“The Government Did Not Need a Warrant….” — In support of NIT’s

WOW, that is all I have to say up front. A federal Judge responding to motions filed in one of the Tor hidden service cases against users of the “Playpen” child pornography site found that the FBI did not need a warrant to use a Network Intrusion Tool (NIT). If you have not read Judge Henry Coke Morgan, Jr’s finding in the Playpen child pornography case you need to, find it here Judge Morgans Ruling.

After you read it come back and let’s chat….

Okay, now that you have done your light reading, let us review a few things.  First, I am a huge proponent of law enforcement use of “Policeware” (for full disclosure my company received a grant from the USDOJ Bureau of Justice Assistance to build a NIT for local law enforcement’s use).  Judge Morgan hpolicewareas done a fine job of recognizing and validating the use of these tools by law enforcement. He commented in his decision, “As noted in Levin, “NITs, while raising serious concerns, are legitimate law enforcement tools.” 2016 WL2596010, at *8.”.  Judge Morgan presents, in his 58-page opinion, several serious points of interest to law enforcement investigators. After reviewing numerous motions before the Court, he concluded “The Court finds that no Fourth Amendment violation occurred here because the Government did not need a warrant to capture Defendant’s IP address,”. This decision alone is significant in that the Court felt that no warrant was needed for the FBI to deploy their Network Intrusion Tool (NIT), even though they had originally obtained one for its use in this case. Partly it was because of the nature of the tools limited identification of information from the target computer. The Defense had said that the original warrant was not specific enough, but the Judge pointed out the FBI was only seeking 7 pieces of information and specified exactly what that information was that they sought.

Judge Morgan supported his opinions with well thought out reasoning. However, this does not mean that everyone agrees. The Judge’s decision has met with much consternation by those viewing this as an overreach by government and an invasion of privacy. Mark Rumold of the Electronic Freedom Foundation complained in a recent blog posting that the decision was “…a dangerously flawed decision …”. Rumold further commented “The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” Well, that is a little bit of an overreach of what the Judge said. In fact, I think the Judge succinctly put that based on the architecture of the Internet and how browsers work the targets of the investigation traveled to Virginia over the Internet. This then gave the Magistrate Judge the authority to issue a warrant because the target had traveled to Virginia to access the Tor Hidden Service.

As anyone knows on the law enforcement side, law enforcement is never free to search anything and this decision did not extend the reach of law enforcement. What it did do, was to help define what technology can be used in a cyber-investigation. It also helped to legitimize law enforcement’s deployment of NIT’s and make them Legitimate law enforcement tools… This is fantastic, it is about time that law enforcement can use the technology available to them in a meaningful way to fight crime online.  Although, the larger media and its audience will not recognize it, this decision is to cyber-crime investigators what the North Hollywood shootout was to patrol officers. Instead of crazies with machine guns and bulletproof vests being fought off by police officers with revolvers, this case has the chance to change cyber investigators still using Window XP into cyber-crime SWAT guys. Special Weapons and Tactics will take on a completely new meaning within the cyber-crime arena. The deployment of NIT’s will change how we collectively seek out those committing crimes on the Internet.

So what does this mean going forward? It means law enforcement can actually catch more bad guys committing crimes on the Internet. It means cyber-crime investigators can come Snip from orderout of the dark and become aggressive members of the law enforcement establishment.   According to Judge Morgan “The Government’s efforts to contain child pornographers, terrorists and the like cannot remain frozen in time; the Government must be allowed to utilize its own advanced technology to keep pace with our world’s ever-advancing technology and novel criminal methods.”

Thank you Judge Morgan for understanding the technology, and making sense of the Internet policing front line. Sadly, at this time this is only a single Judges ruling. We can only hope that our well-reasoned and intelligent Judiciary will understand the technology and come up with similar findings in other cases.

Advertisements

Hey Lets be “Friends”: Why Police Need to be Careful with Personal Cell Phones

Well it happened again. You know what we are talking about. A police officer either issues a ticket or arrests someone, and the suspect concludes it is a good idea to go to Facebook and make a threat against the officer.  This time it happened in Jackson County, MI, when Joey Jason Holliman allegedly posted a threatening message on Officer Michael Strickland’s timeline shortly after being ticketed Wednesday.

We don’t know how Holliman located Officer Strickland’s profile.  It may be that Officer Strickland didn’t set his privacy settings properly. For instance, he may have allowed search engines to index his profile, a feature that can be turned off rather easily.

But then again it might not have anything to do with the settings. Let us explain. About two weeks ago, I started seeing individuals appear in my suggested friends page that should not be there. For instance, offenders that I supervised and had sent to prison. Todd and I discussed how this might happen. We ruled out that I had searched for them with my profile or I had their telephone number in my personal address book.  I theorized that they may have searched for me. Even though they couldn’t find me as my privacy setting was locked down, Facebook, thought I might want to connect with them, so it suggested them as possible “friends.” How helpful! (We haven’t ruled that theory out yet.)

