INTEGRITY QUALITY SERVICE

INFORMANT

The magazine for professionals who support the prevention, investigation, and prosecution of economic and high-tech crime

VOL. 3, NO. 1, MARCH - JUNE 2007

Case Highlights: in Colorado; Occupational Crime in Ohio

Terrorism and Intelligence

Inside: The Role of Computer Crime Investigators in Counter Terrorism and Intelligence Gathering

Arizona’s Enron: The Baptist Foundation of Arizona

www.nw3c.org

NW3C’s Economic Crime Summit has a new name...

Formerly known as the Economic Crime Summit, NW3C’s Global Conference addresses the growing international issues of white collar crime and how to combat them.

The Global Conference offers the same great opportunities as the Economic Crime Summit for learning from and networking with those who fight against economic and high-tech crimes.

See the inside back cover to learn more about this year’s conference!

When and Where:
October 24 - 26, 2007
Hyatt Regency Crystal City
Arlington, VA

www.conference.nw3c.org

[Map: member agencies by region; counts shown: 205, 565, 518, 220, 366, 222, 237, 14]

NORTHEAST
Augusta Police Department, ME
Bath Police Department, ME
Bennington Police Department, VT
Groton Town Police Department, CT
Guilford Police Department, CT
Maine Department of Corrections, ME
Milford Police Department, MA
Newport Police Department, RI
Rockport Police Department, MA
Sutton Police Department, NH
Thomaston Police Department, CT
U.S. Department of Homeland Security-U.S. Citizenship and Immigration Services/ Detection Unit, VT

GREAT LAKES
Aberdeen Township Police Department, NJ
Baltimore City State’s Attorney’s Office, MD
Bridgewater Township Police Department, NJ
Carnegie Mellon University Police Department, PA
District of Columbia Office of the Inspector General, DC
Hartford City Police Department, IN
Indiana Department of Natural Resources Law Enforcement Division, IN
Indiana Gaming Commission, IN
Kentwood Police Department, MI
Mahwah Police Department, NJ
Monroe Township Police Department, NJ
New Rochelle Police Department, NY
Northwest Regional Lancaster County Police Department, PA
Olmsted Township Police Department, OH
Orrville Police Department, OH
Warrington Township Police Department, PA
Wellsville Police Department, NY
Woodbury Heights Police Department, NJ

SOUTHEAST
Canton Police Department, GA
Clarke County Sheriff’s Office, VA
Florida Fish & Wildlife Conservation Commission/Special Operations Coordination, FL
Garden City Police Department, GA
Gibsonville Police Department, NC
Hillsborough County Sheriff’s Office, FL
Matthews Police Department, NC
Pasco County Sheriff’s Office, FL
Prosecuting Attorneys’ Council of Georgia, GA
Salem Commonwealth’s Attorney’s Office, VA
Salem Police Department, VA
Spotsylvania County Sheriff’s Office, VA
U.S. Postal Inspection Service - Atlanta Division, GA
University of Central Florida Police Department, FL
University of South Florida Police Department, FL
Upshur County Sheriff’s Department, WV
Virginia Department of Accounts/Division of State Internal Audit, VA
Waynesboro Police Department, TN
Wetzel County Sheriff’s Office, WV

MIDWEST
Anoka County Sheriff’s Office, MN
Arnolds Park Police Department, IA
Blanchardville Police Department, WI
Cadott Police Department, WI
Chaska Police Department, MN
Crow Wing County Sheriff’s Department, MN
Deerfield Police Department, IL
Dickinson Police Department, ND
Grafton Police Department, IL
Grain Valley Police Department, MO
Greene County Sheriff’s Office, MO
Iowa Falls Police Department, IA
Minnesota Financial Crimes Task Force, MN
Newton Police Department, KS
Rice Lake Police Department, WI
Saint Anthony Police Department, MN
U.S. Immigration and Customs Enforcement-SAC Chicago/Office of Investigations, IL
U.S. Probation Office/Eastern District of Missouri, MO

MOUNTAIN
18th Judicial District Probation Department, CO
Castle Rock Police Department, CO
Fraser-Winter Park Police Department, CO
Hobbs Police Department, NM
Louisville Police Department, CO
Pocatello Police Department, ID
Sierra Vista Police Department, AZ

SOUTH CENTRAL
Dadeville Police Department, AL
Durant Police Department, OK
San Antonio Police Department, TX
Smithville Police Department, TX
Watauga Department of Public Safety, TX
West Feliciana Parish Sheriff’s Office, LA

WEST
Battle Ground Police Department, WA
Folsom Police Department, CA
Salinas Police Department, CA

INTERNATIONAL
Office of the Special Prosecutor, Palau

Total Member Agencies as of January 25, 2007: 2,347

Upcoming Membership Events

2008 Board of Directors Elections
Attention Agency Representatives!
The 2008 Board of Directors’ elections for the Great Lakes, Mountain, South Central, and West regions will be held this year. This process will begin in April to determine who is eligible to be nominated and it will end with the ballot count on August 27th. As a voting member agency representative, you are encouraged to participate in the nomination process and the election to vote for one Director and one Alternate Representative within your region.

If your agency does not have a designated agency representative, please contact Barbara Shanes, Membership Supervisor, at 1-800-221-4424, ext. 336.

Global Conference on Economic & High-Tech Crime - Washington, DC
October 24-26, 2007
Please check the front and back inside covers of this issue of the Informant for details on this upcoming event (formerly known as the Economic Crime Summit), and the related member registration information available for attending this conference.

Have Membership Questions?
Contact Barbara Shanes, Membership Services Supervisor, at 1-800-221-4424, Ext. 336, or by e-mail at [email protected].

Recent comments from our members...

“Thank you for the good news. I have in the past had the opportunity and pleasure of attending classes sponsored by NW3C. I am glad we were approved membership and look forward to utilizing your services to assist us and assist any member that requires our help.”

“Thanks for hanging in there with us! …thanks again for your assistance!”
Patrick R. Yost, Deputy Chief
Wauconda Police Department, IL

“Logged on, everything works great! Thanks for your quick response.”
Michael Jerichow, Director
Mexico Public Safety Department, MO

“Excellent. Thank you for all your help on this.”
Paul Bourget, Manager-Criminal Investigations Unit
Maine Revenue Services

“…you guys (girls) are all so nice and helpful at NW3C...”
Mary Ann Vallus, Securities Investigator
Pennsylvania Securities Commission

Remembering Our Member Agencies’ Heroes Killed in the Line of Duty*
October 16, 2006 - January 15, 2007:

Sergeant Christopher Kurschner, Teaneck Police Department, NJ
Officer Michael Briggs, Manchester Police Department, NH
Deputy First Class William H. Beebe, Harford County Sheriff’s Office, MD
Reserve Deputy Lawrence Barnes, Sr., Ross County Sheriff’s Office, OH
Deputy Sheriff Steven E. Cox, King County Sheriff’s Office, WA
Deputy Sheriff Margena Silvia Nunez, Lee County Sheriff’s Office, FL
Police Officer Ken Jordan, Colorado Springs Police Department, CO
Police Officer II Landon Dorris, Los Angeles Police Department, CA
Officer Dwayne Freeto, Fort Worth Police Department, TX
Deputy Sheriff Jeffrey V. Mitchell, Sacramento County Sheriff’s Department, CA
Trooper Jonathan K. Leonard, Kentucky State Police, KY
Deputy Sheriff Brian Tephford, Broward County Sheriff’s Office, FL
Police Officer Bryan Tuvera, San Francisco Police Department, CA
Detective Troy Lamont Chesley, Sr., Baltimore City Police Department, MD
Deputy Sheriff William (Joe) Hudnall, Kern County Sheriff’s Department, CA
Senior Trooper Robert A. Hill, Sr., Virginia State Police, VA
Sergeant James H. Hardin, Hope Mills Police Department, NC
Officer Steve Favela, Honolulu Police Department, HI
Sergeant Nicholas G. Sottile, Florida Highway Patrol, FL

*Source: The Officer Down Memorial Page, Inc. Web site

Thank You to the Following Member Agencies for Referring New Members:

Referring Member Agency | New Member Agency
Denver Police Department, CO | Castle Rock Police Department, CO
Savannah Chatham Metro Police Department, GA | Garden City Police Department, GA
Menomonie Police Department, WI | Rice Lake Police Department, WI
Monmouth County Prosecutor’s Office, NJ | Aberdeen Township Police Department, NJ
Clark County Prosecuting Attorney’s Office, WA | Battle Ground Police Department, WA
Maryland Department of State Police, MD | Baltimore City State’s Attorney’s Office, MD
Cherokee County Sheriff’s Office, GA | Canton Police Department, GA
Charlotte-Mecklenburg Police Department, NC | Matthews Police Department, NC
Roswell Police Department, GA | Alpharetta Police Department, GA

Contents

NW3C Members Corner

Feature Articles
From the Coalfields to Cyberspace: The National White Collar Crime Center - Past, Present, and Future
Instructor Spotlight: Joe Regali
Training Course Descriptions and Schedule
Behind the Scenes of NW3C’s “IDRA” Training Course
NW3C Provides Unique Department of Homeland Security Training
Arizona’s Enron: The Baptist Foundation of Arizona
Case Investigation Highlights:
• Ponzi Scheme in Colorado Ends in 20-Year Jail Sentence and over $500,000 in Restitution Ordered
• Travel Business Owner Pays Price for Occupational Fraud Committed in Ohio
Workplace Security: Keeping Employees Honest
Crime Complaint Center (IC3) News
• Restructuring and New Services Make the Internet Crime Complaint Center a Better Resource for Law Enforcement
• IC3 Alerts
• IC3 Welcomes a Visit from FBI Director Mueller
NW3C and IACIS: A History of Collaboration
Terrorism and Intelligence
The Role of Computer Crime Investigators in Counter Terrorism and Intelligence Gathering

NW3C Board of Directors
Chairman: Glen B. Gainer III
Vice Chairman: Brian Flood
Secretary: Christopher Cotta
Treasurer: Paul Cordia

Regions
Great Lakes: Philip Rosenthal
Midwest: Paul Cordia
Mountain: Kathleen Kempley
Northeast: Christopher Cotta
South Central: Brian Flood
Southeast: Michael Brown
West: Michael Stevenson

Editorial Staff
Courtney Tan • Loreal Bond • Leslie Layton • Barbara Shanes • April Tillar • Laura Kenny • Cam Brandon

This project was supported by Grant No. 2006-MU-MU-K002 awarded by the Bureau of Justice Assistance. The Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view or opinions in this publication are those of the author and do not represent the official position or policies of the United States Department of Justice. The National White Collar Crime Center (NW3C) is the copyright owner of the Informant. This information may not be used or reproduced in any form without the express written permission of NW3C. This publication is also available for download in PDF format at www.nw3c.org. For questions or additional information, please contact Courtney Tan in the Communications Department at [email protected].
©2007. NW3C, Inc. d/b/a the National White Collar Crime Center. All rights reserved.

From the Coalfields to Cyberspace: The National White Collar Crime Center
Past, Present and Future
By Mary-Ellen Kendall, NW3C General Counsel

For the past twenty-eight years, the National White Collar Crime Center (NW3C) has worked to support state and local law enforcement efforts to prevent, investigate, and prosecute economic and cyber crimes. NW3C and its predecessor, the Leviticus Project, are well known as innovators in facilitating cooperation and collaboration among law enforcement agencies across local, state, and national boundaries.

NW3C has followed a long and challenging path in becoming the member-driven organization it is today. NW3C’s historical involvement with law enforcement has given NW3C a unique perspective on the changes that have occurred in law enforcement since the 1970’s. To understand exactly how far NW3C has come in the last three decades, let’s take a look back at some of the obstacles that NW3C has faced and the initiatives that NW3C has pioneered.

IN THE BEGINNING

NW3C began its existence in 1978 as the Leviticus Project. The Project takes its name from the Biblical verse Leviticus 19:13: “Thou shall not defraud thy neighbor, neither rob him; the wages of him that is hired shall not abide with thee all night until the morning.”

