takes both pieces to purchase anything.
- Access keycard: Find an access device in the dumpster? Pick it up after someone dropped it? This allows access (illegally) into a building.
- Employee ID: Like an access keycard, these are often used to bypass controlled access points or visual checks at guard desks.
Consider that when some hackers are busted, they are caught with a list of thousands of logins and passwords to systems around the world. Disturbing to think that each one can be used as a felony charge against you. When federal agents hold up to a thousand felony charges over your head, it is often enough to make you want to cut a deal. This is one reason that strong encryption is the friend of hackers.
More on Punishment
The punishment for hacking crimes is growing. Convicted hackers five years ago could expect a light slap on the wrist, a few hours of community service, and not much else. These days, a single felony count of computer hacking can lead to 15 months in jail along with restitution in the tens of thousands of dollars.
Below is a verbose list of restrictions placed on Kevin Mitnick. Examine them closely and consider what they really entail.
While the following restrictions may not be applied to every case, consider that they have been applied to one convicted hacker. Further consider that, as such, these restrictions may be used as case law in future court hearings. The following restrictions are taken from a larger document concerning Kevin Mitnick and the restrictions.
A. Absent prior express written approval from the Probation Officer, the Petitioner shall not possess or use, for any purpose, the following:
1. any computer hardware equipment;
2. any computer software programs;
3. modems;
4. any computer related peripheral or support equipment;
5. portable laptop computer, 'personal information assistants,' and derivatives;
6. cellular telephones;
7. televisions or other instruments of communication equipped with on-line, internet, world-wide web or other computer network access;
8. any other electronic equipment, presently available or new technology that becomes available, that can be converted to or has as its function the ability to act as a computer system or to access a computer system, computer network or telecommunications network (except defendant may possess a 'land line' telephone);
B. The defendant shall not be employed in or perform services for any entity engaged in the computer, computer software, or telecommunications business and shall not be employed in any capacity wherein he has access to computers or computer related equipment or software;
C. The defendant shall not access computers, computer networks or other forms of wireless communications himself or through third parties;
D. The defendant shall not act as a consultant or advisor to individuals or groups engaged in any computer related activity;
E. The defendant shall not acquire or possess any computer codes (including computer passwords), cellular phone access codes or other access devices that enable the defendant to use, acquire, exchange or alter information in a computer or telecommunications database system;
F. The defendant shall not use any data encryption device, program or technique for computers;
G. The defendant shall not alter or possess any altered telephone, telephone equipment or any other communications related equipment.
Imagine being subjected to these restrictions for a period of THREE years. Not only does your primary hobby go away, your means for stable income are at serious risk. Think of every job you could hold with these restrictions and life does not look so pleasant. Even working at Taco Bell requires the use of computerized registers. Telemarketing and other menial tasks that once were viable methods of income also go away. Jobs that consist mostly of physical labor become about the only option left to you. Don’t forget, many companies will not hire convicted felons, even for physical labor.
Court ordered restitution will be a new world of difficulty. Many people fail to realize that not only are restitution amounts fairly significant, but they must be paid back in a timely fashion. Oh yeah, remember that you are not likely to hold a job that pays more than six bucks an hour. So how much is US$50,000 when it comes down to it? Consider that you might be able to earn US$25,000 a year if you are fortunate. Giving up your entire salary would allow you to pay it off in two years. If you can live off of US$15,000 (poverty level), you could then pay back the restitution in only five years. Five years of living at a poverty level.
Is defacing a web page and putting up a message “hackerX 0wnz j00” REALLY worth it?
Investigating Agencies
After the previous article, many people wrote in to add more information regarding the various agencies that investigate computer crime. Using reader feedback and a little more searching, I have compiled a better profile of each agency that covers computer crime as well as their jurisdiction. Once again, please mail me if you have further information, or find error in the material below.
Federal Bureau of Investigation (FBI)
More information: http://www.fbi.gov/pressrm/congress/97archives/compcrm.htm
In February 1992, the FBI completed an assessment of the national computer crime problem and established the National Computer Crimes Squad (NCCS) in the Washington D.C. field office. The NCCS was staffed with Agents knowledgeable and competent in computer systems who were available to investigate computer crimes throughout the United States. In view of the fact that many computer crimes are international in scope, the FBI planned and hosted the first International Computer Crimes Conference in Charleston, S. C. , in May 1992, which was attended by investigators from seven countries.