However, it appears there is another possibility that is even more troubling. If two Facebook users connect to Facebook from the same IP subnet or they are using Facebook on their cell phone from near-overlapping geocodes, the social networking site assumes the users are “friends” or potential “friends.” Yep, you guessed. It then populates the suggested “friends” to both users.  How nice!

In the ticket incident above, if both Holliman and Officer Stickland had cell phones on, with Facebook connecting to the Internet, they would have likely been using an overlapping geocode.  Even if Holliman’s didn’t remember Stickland’s name, Facebook would likely have suggested him as a potential “friend.”

Many of us carry our personal cell phones on our person in the field.  We also have them in our office.   But by allowing Facebook to connect to the Internet from our cell phones, we are exposing ourselves to “friend” suggestions from those we would prefer not know we even have a Facebook profile.  How many times do those of us in law enforcement go into high crime areas with criminals nearby with cell phones on their person? How many times do suspects have cell phones on their person in police waiting areas or outside courtrooms? Do we really want our Facebook profile offered up as a “friend” suggestion to EVERYONE?  Unfortunately, Facebook does not offer restrictions on appearing in “friend” suggestion lists.

It would seem the solution is to turn off one’s geolocation  (Suggestions can be found here). But, this would seem only to limit Facebook from sharing it with other users. This suggestion does not prevent Facebook from gathering your geolocation and using it for its own purposes, such as in suggesting “friends” in the same area.  The really only secure why to stop this is not have Facebook installed on your phone OR at a minimum limiting your cell phone/Internet usage. For instance, turning it on when needed and turning if off when not in use.  This way it is not consistently connected to the Internet, looking for “friends.”  Additionally, limit or eliminate your cell phone/Internet usage in “high “risk” areas, such as where you might run into someone you are going to arrest, are arresting, and/or did arrest. Finally, individuals involved in law enforcement must be continually vigilant to how their personal devices may be inadvertently “leaking” information to other devices in a way that poses a risk to them and their loved ones. Of course, that is really sound advice for all of us, regardless of our occupations. On that note I left a cigar lit somewhere.

Riddle Me this Batman: Doing Google Search Warrants

One of the unique aspects of my “job” is I get to see investigative reports on various cases and how they develop. Recently, I was looking at the investigative efforts of an agency on a child porn case. It was a simple case really. The suspect used a gmail account to send illegal images to a covert account, which also happened to be a gmail account. But I have my questions.

The investigative agency got a search warrant and served it on Google. However, for some reason the matter was not sealed. If one searches the gmail account name you can actually still find the case which references the search warrant, i.e., USA v. actual name of the gmail account.

Yeah, big problem Batman. And guess what? The suspect went missing for a year. First question, why was the search application not sealed in this day in age, particularly on a case seeking a search warrant an email account? I am just guessing but maybe this suspect did a Google search on his email or even had an alert set up to notify him when his email showed up on the web. Hence, the reason he was missing for a year.

Next few questions in this case revolve around the search warrant affidavit and what they were seeking. In this case they only asked for “the email account”, which apparently is all they got. They got email to and from the suspect and their attachments. This was the meat of the issue and showed he sent and received illegal images. However, why didn’t they seek and obtain other aspects of the Google account in their application?

Specifically, they interacted with this suspect via email from another gmail account. Why not have also interacted with him using Google chat function too? It is after all highly likely that this suspect also used Google’s chat service to trade child porn, if not worse. Additionally, what about asking for everything on the Google drive too? I mean, individuals don’t just store data on hard drives now. Why not also explain that law enforcement also needed data from this subject’s Google drive in the search application?

Additionally, individuals often times will search via Google while they are signed into their account. Guess what? Google will frequently have that history saved. Won’t it be good to also have that evidence that subject was searching for these images too?
These last two questions, concerning the Google drive and the search history, become particularly important when we consider that when they found this suspect his computer was long gone. Sure they have the emails messages and attachments sent back and forth. But is it possible that he still has images saved in his Google drive?

Additionally, this suspect initially claimed his account was “hacked.” One way to overcome the “hacked” defense is the person was doing other activity at the time they were looking for porn. For instance, one minute he is looking for an address for a job and the next he is surfing for porn followed by searching for a car part etc. Also, having the IP address from where the account was accessed during the email and browsing sessions would also have been helpful to defeat the hacker defense, particular as they didn’t have the suspect’s computer. Thankfully, he later admitted he was using the account to trade child porn and dropped the hacker defense.