Member agencies may be surprised to learn that the Leviticus Project was created to address organized criminal activity in the coal industry. Following the Arab oil embargo in 1973, the decided to increase production from its domestic coal reserves as a means of achieving energy independence. One result was a boom in coal production. Another less expected result was a dramatic increase in crime affecting the coal industry.

By 1974, coal prices increased sharply, nearly quadrupling in one year. Foreign demand had increased dramatically and electric utilities increased their coal supplies. Because of the increases, investment incentives were created.

Two of the developments from this economic change, one involving securities regulation, and the other, tax incentives, had fateful consequences for the emergence of organized criminal activity in the coal industry.

Along with the economic change that occurred, was evolving to exploit the changed economic landscape. The La Cosa Nostra families had an appreciation of the high profits and low risks associated with ambitious and sophisticated white collar crimes, and joined with the more loosely organized fraternity of top-level swindlers. The apparent purpose of the unified criminal pattern was the acquisition of coal mining companies, their leases, equipment and other assets.

The increased use of computers by the criminal element was also noted as one of the contributing factors for the increase in criminal activities during this period.

By late 1976, state and local law enforcement agencies throughout the Appalachian coal mining region and other areas with the same interests had uncovered a complex pattern of organized criminal activity whose main purpose seemed to be the takeover of coal production companies and their assets. For the next two years, the state and local law enforcement agencies that uncovered the problem shared information and cooperated informally together on a case-by-case basis.

FORMATION OF THE LEVITICUS PROJECT

The creation of the Leviticus Project in the autumn of 1978 heralded a new era in law enforcement. The kind of collaborative law enforcement effort proposed by the Leviticus Project had never before been attempted. Each agency in the Project had to contend with historical barriers and undeniable competitiveness between agencies. Although those agencies that joined the Project understood that they were taking certain risks by joining, each agency believed that the risks were outweighed by the significant dangers posed by a coal industry infiltrated by organized crime, and that the benefits to be gained by the success of a project like Leviticus were important enough to justify the risk.

There were many challenges encountered in creating the Leviticus Project. Each state in the Project was a separate sovereignty whose political and economic interests were not always compatible with those of the other states. Each state faced different challenges in protecting public safety and, as a result, had different needs and expectations. The agencies also had to learn to deal with the discomfort of relying upon the efforts of an agency in another state for the success of an investigation. Unlike the standard procedure followed by many law enforcement agencies in the 1970’s, agencies had to be willing to share their investigative information with others and not restrict access to information only to the state that developed it.

The Leviticus Project was created to conduct a formally structured and centrally coordinated multi-state investigation of a variety of crimes affecting the coal industry. The Project began as an unincorporated association composed of member agencies from the states of Alabama, Georgia, Indiana, Kentucky, New York, Pennsylvania, and Virginia.

CHARTER MEMBERS OF THE LEVITICUS PROJECT

There were 16 charter member agencies from seven (7) states in the Leviticus Project:

ALABAMA
Alabama Securities Commission
Alabama Department of Public Safety
Birmingham, Alabama, Police Department

GEORGIA
Georgia Organized Crime Prevention Council
Georgia Bureau of Investigation
Georgia Secretary of State’s Office

INDIANA
Indiana Securities Commissioner
Indiana State Police

KENTUCKY
Kentucky Division of Securities
Kentucky Attorney General’s Office

NEW YORK
New York County District Attorney’s Office

PENNSYLVANIA
Pennsylvania Crime Commission

VIRGINIA
Virginia State Police
Virginia Attorney General’s Office

From 1980 through 1986, the administrative offices of the Leviticus Project were located at the Manhattan District Attorney’s Office in New York City. Funding for the Project was provided by the federal government through a central funding pool for the so-called “multi-state projects”, which are now known as the Regional Information Sharing System (RISS). The Department of Justice provided funding to the Virginia Division of Justice and Crime Prevention (DJCP), which served as the formal grantee for the Leviticus Project. DJCP received all grant funds awarded to the Leviticus Project and disbursed them to the Project’s member states. On February 20, 1980, the Leviticus Project was awarded a grant by the Law Enforcement Assistance Administration (LEAA) to support the Project’s principal investigative activities for a period of 12 months. On June 26, 1980, a supplemental grant was awarded to the Project by LEAA to support the development and operation of the Leviticus Project’s Management and Information System.

In June 1986, the Project’s Criminal Intelligence Database was relocated to the Virginia State Police. In October 1986, the Leviticus Project Association was incorporated in the Commonwealth of Virginia. The administrative office was relocated to Richmond, Virginia to permit the Project’s grantee agency and the administrative offices to work more closely together, and to eliminate the time lost in mailing and transmitting correspondence between the two agencies. In 1988, the Bureau of Justice Assistance approved expansion of the Project’s objectives to include investigations of the precious metals industry.

By the end of 1990, the Leviticus Project Association had 31 member agencies in 20 states. Member agencies were selected primarily from coal, oil, natural gas, and precious metal states. Fifty-nine percent (59%) of the member agencies were securities enforcement agencies and 31 percent (31%) were traditional law enforcement agencies.

The year 1991 was one of uncertainty for NW3C. The Department of Justice almost eliminated funding for the Leviticus Project. Continued funding was conditioned upon the Project making several major changes:

• Membership had to be expanded to include all traditional law enforcement agencies in all 50 states;
• The Project had to institute funding controls; and
• The focus of the Project had to shift from facilitating information-sharing and meetings to providing training, creating databases, and providing analytical services to assist the membership.

TRANSITION TO THE NATIONAL WHITE COLLAR CRIME CENTER

In August 1992, the Leviticus Board of Directors began to implement the strategy that would create the NW3C of today. The Leviticus Board hired Richard Johnston as Director in August 1992 to provide NW3C with a vision for the future.

At the last annual meeting of the Leviticus Project in November 1992 in Dallas, the Project adopted a reorganization plan that would:

1. Change the name of the organization from the Leviticus Project to a name that suggested the new national identity. The Project’s name was legally changed to the National White Collar Crime Center, Inc. effective November 30, 1992;
2. Divide the membership into regions and replace the annual meeting with regional meetings where Board members would be elected;
3. Expand the focus from organized crime associated with the coal and precious metals industries to other areas of economic crime, and into computer-related crime arising from criminals using the Internet;
4. Emphasize state-of-the-art, focused training across the country, along with databases, and analytical support;
5. Limit case funding to clearly multi-state cases with national impact;
6. Open membership to all areas of law enforcement; and
7. Establish a schedule for Board of Directors’ meetings on Saturdays to reduce air travel costs.

The National White Collar Crime Center was established as a non-stock Virginia corporation that has a 501(c)(3) non-profit tax status on November 30, 1992. In order to cement the Project’s new identity, NW3C adopted a new logo and mission statement in early 1993. The initial Board of Directors included Donald Brackman of the Indiana State Police; Darrel Stilwell of the Virginia State Police; Sharon Fox-Jenkins of the Arizona Corporation Commission; Lawrence Cook of the Kansas Securities Commission; Kelly Arnold of the Missouri Securities Division; Robert Ortiz of the New Mexico Department of Public Safety; and James Blair of the Pennsylvania Securities Commission.

The purpose of the new organization was changed as well. The National White Collar Crime Center would serve as a means to link criminal justice agencies across jurisdictional borders. Additionally, NW3C was designed to bridge the gap between local and state criminal justice agency economic crime-fighting capabilities, and the minimum threshold for federal investigation and intervention. NW3C would provide support for the prevention, investigation, and prosecution of economic crime through a combination of research, training, and investigative support services.

What began as a single-focus investigation of crime in the Appalachian coal fields had evolved into a centralized national undertaking that targeted criminal activity ranging from scams to multi-billion dollar /schemes, by facilitating a unique partnership of federal government agencies, state and local criminal justice agencies, and the private sector. Based on its new membership and mission, NW3C began developing and implementing strategies to combat a rapidly emerging and technically sophisticated body of crimes that threatened the economic prosperity and future of the United States.

Moving Forward into Cyber Space

Led by the Board of Directors, NW3C made the commitment to filling a huge void in the fight against economic crime, and to provide quality support services for states facing white collar criminal activity beyond the capabilities of their individual resources. NW3C was designed to remedy the inadequate allocation of resources for addressing white collar crimes and to create systems for sharing critical information and coordinating multi-state investigations, which, in 1993, were essentially non-existent.

In order to maximize the impact that NW3C could have on white collar crime, three (3) new categories of membership were created for Voting, Associate, and Affiliate members. On January 12, 1993, the Clearwater Florida Police Department was approved as the first NW3C Voting member agency, and the National Fraud Information Center (part of the National Consumers League) was approved as the first Affiliate member. NW3C had 45 Voting members in June 1993.

NW3C developed new methods to better serve member agencies, such as providing training videos, conducting nationwide teleconferences, creating a Training Institute, adding applied research capabilities, conducting a nationwide survey in a multi-state task force investigation into suspected defrauding of investors, dividing the country into seven regions, and beginning to operate regionally across the United States.

To increase participation and to secure representation for each of the new regions, NW3C created a new structure for the Board of Directors. Each region was authorized by NW3C’s Bylaws to elect a representative from a member agency to the Board of Directors. The Board meetings were changed to quarterly conference call or in-person meetings to allow the Board to shape the mission, directions, and activities of NW3C.

Recognizing the continued expansion of crimes across state borders, NW3C sought to bridge the gap by offering better support mechanisms for multi-state investigations of white collar crimes. NW3C began exploring potential partnerships with the North American Securities Administrators Association (NASAA) regarding mutual interests and services that NW3C might provide to NASAA. Many of the securities regulators investigated all forms of white collar crime and worked well with NW3C in developing some of the training products and databases, and in recruiting new members. NASAA has always been and remains a close ally of NW3C.

NW3C immediately pursued several crucial initiatives. It was imperative that white collar crime training be developed for the public, law enforcement, and prosecutors. NW3C also began fostering information sharing and making resources available to assist in multi-state investigations that otherwise would have faltered due to a lack of local resources. To provide a mechanism for creating training and to ensure that it would be developed, plans were undertaken to create a national training institute for investigators and prosecutors. The new center for creating white collar crime training was called the Training and Research Institute (TRI).

When funding for the proposed Training and Research Institute was being pursued, Congressman Alan B. Mollohan (D-WV) was instrumental in securing the funding. At his request, NW3C located TRI in Morgantown, West Virginia, where West Virginia University (WVU) and the West Virginia High Technology Consortium were located. WVU and the Consortium served as resources to support TRI.

A new Computer Crime Unit was established at NW3C in 1995. The first course NW3C developed was named “Cybercop 101.” It was a five-day training course, using mobile computer labs, with course work pertaining to basic data recovery and analysis from electronic media. Numerous economic crime and computer-related crime courses have been developed by NW3C since 1995.

In 1996, the Bureau of Justice Assistance of the Department of Justice selected the West Virginia Office of the State Auditor as NW3C’s new grantee agency.

By 1996, NW3C had three locations: Headquarters in Richmond, Virginia; the Training and Research Institute in Morgantown, West Virginia; and Computer Crime in Fairmont, West Virginia. NW3C sponsored its inaugural Economic Crime Summit in Providence, Rhode Island in May 1997.

In 1999, NW3C expanded its training capabilities by creating state-of-the-art classrooms and a mock courtroom at the Computer Crime Office in Fairmont. NW3C and the Federal Bureau of Investigation signed a Memorandum of Understanding establishing the Internet Fraud Complaint Center (IFCC) to serve as a clearinghouse for Internet fraud complaints. In May 2000, the Attorney General, Janet Reno, and FBI Assistant Director, Ruben Garcia, announced the formal start-up of the IFCC and the joint partnership of the FBI and NW3C in Morgantown. By 2000, NW3C employed 110 employees, had four offices, and had a budget approaching $10 million.

The Economic Crime Summit in 2000 received significant media coverage. Print coverage alone reached an impressive 15,457,500 people. Several NW3C Web sites were now operational and the number of students attending a variety of NW3C training classes had increased dramatically. As the requests for training steadily increased, NW3C could not keep up with the demand.