Also in 1992, the FBI established the Computer Analysis and Response Team (CART). CART is a specialized group of forensic examiners with the technical expertise and resources to examine computers, networks, storage media and computer-related materials in support of FBI investigations.
The FBI is creating computer investigation teams in each of its 56 field offices that will respond to computer incidents within their geographical area of responsibility.
The FBI has established the Computer Investigations and Infrastructure Threat Assessment Center (CITAC) with the mission of managing computer investigations and infrastructure threat assessment matters. On July 15, 1996, President Clinton signed Executive Order 13010 establishing, on an interim basis, an Infrastructure Protection Task Force (IPTF) within the Department of Justice, chaired by the FBI. The IPTF includes representatives of the Department of Defense, National Security Agency and other agencies. A unit within CITAC performs analysis and manages the FBI’s coordinating role in the IPTF. The CITAC Watch Office proactively monitors threats to the U.S. Critical Infrastructures, provides front-end analysis of threats, and acts as a Crisis Action Team. CITAC manages the FBI’s computer-related investigations and provides advice and assistance to all investigations within the FBI that involve the computer as a tool for committing a crime.
Computer and Internet crimes are investigated by the FBI utilizing many criminal statutes under our jurisdiction. The Computer Fraud and Abuse statute was amended during the prior Congress and is a comprehensive tool to address computer crimes. Internet crimes conducted to defraud consumers are addressed with myriad statutes including Fraud By Wire, Mail Fraud, Interstate Transportation of Stolen Property, and Money Laundering to name only a few. Other computer related crimes involving Intellectual Property can be addressed utilizing Copyright laws and the recently enacted Economic Espionage statute.
Defense Criminal Investigative Service (DCIS)
More information: http://www.dodig.osd.mil/DCIS/mission.htm
The DCIS mission is to detect, investigate and prevent fraud, waste and abuse committed against or within the Department of Defense, involving its programs, operations and assets, and to address other matters as directed.
More information: http://www.dodig.osd.mil/
The Department of Defense (DoD) Inspector General serves as an independent and objective official in DoD responsible for conducting, supervising, monitoring and initiating audits and investigations relating to the programs and operations of the DoD. The Inspector General provides leadership and coordination and recommends policies for activities designed to promote economy, efficiency, and effectiveness in the administration of, and to prevent and detect fraud and abuse in, such programs and operations. The Inspector General is also responsible for keeping the Secretary of Defense and the Congress fully and currently informed about problems and deficiencies relating to the administration of such programs and operations and the necessity for, and progress of, corrective action.
NASA Office of the Inspector General (NASA OIG)
More information: http://www.hq.nasa.gov/office/oig/hq/mission.html
Public Law 95-452, known as the Inspector General Act of 1978, created independent audit and investigative units, called Offices of Inspector General (OIGs) at 61 Federal agencies.
The mission of the OIGs, as spelled out in the Act, is to:
- Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
- Promote economy, effectiveness and efficiency within the agency.
- Prevent and detect fraud, waste and abuse in agency programs and operations.
- Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
- Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.
The NASA OIG serves as an independent and objective audit and investigative organization to assist NASA by performing audits and investigations. The OIG prevents and detects fraud, waste and abuse and assists NASA Management in promoting economy, efficiency, and effectiveness in its programs and operations. The OIG auditors and agents are located at NASA Headquarters and all NASA Centers.
Air Force Office of Special Investigations (AFOSI)
Jurisdiction: Computer crime occurring against Air Force computers
The United States Air Force Office of Special Investigations is a field operating agency with headquarters at Bolling Air Force Base, Washington, D.C. It has been the Air Force’s major investigative service since August 1, 1948.
The primary responsibilities of the Air Force Office of Special Investigations are criminal investigative and counterintelligence services. The organization seeks to identify, investigate and neutralize espionage, terrorism, fraud and other major criminal activities that may threaten Air Force and Department of Defense resources. AFOSI provides professional investigative service to commanders of all Air Force activities.
Personnel and Resources
AFOSI has about 2,000 personnel, of whom two-thirds are special agents. Eighty-eight percent of the special agents are military and 12 percent are civilian. AFOSI consists of seven regional offices, seven overseas squadrons and more than 160 detachments using a worldwide network of agents at all major Air Force installations and a variety of special operating locations.