Final question is they apparently never went back and got search warrants for the original Google account and additional email accounts after his admission over a year later. Do we really believe that he only traded child porn for a two month period? With his admission and the evidence already gathered it appears that there would be plenty of probable cause, which wasn’t stale, to get additional search warrants for these accounts. I get that they had plenty of evidence but shouldn’t they make sure they checked these accounts again. We don’t stop searching a building because we found drugs in one room. What if there were more than just additional images in those accounts, such as evidence that he was involved in molesting a child?

Granted I am playing arm chair detective here and they have the guy. My point to all this is we need to start looking at Google as more than just an email service. It is cloud storage provider and in many ways contains as much and maybe more pieces of electronic evidence than a traditional computer. So Batman, what you think? On that note, I left a cigar lit somewhere.

The Silk Road, Federal law enforcement and who’s watching the Undercover Agent!

The week’s arrests of former Federal Agents Carl Mark Force IV and Shaun Bridges is more than just an embarrassment to the agencies involved.  It is another indicator of the managers’ lack of understanding of their agents’ Internet investigations work.  Much to the chagrin of some of our book, Investigating Internet Crimes, readers, we devoted considerable space to discussing investigative policy. Gee, I wonder why? The Silk Road investigation has provided an example, and not a good one for law enforcement managers to have policy and understand what their investigators are doing online.

Several clear things have appeared in this case. Early on the lack of documentation exploded when the former FBI Agent Tarbell wrote in an affidavit that he failed to document his actions when he found the Silk Road server. I had previously defended the FBI and publically stating that we needed to wait until all the facts (and testimony) were in. Well at Ross Ulbricht’s trial it never came in and we have just found out why some things were never discussed. Agents Carl Mark Force IV and Shaun Bridges were under investigation and the defense was prevented from disclosing anything about their conduct.  Now, I am not an attorney and cannot discuss how those motions were or should have been handled, but I can discuss the disclosures recently made and how poorly it appears the Federal supervisors acted.

Supervising people undercover has been a long standing supervision intensive problem. Long ago working vice I remember a supervisor criticizing my performance after the fact. However, that supervisor was right there, listening to the wire and gave me immediate feedback. I would not be making that mistake again.  Internet investigations have changed what it means to be undercover (UC).  When we first started doing UC on the Internet in the late 1990’s to document what we did and the chat’s we had included a video camera over our shoulder. At that point there was not much else we could do.  As investigative techniques continued, law enforcement found tools to assist them in their documentation. Screen captures and video recordings were accomplished with tools like Techsmiths Snagit and Camtasia which were adopted for this new purpose. Later tools like WebCase were designed specifically for treating information on the Internet as evidence.

Collection of evidence from the Internet is a unique and specific problem which I wrote about years ago in a whitepaper Collecting Legally Defensible Online Evidence.  Not collecting Internet evidence properly is just the beginning of the Federal Managers supervision problems in this case. The next issue was the fact that they were not supervising their undercover agents. We do know that some recordings were made, but who looked at them.  Was anyone looking at the UC’s actions online? Was anyone review the recordings being made? Was anyone supervising the agents? Apparently not,  because the criminal investigation of the agents found the use of one of the unauthorized accounts in one of the UC recordings. No supervisor was looking or if they were they didn’t know what they were looking at. Agent  Gambaryan reviewed the case file of Force and found “…several DVDs of video taken with FORCE’s official DEA laptop with a screen-recording program…”.

Image one

Gambaryan found the reference to an account that Force used that was not mentioned in the reports. But it was in the undercover video’s. What supervisor was reviewing his actions.  Again,  apparently no one.

Another indicator  the supervisors should have seen with Agent Force as UC was the encrypted communication.  Everyone should have known he was using encrypted communications with DPR (Ross Ulbricht). In fact in Agent  Gambaryan’s affidavit he comments on the prosecutors continual mentioning of providing all of the encrypted communications.

Image two

Agent  Gambaryan also, although probably not intentionally, puts the issue of undercover Agent supervision squarely on the managers feet when he surmises Force’s failure to provide the encryption keys to his managers.

 Image three

If the supervisors/managers were, doing their job this would not have been an issue. They should have known and would have obtained the keys. But they didn’t.

Okay, back to our book. As a former law enforcement supervisor I have recognized for years that supervision, management of undercover officers and policy go hand in hand.  Previous to writing our book, I wrote the first published model policy on using social media by law enforcement because I saw the need. We included much of this in our book, including ethics discussions and these model policy’s for law enforcement conducting Internet investigations. We did so, because it has not been discussed and needs to be understood. Law enforcement managers at all levels (local, State and Federal) need to understand that undercover work on the Internet has just as many supervision issues as undercover work in the real world. Some of the issues are the same and some are different. But, supervision and management must still occur regardless of the case.

