
Computer Crime & Intellectual Property Section

Networks and the Internet: A Primer for Prosecutors and Investigators

Michael J. Stawasz
Senior Counsel, Computer Crime and Intellectual Property Section (CCIPS)
Criminal Division, U.S. Department of Justice
USDOJ CCIPS

Getting There…

• From networks to the Internet
• Locating a place on the Internet
• Applications that let people use the Internet

…to Get the Evidence

• What evidence does Internet use create?
• Where is this evidence located?
• How do we gather this evidence?

Getting There…: From networks to the Internet

What is a network?

[Diagram: a group of connected computers]

What is an inter-network?

[Diagram: nodes on separate networks joined by routers]

What Is the Internet?

[Diagram: many networks joined together]

A Decentralized Network

• No “center”
• No one is in charge
• No one knows exactly where all the components are located

How do Internet hosts exchange data?

[Diagram: a web page, a movie, an e-mail message, voice and software all cross the Internet as data packets]

Exchanging Data

• Information to be sent to another Internet host is divided into small DATA PACKETS
• The data packets are sent over the network to the receiving host
• The receiving host assembles the data packets into the complete communication

Internet Protocol (IP) Packets

[Diagram: one IP packet]
  SOURCE ADDRESS        172.31.208.99
  DESTINATION ADDRESS   213.160.116.205
  DATA BEING SENT       0111001010101011 1011011000100101 0100...
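The packet on this slide, worked through in code. This is an added example written for this primer, not part of the original deck: it builds IPv4 packets carrying the slide's two addresses, splits a short made-up message into fragments the way a sending host does, reads the source and destination back out of each header, and reassembles the message at the receiving end regardless of arrival order. The message text, packet identifier and fragment size are assumptions chosen for the demonstration; the header layout and checksum follow RFC 791.

```python
"""Build, fragment, parse and reassemble minimal IPv4 packets (RFC 791 header, no options)."""
import socket
import struct

HDR_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags+frag offset, TTL, proto, checksum, src, dst
HDR_LEN = 20


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words.
    Over a header whose checksum field is zero this returns the value to insert;
    over a header that already carries a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, payload: bytes, *, ident: int = 0x1234,
                 more_fragments: bool = False, frag_offset: int = 0,
                 ttl: int = 64, proto: int = 6) -> bytes:
    """Return header + payload. frag_offset is in bytes and must be a multiple of 8."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    fields = [(4 << 4) | 5, 0, HDR_LEN + len(payload), ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(HDR_FMT, *fields))   # checksum over the header with field = 0
    return struct.pack(HDR_FMT, *fields) + payload


def parse_packet(packet: bytes) -> dict:
    """Decode the header fields an investigator cares about and verify the header checksum."""
    if len(packet) < HDR_LEN:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < HDR_LEN or len(packet) < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ident": ident,
        "ttl": ttl,
        "protocol": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "checksum_ok": ipv4_checksum(packet[:hdr_len]) == 0,
        "payload": packet[hdr_len:total_len],
    }


def fragment(src: str, dst: str, data: bytes, chunk: int = 16, ident: int = 0x1234) -> list:
    """Split one message into packets, as a sending host does when data exceeds the link's MTU."""
    if chunk % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    packets = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        packets.append(build_packet(src, dst, piece, ident=ident,
                                    more_fragments=off + chunk < len(data), frag_offset=off))
    return packets


def reassemble(packets: list) -> bytes:
    """Put the fragments of one (src, dst, ident) datagram back together, whatever order they arrived in."""
    parsed = [parse_packet(p) for p in packets]
    keys = {(p["src"], p["dst"], p["ident"]) for p in parsed}
    if len(keys) != 1:
        raise ValueError("fragments from more than one datagram: %r" % keys)
    if not all(p["checksum_ok"] for p in parsed):
        raise ValueError("corrupt fragment (bad header checksum)")
    parsed.sort(key=lambda p: p["frag_offset"])
    out, expected = b"", 0
    for p in parsed:
        if p["frag_offset"] != expected:
            raise ValueError("gap: missing fragment at offset %d" % expected)
        out += p["payload"]
        expected += len(p["payload"])
    if parsed[-1]["more_fragments"]:
        raise ValueError("last fragment missing")
    return out


# Constructed sample: the slide's addresses carry a short made-up message (62 bytes, so four fragments).
MESSAGE = b"Hello from 172.31.208.99 - this message is split into packets."
SAMPLE = fragment("172.31.208.99", "213.160.116.205", MESSAGE)

if __name__ == "__main__":
    for pkt in SAMPLE:
        h = parse_packet(pkt)
        print(h["src"], "->", h["dst"], "offset", h["frag_offset"], "more", h["more_fragments"])
    print(reassemble(list(reversed(SAMPLE))) == MESSAGE)
```

Every fragment repeats the full source and destination address, which is why a capture of any single packet already names both hosts; the checksum only protects the header, so a packet whose header has been altered in transit is detected, but nothing here vouches for the payload.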

Getting There…: Locating a place on the Internet

IP Addresses

213.160.116.205  (an IPv4 address: four numbers from 0 to 255, separated by dots)

Assigning IP Addresses

• Public or private
• Dynamic or static
• Blocks of IP addresses are registered to Internet service providers (ISPs)

Assigning IP Addresses

[Diagram: computer, modem, Internet service provider, Internet. The ISP assigns 149.101.1.120 to Harry at 2:30 PM]

ISP Login Records

• The ISP equivalent of telephone company records
• Records each time a user logs in (or tries and fails)
• Logs show
  - Start time
  - Session duration
  - Account identifier
  - Assigned IP address

The Traceback

• We know the IP address used by the suspect
• How do we find out who this person is?

149.101.1.120 → ????

Step 1: What ISP has that address?

• Use the “IP whois” service to find out what ISP owned that IP address.

149.101.1.120 → ISP

Step 2: What user had that address at that time?

• Subpoena the ISP to find out who had that address
• Specify at least the address and the date and time, with time zone.

[Diagram: subpoena + IP address and time → subscriber]
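What the answer to the subpoena looks like, and why the time zone matters, as an added example that is not taken from the original deck. The login records, account names and session times below are constructed; the ISP is assumed to log in UTC and to record failed logins with no address, and the investigator's “2:30 PM” is tried in two different zones, each of which points at a different subscriber.

```python
"""Step 2 of the traceback: which account held the IP address at the time of interest?"""
from datetime import datetime, timedelta, timezone

# Constructed ISP login records of the kind the slide describes (start time, session duration,
# account identifier, assigned IP address). This ISP logs in UTC; the address is dynamic and is
# handed to a different subscriber a few hours later, which is exactly why the time matters.
ISP_LOGINS = [
    {"start": "2007-02-11T19:00:00Z", "duration_s": 3600, "account": "harry",   "ip": "149.101.1.120", "result": "ok"},
    {"start": "2007-02-11T22:15:00Z", "duration_s": 3600, "account": "sally",   "ip": "149.101.1.120", "result": "ok"},
    {"start": "2007-02-11T19:20:00Z", "duration_s": 0,    "account": "mallory", "ip": "-",             "result": "failed"},
    {"start": "2007-02-11T19:05:00Z", "duration_s": 1800, "account": "harry",   "ip": "149.101.1.121", "result": "ok"},
]

# What an investigator's note might say: "2:30 PM on 11 Feb 2007", with no time zone recorded.
NAIVE_QUERY = datetime(2007, 2, 11, 14, 30)


def parse_utc(stamp: str) -> datetime:
    """Parse the ISP's 'YYYY-MM-DDTHH:MM:SSZ' timestamps into timezone-aware UTC datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_to_utc(local: str, offset_hours: float) -> datetime:
    """Convert 'YYYY-MM-DD HH:MM' in a zone with the given UTC offset (e.g. -5 for EST) to UTC."""
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)


def sessions_for(ip: str, when: datetime, records=ISP_LOGINS) -> list:
    """Return every successful session that held `ip` at the instant `when`.
    Refuses a naive datetime: a time without a zone cannot be compared against the ISP's records."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("the time of interest must carry a time zone (ask for it in the request)")
    hits = []
    for rec in records:
        if rec["result"] != "ok" or rec["ip"] != ip:
            continue            # failed logins got no address; other addresses are irrelevant
        start = parse_utc(rec["start"])
        end = start + timedelta(seconds=rec["duration_s"])
        if start <= when <= end:
            hits.append({"account": rec["account"], "start": start.isoformat(), "end": end.isoformat()})
    return hits


if __name__ == "__main__":
    ip = "149.101.1.120"
    print("2:30 PM Eastern ->", sessions_for(ip, local_to_utc("2007-02-11 14:30", -5)))   # harry
    print("2:30 PM Pacific ->", sessions_for(ip, local_to_utc("2007-02-11 14:30", -8)))   # sally
    try:
        sessions_for(ip, NAIVE_QUERY)
    except ValueError as exc:
        print("no zone ->", exc)
```

The same address resolves to Harry if the note meant Eastern time and to Sally if it meant Pacific, so a request that omits the zone can name the wrong subscriber; the code refuses to answer rather than guess.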

Another Location Method: Prospective Evidence Gathering

• We know that our suspect was at a site and believe he’ll return
• A pen/trap device installed at the site’s ISP, under a pen/trap order, provides the suspect’s IP address when he returns

[Diagram: pen/trap order served on the site’s provider, which reports the returning visitor’s IP address]

A Twist: The NAT

• Several computers share one IP address
• Outside world sees the same address regardless of which computer communicates

[Diagram: three computers, 10.232.33.10, 10.232.33.9 and 10.232.33.8, behind a NAT that appears to the Internet as 149.101.1.120]

Another Twist: The Proxy

• “Laundering” communications through someone else’s IP address
• Outside world sees only the proxy’s IP address

[Diagram: suspect → proxy → Internet]
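Both twists above leave the remote system with one address that stands for many users. The following added example, written for this primer and not taken from the original deck, models a port-translating NAT with the three inside addresses and the public address from the NAT slide, then works back from a remote web server's log entry to the inside host. With the client's source port in the server log, the NAT's own translation log gives one answer; with the IP address alone, which is all the usual Apache common and combined log formats record, every inside host with a translation open in the window is a candidate. A proxy's access log is used the same way, keyed on whatever the proxy records about its clients. All timestamps, port numbers and the five-minute window are assumptions for the sample.

```python
"""Attributing a web hit that came through a NAT: the remote server sees one public address for every inside host."""
import ipaddress
from datetime import datetime, timedelta

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for the private ranges that never appear as a source on the public Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class Nat:
    """Minimal port-translating NAT. Each outbound flow from an inside host is rewritten to
    (public_ip, fresh public port) and the translation is recorded in the NAT's own log."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.log = []   # (timestamp, private_ip, private_port, public_port)

    def outbound(self, when: datetime, private_ip: str, private_port: int):
        if not is_rfc1918(private_ip):
            raise ValueError("%s is not a private (RFC 1918) address" % private_ip)
        public_port = self.next_port
        self.next_port += 1
        self.log.append((when, private_ip, private_port, public_port))
        return self.public_ip, public_port


def attribute(hit: dict, nat: Nat, window: timedelta = timedelta(minutes=5)) -> dict:
    """Work back from a remote server's log entry to the inside host.
    hit = {"time": datetime, "client_ip": str, "client_port": int or None}.
    With the client's source port the NAT log yields one host; without it every inside host with a
    translation opened inside the window is a candidate and the NAT log cannot narrow it further."""
    if hit["client_ip"] != nat.public_ip:
        return {"candidates": [], "unique": False}      # this NAT never spoke for that address
    candidates = set()
    for when, private_ip, _private_port, public_port in nat.log:
        if not (hit["time"] - window <= when <= hit["time"]):
            continue
        if hit["client_port"] is not None and public_port != hit["client_port"]:
            continue
        candidates.add(private_ip)
    return {"candidates": sorted(candidates), "unique": len(candidates) == 1}


# Constructed scenario using the slide's addresses: three inside hosts, one public address.
# Two hosts happen to use the same inside port, which is why the NAT hands out fresh public ports.
T0 = datetime(2007, 2, 11, 22, 45, 0)          # all times in one zone (UTC assumed for the sample)
nat = Nat("149.101.1.120")
flow_a = nat.outbound(T0 + timedelta(seconds=10), "10.232.33.10", 51234)
flow_b = nat.outbound(T0 + timedelta(seconds=12), "10.232.33.9", 49152)
flow_c = nat.outbound(T0 + timedelta(seconds=15), "10.232.33.8", 51234)

# The remote web server's record of the third host's request, with and without the client port.
HIT_WITH_PORT = {"time": T0 + timedelta(seconds=17), "client_ip": flow_c[0], "client_port": flow_c[1]}
HIT_IP_ONLY = dict(HIT_WITH_PORT, client_port=None)   # what a log that keeps only the client IP gives you

if __name__ == "__main__":
    print(attribute(HIT_WITH_PORT, nat))   # one candidate: 10.232.33.8
    print(attribute(HIT_IP_ONLY, nat))     # three candidates; the NAT log alone cannot pick one
```

The practical consequence for a request to the remote site: ask for the client's source port as well as its address and time, or the NAT operator's log can only return the whole list of machines that were talking at that moment.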

Infamous Proxies

• America Online’s proxy cache
• Proxy caches used by private companies
• Bots
• Anonymizers

Domain Names

• How humans handle IP addresses
• Every domain name has “whois” information
  - Owner, physical address, contact information
  - Almost always wrong if the domain name is registered by a criminal
• Assume nothing about geography

thecommonwealth.org = 213.160.116.205

Domain Name Queries

[Diagram: the user’s computer asks the ISP’s domain name system “Who is thecommonwealth.org?” and receives 213.160.116.205]

Getting There…: Applications that let people use the Internet

How People Use the Internet

[Diagram: a web page, a movie, an e-mail message, voice and software reach the user as data packets through software applications]

Internet Use Applications

• E-mail
• Web browser
• Peer-to-peer (P2P)
• Instant messaging (IM)
• Internet relay chat (IRC)
• File transfer protocol (FTP)

E-Mail Basics

• E-mail travels from the sender to the recipient’s host, where it resides on a MAIL SERVER until the recipient retrieves it

[Diagram: sender → sender’s ISP → Internet → recipient’s ISP (mail server) → recipient]

Evidence of Past Activity – Content

• Copies of a previously sent e-mail message may be stored on the
  - sender’s system
  - recipient’s mail server (even after the addressee has read it)
  - recipient’s own machine

[Diagram: sender’s ISP and recipient’s ISP, linked across the Internet]

Evidence of Past Activity – Traffic Data

• A record of the e-mail transmission (date, time, source, destination) usually resides in the MAIL LOGS of the
  - sender’s system
  - recipient’s mail server

[Diagram: sender’s ISP and recipient’s ISP, linked across the Internet]

Prospective Evidence – Content

• Interception, “wiretap”
• Creates a “cloned” account

[Diagram: subject’s computer → subject’s ISP → Internet; under a wiretap order the ISP delivers a copy to a law enforcement computer]

Prospective Evidence – Traffic Data

• Install a pen/trap at the user’s ISP to find out the e-mail addresses the user corresponds with

[Diagram: subject’s computer → subject’s ISP → Internet; under a pen/trap order the ISP reports addressing information to law enforcement]

Internet Use Applications: Web browser

What is a web site?

• Three components
  - Domain name (or other address)
  - A web hosting server
  - Files sitting on the web hosting server

eac.int

A Twist: Virtual Hosting

• One server hosts hundreds of web sites
• All web sites share a single IP address
• Think carefully before you seize or search an entire server

Web Addresses

• Uniform Resource Locators (URL): the name of a computer, followed by a file on that computer

  http://www.thecommonwealth.org/Internal/163207/151537/148540/podcast/
    computer: www.thecommonwealth.org
    file:     /Internal/163207/151537/148540/podcast/

  http://www.eac.int/index.php/secretariat.html
    computer: www.eac.int
    file:     /index.php/secretariat.html

Browsing the Web: Client-Server Interaction

• User types a URL or clicks on a link
• User’s computer looks up the IP address

[Diagram: the user’s computer asks the domain name system, via the ISP, for www.eac.int and receives 41.220.130.18]

• User’s CLIENT PROGRAM sends a request to the WEB SERVER at the specified IP address
• The web server transmits a copy of the requested document (the web page) to the user’s computer

[Diagram: user → ISP → Internet → web server at 41.220.130.18]

• The client program displays the transmitted document on the user’s screen

Evidence of Web Query: On User’s Computer

• Cache directory
  - Copies of recently viewed web pages
• History file
  - List of recently visited pages

[Diagram: user → ISP → Internet → web server]

Evidence of Web Query: On Web Server

• Detailed logs of each request for any page
  - Date, time
  - Number of bytes sent
  - IP address of the system that requested the data

[Diagram: user → ISP → Internet → web server]

Example Web Server Log

  10.143.28.198 - - [11/Feb/2007:22:45:17 -0500] "GET /tank.htm HTTP/1.1" 401 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
  10.143.28.198 - visitor [11/Feb/2007:22:45:23 -0500] "GET /images/lolita.png" 200 3788 "http://www.eruditorium.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
  10.143.28.198 - visitor [11/Feb/2007:22:46:11 -0500] "POST /dynamic/ HTTP/1.1" 200 413 "http://www.eruditorium.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
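A parser for log lines in the combined format shown above, written as an added example for this primer and not taken from the original deck. The sample lines are constructed in the same layout, with made-up paths and sites, and deliberately include the two quirks visible on the slide: a 401 (authentication required) response with “-” in the bytes column, and a request line without a protocol. Times are normalized to UTC so they can be lined up with ISP records, and lines that do not parse are reported rather than dropped.

```python
"""Parse Apache-style combined access-log lines and summarize what each client address did."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# One combined-format line: client IP, identd, auth user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines in the slide's layout (addresses, paths and sites are made up).
SAMPLE_LINES = [
    '10.143.28.198 - - [11/Feb/2007:22:45:17 -0500] "GET /tank.htm HTTP/1.1" 401 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"',
    '10.143.28.198 - visitor [11/Feb/2007:22:45:23 -0500] "GET /images/logo.png" 200 3788 "http://www.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"',
    '10.143.28.198 - visitor [11/Feb/2007:22:46:11 -0500] "POST /dynamic/ HTTP/1.1" 200 413 "http://www.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"',
    '192.0.2.44 - - [11/Feb/2007:22:47:02 -0500] "GET /tank.htm HTTP/1.1" 200 1502 "-" "curl/7.16.0"',
    'this line is not in combined format and must be reported, not silently dropped',
]


def parse_line(line: str):
    """Return a dict of the fields an investigator needs, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = m.groupdict()
    # The request line is "METHOD path PROTOCOL"; old clients may omit the protocol (HTTP/0.9 style).
    parts = f["request"].split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (parts[0], "")
    protocol = parts[2] if len(parts) >= 3 else None
    # Log times carry the server's UTC offset; normalize to UTC so they line up with ISP records.
    when = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {
        "ip": f["ip"],
        "user": None if f["user"] == "-" else f["user"],
        "time_utc": when.isoformat(),
        "method": method, "path": path, "protocol": protocol,
        "status": int(f["status"]),
        "bytes": None if f["bytes"] == "-" else int(f["bytes"]),   # "-" means no body was sent
        "referer": None if f["referer"] == "-" else f["referer"],
        "agent": f["agent"],
    }


def summarize(lines) -> dict:
    """Per client IP: request count, first/last time in UTC, authenticated users seen, 401 count and paths,
    plus the list of lines that could not be parsed."""
    per_ip = defaultdict(lambda: {"requests": 0, "first": None, "last": None,
                                  "users": set(), "auth_failures": 0, "paths": []})
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["first"] = rec["time_utc"] if s["first"] is None else min(s["first"], rec["time_utc"])
        s["last"] = rec["time_utc"] if s["last"] is None else max(s["last"], rec["time_utc"])
        if rec["user"]:
            s["users"].add(rec["user"])
        if rec["status"] == 401:
            s["auth_failures"] += 1
        s["paths"].append(rec["path"])
    by_ip = {ip: dict(s, users=sorted(s["users"])) for ip, s in per_ip.items()}
    return {"by_ip": by_ip, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for ip, s in report["by_ip"].items():
        print(ip, s["requests"], "requests", s["first"], "to", s["last"],
              "users", s["users"], "401s", s["auth_failures"])
    print("unparsed:", report["unparsed"])
```

On a virtually hosted server (the earlier slide) the combined format does not say which site was requested; the server has to log the virtual host as well (Apache's %v in its LogFormat) before a line can be attributed to one site rather than to every site sharing that address.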

See a theme?

• To do anything on the Internet, a computer communicates with another computer using an IP address
• Hopefully, that other computer will log what the suspect has done
• With that in mind…

Other Internet Use Applications

• Peer-to-peer (P2P)
• Instant messaging (IM)
• Internet relay chat (IRC)
• File transfer protocol (FTP)

In Closing…

• The Internet is a packet-switched network
• Systems keep many records about their interactions with the rest of the network
• Those records often help us locate and identify criminal actors, or at least bolster the other evidence against them

Michael J. Stawasz
Senior Counsel, CCIPS
[email protected]
(202) 514-1026