When the terrorist attacks of September 11, 2001 occurred, NW3C developed additional methods to help law enforcement respond. IFCC’s personnel and equipment were quickly modified and became operational as the FBI Terrorist Reporting Web site. Modifications were made to allow a direct relay of information to the FBI Operations Center in Washington, DC. NW3C and the FBI began 24/7 operation and staffing. This also challenged the management to keep operating, without loss of service to the membership, at a reduced budget. By October, the IFCC had processed 117,000 terrorist leads through its Web site. In 2003, the name of the IFCC was changed to the Internet Crime Complaint Center (IC3) and its focus was expanded to include a broader range of Internet-related crimes.

and Associate member agencies. To better allocate resources, NW3C eliminated the Affiliate membership category. The Board also revised NW3C’s Mission Statement to reflect NW3C’s expanded mission:

To provide a nationwide support system for agencies involved in the prevention, investigation, and prosecution of economic and high-tech crime and to support and partner with other appropriate entities in addressing homeland security initiatives, as they relate to economic and high-tech crime.

Although the demand for training law enforcement personnel continues to grow, state and local governments do not have the resources to meet their training needs. Recognizing that travel budgets had been cut at many member agencies, NW3C began to focus on regional training efforts, in the form of two-day Regional Economic Crime Summits and one-day Outreach Events that bring the training to NW3C’s member agencies, eliminating or reducing members’ travel costs.

As part of the regional focus, NW3C created “Program Support Centers” that are partnerships between NW3C, state/local law enforcement agencies, and academic institutions in those areas. NW3C currently operates Program Support Centers in the following locations:

Florida – NW3C staff has been closely working with the Florida Department of Law Enforcement (FDLE) and Florida State University (FSU) on several initiatives, including the securing of a mobile lab to support training goals for FDLE and support of the Florida Cyber Security Institute. Also, an NW3C staff member served as an adjunct professor of cyber crime courses at FSU.

Texas – NW3C staff is working with Southwest Region. We are also pursuing a state or local member agency to act as the pivotal law enforcement lead in furthering the alliance.

Indiana – NW3C staff began working with Purdue University and the Indiana State Police on the development of educational materials, courses, tool development in digital forensics, research, and investigative support in cyber crime. An early result of NW3C’s partnership with Purdue University was the one-day “E-Mail Forensic Workshop” held on Oct. 28, 2004. NW3C staff is also working with the Indiana Homeland Security Director regarding training opportunities at a newly established Indiana Intelligence Fusion Center.

West Virginia – NW3C has formalized its long-standing working relationships with the West Virginia State Police and West Virginia University to create the West Virginia Program Support Center, and to continue conducting joint research projects, developing training and curricula in computer science and information technology, and creating tools that can further the state of practice in digital crime investigation, financial crime investigation, and intelligence analysis.

Virginia – NW3C entered into an agreement with the Virginia State Police and Virginia Commonwealth University to create the Virginia Program Support Center, and to collaborate on developing educational materials and courses, developing digital forensics and computer investigation tools, and conducting computer crime research.

In May 2005, Donald J. Brackman, the Chairman of the initial NW3C Board of Directors in 1992, became the Director of NW3C. In addition to his long-standing association with NW3C, he has over 30 years of law enforcement experience with the Indiana State Police.

Instructor Spotlight
By Dale Smith, NW3C Training Manager

“It is always exciting to meet fellow analysts in various parts of the country but most importantly, teaching is always a learning experience for me”
Joseph Regali
NW3C Adjunct Instructor and Manager, Analytical Services
New England State Police Information Network (NESPIN)

Joseph E. Regali is an adjunct instructor for NW3C, teaching the Foundations of Intelligence Analysis Training (FIAT).

The FIAT course was developed in 2003 to meet a training need for beginning intelligence analysts. The course provides an introduction to intelligence analysis and explores the thinking skills and methods required for the effective analysis of intelligence. Regali served as a subject matter expert (SME) during the development of the FIAT course, representing the Regional Information Sharing System (RISS), which was part of the development consortium that also included NW3C, the International Association of Law Enforcement Analysts (IALEIA), and the Law Enforcement Intelligence Unit (LEIU). Regali has taught the FIAT course since its inception and has participated in instructor development programs to prepare new instructors to teach the course. Regali also served as a Subject Matter Expert in the development of the Advanced Criminal Intelligence Analysis to Prevent Terrorism course.

Regali’s dedication to the education and training of analysts throughout the United States is evidenced in his support of the FIAT Training. Three of his former students are also FIAT adjunct instructors. Regali believes that their involvement with the program “keeps them well rounded and up to date with analytic methodologies”. He states that his staff enriches the course with their experience while they learn from other analysts who attend the FIAT course.

For the past eleven years, Regali has served as the Manager of Analytic Services for the New England State Police Information Network (NESPIN). Regali came to NESPIN after a 20-year career with the Maine State Police (sworn). During that time he also served as an intelligence analyst with the Maine Drug Enforcement Agency and the Maine State Police Intelligence Unit. Regali is a Lifetime Certified Criminal Analyst (CCA) and has spent several years training law enforcement officers at the Maine Criminal Justice Academy and the Maine State Police Academy. He holds a Bachelor of Science degree in Vocational Education and Master of Science degree in Adult Education from the University of Southern Maine.

In addition to teaching for NW3C, Regali has served as an adjunct instructor at Dean College teaching Analysis of Criminal Intelligence and Computer Use in the Analysis of Criminal Intelligence. He has had articles published on training in the Journal of Police Science and Education and Police Chief Magazine, and has contributed to IALEIA’s Journal Notes.
With regard to his teaching experience Regali states, “It is always the University of Texas at Dallas and the exciting to meet fellow analysts in various parts of the country In 2003, the Board of Directors renewed its Greater Dallas Crime Commission on In 2005, NW3C staff also developed a but most importantly, teaching is always a learning experience for If you are interested in becoming an adjunct instructor for commitment to focus on providing training, formalizing a partnership in the devel- member agency Web site that provides me.” Regali also has observed “the creativity and dedication of NW3C please contact Dale Smith, Training Manager, at 877- research, and analytical support to its Voting opment of cyber crime courses for the the analytic community” during his travels as an NW3C adjunct 628-7674, Ext. 262, or by e-mail at [email protected]. Continued on page 43 instructor.

Training
Course Descriptions

New Course Available!
Introduction to Securing Law Enforcement Networks (ISLEN)

This 3-day course is designed to instruct participants in recognizing potential security threats and how to safely and methodically administer law enforcement networks. Training includes instruction on network essentials, communications, services, risks/threat analysis and the need for a strong network security model. Participants will get hands-on experience with security threats, security tools, vulnerability assessment, network topology, and router configuration. Attendees will learn how to analyze networks, assess security, neutralize vulnerabilities, reduce downtime and liability, and develop policies and procedures to maintain secure environments.

Students must:
• Have basic computer literacy
• Be familiar with basic OS operations
• Be familiar with basic file system/user operations (navigation, copy paste, etc.)
• Possess basic networking skills (navigate, search, identify basic components, etc.)
• Be authorized to perform the implementation of the security measures taught in the course.

Continue to check the Web site (www.nw3c.org) for this course schedule, coming soon!

CYBER CRIME COURSES

CYBERCOP 101 - (BDRA) Basic Data Recovery and Acquisition

This 4-day entry level course is for those that are just starting with computer investigations. If you are a criminal investigator, prosecutor, or support staff whose duties include the investigation and prosecution of high-technology crimes and the seizure of electronic evidence, this course could be of benefit to you. It teaches the fundamentals of computer operations, hardware, and how to protect, preserve and image digital evidence. This class will introduce participants to the unique skills and methodologies necessary to assist in the investigation and prosecution of computer crime.

Cybercop 101 (BDRA) includes hands-on instruction and discussion about such topics as evidence identification and extraction, hardware and software needed to do a seizure, high-tech legal issues, and more. The online component must be taken and each student must test out of it prior to being confirmed in the course.

This course is designed for individuals who already possess a good understanding of computers and common software applications. In addition, many of the forensic computer applications used in the class are executed from the DOS command line, making knowledge of basic DOS commands essential.

CYBERCOP 102 - (AFT) Introduction to Automated Forensics Tools

Cybercop 102 (AFT) is a 4-day course that serves as an introduction to Automated Processing applications. The course provides an overview of the use and features of three popular automated tools: ILook®, Encase® and FTK (Forensic Tool Kit®).

This is a basic class dealing with common issues found in processing computer-based evidence. One day is spent with each of the forensic tools in examining suspect systems. This course is not designed to produce “experts” in any one of the tools, but rather to allow one to get a feel for the tools to assist in deciding which one closely fits their current needs.

Students will be introduced to each application through an instructor-led, hands-on scenario. The student will then process a total of three separate scenarios individually, with instructor assistance as needed.

Eligibility for attendance in the class requires that students have completed previous training such as Cybercop 101 (BDRA) or the equivalent.

CYBERCOP 201 - (IDRA) Intermediate Data Recovery and Analysis

This 4 1/2-day course is designed to be the “sequel” to the Cybercop 101 (BDRA) course. It covers the forensic examination of Windows®-based operating systems on a FAT File System, and includes things such as processing the Recycle Bin, the swap file, the registry, long file names, date and time information and other Windows® features.

Topical areas include LBA and hard drive access, partition table reconstruction, advanced imaging and restoration, recovering data from the registry, recovering Windows®-based passwords and processing the swap file, slack space and unallocated space, alternate media, print spool files, and application metadata. It also includes a comprehensive discussion of how partition tables work, processing alternate media such as memory cards, CDs and DVDs, and advanced imaging issues.

The class is scenario-based, with the students examining a suspect’s hard drive through the course of the week, as well as additional pieces of evidence.

Eligibility for attendance in the class requires that the students have completed previous training in Cybercop 101 (BDRA) or the equivalent and have experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA) training.

CYBERCOP 202 - (ILook) ILook® Automated Forensic Application

Cybercop 202 (ILook) is a 4 1/2-day course that serves as an overview of the most used features of ILook® Investigator. It includes the IXImager to create a duplicate image of the hard disk and the examination of several hard drive partitions. The multiple aspects of this GUI-based forensic suite are presented with emphasis on imaging and processing of seized media.

The student will walk through a case from previewing to the final reports and will be able to effectively conduct salvage, file signature analysis, registry analysis, hash analysis, deconstruction, keyword searches and more, on seized evidence. It does not teach basic forensics, but rather how to use the tool to perform forensic examinations. Many of the built-in automated short cuts will be presented, which will assist in better case preparation and analysis.

It is expected that the students already know forensic processing issues. This course requires the applicant to have completed previous training in Cybercop 101 (BDRA) or the equivalent and students MUST be employed by a law enforcement agency.

CYBERCOP 203 - (E-MAIL) Windows® Client E-mail Data Structures

This 4 1/2-day course outlines the protocols utilized in e-mail delivery and retrieval, reviews e-mail headers, discusses spoofing, and teaches the forensic examination of systems where specific e-mail clients have been used such as Microsoft Outlook®, Outlook Express®, AOL®, and several of the Web-based e-mail programs such as MSN Hotmail®. This course is designed to be an in-depth introduction to e-mail client forensics. This course does not cover e-mail recovery from servers, only from the local computer.

Eligibility for attendance in the class requires that the students have completed previous training such as Cybercop 101 (BDRA) or the equivalent and have experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA) training.

CYBERCOP 301 - (NTx) Windows NT® Operating Systems and the NT File System

Cybercop 301 is a 4 1/2-day course that is designed to be an introduction to processing issues related to the Windows NT®, Windows 2000®, and Windows XP® operating systems.

Topical areas include a detailed look at the New Technology File System (NTFS), the encrypting file system (EFS), dynamic disks, directory junctions, volume mount points, and processing issues such as recovering erased files, examination of the page file, unallocated space and slack space, recovering information from the registry and methods of gaining operating system and file system access.

Eligibility for attendance in the class requires that the students have completed previous training in Cybercop 101 (BDRA) and Cybercop 201 (IDRA), or the equivalent and experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA)/Cybercop 201 (IDRA) training.

