The Silk Road, Federal law enforcement and who’s watching the Undercover Agent!

The week’s arrests of former Federal Agents Carl Mark Force IV and Shaun Bridges are more than just an embarrassment to the agencies involved. They are another indicator of the managers’ lack of understanding of their agents’ Internet investigations work. Much to the chagrin of some readers of our book, Investigating Internet Crimes, we devoted considerable space to discussing investigative policy. Gee, I wonder why? The Silk Road investigation has provided an example, and not a good one, of why law enforcement managers need to have policy and understand what their investigators are doing online.

Several clear things have appeared in this case. Early on, the lack of documentation exploded when the former FBI Agent Tarbell wrote in an affidavit that he failed to document his actions when he found the Silk Road server. I had previously defended the FBI, publicly stating that we needed to wait until all the facts (and testimony) were in. Well, at Ross Ulbricht’s trial it never came in, and we have just found out why some things were never discussed. Agents Carl Mark Force IV and Shaun Bridges were under investigation and the defense was prevented from disclosing anything about their conduct. Now, I am not an attorney and cannot discuss how those motions were or should have been handled, but I can discuss the disclosures recently made and how poorly it appears the Federal supervisors acted.

Supervising people undercover has long been a supervision-intensive problem. Long ago, working vice, I remember a supervisor criticizing my performance after the fact. However, that supervisor was right there, listening to the wire, and gave me immediate feedback. I would not be making that mistake again. Internet investigations have changed what it means to be undercover (UC). When we first started doing UC on the Internet in the late 1990s, documenting what we did and the chats we had involved a video camera over our shoulder. At that point there was not much else we could do. As investigative techniques developed, law enforcement found tools to assist them in their documentation. Screen captures and video recordings were accomplished with tools like TechSmith’s Snagit and Camtasia, which were adopted for this new purpose. Later, tools like WebCase were designed specifically for treating information on the Internet as evidence.

Collection of evidence from the Internet is a unique and specific problem, which I wrote about years ago in a whitepaper, Collecting Legally Defensible Online Evidence. Not collecting Internet evidence properly is just the beginning of the Federal managers’ supervision problems in this case. The next issue was the fact that they were not supervising their undercover agents. We do know that some recordings were made, but who looked at them? Was anyone looking at the UC’s actions online? Was anyone reviewing the recordings being made? Was anyone supervising the agents? Apparently not, because the criminal investigation of the agents found the use of one of the unauthorized accounts in one of the UC recordings. No supervisor was looking, or if they were, they didn’t know what they were looking at. Agent Gambaryan reviewed the case file of Force and found “…several DVDs of video taken with FORCE’s official DEA laptop with a screen-recording program…”.


Gambaryan found the reference to an account that Force used that was not mentioned in the reports. But it was in the undercover videos. What supervisor was reviewing his actions? Again, apparently no one.

Another indicator the supervisors should have seen with Agent Force as UC was the encrypted communication. Everyone should have known he was using encrypted communications with DPR (Ross Ulbricht). In fact, in Agent Gambaryan’s affidavit he comments on the prosecutors’ continual mentioning of providing all of the encrypted communications.


Agent Gambaryan also, although probably not intentionally, puts the issue of undercover agent supervision squarely at the managers’ feet when he surmises Force’s failure to provide the encryption keys to his managers.


If the supervisors/managers were doing their job, this would not have been an issue. They should have known and would have obtained the keys. But they didn’t.

Okay, back to our book. As a former law enforcement supervisor I have recognized for years that supervision, management of undercover officers and policy go hand in hand. Previous to writing our book, I wrote the first published model policy on using social media by law enforcement because I saw the need. We included much of this in our book, including ethics discussions and these model policies for law enforcement conducting Internet investigations. We did so because it has not been discussed and needs to be understood. Law enforcement managers at all levels (local, State and Federal) need to understand that undercover work on the Internet has just as many supervision issues as undercover work in the real world. Some of the issues are the same and some are different. But supervision and management must still occur regardless of the case.

 


Just when you think it cannot get any more bizarre

Okay, I am mystified here; in fact, I just want to scream, “Are you really that stupid?” Apparently, the two agents instrumental in the investigation of Ross Ulbricht and the original Silk Road Tor marketplace were. From Wired magazine today, “DEA special agent Carl Force and Secret Service special agent Shaun Bridges were arrested Monday and charged with wire fraud and money laundering.” If you have not already read the Affidavit of Special Agent Tigran Gambaryan in Support of the Criminal Complaint filed in the Northern District of California against them, I encourage you to do so. If for nothing else, you will get a good laugh.

We have talked about supporting the federal agencies involved in this case and waiting until the facts are in before determining guilt. Well, the facts are in, the charts laid out and the Bitcoins spent. These two idiots, who held themselves out as experts in online investigations, certainly had no idea how to be successful criminals. Both of them need to go back to school on that topic. In reading the affidavit, it is clear that the two of them thought they were smarter than their counterparts. Special Agent Gambaryan does a masterful job laying out his investigation into former agents Force and Bridges’ trip through stupidcriminalville. Force and Bridges, like the person they arrested for Silk Road, failed to use some of the basic online security procedures. Neither apparently had worked any major international fraud cases (if they had, they didn’t use anything they learned) because they had no idea how to hide and move large amounts of money without using their own names and bank accounts.

Okay, back to the basics here… If you are an undercover officer, don’t commit crimes while undercover. Oops, they must have been absent that day in the basic undercover agent course.

Operation Onymous- What it actually means for law enforcement and the Internet

By now most of the Internet has heard and is digesting the actions of law enforcement agents around the world taking down the infamous Silk Road 2 and other online Tor hidden markets. The question for all of us now is what does this mean in the future? We have been talking about the subject of Internet Investigations for more than two decades. The normal conversation is about how difficult it is and how law enforcement does not have the capacity to stay up with the online criminals. I think this week’s efforts will be a game changer in the general investigative philosophy of law enforcers.

What this week has shown the community of law enforcement, as well as the criminals, is that law enforcement does have the ability to extend their reach into the darkest places of the Internet. They have the ability to find the criminals, identify them and handcuff them in the real world. Internet investigations have now been brought out into the light of day as a real and productive opportunity for policing in the 21st century. What the average law enforcement investigator needs to take away from this week is that they can go online, they can investigate Internet crimes, and they can protect their communities from criminals hiding amongst them using anonymization.

Investigating crimes on the Internet does take some understanding of the technology and it does require training in the proper techniques and skills required to successfully conduct these investigations.

But, these crimes can be investigated…

Questionable Online Investigations: Missteps Outside the Classroom

Last week we discussed the problems that can occur when an uninformed college educator exposes criminal justice students to online undercover investigations without fully understanding the legal nuances of those operations. This generated a lot of feedback on links to the blog article. We did not mean to imply that these missteps only occur in the academic setting. Unfortunately, they happen whenever staff are not properly trained and are then directed to complete online investigations.

We are aware of law enforcement personnel doing the same thing that criminal justice students were directed to do, i.e., pulling images from the Internet for use in an online undercover profile. In some cases, law enforcement felt it was appropriate as long as they bought the “model’s” picture. This is an ill-advised practice because it exposes the real person to danger as well as the officer and their agency to civil liability if something goes wrong. Additionally, it can give away the profile as being a “fake,” defeating the purpose for its creation. Again, the real person might be identified. It may be true the model sold their picture, but that does not mean they wanted it used for conducting undercover online investigations.

Missteps are not only being committed by law enforcement. We cite in our book several cases where attorneys either directly or through advice participated in legally questionable online undercover activities. In one case a prosecuting attorney impersonated a defendant’s friend online to obtain proof that a witness was lying during a criminal trial. In another an attorney gave the go ahead for an investigator to take over a minor friend’s social networking profile, to obtain access to the minor’s restricted pages in order to get evidence for a civil suit. None of these examples ended well for the attorneys involved.

We devoted Chapters 9, 10, and 11 to covering various aspects of initiating, conducting, maintaining, and managing undercover online investigations. But don’t take our word for how good our book is on conducting Internet investigations. Take a look at the following comments from respected law enforcement professionals:

Larry D. Johnson, Current CEO at Castleworth Global LLC, Former Chief Security Officer at Genworth Financial and Special Agent in Charge, Criminal Investigative Division, USSS, Retired, noted:

“This book offers the most comprehensive, and understandable account of cybercrime currently available to all different skill levels of investigators. It is suitable for novices and instructors, across the full spectrum of digital investigations and will appeal to both advanced and new criminal investigators. It will no doubt become a must have text for any law enforcement or corporate investigator’s investigative library.”

Lieutenant Raymond E. Foster (Ret.) Los Angeles Police Department, author, and host of American Heroes Radio, observed:

“Another strength to this book is that is very easy to read and in my opinion it needs read not only by the guys who are going to be doing these investigations but I think supervisors and managers out there need to take a look. … It is written for many levels within an organization.” (The entire show is here American Heroes Radio)

Neal Ysart, Director First August Ltd, Information and Corporate Risk Services writes:

“At last….. Informed, pragmatic guidance from two highly experienced professionals who have actually spent time on the front line, not just the classroom. This book is relevant for practitioners working in both law enforcement and within business – every aspiring cyber investigator should have a copy.”

Jim Deal, United States Secret Service (Ret.) and original Supervisor of the San Francisco USSS Electronic Crimes Task Force notes:

“Cyber-crime, internet fraud, online predators…we think they’re being addressed until we become the victims. Today’s law enforcement is ill-prepared to address against national security, let alone against our law-abiding citizens. Todd Shipley and Art Bowker are able to communicate what law enforcement responders need to know before they get the call – the information in this book must become a mandatory reference for law enforcement agencies everywhere.”

Collecting Electronically Stored Information (ESI): Traditional Computer Forensics vs. Online Captures

Modern investigators and litigators are no strangers to computer investigations. Electronically stored information (ESI) is becoming more and more a part of both criminal and civil cases. Often the first question asked is, “What incriminating piece of information was found by the computer forensics examiner?” But ESI is more than just data found on a computer. It can and does involve a growing number of cases in which data was collected off the Internet. What is the difference between the two? To consider that question we first need to define ESI. A good definition is:

“Any information created, stored, or utilized with digital technology. Examples include, but are not limited to, word-processing files, e-mail and text messages (including attachments); voicemail; information accessed via the Internet, including social networking sites; information stored on cell phones; information stored on computers, computer systems, thumb drives, flash drives, CDs, tapes, and other digital media.” (Department of Justice (DOJ) and Administrative Office of the U.S. Courts (AO) Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), 2012, pg. 12)

Notice this definition includes “information accessed via the Internet, including social networking sites.” Let’s refer to this type as online ESI and data collected from computers, cell phones or other storage devices as digital ESI. We started this discussion assuming that online ESI was different from digital ESI. But are they really? They both can contain metadata and can be quite voluminous. The difference between the two lies in the dissimilar manner in which they are collected and in the different ways each is susceptible to modification.

The computer forensics benchmark for years has been to avoid acquiring data from a live machine and to never examine original data. In recent years this gold standard has been relaxed but not eliminated. We are starting to see some acquisitions and even examinations of computers that are “on”. Additionally, the computer forensics examiner, even in remote data acquisitions, has control over the target system. Online ESI acquisitions are quite different. They are always “live.” The investigator has no control over the original media that hosts the online data. The original data is on a server, which might not even be in the same jurisdiction, let alone the same state, province, or country, as the investigator.

Both digital evidence and online evidence are susceptible to modification. However, digital ESI found on a hard drive or electronic media can be seized and maintained. Even in a civil setting, once pertinent digital ESI is identified, it is secured until it can be provided to opposing parties, with potential penalties for spoliation. Seizing digital ESI is either done by an on-scene computer forensic examiner or by “pulling the plug” and providing the device to an expert for later acquisition and examination. As long as chain of custody and proper procedures are in place, there is little chance the data will be altered, or altered without detection.

Contrast this to online ESI collection, which is merely a snapshot, on a particular date and time, of a website, social networking site, etc. The online ESI may also only exist temporarily, such as in the case of an instant messaging or chat session, and could be gone unless it is captured in some manner. The best computer forensic examiner might not retrieve the entire chat or instant message communication. A website or social networking site might change minutes after it was first captured. Online ESI can be changed remotely, such as with a mobile device, because the media containing the data has not been secured. Even if there were enough computer forensics examiners available, investigators can’t wait for them because online ESI is subject to change at any moment. If it is not captured when it is discovered, it might not be there again.

Both Todd and I believe investigators can be trained in the proper methods and procedures to not only collect online ESI but do so in a manner that it can be used as evidence in any legal proceeding. Online ESI can be preserved after its capture and “hashed” to answer any questions about it possibly being later altered. We discuss these methods and procedures and tools to accomplish this important investigative task in our book. On that thought, I am going to light up a cigar and contemplate my next blog entry.
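One way to do the hashing described above, as an added example (not from the book or any tool named on this page): each capture’s SHA-256 goes into a log whose entries also hash the previous entry, a step beyond the text that makes the capture log itself tamper-evident. The URL, collector name, timestamps and page bytes are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the entry's own digest, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

def record_capture(log: list, url: str, content: bytes, collector: str,
                   captured_at: datetime) -> dict:
    """Append a capture record; each record commits to the one before it."""
    entry = {
        "seq": len(log),
        "url": url,
        "collector": collector,
        "captured_at_utc": captured_at.astimezone(timezone.utc).isoformat(),
        "content_sha256": sha256_hex(content),
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else "0" * 64,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify(log: list, stored: dict) -> list:
    """Return problems found; `stored` maps seq -> preserved capture bytes."""
    problems, prev = [], "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {i}: chain broken (record removed or reordered)")
        if entry_digest(entry) != entry["entry_sha256"]:
            problems.append(f"entry {i}: log record edited after capture")
        if sha256_hex(stored.get(i, b"")) != entry["content_sha256"]:
            problems.append(f"entry {i}: preserved content does not match capture hash")
        prev = entry["entry_sha256"]
    return problems

# Constructed sample data: the same page captured twice, minutes apart.
PAGE_V1 = b"<html><body>Listing: item A, price 1.0</body></html>"
PAGE_V2 = b"<html><body>Listing: item A, price 2.5</body></html>"

def demo():
    log = []
    t0 = datetime(2015, 4, 1, 14, 0, tzinfo=timezone.utc)  # constructed time
    record_capture(log, "http://example.invalid/listing", PAGE_V1, "investigator-01", t0)
    record_capture(log, "http://example.invalid/listing", PAGE_V2, "investigator-01",
                   t0.replace(minute=7))
    return log, {0: PAGE_V1, 1: PAGE_V2}

if __name__ == "__main__":
    print(verify(*demo()) or "all captures verified")
```

An empty list from `verify` means every preserved capture still matches the hash taken at collection time and no log record has been edited, removed or reordered since.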

References

U.S. Department of Justice (DOJ) and Administrative Office of the U.S. Courts (AO) (Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG)). Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases. (2012). Washington, D.C. Retrieved from http://www.fd.org/docs/litigation-support/final-esi-protocol.pdf

Former Special Agent in Charge, Criminal Division, USSS Loves Our Book!

“This book offers the most comprehensive, and understandable account of cybercrime currently available to all different skill levels of investigators. It is suitable for novices and instructors, across the full spectrum of digital investigations and will appeal to both advanced and new criminal investigators. It will no doubt become a must have text for any law enforcement or corporate investigator’s investigative library.” (Full Foreword Below)

Larry D. Johnson, Current CEO at Castleworth Global LLC, Former Chief Security Officer at Genworth Financial and Special Agent in Charge, Criminal Investigative Division, USSS, Retired.

Foreword