 

United States Attorney’s Office – 1/Ross Ulbricht – 0

Ross Ulbricht, 30, was found guilty by a Manhattan federal jury on all seven counts in the indictment he was charged.  He was convicted as the mastermind behind the original version of the Tor Hidden Service known as the Silk Road. The pundits have already begun to take apart the prosecution’s case saying it was unfair. The maligning of Judge Forrest’s handling of the case before and during the trial has begun in earnest. Even Ulbricht’s attorney, Joshua Dratel, is being questioned publically for his apparent lack of a real defense.  Some explaining he simply set the stage for the inevitable appeal.

silk_road01 Guilty

So what happens next?  Well Ross still has a pending indictment for the murder-for-hire plot in the Maryland District. Whether or not he will go to trial on that charge is unknown at this time. But, a betting man might consider that will be a slam dunk too based on the evidence presented in New York.

So how was Ross convicted when he wasn’t guilty according to his defense? What I have said before is exactly what the U.S. Attorney’s office presented; they put on a typical drug trial. Ross Ulbricht was convicted because of the drug case not because of his inventive method of using Tor as a “Social Experiment”. The Tor Hidden Service was only the vehicle by which the drug conspiracy was conducted. The Assistant United States Attorney (AUSA) Serrin Turner put the pieces together one by one and connected the face of Ross Ulbricht to the online persona Dread Pirate Roberts (DPR). They moved the evidence collected from the real world through the medium of communication, which just happened to be Tor. The AUSA used cooperating witnesses to explain the drug trade and like in any good drug trial followed the money straight back to Ross Ulbricht. Never mind that the money was in what the jury probably thought was some obscure online money trading system. Money for drugs is just that, money for drugs.  Ross Ulbricht is now, not just a famous drug King pin, but a convicted one.

Wow, the FBI can’t investigate Cybercrime: What do We do now?

The tech headlines since September have included how the FBI is so incompetent that it can’t investigate Cyber crime. Many articles have even insisted that they have lied about how they investigated certain cyber crimes. Some online are saying the Silk Road 1 arrest of Ross Ulbricht, whose trial starts this week, could not have happened without a grand conspiracy with the CIA. The investigation of the attack on Sony did not happen the way the FBI said because, well, apparently they are too slow to know how it was done The tech headlines since September have concluded the FBI is incompetent and can’t investigate cyber crime properly. The  “FBI Lied About How it Obtained Silk Road Server Location Says Security Expert” and “The FBI May Have Made An Embarrassing Mistake While Investigating The Sony Hack” or “Some Experts Still Aren’t Convinced That North Korea Hacked Sony

I guess the FBI’s work  and arrest of Blake Benthall during the Silk Road 2 investigation was not real nor was the malware arrest under operation Blackshades. What I think is happening to the FBI is a broader reactionary response to law enforcement by some.  The current tech industry attitude being espoused concerning the FBI is a similar distrustful reaction that some are having towards U.S. law enforcement in general after the recent police shootings.

In the Tech industry it appears that every so called “Cyber Security” firm that wants its fifteen minutes of fame has come out saying the FBI is wrong. At this point, the problem is no one outside of these investigations has any idea what the evidence is or is not in these cases.  Sony brought in Mandiant to assist in their investigation.  Even Kevin Mandia, CEO of Mandiant, in a letter to Sony’s Michael Lynton states that the attack was unprecedented.

2015-01-05_12-56-22

Now this certainly does not say that the attack was done as the FBI claim by the North Koreans, but it certainly does support the fact that there is much we have yet to understand about the case.

I understand the FBI’s position and that external criticism is part of law enforcement. What I do not understand is the huge amount of discord without knowing the facts.  Okay, maybe the FBI is wrong, but the only people that know the facts are the FBI, the victims and the perpetrators. External analysis is always good in a free society, but let us be careful when we call the ones we enlist to help us liars without the benefit of all the facts.

FBI 2 – Silk Road 0

2014-11-06_12-25-53

Its early in the reporting, but the FBI has announced that they have arrested the new mastermind behind Silk Road 2.0, a BLAKE BENTHALL, a/k/a “Defcon,”. The early reports online are also stating that other sites including Cloud 9, Cannabis Roads Forums and Hydra have been taken down also. The FBI and Homeland Security have been busy. The great part of this, according to the reports, is that the undercover investigator had infiltrated Benthall’s organization and had early on had access to the administrative side of the website.

I am sure there will be more to follow on this case. If you are interested in the escapades of those behind the original Silk Road and the investigation you should check out  Deep Web the Movie.  Author, and digital forensic expert, Todd G. Shipley is working with the production staff on the movie.