CYBERCOP 302 - (INET) Windows® Internet Trace Evidence

This 4-day course is designed to teach the recovery of “trace evidence” that is left on a computer system as a result of the use of the Internet. It covers information about the use of Internet Explorer®, Netscape®, AOL®, and several of the instant messaging tools like Yahoo®, AIM®, and MSN Messenger®.

Topical areas include the recovery and examination of cookies, cache, history files, and auto-complete information (passwords); Instant Messenger registry and file structure information; AOL Client/Communicator® stored-mail, buddy lists, address books and more.

Eligibility for attendance in this course requires the students have completed previous training in Cybercop 101 (BDRA) and Cybercop 201 (IDRA), or the equivalent and experience drawn from the application of the techniques utilized in the Cybercop 101 (BDRA)/Cybercop 201 (IDRA) training.

CYBER-INVESTIGATION 100 - (ISEE) Identifying and Seizing Electronic Evidence

Cyber-Investigation 100 (ISEE) is designed to instruct participants in the basics of recognizing potential sources of electronic evidence, preparing them to respond to an electronic crime scene, and to safely and methodically preserve and collect items of evidentiary value to be used in court proceedings.

Consisting of six hours of instruction, this particular course utilizes advanced adult learning skills. It takes the participants through a process and methodology that can be presented either in a basic recruit academy atmosphere or in an in-service training situation.

Cyber-Investigation 100 (ISEE) is an Instructor Development Project (IDP) course. In an IDP course, participants are trained to instruct the ISEE course. They are supplied with all of the course materials and training that will allow them to teach the course on their own, with support from NW3C. The course is designed to be taught by non-technical instructors. Instructors with varying investigative backgrounds will be able to grasp the concepts and materials necessary to teach the course.

The ISEE-IDP training will consist of a 3-day training event presented at several locations across the country. After attending the IDP course, ISEE Instructors will determine when and where to sponsor a class in their area. NW3C will post the course on our Web site for student registration and will provide all of the course materials, student roster, and certificates for the course. Continued updates to the curriculum will be provided to the ISEE Instructor.

Any individual interested in becoming an ISEE-IDP Instructor will be able to register through NW3C’s Web site. Once sufficient applications have been received, the IDP course location will be selected and applicants within that area will be notified.

CYBER-INVESTIGATION 101 - (STOP) Secure Techniques for Onsite Preview

Cyber-Investigation 101 is a 2-day course that is intended for probation/parole, detectives, and officers conducting “knock and talk” interviews or spot checks and home visits.

This class utilizes a Linux-based bootable CD to preview a suspect’s computer system for potential evidence in a forensically sound manner. The CD is based on the Linux operating system, and it has the advantage of being able to “read” other computer system’s files without writing to or altering the data on those systems.

CYBER-INVESTIGATION 201 - (BOTS) Basic Online Technical Skills

This 4 1/2-day course is designed for the officer who is new to on-line investigations, or for officers whose agencies are setting up an online investigation unit. The course will teach the basic technical skills involved in setting up an under-cover account, how to conduct and document real-time chats, instant messaging, and other on-line, real-time evidence acquisition, logging, etc.

Cyber-Investigation 201 (BOTS) gives an overview of the investigative considerations, ISP clients, searching newsgroups, peer-to-peer networking/e-mail and emerging techniques.

An online component must be taken and each student must test out of it prior to being confirmed in the course.

This is NOT an “Undercover Investigation” course!

New Course Available!
Fast Cyberforensic Triage (FCFT)

This 3-day course will introduce investigators and first responders to the process known as Fast Cyberforensic Triage. Fast forensics is defined as “those investigative processes that are conducted within the first few hours of an investigation, that provide information used during the suspect interview phase. Due to the need for information to be obtained in a relatively short time frame, fast forensics usually involves an on-site/field analysis of the computer system in question.”

The course will utilize both presentation and hands-on training. The course content is based on practical, applied investigative processes and stresses both knowledge of the concepts and application of the knowledge to “real world” case scenarios. Students will learn to quickly prioritize and recover time-sensitive digital evidence, while observing forensically sound practices. Class participation and networking with colleagues are strongly emphasized. Upon completion of the course, participants will receive a certificate of completion.

To enroll in the course, students must have successfully completed NW3C’s BDRA course (or equivalent training from another agency), and have at least one year of experience examining digital evidence.

Continue to check the Web site (www.nw3c.org) for this course schedule, coming soon!

ECONOMIC CRIME COURSES

Analyst’s Notebook® 6 by i2, Inc.

This introductory course provides hands-on training in this powerful analytical software tool. Analyst’s Notebook® 6 by i2 gives law enforcement the ability to visualize and analyze large amounts of investigative data. This course lays the foundations of the software capabilities and gives the user the skills to create basic link and timeline charts, allowing investigators and analysts to bring clarity to complex investigations.

In this 5-day training course, attendees will learn how the software can help in revealing patterns and hidden connections in the available investigative information. Students will also learn how to create useful charts for presenting information to others in an easily understandable form.

FCAS (Financial Crimes Against Seniors)

The FCAS training adds to students’ investigative skills and interviewing techniques to prepare them to more successfully pursue cases of financial exploitation of seniors.

NW3C curriculum developers worked with experts in elder abuse and financial exploitation from many areas of the country to construct this 3-day class.

Adult protective service investigators are also encouraged to attend this training, since the multi-agency approach to these crimes has a proven record of success.

The training helps begin the networking process that can continue out of the classroom and into real cases, capitalizing on the strengths of each type of agency.

FIAT (Foundations of Intelligence Analysis Training)

The need for well-trained intelligence analysts has become more critical in recent times. Law enforcement, military, and national security entities all require skilled analysts to interpret growing amounts of information.

To address this need, much work has been done in the past few years to develop effective training in the field of intelligence analysis. NW3C has capitalized on the lessons learned from previous training initiatives in its development of the Foundations of Intelligence Analysis Training (FIAT).

The 5-day, 40-hour training covers the following topics:

Introduction to Intelligence Analysis
• History of Intelligence Analysis
• Purpose of Intelligence Analysis
• Intelligence Models
• Intelligence Cycle
• Legal Issues
• Resources

Intelligence Analysis as a Thought Process
• Fundamentals of Logic
• Critical Thinking
• Creative Thinking
• Inference Development
• Recommendations
• Development

Analysis Methods and Skills
• Introduction to Methods and Skills
• Crime Pattern Analysis
• Association Analysis
• Flow Analysis
• Strategic Analysis
• Communication Analysis
• Financial Analysis
• Indicator Development
• Products of Intelligence
• Reports and Presentations

FIAT is intended for law enforcement and regulatory personnel who have not received formal, basic intelligence analysis training.

FIPS (Financial Investigations Practical Skills)

This course provides “hands-on” training designed specifically to address the particular interests and needs of white collar crime investigators. Working as part of a multi-agency task force, participants develop the practical skills, insights, and knowledge necessary to manage a successful financial investigation from start to finish, including: identifying and addressing complex criminal activities; organizing and documenting critical evidence; and presenting a case for prosecution.

This training will especially benefit investigators, auditors, prosecutors, paralegals, financial analysts, and regulatory personnel who are learning the fundamentals of conducting successful financial crime investigations.

The 5-day, 40-hour training covers the following topics:

Day 1: Overview of white collar crime, criminals, victims, and the investigation
Days 2 and 3: Conducting a financial investigation
Day 4: Packaging and presenting findings and evidence
Day 5: Mock trial

ID Theft Investigations Training

Identity theft exists in every strata of crime, from individual street crimes, such as purse snatching and mailbox robberies, to highly complex and organized criminal enterprises.

This 3-day course is intended for law enforcement, criminal intelligence analysts and prosecutors who may be involved with identity theft cases. Students will acquire an increase in awareness of the “bigger picture” of identity theft. They will also learn to recognize ID theft indicators and the potential nexus to terrorism and larger-scale criminal activity. The training promotes multi-agency and private-sector collaborations and teaches investigative best practices that lead to successful prosecutions.

This interactive, scenario-driven course presents:
• Investigative tools, techniques, and resources for investigating identity crimes.
• The “criminal tools of the trade” so students can learn about and recognize the low-tech and high-tech paraphernalia used by criminals.
• The basics of identity theft for financial gain, as well as identity theft for concealment, such as for terrorism or avoidance of prosecution.
• Proactive and reactive approaches to identity theft that provide students with practical investigative experience. A proactive response is needed when ID theft indicators are uncovered during the investigation of other crimes such as in drug raids; while the reactive response deals with complaints initiated by victims.

FREA (Financial Records Examination and Analysis)

Financial investigations are becoming more complex, requiring law enforcement agencies to concentrate resources and skills to resolve these crimes. A thorough investigation of financial records is imperative to determine and document whether or not suspected financial fraud is occurring between individuals and/or organizations.

The course teaches investigators, analysts, examiners, auditors, prosecutors, and other legal professionals the latest techniques in records analysis. This course is designed to develop the participants’ skills utilizing computers to examine and analyze financial records, and present evidence in written reports, graphical depictions, and testimony in court.

FREA’s 5 Course Sessions:
• Introduction to Analysis
• Financial Crimes
• Analysis of Financial Records
• Presentation Techniques
• Courtroom Activity

WCCAT (White Collar Crime and Terrorism)

When state and local law enforcement and regulatory personnel pursue the perpetrators of financial crimes, they can no longer be confident that the white collar crime criminal is prompted by greed and has a goal of “the good life.” It is entirely possible that what appears to be a commonplace, low-level economic crime is a small cog on a wheel of organized efforts to terrorize and harm America and Americans.

Law enforcement and criminal justice personnel must be prepared to identify these cases when they present themselves and then see them through to successful prosecution at the state and local levels. These cases are no longer solely within the purview of the federal government.

Introduced in 2005, this training is a mix of interactive exercises or discussion sessions and lectures by experts in their fields. The major subjects addressed in this course are domestic and foreign terrorist groups, identity crimes (including theft), money laundering, securities violations, and prosecuting cases using the state RICO-type laws.

This course is intended for experienced investigators, analysts, auditors, prosecutors, paralegals, regulatory personnel, and all others involved in the investigation and prosecution of financial crimes. The goal of the training program is to provide working professionals with training in the areas needed to address this new twist to financial crime investigation and prosecution.

At the conclusion of training, participants will be able to:
• Identify identity crimes, securities violations, and money laundering activities
• Employ investigative techniques to analyze financial evidence
• Assist in an effective criminal prosecution of the case

Economic Crime Foundation Series (ECFS)

NW3C’s first complete Online Distance Learning Program, The Economic Crime Foundation Series (ECFS), consists of five self-paced introductory level courses: Introduction to White Collar Crime, Elder Fraud, Identity Theft, Disaster Fraud, and Money Laundering. Access the following classes with your Username and Password on the NW3C “Members Only” Web site at: members.nw3c.org or ask your agency representative for more information.

Introduction to White Collar Crime
Familiarize yourself with the most common types of white collar crime. Learn about financial crime investigation and interview techniques. Find out where to go for important free resources.

Elder Fraud
Understand why seniors are targeted for financial crimes. Learn to recognize key indicators of their victimization. Receive tips on conducting investigations and interviews with elderly victims.

Identity Theft
Understand the many faces of this crime and why everyone is a potential victim. Receive tips on creative ways to investigate these cases. Learn vital prevention techniques.

Disaster Fraud
Become familiar with the that often abound after major disasters. Learn measures to minimize victimization from disaster frauds. Receive materials to use in educating, alerting, and reminding consumers about frauds.

Money Laundering
Learn how money laundering works and why it is important that you know about it. Understand how local businesses may support terrorist activities. Find out about state-level money laundering investigations.

