About two weeks ago we had another school shooting tragedy. Like so many in the past the suspect appears to have telegraphed online his evil madness prior to its eruption. The FBI was apparently notified of at least one of those posts prior to the act and acknowledged there was a breakdown of their response protocols. Unfortunately, one of the troubling aspects of these events is the occurrence of “copycats,” who either create similar evil posts or videos as “jokes” (NOT FUNNY) or worse as harbingers of their sinister destructive plans.

We were alerted by a concerned citizen to one of those copycat’s online rants almost immediately via our book’s Facebook page. They forwarded the troubling link seeking our assistance. (Important Note: Neither our Facebook page nor this blog suggests that we investigate online crimes or take such reports). We strive to empower individuals through knowledge. We will give suggestions on how citizens might obtain the authorities’ assistance on cyber-malfeasance. We gave the citizen such suggestions and we have decided to share this advice with others who may find troubling posts online and want to make sure the proper officials are notified.

The first thing we suggest is to follow the advice of the Department of Homeland Security (DHS). Specifically, contact your local law enforcement agency. Describe specifically what you observed, including:

Who or what you saw; 

When you saw it; 

Where it occurred; and 

Why it’s suspicious

Who or What You Saw

IMPORTANT: The below advice includes taking screen shots or copying the material. This is not applicable to every situation. When dealing with online child abuse images, don’t commit your own crime by copying the images or taking a screen shot of the image. You can copy the URL but do not print, copy, etc. the images or videos. Make handwritten notes about where it was found, when (date, time, time zone) and the poster’s identity. For more details on dealing with these kinds of material click on law enforcement. Additionally, Internet Service Providers will also take such reports. Google, for instance, has such a system for reporting offensive images appearing on its site. They will forward it on to law enforcement as well.

What Did You See

Okay, this is pretty self-explanatory, but as they say, a picture is worth a thousand words. We suggest taking a screen shot of the troubling information (with the exception noted above). (For instructions on taking screen shots see Windows, Mac, Smartphone, or do a Google search for “your specific device + Screenshot”). The below example uses our Facebook Group The Cyber Safety Guys to give you important focus areas. You likely will have to take several screen shots to make sure you get all the information. Be aware of where the screen shots are being saved, as you are going to need that information later. If you can’t take screen shots, consider printing the material out. You also might take digital pictures of the material.


When You Saw it

Okay, so you have taken screen shots, printed it out, or taken digital pictures. Maybe it includes the date and time, but maybe not. You need to document when you saw it, i.e., date, time, and your time zone. If you have to go “old school,” do so and write it down.

Where It Occurred

Okay, DHS is talking about a place in the brick-and-mortar world. Sometimes a post will include information that reflects where the author is located or maybe their intended target. If you can ascertain that from the post, document it.

When we are in cyberspace we also need to provide an “address” of where it was seen. In our above image it is clear from the screen shot that it was viewed on Facebook, particularly as it includes the URL. However, don’t be happy with just saying Facebook. Get the entire address, not just the domain name. Sometimes it is not so clear from the screen shot. Maybe it occurred in a chatroom or instant message. You might have to actually write it down if you can’t get the location documented in the screen shot. Again, be complete in your documentation. For instance: it was seen at date/time/time zone at this particular cyber-location (specific complete URL, specific chat, specific instant message, etc.).

Why it’s Suspicious

We are dealing with posts, which might be written text, a picture, and/or a video. Be prepared to describe why you believe it warrants action beyond just providing the screen shots. For instance, you saw the video and the person talks about shooting up something and is standing with a weapon. Don’t just rely on the screen shots you took. Provide an explanation of why you believe it is suspicious.
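The four DHS prompts above (what, when, where, why) are easy to fill in sloppily: a time with no time zone, or a “location” that is just a domain name. The following is an added example, not code from the original post or from the Cyber Safety Guys. It builds a single report record that refuses a bare domain as the “where,” requires a time-zone-aware timestamp, records the time in both local and UTC form, and fingerprints each screenshot file with SHA-256 so the copy you hand to law enforcement can be matched to the original on your device. Every URL, file name and timestamp in it is a constructed placeholder.

```python
"""Evidence record for reporting a troubling online post (added example).

All sample values (URL, file names, screenshot bytes, timestamps) are
constructed for illustration and do not come from any real case.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit


@dataclass
class EvidenceRecord:
    what: str                 # who/what you saw, in your own words
    seen_at: datetime         # must carry a time zone
    where: str                # complete URL of the specific post
    why_suspicious: str       # your explanation, beyond the screen shots
    screenshots: dict = field(default_factory=dict)  # file name -> sha256 hex


def check_location(url: str) -> str:
    """Return the URL if it identifies a specific post; reject a bare domain.

    "https://www.facebook.com" names a site, not a post: the path or query
    that points at the actual content has to be present.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a complete web address: {url!r}")
    if parts.path in ("", "/") and not parts.query:
        raise ValueError(f"only a domain name given, need the full post URL: {url!r}")
    return url


def is_complete_location(url: str) -> bool:
    """Boolean form of check_location, handy for quick validation."""
    try:
        check_location(url)
        return True
    except ValueError:
        return False


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a screenshot file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_record(what: str, seen_at: datetime, where: str,
                 why: str, screenshots: dict) -> EvidenceRecord:
    """Validate the four prompts and hash each screenshot (name -> bytes)."""
    if seen_at.tzinfo is None or seen_at.utcoffset() is None:
        raise ValueError("seen_at must include a time zone (date, time AND zone)")
    rec = EvidenceRecord(what=what, seen_at=seen_at,
                         where=check_location(where), why_suspicious=why)
    for name, data in screenshots.items():
        rec.screenshots[name] = fingerprint(data)
    return rec


def to_report(rec: EvidenceRecord) -> dict:
    """Flatten the record into what you would read out or e-mail to police."""
    return {
        "what": rec.what,
        "when_local": rec.seen_at.isoformat(),
        "when_utc": rec.seen_at.astimezone(timezone.utc).isoformat(),
        "where": rec.where,
        "why_suspicious": rec.why_suspicious,
        "screenshots": dict(rec.screenshots),
    }


# Constructed sample: a post seen at 9:15 PM US Eastern (UTC-5), one screenshot.
SAMPLE_TIME = datetime(2018, 3, 1, 21, 15, tzinfo=timezone(timedelta(hours=-5), "EST"))
SAMPLE_URL = "https://www.facebook.com/groups/example-group/posts/0000000000"  # placeholder
SAMPLE_SHOTS = {"capture-1.png": b"constructed-screenshot-bytes"}  # placeholder bytes


def sample_report() -> dict:
    rec = build_record(
        what="Video of a person holding a rifle talking about 'shooting up' a school",
        seen_at=SAMPLE_TIME,
        where=SAMPLE_URL,
        why="Explicit threat against a named place, weapon visible in the video",
        screenshots=SAMPLE_SHOTS,
    )
    return to_report(rec)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Run it and you get a JSON block you can paste into an e-mail or read out over the phone; the `when_utc` field removes any ambiguity about time zones when the post was seen in one state and reported to an agency in another, and the hash lets the receiving officer confirm the file they were sent is the one you captured.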

Reporting it

Okay, you have taken screen shots of everything. You have made notes of what you saw. Now it is time to report. Clearly, if this is in your area and is an emergency, call 9-1-1. Explain what you saw, what you saved, and why you think it warrants attention. Be prepared to provide copies of your screen shots, printouts, pictures and documentation to law enforcement, either electronically via e-mail or via a storage device.

Now let’s suppose it is not in your area. It is out of state. Can you determine the area it is from? If so, contact the local law enforcement in that area (do a Google search). Don’t rely on communicating this kind of information via that local law enforcement’s social media site. Those sites aren’t always monitored. Also don’t rely on their e-mail or websites. Again, they might not be monitored 24-7. Call them.

Okay, you can’t determine where the post is from. What now? Contact the FBI. Okay, again, call them. They allow cybercrime to be reported online, but we are dealing with someone posting information about threats, harms, etc. This warrants a call. The FBI link provided above will give you the telephone numbers of local FBI offices, which is the one you should call. They will forward it up the chain to where it needs to go. Explain the situation and that you have screen shots, etc. to provide them.

Okay, you have attempted to notify law enforcement. Maybe you left a message or the line was busy or something. (The beauty of calling them is you know if your message got through. Posting via a website or e-mail doesn’t mean a real person has got the information.) What now? Look for information about the location where you saw the troubling information. For instance, in the above example it was Facebook. They have a security division and will take action on the post. Just because it is on their site doesn’t mean they are aware of it. Tell them about it. Be prepared to provide them copies of the screen shots and your information. They will document information on their side (which, by the way, is a lot more than what you are seeing). If they believe it apparent that there is a danger, they also will directly contact the appropriate law enforcement agency for their action. They also will likely remove the troubling post.

Cyberspace has made the world much smaller, making us all netizens with one another. Being good netizens requires us to take notice of something amiss, particularly if it means the potential of harm in the real world. So, if you see it, report it! Take care and be safe out there.



“The Government Did Not Need a Warrant….” — In support of NITs

WOW, that is all I have to say up front. A federal Judge, responding to motions filed in one of the Tor hidden service cases against users of the “Playpen” child pornography site, found that the FBI did not need a warrant to use a Network Intrusion Tool (NIT). If you have not read Judge Henry Coke Morgan, Jr.’s finding in the Playpen child pornography case you need to; find it here: Judge Morgan’s Ruling.

After you read it come back and let’s chat….

Okay, now that you have done your light reading, let us review a few things. First, I am a huge proponent of law enforcement use of “Policeware” (for full disclosure, my company received a grant from the USDOJ Bureau of Justice Assistance to build a NIT for local law enforcement’s use). Judge Morgan has done a fine job of recognizing and validating the use of these tools by law enforcement. He commented in his decision, “As noted in Levin, “NITs, while raising serious concerns, are legitimate law enforcement tools.” 2016 WL2596010, at *8.” Judge Morgan presents, in his 58-page opinion, several serious points of interest to law enforcement investigators. After reviewing numerous motions before the Court, he concluded, “The Court finds that no Fourth Amendment violation occurred here because the Government did not need a warrant to capture Defendant’s IP address.” This decision alone is significant in that the Court felt that no warrant was needed for the FBI to deploy their Network Intrusion Tool (NIT), even though they had originally obtained one for its use in this case. Partly it was because of the nature of the tool’s limited identification of information from the target computer. The Defense had said that the original warrant was not specific enough, but the Judge pointed out the FBI was only seeking 7 pieces of information and specified exactly what that information was that they sought.

Judge Morgan supported his opinions with well-thought-out reasoning. However, this does not mean that everyone agrees. The Judge’s decision has met with much consternation from those viewing this as an overreach by government and an invasion of privacy. Mark Rumold of the Electronic Freedom Foundation complained in a recent blog posting that the decision was “…a dangerously flawed decision …”. Rumold further commented, “The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” Well, that is a little bit of an overreach of what the Judge said. In fact, I think the Judge succinctly put that, based on the architecture of the Internet and how browsers work, the targets of the investigation traveled to Virginia over the Internet. This then gave the Magistrate Judge the authority to issue a warrant because the target had traveled to Virginia to access the Tor Hidden Service.

As anyone on the law enforcement side knows, law enforcement is never free to search anything, and this decision did not extend the reach of law enforcement. What it did do was help define what technology can be used in a cyber-investigation. It also helped to legitimize law enforcement’s deployment of NITs and make them legitimate law enforcement tools… This is fantastic; it is about time that law enforcement can use the technology available to them in a meaningful way to fight crime online. Although the larger media and its audience will not recognize it, this decision is to cyber-crime investigators what the North Hollywood shootout was to patrol officers. Instead of crazies with machine guns and bulletproof vests being fought off by police officers with revolvers, this case has the chance to change cyber investigators still using Windows XP into cyber-crime SWAT guys. Special Weapons and Tactics will take on a completely new meaning within the cyber-crime arena. The deployment of NITs will change how we collectively seek out those committing crimes on the Internet.

So what does this mean going forward? It means law enforcement can actually catch more bad guys committing crimes on the Internet. It means cyber-crime investigators can come out of the dark and become aggressive members of the law enforcement establishment. According to Judge Morgan, “The Government’s efforts to contain child pornographers, terrorists and the like cannot remain frozen in time; the Government must be allowed to utilize its own advanced technology to keep pace with our world’s ever-advancing technology and novel criminal methods.”

Thank you, Judge Morgan, for understanding the technology and making sense of the Internet policing front line. Sadly, at this time this is only a single Judge’s ruling. We can only hope that our well-reasoned and intelligent Judiciary will understand the technology and come up with similar findings in other cases.

Hey, Let’s be “Friends”: Why Police Need to be Careful with Personal Cell Phones

Well, it happened again. You know what we are talking about. A police officer either issues a ticket or arrests someone, and the suspect concludes it is a good idea to go to Facebook and make a threat against the officer. This time it happened in Jackson County, MI, when Joey Jason Holliman allegedly posted a threatening message on Officer Michael Strickland’s timeline shortly after being ticketed Wednesday.

We don’t know how Holliman located Officer Strickland’s profile. It may be that Officer Strickland didn’t set his privacy settings properly. For instance, he may have allowed search engines to index his profile, a feature that can be turned off rather easily.

But then again, it might not have anything to do with the settings. Let us explain. About two weeks ago, I started seeing individuals appear in my suggested friends page who should not be there. For instance, offenders that I supervised and had sent to prison. Todd and I discussed how this might happen. We ruled out that I had searched for them with my profile or that I had their telephone number in my personal address book. I theorized that they may have searched for me. Even though they couldn’t find me, as my privacy settings were locked down, Facebook thought I might want to connect with them, so it suggested them as possible “friends.” How helpful! (We haven’t ruled that theory out yet.)

However, it appears there is another possibility that is even more troubling. If two Facebook users connect to Facebook from the same IP subnet, or they are using Facebook on their cell phones from near-overlapping geocodes, the social networking site assumes the users are “friends” or potential “friends.” Yep, you guessed it. It then populates the suggested “friends” list of both users. How nice!

In the ticket incident above, if both Holliman and Officer Strickland had cell phones on, with Facebook connecting to the Internet, they would likely have been using an overlapping geocode. Even if Holliman didn’t remember Strickland’s name, Facebook would likely have suggested him as a potential “friend.”

Many of us carry our personal cell phones on our person in the field. We also have them in our office. But by allowing Facebook to connect to the Internet from our cell phones, we are exposing ourselves to “friend” suggestions from those we would prefer not know we even have a Facebook profile. How many times do those of us in law enforcement go into high crime areas with criminals nearby with cell phones on their person? How many times do suspects have cell phones on their person in police waiting areas or outside courtrooms? Do we really want our Facebook profile offered up as a “friend” suggestion to EVERYONE? Unfortunately, Facebook does not offer restrictions on appearing in “friend” suggestion lists.

It would seem the solution is to turn off one’s geolocation (suggestions can be found here). But this would seem only to limit Facebook from sharing it with other users. This suggestion does not prevent Facebook from gathering your geolocation and using it for its own purposes, such as suggesting “friends” in the same area. The only really secure way to stop this is to not have Facebook installed on your phone, or at a minimum to limit your cell phone/Internet usage. For instance, turning it on when needed and turning it off when not in use. This way it is not consistently connected to the Internet, looking for “friends.” Additionally, limit or eliminate your cell phone/Internet usage in “high-risk” areas, such as where you might run into someone you are going to arrest, are arresting, and/or did arrest. Finally, individuals involved in law enforcement must be continually vigilant about how their personal devices may be inadvertently “leaking” information to other devices in a way that poses a risk to them and their loved ones. Of course, that is really sound advice for all of us, regardless of our occupations. On that note, I left a cigar lit somewhere.

Riddle Me this Batman: Doing Google Search Warrants

One of the unique aspects of my “job” is I get to see investigative reports on various cases and how they develop. Recently, I was looking at the investigative efforts of an agency on a child porn case. It was a simple case, really. The suspect used a gmail account to send illegal images to a covert account, which also happened to be a gmail account. But I have my questions.

The investigative agency got a search warrant and served it on Google. However, for some reason the matter was not sealed. If one searches the gmail account name, you can actually still find the case which references the search warrant, i.e., USA v. actual name of the gmail account.

Yeah, big problem, Batman. And guess what? The suspect went missing for a year. First question: why was the search application not sealed in this day and age, particularly on a case seeking a search warrant for an email account? I am just guessing, but maybe this suspect did a Google search on his email address or even had an alert set up to notify him when his email address showed up on the web. Hence the reason he was missing for a year.

The next few questions in this case revolve around the search warrant affidavit and what they were seeking. In this case they only asked for “the email account,” which apparently is all they got. They got email to and from the suspect and the attachments. This was the meat of the issue and showed he sent and received illegal images. However, why didn’t they seek and obtain other aspects of the Google account in their application?

Specifically, they interacted with this suspect via email from another gmail account. Why not have also interacted with him using the Google chat function too? It is, after all, highly likely that this suspect also used Google’s chat service to trade child porn, if not worse. Additionally, what about asking for everything on the Google Drive too? I mean, individuals don’t just store data on hard drives now. Why not also explain in the search application that law enforcement needed data from this subject’s Google Drive?

Additionally, individuals often will search via Google while they are signed into their account. Guess what? Google will frequently have that history saved. Wouldn’t it be good to also have that evidence that the subject was searching for these images too?

These last two questions, concerning the Google Drive and the search history, become particularly important when we consider that when they found this suspect his computer was long gone. Sure, they have the email messages and attachments sent back and forth. But is it possible that he still has images saved in his Google Drive?

Additionally, this suspect initially claimed his account was “hacked.” One way to overcome the “hacked” defense is to show the person was doing other activity at the time they were looking for porn. For instance, one minute he is looking for an address for a job and the next he is surfing for porn, followed by searching for a car part, etc. Also, having the IP address from where the account was accessed during the email and browsing sessions would have been helpful to defeat the hacker defense, particularly as they didn’t have the suspect’s computer. Thankfully, he later admitted he was using the account to trade child porn and dropped the hacker defense.

My final question is why they apparently never went back and got search warrants for the original Google account and additional email accounts after his admission over a year later. Do we really believe that he only traded child porn for a two-month period? With his admission and the evidence already gathered, it appears that there would be plenty of probable cause, which wasn’t stale, to get additional search warrants for these accounts. I get that they had plenty of evidence, but shouldn’t they make sure they checked these accounts again? We don’t stop searching a building because we found drugs in one room. What if there were more than just additional images in those accounts, such as evidence that he was involved in molesting a child?

Granted, I am playing armchair detective here and they have the guy. My point to all this is we need to start looking at Google as more than just an email service. It is a cloud storage provider and in many ways contains as much and maybe more electronic evidence than a traditional computer. So Batman, what do you think? On that note, I left a cigar lit somewhere.

Silk Road Reload – 3.0 is already up and running

The new main page of what purports to be the reboot of Silk Road says “This is no place for men without souls. We rise again Silk Road 3.0.” Check it out, the new site address is at http://qxvfcavhse45ckpw.onion.

[Screenshot: Redo]
Who knows if this is a reboot by the 2.0 staff or a total take over of the name and concept by new people. Whatever it is the store is open.

[Screenshot: for sale]
No doubt someone is interested in the millions of dollars in Bitcoin possible in the name. The site appears to have reopened within just two days of the FBI’s take down of the Silk Road 2.0 and many of its competitors. From a business model perspective, having all your competitors eliminated in one large law enforcement take down is pretty helpful.

At least the new Dread Pirate Roberts is polite….

[Screenshot: DPR Message]

How long until the next hand off to a new DPR….FBI, the ball is in your court.


Operation Onymous – What it actually means for law enforcement and the Internet

By now most of the Internet has heard of and is digesting the actions of law enforcement agents around the world taking down the infamous Silk Road 2 and other online Tor hidden markets. The question for all of us now is what does this mean for the future? We have been talking about the subject of Internet investigations for more than two decades. The normal conversation is about how difficult it is and how law enforcement does not have the capacity to keep up with the online criminals. I think this week’s efforts will be a game changer in the general investigative philosophy of law enforcers.

What this week has shown the law enforcement community, as well as the criminals, is that law enforcement does have the ability to extend its reach into the darkest places of the Internet. They have the ability to find the criminals, identify them and handcuff them in the real world. Internet investigations have now been brought out into the light of day as a real and productive opportunity for policing in the 21st century. What the average law enforcement investigator needs to take away from this week is that they can go online, they can investigate Internet crimes, and they can protect their communities from criminals hiding amongst them using anonymization.

Investigating crimes on the Internet does take some understanding of the technology and it does require training in the proper techniques and skills required to successfully conduct these investigations.

But, these crimes can be investigated…