Naval Criminal Investigative Service (NCIS)
The Naval Criminal Investigative Service (NCIS) is a worldwide organization responsible for conducting criminal investigations and counterintelligence for the Department of the Navy and for managing naval security programs.
More information: http://www.ncis.navy.mil/about.htm
Like all other elements of the Department of Defense (DoD) and the Department of the Navy (DoN), NCIS has had to bear its share of personnel and budget cuts, too. For example, in 1991, NCIS had 2,281 total personnel including 1,167 special agents assigned to more than 200 offices worldwide. Today, NCIS has 1,603 personnel of whom 877 are civilian special agents assigned to 150 offices worldwide. In addition, 51 military agents, mostly from the Marine Corps, are assigned to NCIS.
Despite these and other changes, however, the NCIS mission remains the same — “To Protect and Serve” the men and women of the Navy and Marine Corps, their families and DoN civilian employees by conducting felony criminal investigations and counterintelligence for the Department of the Navy, and managing Navy security programs.
U.S. Army Criminal Investigation Command (USACIDC)
Jurisdiction: Computer crime occurring against Army computers
As the Army’s primary criminal investigative organization, the “CID” is responsible for the conduct of criminal investigations in which the Army is, or may be, a party of interest. Headquartered at Fort Belvoir, Virginia and operating throughout the world, the CID conducts criminal investigations that range from death to fraud, on and off military reservations, and, when appropriate, with local, state and other federal investigative agencies. We support the Army through the deployment, in peace and conflict, of highly trained soldier and government service special agents and support personnel, the operation of a certified forensic laboratory, a protective services unit, computer crimes specialists, polygraph services, criminal intelligence collection and analysis, and a variety of other services normally associated with law enforcement activities.
More information: http://www.lewis.army.mil/6thcid/cidhist1.htm
The U.S. Army Criminal Investigation Command (USACIDC) was organized as a major command of the Army to provide investigative services to all levels of the Army. Using modern investigative techniques, equipment and systems, USACIDC concerns itself with every level of the Army throughout the world in which criminal activity can or has occurred. Unrestricted, CID searches out the full facts of a situation, organizes the facts into a logical summary of investigative data, and presents this data to the responsible command or a United States attorney as appropriate. The responsible command or the U.S. attorney then determines what action will be taken. Ultimately, the commander of USACIDC answers only to the Chief of Staff of the Army and the Secretary of the Army.
Royal Canadian Mounted Police (RCMP)
The Royal Canadian Mounted Police (RCMP) works with communities to ensure the safety of all Canadians. It enforces federal laws and provides contract policing to most provinces, many municipalities and First Nations communities. The RCMP participates in peacekeeping efforts and supplies world-leading expertise in areas like forensics and criminal intelligence to Canadian and international police.
More information: http://www.rcmp-grc.gc.ca/html/cpu-cri.htm
There are RCMP Commercial Crime Sections in every major city in Canada. Each one of these units has at least one investigator who has received specialized training in the investigation of computer crimes. These investigators are supported by the RCMP Computer Investigative Support Unit (CISU) located at RCMP Headquarters in Ottawa. CISU can provide technical guidance and expertise to all Canadian police departments and federal government agencies in relation to computer and telecommunication crime investigation.
The Criminal Code of Canada and the Copyright Act contain provisions that deal with computer and telecommunication crime.
- Criminal Code: Section 342.1 – Section 430(1.1) – Section 326
- Copyright Act: Section 42
Defense Computer Forensic Laboratory (DCFL)
Jurisdiction: Forensic/Technical support for DOD computer crime investigation
The Department of Defense Computer Forensics Laboratory provides digital and analog evidence processing (analysis and diagnostics) for DoD counterintelligence, criminal and fraud investigations, operations and programs. The DCFL sets DoD standards in digital and analog forensic analysis. The Lab develops and manages DoD forensic media analysis research and development projects. It also conducts liaison with counterpart law enforcement, computer security and intelligence agencies.
[See attrition.org copy for appendices.]
Special thanks to:
- the many people who wrote in with positive feedback on the first article
- cyberdiva (cyberdiva@MailAndNews.com)
- the AFOSI agent who mailed in with additional (public) information
- travis and mark w/ DCIS