Course Schedule

CYBER CRIME COURSES

CYBERCOP 101 - (BDRA) Basic Data Recovery and Acquisition
Date    Location
April 2 - 5, 2007    Richmond, VA
April 16 - 19, 2007    Huntsville, TX
April 23 - 26, 2007    Neenah, WI
May 7 - 10, 2007    New York, NY
May 14 - 17, 2007    Jacksonville, FL
May 14 - 17, 2007    Olympia, WA
May 21 - 24, 2007    Chicago, IL
June 11 - 14, 2007    Center City, MN
June 18 - 21, 2007    Thornton, CO
June 25 - 28, 2007    Helena, MT
July 16 - 19, 2007    Miami, FL
September 17 - 20, 2007    Tampa, FL

CYBERCOP 102 - (AFT) Introduction to Automated Forensics Tools
Date    Location
To be determined    To be determined

CYBERCOP 201 - (IDRA) Intermediate Data Recovery and Analysis
Date    Location
May 21 - 25, 2007    Orem, UT
October 22 - 26, 2007    Phoenix, AZ

CYBERCOP 202 - (ILook) ILook® Automated Forensic Application
Date    Location
April 2 - 6, 2007    Phoenix, AZ
June 11 - 15, 2007    Columbia, SC

CYBERCOP 203 - (E-MAIL) Windows® Client E-mail Data Structures
Date    Location
To be determined    To be determined

CYBERCOP 301 - (NTx) Windows NT® Operating Systems and the NT File System
Date    Location
May 21 - 25, 2007    Latham, NY

CYBERCOP 302 - (INET) Windows® Internet Trace Evidence
Date    Location
To be determined    To be determined

CYBER-INVESTIGATION 100 - (ISEE) Identifying and Seizing Electronic Evidence
Date    Location
April 23, 2007    Osage Beach, MO
May 31, 2007    Burlington, KY

CYBER-INVESTIGATION 101 - (STOP) Secure Techniques for Onsite Preview
Date    Location
April 2 - 3, 2007    Warrenton, VA
April 4 - 5, 2007    Warrenton, VA
April 9 - 10, 2007    Latham, NY
April 11 - 12, 2007    Latham, NY
April 16 - 17, 2007    Hutchinson, KS
April 18 - 19, 2007    Hutchinson, KS
April 23 - 24, 2007    Orem, UT
April 23 - 24, 2007    Mesa, AZ
April 25 - 26, 2007    Orem, UT
April 25 - 26, 2007    Mesa, AZ
April 30 - May 1, 2007    Little Rock, AR
May 2 - 3, 2007    Little Rock, AR
May 7 - 8, 2007    Springfield, IL
May 9 - 10, 2007    Springfield, IL
May 14 - 15, 2007    Lakewood, CO
May 14 - 15, 2007    Oklahoma City, OK
May 16 - 17, 2007    Lakewood, CO
May 16 - 17, 2007    Oklahoma City, OK
May 21 - 22, 2007    Salem, OR
May 23 - 24, 2007    Salem, OR
June 4 - 5, 2007    South Portland, ME
June 6 - 7, 2007    South Portland, ME
June 11 - 12, 2007    Boise, ID
June 13 - 14, 2007    Boise, ID
June 18 - 19, 2007    Johnston, IA
June 20 - 21, 2007    Johnston, IA
June 25 - 26, 2007    Fairbanks, AK
June 27 - 28, 2007    Fairbanks, AK

CYBER-INVESTIGATION 201 - (BOTS) Basic Online Technical Skills
Date    Location
To be determined    To be determined

ECONOMIC CRIME COURSES

ACIAPT (Advanced Criminal Intelligence Analysis to Prevent Terrorism)
Date    Location
To be determined    To be determined

Analyst’s Notebook® 6 by i2, Inc.
Date    Location
April 16 - 20, 2007    Phoenix, AZ
June 18 - 22, 2007    Franklin, MA

FCAS (Financial Crimes Against Seniors)
Date    Location
May 16 - 18, 2007    Johnston, IA

FIAT (Foundations of Intelligence Analysis Training)
Date    Location
April 30 - May 4, 2007    Portsmouth, RI

FIPS (Financial Investigations Practical Skills)
Date    Location
April 9 - 13, 2007    Brighton, CO
May 7 - 11, 2007    South Bend, IN

FREA (Financial Records Examination and Analysis)
Date    Location
May 7 - 11, 2007    Newport News, VA
May 21 - 25, 2007    Billings, MT

IDTI (ID Theft Investigations Training)
Date    Location
June 6 - 8, 2007    Vancouver, WA

WCCAT (White Collar Crime and Terrorism)
Date    Location
To be determined    To be determined

For more information visit the training section of the NW3C Web site at www.nw3c.org, or call toll free at (877) 628 - 7674.
For Cyber Crime Courses: Damita Jones - Ext. 214, or Tammy Deavers, Ext. 234
For Economic Crime Courses: Rose Dunigan - Ext. 267

You’ve successfully completed Cybercop 101 - (BDRA), where you learned basic skills to begin a computer investigation, so what’s next?

In December 2006, the Cybercop 201 - Intermediate Data Recovery and Acquisition (IDRA) class was hosted at NW3C’s training office in Fairmont, West Virginia. Twenty-eight students from around the country attended the class, hoping to further their knowledge and skills in the area of computer investigations and processing.

The IDRA course is designed as the “sequel” to Cybercop 101 - Basic Data Recovery and Acquisition (BDRA), covering the forensic examination of Windows®-based operating systems. The course takes computer investigations one step further by concentrating on processing various Windows files. Unlike its prerequisite, BDRA, the IDRA course is scenario-based, with students examining a suspect’s hard drive, as well as additional pieces of evidence, throughout the duration of the class.

The 4 ½-day course is broken into blocks, allowing students to learn and apply these complex skills as they walk through one case throughout the entire class. Students become more involved in the computer investigation process by learning how to search for and collect data within the complex files of the various Windows applications, such as the recycle bin, swap file, the registry, long file names, and date and time information.

A few days before the class begins, instructors prepare by gathering and preparing sample cases and scenarios for students to investigate. The IDRA classroom is equipped with a computer for each student. Each computer is tested, which can take from 45 minutes to two hours.

The Instructors

The class in Fairmont was led by NW3C instructors Mel Joiner and Scott Pancoast. Both instructors have taught the IDRA course for over five years and agree that IDRA is one of the most important courses offered by NW3C. They also agree that IDRA is one of the most exciting courses to teach.

For the past three and a half years, Scott Pancoast has taught an average of 20 classes per year for NW3C. Before joining NW3C as an instructor, Scott worked with the Washington State Attorney General’s Office as a trainer, where one of his first classes contained 1,300 students.

Scott commented on teaching the IDRA class, saying, “I enjoy teaching to a good group of people eager to learn. Students in the [IDRA] course usually have a better understanding of what they are doing, which makes it more enjoyable.”

In addition to the IDRA course, Scott also teaches NW3C’s BDRA, ILOOK® Automated Forensic Application (ILOOK), and Secure Techniques for Onsite Preview (STOP) courses.

Photo: Scott Pancoast, Computer Crime Specialist

Mel Joiner has taught with NW3C for seven years, and is currently the supervisor of NW3C’s Computer Crime Section. Prior to joining NW3C, he taught with the Arizona Department of Public Safety. For Mel, the IDRA class is the most important course offered by NW3C.

“IDRA is a very important class because it is the basis of other more complex courses. It is a stepping stone for learning more complex computer investigative skills,” Mel commented.

He describes the course as a “marriage between investigative and technical.” Mel explains that the IDRA course emphasizes that the investigation of technical items such as computers, requires both specific skills and the “non-technical” investigative knowledge learned by professionals.

Other NW3C courses taught by Mel include Identifying and Seizing Electronic Evidence (ISEE), STOP, BDRA, and ILOOK courses. He teaches an average of 15 classes each year.

Photo: Mel Joiner, Computer Crime Section Supervisor

The Students

Students who benefit the most from the IDRA course tend to be involved in computer investigations on a regular basis and are usually familiar with network structures and processing, according to IDRA instructors.

The IDRA class held in Fairmont, WV contained students from agencies across the country. Towards the conclusion of the class, students talked about their learning experience and how their newly learned skills are applicable to their jobs.

Danny Camden, a Lieutenant for the West Virginia Police Department, attended the IDRA course to refresh his investigative skills. Camden works as a cyber crime and criminal investigator. He has participated in over five training courses offered through NW3C.

Camden describes the difficulty of the class as “right where it needs to be.” He also commended the course for incorporating new and evolving technology.

“I could retake the class several times and still get something out of it every time,” commented Camden.

[Photo: Lt. Danny Camden, Criminal Investigator, West Virginia Police Department]

Two other IDRA students, John Morrison and Jimmy Daniels, came from the West Virginia Department of Education.

“We’ve seen an increase in the misuse of computers in the educational setting. It is necessary for us to be trained in how to look at and investigate it,” said Morrison.

Morrison compares the IDRA course to its prequel (BDRA) as more challenging, with the materials going more in-depth with the investigation of files. He was specifically interested in learning how to discover hidden or erased information on computers. Morrison explained why the IDRA course was necessary and how these new skills will be used in his job.

[Photo: John Morrison, Investigator, West Virginia Department of Education]

“In the past we’ve had teachers place pornography on school computers and we need someone who is forensically trained and who can properly investigate and deal with [this type of] evidence,” said Morrison.

Morrison also recommended the IDRA course to Jimmy Daniels, a computer programmer for the West Virginia Department of Education. Daniels describes the course as challenging and enjoyable at the same time. Learning the complex investigative skills taught in the IDRA course, Daniels has become a valuable resource for his agency to assist with computer investigations.

[Photo: Jimmy Daniels, Computer Programmer, West Virginia Department of Education]

Jon Bowe, network administrator for the Fairbanks Police Department, traveled to West Virginia from Fairbanks, Alaska to attend the IDRA course. He chose to attend the IDRA course in order to further his education and skills in computer investigations.

“The things I’m learning from the course are very helpful to me. It makes investigations a little easier because I know just where to go to find answers,” said Bowe.

The most enjoyable aspect of the course, according to Bowe, was the instructors’ depth of knowledge. “I haven’t been able to stump them yet,” he commented.

[Photo: Jon Bowe, Network Administrator, Fairbanks (AK) Police Department]

The IDRA course involves complex techniques and investigative skills that require participants to possess a good understanding of computers and common software applications. Eligibility for the class requires students to have completed previous training in Cybercop 101- BDRA or the equivalent and have experience drawn from the applications of the techniques utilized in the BDRA training.

At the conclusion of the course, students are required to take a final exam that is pass/fail. Students who successfully complete the course and final examination, receive an IDRA completion certificate in their name.

[Photo: Fairmont IDRA Class Photo]

The IDRA course is taught in various cities across the country. Check the Training Schedule in this issue for upcoming classes in your area.

To find out more information about the IDRA course and other training classes offered by NW3C, visit our Web site at: www.nw3c.org or contact Tammy Deavers, Cyber Crimes Program Coordinator, at 877-628-7674, ext. 234.

NW3C Provides Unique Department of Homeland Security Training
By Mark Gage, NW3C Deputy Director

In 2005, NW3C was awarded funding by the Office of Grants and Training, Preparedness Directorate, U.S. Department of Homeland Security (DHS) to develop and deliver three new training programs for state and local law enforcement. The classes are unique and invaluable for state and local agencies involved in the investigation of terrorism and the production of intelligence.

Specifically, this funding arises from the Office of Grants and Training (G&T) which is a component of the U.S. Department of Homeland Security’s Preparedness Directorate. They are responsible for preparing the nation against terrorism by assisting states, local and tribal jurisdictions, and regional authorities as they prevent, deter, and respond to terrorist acts. G&T provides a broad array of assistance to America’s first responders through funding, coordinated training, exercises, equipment acquisition, and technical assistance. Without this funding, state and local law enforcement would go without this needed training.

NW3C staff has worked closely with DHS through the development process and is beginning to roll out the classes with DHS approval. As class locations are scheduled, they will be posted on our Web site, www.nw3c.org.

NW3C is primarily funded by Congressional appropriation through the US Department of Justice, Office of Justice Programs, Bureau of Justice Assistance. Now with this independent DHS funding, NW3C is in a unique position of providing benefit to state and local enforcement agencies by partnering with these diverse agencies.

Advanced Criminal Intelligence Analysis to Prevent Terrorism

In today’s information sharing environment, law enforcement analysts and investigators have a need to better understand the basics of national security intelligence, and the role of state and local law enforcement in the overall Homeland Security continuum. Additionally, in order to more effectively analyze the large quantity of information available, state and local personnel need to understand advanced strategies and methods needed to produce intelligence products that can be used successfully to counter terrorism.

To address this need, NW3C assembled a group of experts from the intelligence community, including national security, military, and law enforcement intelligence agencies, to determine the specific training needs of this endeavor. The group of subject matter experts included many senior state and local law enforcement intelligence professionals, a former Assistant Director of Central Intelligence for Analysis and Production (CIA), professors from the Joint Military Intelligence College and Mercyhurst College, a former West Point professor, and the FBI, among others. From the advice and assistance of this group, the course was developed.

Law enforcement intelligence for counterterrorism requires a more strategic and predictive approach to deal with both domestic and international terrorist threats. This training helps law enforcement analysts become aware of intelligence processes used in the national security arena, and state and local law enforcement’s role in the intelligence community.

This week-long program is a skills based class that covers advanced analytic methodology, such as “Analysis of Competing Hypothesis” (ACH), and uses advanced teaching techniques, such as the case study method. Extensive work in groups and hands-on exercises occur. The goal is to provide the investigator/analyst with an increased ability to be predictive or estimate terrorist and other criminal actions.

The class is designed for law enforcement personnel who have successfully completed a basic level intelligence analysis training.

Fast Cyberforensic Triage

With the proliferation of digital-based information, the need for the timely identification, analysis, and interpretation of digital evidence is becoming crucial. In many instances critical information is required while at the scene or within a short period of time - measured in minutes or hours as opposed to days or weeks.

The traditional cyberforensics approach is clearly inappropriate and ineffective in circumstances where there is a time-sensitive element. The primary purpose of this course, developed in conjunction with Purdue University, is to provide law enforcement professionals with the knowledge and skills necessary to prioritize, focus, and accelerate the recovery of digital evidence in a real-time environment, and communicate essential discoveries to an interview in progress. The program includes lectures, demonstrations, and practical exercises.

This accelerated approach confers several distinct advantages over the “traditional” cyberforensic examination:

• The ability to collect actionable intelligence;
• The ability to utilize time-critical and time-sensitive evidence;
• The ability to rapidly identify potential targets of terrorist plans;
• The ability to identify and investigate additional suspects and accessories prior to public knowledge of the current investigation; and
• The ability to identify and freeze or seize financial or other assets relating to terrorist activities.

This course has been designed for sworn law enforcement officers, probation/parole officers, prosecutors, and law enforcement or regulatory support staff whose duties include the investigation and prosecution of crimes in which high technology and the examination of electronic evidence are involved. Attendees should already possess at least an introductory level understanding of basic cyberforensic principles. Attendees should not expect to get in-depth computer-forensic training from this course. That type of training may be found in other NW3C courses.

Introduction to Securing Law Enforcement Networks

In a world of electronic communication, it is important to make sure that information transmitted is secure. This is especially true in a law enforcement environment. Many times paper information is locked and protected, but when it becomes digital and goes from one computer to another, this security is lost. This is often due to the way many networks are configured and operated. Either no security policies are in place to prevent accidental loss of information or the network is susceptible to easily being “hacked”. Should an intrusion occur, many agencies lack the ability and knowledge to determine the cause or to prevent further incidents.

This training course was also developed in conjunction with Purdue University and is designed to assist law enforcement with a basic knowledge of how to set up local area networks and to prevent the most common types of intrusions and compromises.

Introduction to Securing Law Enforcement Networks, ISLEN, consists of 24 hours of classroom instruction. The classroom instruction includes instructor presentations and hands-on practical exercises. The student will learn about recognizing potential security threats and how to safely and methodically administer law enforcement networks. Training includes instruction on network essentials, communications, services, risk/threat analysis, and the need for a strong network security model. Participants will get hands-on experience with security threats, security tools, vulnerability assessment, network topology, and router configuration. Attendees will learn how to analyze networks, assess security, neutralize vulnerabilities, reduce downtime and liability, and develop policies and procedures to maintain secure environments.

To successfully complete the course, the student must attend the 24 hours of classroom training and successfully complete an end of class computer-based multiple choice examination.

This course has been designed for sworn law enforcement officers and law enforcement or regulatory support staff engaged in operating or assisting in the operation of a computer network with 50 or less users. Attendees should have a basic understanding of the workings of a computer network and should presently be maintaining or assisting with the maintenance of their agencies’ networks.

It has been called one of the largest affinity frauds and the largest non-profit bankruptcy in United States history. Nearly 100 separate legal entities filed bankruptcy as part of its collapse. At the time of the bankruptcy, there were in excess of 11,000 investors located in every state in the United States and in several foreign countries. Investors were owed nearly $600,000,000 with less than $250,000,000 in identified assets. It is the Baptist Foundation of Arizona (“BFA”).

The remaining five individual defendants were sentenced in early February 2007 for their roles in the BFA, bringing to a close a case that started in Arizona in 1998. Following one of the longest criminal trials in Arizona’s history, the principal defendants, Bill Crotts (“Crotts”), President, and Thomas Grabinski (“Grabinski”), Vice President and General Counsel, were found guilty of conducting a fraudulent scheme and operating a criminal enterprise, and were sentenced to eight and six years in prison, respectively. The victims testified at Crotts’ and Grabinski’s sentencing hearing about the impact their criminal acts had on their lives. Their testimony was some of the most compelling and heartbreaking statements the prosecution team had heard in their collective careers. The criminal and parallel civil cases involving Arthur Andersen, LLP (auditors of BFA), and an outside law firm that represented BFA in its securities offerings, took substantial human and financial resources to investigate and prosecute. The National White Collar Crime Center (“NW3C”) provided financial assistance to agencies of the state of Arizona that assisted in reaching successful conclusions in all cases.

After a year-long investigation conducted by the Arizona Office of the Attorney General (“AG”) and the Arizona Corporation Commission-Securities Division (“ACC”) (collectively, the “State”), a meeting was held in July 1999 between representatives of the State and counsel and consulting experts representing the BFA and several related organizations, including Arizona Southern Baptist New Church Ventures, Inc. (“NCV”), Christian Financial Partners, Inc. (“CFPI”) and ALO, Inc. (“ALO”). During that meeting, State representatives provided evidence to BFA, NCV, CFPI, and ALO representatives detailing specifically why the State believed that those organizations, operating through BFA senior management, Crotts, Grabinski, and assisted by others within and outside of BFA, were perpetrating a securities fraud on the investing public. No one in that meeting could have imagined what was started that day.

What State representatives described in that July 1999 meeting was a long running (in excess of 10 years) accounting fraud that concealed the true financial condition of BFA, NCV, and CFPI from the investing public through use of off balance sheet companies, primarily ALO and its subsidiaries. In fact, the off balance sheet companies were controlled by senior management of BFA, including Crotts and Grabinski. The financial statements of BFA, NCV, and CFPI were manipulated to present

Continued on page 42

Kathleen Kempley is a Special Agent with the Arizona Attorney General’s Office, and the NW3C Mountain Region Board Member. She started her law enforcement career in 1988 as a college intern with the Arizona Corporation Commission, Securities Division. She assisted with investigations into the sale of unregistered securities by unregistered salesmen and dealers. In May 1988, she received a Bachelor of Science degree in Justice Studies from Arizona State University and was hired full-time as an Investigator for the Securities Division. In 1992, she was hired as a Special Agent with the Arizona Attorney General’s Office and became a certified police officer in 1993, after graduating from the police academy.

[Photo: Kathleen Kempley, Special Agent, Arizona Attorney General’s Office, and NW3C Mountain Region Board Member]

At the Attorney General’s Office, she investigates all types of white-collar crime, including theft, fraud, and securities fraud. She also investigates public corruption and is “in-training” to assist with their computer forensics needs. In addition, she is one of the firearms instructors for her agency.

Ms. Kempley’s history with NW3C started back in 1988 when it was the Leviticus Project Association. At the time, she was an investigator with the Arizona Corporation Commission, Securities Division. For several years, she handled most of the agency’s investigations involving mining fraud (primarily gold mining fraud). She was also involved in a joint project between the Leviticus Project and NASAA on called MULES.

A few years after coming to the Attorney General’s Office, she became the agency’s NW3C member representative. Her involvement increased after receiving a telephone call from Tony Owens requesting that she consider being appointed the second alternate for the Mountain Region.

Kempley’s agency has utilized NW3C on several cases. The most recent involves case funding to assist the agency in two separate investigations. One of those cases was the Baptist Foundation of Arizona.

In today’s world, as concern over terrorism expands, so must the world of computer forensics. It is no longer enough just to investigate a case with only a criminal investigative state of mind. You, the computer forensic examiner, must develop a new mind-set that adds both real-time intelligence gathering and analysis into conducting a normal criminal investigation. In some cases, this may be the only link between the local agency and national intelligence.

In addition, it is no longer enough to simply examine a single hard drive associated with a specific computer; now you must consider a multitude of additional devices in which evidence may be found. Some of the new devices which have materialized in recent years include: cell phones, personal digital assistants (PDA), smart phones, GPS devices, and a myriad of miniature storage media. The overwhelming abundance of electronic media, and our ability to analyze it, establishes the need to move beyond examining only the computer. We need to include other devices which may also be potential sources of evidence.

While conducting a forensic examination of a suspect’s computer, looking for proof of child pornography, you run across what appear to be vacation photos of the Golden Gate bridge. You notice that while there are a lot of pictures of the bridge, with and without people in them, there are no other photos of San Francisco. Odd, but you continue your investigation. Later you find a document that contains the specifications of the Golden Gate bridge: length, thickness, weight, etc. Why does your suspect have this kind of information on his computer? Maybe, while you were trying to find evidence of child pornography, instead you found evidence of intelligence gathering for a terrorist attack.

Terrorism and Intelligence
Article by Jerry Jones, Adjunct Instructor, NW3C and Justin Wykes, Computer Crime Specialist, NW3C

What is Terrorism?

Ever since September 11, 2001, the word terrorism can be heard around-the-clock on television, radio, and around the water cooler, but does anyone truly know what they are talking about? Certainly we all know a terrorist act when we see one: an explosion in a crowded mall, random sniper shootings, or even a plane being intentionally flown into a building; but how do we know whether this is a terrorist act, a tragic accident, or just another crime?

Surprisingly, defining terrorism seems to be a more difficult task than one would expect. Most definitions are biased, based upon the agency that came up with the definition. For example, the Department of Defense’s definition is focused heavily on the political nature of terrorism, whereas the FBI’s definition focuses more on the illegal nature of the acts. [1] For the purpose of this article, we will combine several definitions and use the following:

The illegal use of threats or violence to create a state of fear, with the intention of bringing about a desired result.

Typically, terrorism is focused around political or religious change, but can be as limited as the use of intimidation to convince a neighbor to move out of the neighborhood. In this article, our focus will be on the larger view of terrorism; we will focus on groups that have the aim of bringing about a political change.

It is important to note that terrorism and insurgency are not the same thing. Insurgency is not inherently bad; for example, during the American revolutionary war, those fighting for the freedom of the colonies would also have been considered insurgents. The NATO definition of insurgency is “an organized movement aimed at the overthrow of a constituted government through the use of subversion and armed conflict.” [1] Effectively, what makes an insurgent a terrorist is their choice of target, and the legality of that choice. By attacking a legitimate military target, they will stay within the realm of an insurgency. When their attacks focus on the general public with the goal of creating fear, they have crossed the line into the realm of terrorism.

How Are Terrorist Groups Organized?

Terrorist groups are usually divided into cells. A terrorist cell can easily be thought of as a small team of people, each with a specific skill set, who work together to achieve an operational goal. Often, one cell is unaware of the membership, or operational goals of another. This makes finding the “bigger fish” within the organization considerably more difficult.

Terrorist cells can be organized in either a networked or a hierarchical pattern. The hierarchical pattern has a specific chain of command, whereas the networked pattern can be seen as several teams with similar goals who work independently from each other. Commonly, a group is organized into some combination of the two.

Could My Suspect Be a Terrorist?

When serving a search warrant, you discover several explosive devices, and manifestos detailing how this individual’s group is going to destroy America. Congratulations, you’ve found a terrorist, but are all terrorists the same? Do they all perform the same functions within an organization? The simple answer is no.

Terrorists are often described as falling into one of four basic levels: leaders, cadre, active supporters, and passive supporters. [1] The levels can be thought of as a pyramid with leaders at the top, composing the least number of individuals, to passive supporters at the bottom. Due to the types of terrorists, and terrorist supporters, you must keep in mind that the evidence you will find will vary depending upon where in the pyramid a certain individual falls.

Leaders provide direction, initiate policy, and approve the goals and objectives of an organization. They are the “big fish” of the organization and normally filter up through the group to the top, or will start their own organization if their objectives vary from the group they may have come from. [1]

Cadres are the active members of a terrorist group. This is the level in which our terrorist above would have resided. Cadre members plan and conduct operations, as well as manage intelligence, finances, logistics, and communication for their organization. [1]

Active supporters operate in the political arena, fund raising, and information activities of the group. They will also provide safe havens, finances, medical attention and transportation to other members of the organization. Active supporters are aware of their connection to the organization, but do not directly participate in the violent aspects of an operation.

Passive supporters are the largest group within a terrorist organization, but are not necessarily aware of their connection to the group. Typically, they are sympathetic to the goals of the group, and provide the base population from which members are typically recruited. They also support organizations which then turn around and support terrorism, without the individual ever knowing that they have supported a terrorist organization.

Electronic Evidence Sources

Now that you have a better understanding of terrorism, where can you look for potential sources of electronic evidence of terrorism, or even additional locations of evidence for your criminal case? You know that you must be willing to look beyond only the suspect’s hard drive, but where else may you find information of either evidentiary or intelligence value? The following is a list of potential sources of evidence, and the type of evidence you may find there:

Cell Phones

With the ever increasing technology in modern cell phones, the use of cell phones throughout the world has expanded exponentially. The cell phones of today have come a long way since the “brick phones” of old which could only make and receive phone calls. Today’s cell phones have a wealth of information available in electronic form. This data includes sent and received text messages, contact lists, calendar functions, a list of most recent numbers called and received, personal information, and - in most phones today - images, photographs, or even videos.

Any investigator looking into a case concerning terrorism, white collar, or financial crimes, can see how valuable this type of information may be. As examples: photographs of potential targets, phone numbers of collaborators, or reconnaissance videos may be found. With easily obtainable information from the phone, a story can be created as to the history of activities as well as where a phone was used on a specific date. Sometimes overlooked in cell phone cases is the wealth of information available outside of a normal cell phone examination. This is the information available from service providers, such as subscriber information, through the use of a subpoena or search warrant. This technique also applies to Internet service providers.

PDA’s and Smart Phones

In addition to the above information that can be gleaned from a cell phone, a PDA will have a variety of additional data in electronic form. Most data found on a PDA is the same type of information that can be contained on a computer hard drive. Examples include: graphics and images, Web browsing information and history, documents, spreadsheets, e-mail, voice recordings and GPS routes. These types of files could be as important as: photos of potential targets, text messages and e-mail to associates, GPS routes and locations of drops, Web purchases of contraband, voice recordings of terrorist leaders preaching to their followers, and the list goes on and on.

“Smart phones” are also referred to as hybrids since they perform the full functions of a cell phone as well as those of a PDA. When seizing a PDA or smart phone, an investigator needs to ensure that all peripheral attachments are seized. This is especially important in regard to the device’s power charger, because it is possible for important data to be lost if the device loses power.

GPS Devices

Do not overlook the potential evidence located on a GPS device. Routes can be stored as well as a tracking of all the places the GPS device had been used. Most logging on a GPS device will include dates and times. As with any electronic data device, this data may be recoverable.

Removable Storage Media

Storage media is worth mentioning since it can be very small, yet hold vast amounts of data. Most of the devices mentioned above have the capability of accepting a storage media of some type.

These may be removable memory cards, such as: compact flash cards, Storage Device (SD) media, or even the new micro SD cards. Take the time to familiarize yourself with these storage devices so they are not overlooked in a search of a suspect or location. The micro SD card, for example, can currently hold up to 2 gigabytes of data, but is as small as a fingernail.

Other removable devices would include: removable hard drives, USB thumb drives, CDs and DVDs; all of which can hold large amounts of information, but can be small. A USB thumb, for example, can be as small as a quarter, and easily be hidden in a suspect’s pocket.

These are only a fraction of the potential sources of electronic evidence. It is imperative that you stay up-to-date on the latest electronic media and devices. This will allow you to articulate them in search warrants, as well as know what to look for, both at the scene, and on the suspect.

Remember to keep in mind that the type of evidence you are looking for, and where you might expect to find it, will vary depending on your suspect. Terrorists are organized into different levels, different groups, and can have completely different objectives. Don’t expect to find the same type of evidence in every case. Before you go out, think about what evidence you might expect to find, and where to look for it. In other words, be prepared.

Conclusion

A new approach to computer forensics must be adopted by all of us. Just because the case file on your desk states that you are investigating a money laundering case, does not necessarily mean that the true scope of the investigation could not be much larger.

It is simply not feasible to expect federal law enforcement to stop terrorism if you adopt a “that’s not my job” approach to your investigations. Not only must you be cognizant of evidence of terrorism, but you must remain constantly vigilant in any case you investigate. Local law enforcement and national level intelligence need to work hand-in-hand, because often you will be the first indicator of a problem. Remember, you are the first line of defense.

References:
1. US Army Training and Doctrine Command, (2005). A Military Guide to Terrorism in the Twenty-First Century. Available from http://www.fas.org/irp/threat/terrorism/guide.pdf; Internet; Accessed 8 Jan 2007.

About the Authors

Jerry Jones is retired from the law enforcement community after almost 31 years with the Portland Oregon Police Bureau and is currently an instructor for NW3C. For the past three years Jones has been a full time computer forensics examiner for the Detective Division of the Portland Police Department and was assigned to the FBI Northwest Regional Computer Forensics Lab. In this capacity, he has examined media in numerous cases including computers, cell phones, PDAs, and other electronic media. Jones has significant experience in computer forensics, investigations, and vehicular assault/fatal reconstruction. Jones has testified in court as an expert witness in both accident reconstruction and computer forensic matters.

Jones received a BA in Administration of Justice from Portland State University. In addition he is a certified FBI CART examiner, IACIS CFCE, and holds COMP-TIA A+ and NET+ certifications. Jones is also certified as an examiner and has instructed Paraben’s Cell Seizure curriculum, PDA Seizure, Net Analysis, and P2 products.

Justin Wykes is new to NW3C as a Computer Crime Specialist, teaching the STOP course. Wykes previously worked for the United States Army in Cyber Counterintelligence Activity as a Special Agent doing computer forensics. Wykes has a BS in Criminal Justice from Grand Valley State University in Michigan.

Case Highlights

Ponzi Scheme in Colorado Ends in 20-Year Jail Sentence and over $500,000 in Restitution Ordered
A white collar securities fraud criminal is brought to justice due to the cooperative efforts of several NW3C agencies.
By Chief Investigator Charles B. Reinhardt, Colorado Division of Securities

It was a long and winding road, but numerous victims of securities fraud, theft, and organized crime activity finally felt somewhat vindicated on October 19, 2006, when Jefferson County (“Jeffco”) Colorado District Judge Brooke Jackson sentenced Andrew P. Weis to serve 20 years in the Colorado Department of Corrections and to pay restitution to his victims that remained alive on the date of sentencing in the amount of $569,800.

The road for some of the victims of Mr. Weis’ criminal behavior started as long as 10 to 15 years ago. In the early to mid 1990’s, Mr. Weis spoke at retirement preparation seminars hosted by hospitals in the Denver, Colorado area. When the Los Alamos Laboratory in Los Alamos, New Mexico was downsizing its work force, Weis spoke to numerous individuals who took early retirement from the lab. Weis would set up Investment Adviser arrangements with individuals who attended these seminars and provide advice on how to invest and stretch their investment nest egg. Weis’ clients were individuals who had spent a lifetime putting money away to live on in their golden years. But depending on investment advice from Weis proved to his clients there was no goose that laid golden eggs. They later learned that they were victims of his criminally fraudulent activities. Weis’ criminal activities affected 15 of his clients in Colorado, 18 of his clients in New Mexico, and two of his clients in Texas, whose losses totaled approximately $535,000.

The arrangements between Weis and his clients - many of whom were infirmed, widowed, on oxygen 24-hours per day, in wheel chairs and/or housebound for various medical conditions - went smoothly for many years. However, by 2001, things began to change drastically. Weis left employment at a licensed brokerage firm. He convinced many of his clients to invest in his company known as Total Financial Management, Inc. Weis had clients who resided in both New Mexico and Colorado. He flavored his sales pitch with numerous untrue statements and omissions of material facts in violation of the anti-fraud provisions of the Colorado and New Mexico Securities Acts.

Beginning in December 2002, investigators from the Colorado and New Mexico Securities Divisions began cooperating in a joint investigation of Mr. Weis’ violative criminal conduct. One bump along the investigative road was that both agencies, who are members of NW3C, needed assistance in the analysis of voluminous amounts of bank records. NW3C stepped in to smooth the road. Two former NW3C analysts, Angela Bisland and Kelly Slazyk, were assigned to this project, and their analysis was outstanding. In addition to providing spread analysis of bank records, these analysts provided numerous demonstrative exhibits that were instrumental in assisting the Prosecutor to draft a 34-count criminal complaint against Weis. Another bump in the investigative road was smoothed when the North American Securities Administrators Association provided travel money so investigators from Colorado and New Mexico were able to conduct joint in-person interviews of investors/victims who resided in both states.

Colorado Division of Securities (“CDOS”) investigator Joe Burtness’ expert investigative work assisted and complemented the highly professional work accomplished by Jeffco prosecutor Thomas Jackson in this case. The criminal complaint filed by Mr. Jackson charged Weis with numerous counts of theft from at-risk adults, securities fraud, and with violations of the Colorado Organized Crime Control Act.

After looking for Weis for more than six months prior to charges being filed, CDOS investigator Burtness found Weis living in the Phoenix, AZ area. CDOS investigator Burtness was able to obtain assistance from the Phoenix, AZ Police Department’s (“Phoenix PD”) fugitive detail with surveillance of Weis. On October 24, 2006, Officer Vanessa Warren, a patrol officer on the Phoenix PD, called CDOS investigator Burtness to say she had arrested Weis and that he had actively resisted arrest.

[Photos: Andrew Weis: “Before” and Andrew Weis: “After”]

Weis’ criminal activities touched the lives of at least 35 of his clients, not all of whom lived to see justice administered to Weis in 2006, but the remaining victims expressed their gratitude to all who persevered in bringing this man to justice.

The Role of Computer Crime Investigators in Counter Terrorism and Intelligence Gathering
By Dr. Marcus Rogers, Department of Computer Information, Purdue University

The role of law enforcement has changed in recent years. The world, and more specifically, the patterns and nature of crime have become more complicated. We now live in a world where the lines between criminals, criminal organizations, and terrorist groups have become drastically altered, if not altogether blurred, and in some cases non-existent. This convergence between these so-called “classes” of criminals has been further accelerated by technology and the Internet. These criminals, and criminal organizations, are realizing the same benefits that technology has provided to society and businesses. Technology is no longer a tool solely used by white collar criminals or hackers to further their criminal tradecraft.

Technology is being used by terrorist groups and organized crime for recruiting purposes, marketing and propaganda, fund raising, communications, and intelligence gathering - to say nothing of its use as a weapon for targeting our computer systems and networks for attacks. Recent studies indicate that prior to 9-11, few, if any, of the jihadist groups had Web sites (approximately 12). Today there are an estimated 4,500 cyber-jihadist Web sites supplying rhetoric, chat rooms, and information for terrorists and their supporters on potential targets, training videos, etc. In most cases, these sites are attempting to enflame the passions of those sympathetic to their cause. The Mujaheeden state, “The Internet is a battle space for jihad and it is one of the primary outlets for jihadi propaganda and training.” Even the more traditional terrorist groups such as the PLO and ETA have Web sites dedicated to getting their messages to the public (albeit these sites existed prior to 9-11).

There are documented cases in which criminals, criminal organizations, and terrorists are using technology for counter-surveillance purposes. These individuals are setting up e-mail accounts and, rather than sending the e-mail – which can then be tapped - they save the e-mail as a draft. They then share the account password with their counterparts who simply log in and look at the draft. The message gets delivered without ever actually leaving the computer system or server; this makes it very hard to intercept. These groups are also using encryption technology like steganography to embed hidden messages, and new technology like encrypted Voice over IP (VoIP) to make wire tapping of their phone conversations much more difficult.

The staggering rise in online fraud, , pharming, and identity theft has been tied directly to increased involvement by well funded criminal organizations. It has also been theorized that many of these criminal organizations have direct ties to terrorist groups, either foreign or domestic. The limited research to date has speculated that there is a great deal of profit to be made by individual criminals and criminal organizations, selling either their technical expertise and/or data obtained through their illegal conduct to the highest bidder, whether that bidder be a foreign power, outlaw gang, or eco-terrorist group, etc.

The emergence of this use of technology and these data or technology “brokers” underscores the need for more emphasis on intelligence-led policing. The old adage that “knowledge is power” has never been more correct. In this information age, information and data are vital. Efforts such as the FBI’s Joint Terrorism Task Force (JTTF) are focused on bringing state, local, and tribal law enforcement agencies (SLE) into the “war on terrorism”. These initiatives are centered on intelligence (“intel”) and the sharing of intelligence between these entities. Today, SLEs are being asked to move from a criminal intelligence approach to a more generic intel approach that will hopefully allow someone at some level to better connect the proverbial dots. Again, the need for the reciprocal sharing of intel between all the levels of law enforcement is the key to success here.

Continued on page 42

Travel Business Owner Commits Fraud in Ohio
By Mark A. Machan, Chief, City of Milford Police, OH

Social Scientist Edwin Sutherland coined the term white collar crime in the 1940’s in his book called, “White Collar Crime.” Sutherland defined white collar crime as “a crime committed by a person of respectability and high social status in the course of his occupation.”1 White collar crimes and the violators do not always fit into Sutherland’s definition. White collar crime includes, by way of example, such acts as promulgating false or misleading advertising, illegal exploitation of employees, mislabeling of goods, violation of weights and measures statutes, conspiring to fix prices, evading corporate taxes, computer crimes, and so on. White collar crime is most distinctively defined in terms of attitudes toward those who commit it. These crimes are punishable by law.

White collar crime often goes unnoticed in our society due to an apathetic nature toward crimes because, for the most part, they seem “victimless.” However, fraud like this costs U.S. organizations more than $400 billion annually.2 This loss is substantially larger than street crimes. In a small city, a significant economic loss to the community can be devastating. This was the case in the Travel Center, Inc. investigation.

On March 15, 2004, an incident was reported to the City of Milford Police Department regarding the owner of a local travel business that was perpetrating a fraud with those that booked vacations with him. The original complainant stated that he booked a cruise through the owner of Travel Center, Inc, in Milford, Ohio. The owner of the company, David Sheets, would encourage customers to pay for their travel plans by cash, check, or money order. He would then book their travel plans using fraudulent credit cards. The initial report indicates a loss of $40,000.

All frauds involve a transaction, that is, an exchange between the victim and the offender.3 In this case, the victim gives David Sheets some money (cash, check, or money order) and David Sheets is supposed to make the travel arrangements for the victim. But what the victim gets in return is that he or she either has to pay again for the same vacation, or after returning, finds additional charges on his or her credit card.

David Sheets was initially contacted by customers to make travel arrangements for them. Sheets then offers them an unbelievable travel price if they pay by cash, check, or money order. The customer then paid by the cash, check, or money order, and received the discount purported by Sheets. Sheets then took the remuneration and deposited the money into accounts for personal use. He made the reservation for the travel plans for the victim but never did pay for the trip.

When the day drew close for the victim to leave on vacation, Sheets then paid for the victim’s travel plans, using another traveler’s . During the investigation, Sheets claimed to have permission to use the credit cards, however the owners of those cards had never granted permission. The victim then traveled, and discovered that they had yet to pay for their hotel or other charges. The other scenario that occurred was when the victim returned home from traveling and discovered charges on their personal credit card, and the card that Sheets had used was being disputed by the original card holder.

The second fraud occurred from those victims that would not “bite” on paying for the service with cash, check, or money order. The victim would decline the savings Sheets claimed and pay for their travel with their credit card. The victim would then notice charges on their credit card invoice for other travel arrangements that they had not made. The result of this fraud was that the victim would then dispute any erroneous charges on the credit card. Victimization occurred for the credit card holder who would assume the loss. In some cases, the credit card company assumed the loss; in others, the airlines or hotels assumed the loss; and finally, in a few cases, the host company internalized the loss.

On December 22, 2004, David Sheets was indicted by a Clermont County, OH Grand Jury. After his arrest and bond was posted, Sheets continued to operate his travel business as before. David Sheets’s advance swindle schemes took place between January

Continued on page 41

We want to hear from you... Send us your Story!
Submit your successful white collar crime case to be published in a future Informant issue. We encourage successful case stories on any white collar crime subject. For consideration in the next issue (July - October 2007), submit your completed article by May 25, 2007. See our Web site: www.nw3c.org, for submission and author guidelines.
Contact Us Today! For more information, contact Courtney Tan, at [email protected], or Loreal Bond, at [email protected].
We look forward to seeing your white collar crime case in the next Informant!

Recently companies have begun to shift their focus from physical security to operational security. The shift is not to discredit the importance of physical security, as it still plays an important role in the workplace. Rather, companies are beginning to understand the threats that are posed within their own walls. Physical security only serves to keep the undesired out. Operational security goes the extra step and attempts to keep insiders honest.

Although different in nature, physical security and operational security possess some similarities, the most common being their goals of deterrence and detection. Of course, their methods differ in the ways they achieve these goals. For example, a company may install an alarm system on the doors as a form of physical security. Unauthorized persons trying to seek entry will either be deterred knowing the chances of being caught are greater at this company than at one without an alarm system, or they will attempt to break in and be detected when the alarm sounds.

The same company may also implement a system of checks and balances as a form of operational security. An employee may choose to be honest because he or she knows that there is a better chance of being caught when others are watching. If that employee chooses to be dishonest, chances are he or she will be caught soon thereafter. Two different methods of security, yet both yield the same outcomes: deterrence and detection. Evaluating what types of security a company needs can be a difficult task. Companies need to first figure out what needs to be protected, and then try to determine the best way to protect those items within their budgets.

The interesting part about operational security is that there are no limits. Physical security eventually has limits. You can install just so many alarms, keypads, passwords, and biometric scanning devices before you have exhausted all options. Operational security, on the other hand, allows companies the flexibility to use their resources in many ways; it is virtually open-ended. Because there are so many options when it comes to operational security, it is worthwhile to take a closer look at it, beginning with typical threats and then moving on to some common ways to detect and deter those threats.

Evaluating the Risks
The most common risks presented to companies of all sizes are embezzlement, asset theft, purchasing fraud, and falsified accounting records. This list does not exhaust all risk factors, but focuses on those that most greatly affect all businesses today. Embezzlement is among the top concerns of businesses today. It is estimated that nearly one-third of all employees will steal from their place of employment, totaling millions of dollars lost per annum. Additionally, it is estimated that twice as many people will steal if the chances of being caught are slim. If that were to happen, the losses would be crippling to companies. The point is that you have to make certain that employees know that theft will not go unnoticed.

The only way to know what you are missing is to know what you have, or are supposed to have. That is why it is best to have someone assigned to audit what the company has on hand.

What you are probably thinking now is: what happens if the auditor is among the one third who will steal from the company? Major business activities (transactions, asset control, etc.) should never have just one employee assigned to those tasks. A system of checks needs to be established. This accounts for the off chance that a dishonest employee has been assigned to a major task. In such a case where a dishonest employee is in a position where they can take advantage of the company, a second employee will be assigned to “check” their work to make sure it is done properly. It is important to remember that such a policy should be adopted for all activities so that its implementation does not imply guilt on any employee.

Aside from embezzlement, which refers mostly to the theft of money, a company must also be concerned with the theft of its physical assets. A physical asset refers mostly to inventory. Inventory consists of items that can be sold for profit, or items

that were purchased and hold value for the company (computers, office supplies, etc.). Similar to embezzlement, the best way to prevent this loss is to know what you have on hand. Assign a couple of employees to take count of inventory, making note of who is in possession of certain items. A good example of this would be a company that issues laptops to its employees. When a laptop is issued, make note of who it goes to. This way, if the laptop comes up missing, you know who to turn to for answers.

For companies with large supply rooms, it may be a good idea to set up surveillance cameras to capture what occurs in the inventory room. If surveillance is conducted, make sure to notify all employees of the cameras so that nobody feels as though their privacy has been violated. Another risk can be associated with a company’s purchases. Purchasing fraud occurs when a purchasing manager makes a connection with a specific supplier. The two parties enter into an agreement that all products will be purchased through this particular supplier, who turns out to be a friend of sorts. This friend overcharges for the products sold and pockets the difference, giving a cut of the money to the purchasing manager as an incentive for doing business.

The best way to prevent this is to have several employees look into various vendors that offer the same supplies. Once a fair price for goods is established, it will become evident if the company is overpaying for goods. The investigation can establish itself from this point.

Falsified accounting records are probably one of the biggest threats to a corporation. This is due to the fact that there are so many ways to perpetrate this scheme. Some of the common ways to initiate this scheme are hiding or forging receipts, stealing petty cash, and creating fictitious employees for payroll.

Forging a receipt occurs when a receipt is recorded at a lower amount than what the customer paid. This allows the perpetrator to pocket the difference between the actual amount and the recorded amount. On the books everything looks kosher; the company receives the amount that the receipt shows was due. However, unbeknownst to the company, the receipt is incorrect.

The biggest clue of a forged receipt is a photocopied receipt. A photocopy can hide any alterations that would have been made on the original amount. Anytime a photocopied receipt is found, it is wise to inquire about the original receipt and its whereabouts.

Hiding a receipt takes this scheme to the next level. Instead of altering the receipt to show a lower amount, the receipt just does not appear. As a result, the company does not expect to see money for anything, and therefore the perpetrator can pocket the full amount of the purchase.

Hidden receipts can be uncovered by counting inventory and knowing the company’s operational capacity. If a company has five hundred products to sell at ten dollars per item, they should show a profit of five thousand dollars when the entire inventory has been sold off. If the entire inventory is gone, but the company is only showing a profit of three thousand dollars, then two conclusions can be drawn. Either inventory sales have not been recorded (hiding receipts), or inventory has been stolen.

Payroll fraud is another concern of some companies. A payroll manager has the ability to pay all workers. They also have the ability to create people to pay that really are not employed by the company at all. The fictitious employee that is created is actually the payroll manager, who will not only cut a check to this fictitious person, but will cash in on it as well. The check goes through the pay cycle without raising any eyebrows because it appears to be going to a legitimate employee. The problem is the payroll manager is getting paid twice without anybody knowing it.

When it comes to falsified accounting records, the best way to prevent and detect such activities is to closely monitor all transactions. Have more than one person recording receipts. That way, if one person sees something out of the ordinary taking place, they can report it. All work should be approved by someone else. Also, keep track of your operational capacity. If you do not know what you have, then you certainly will not be able to detect what you are missing.

Fraud Detection
An employee has committed a fraud, and knowing that the company has no structure in place to catch a fraud in progress, the perpetrator knows that as soon as the money is out the door he/she will never be caught. On the other hand, the company suspects they have been defrauded by an employee and figures that there is no way to determine if their hunch is true because they failed to set up a structure to catch fraud. The company gives up, and the perpetrator gets away with the crime.

In the criminal’s mind, this would be the perfect world. In most cases, this is what happens, unfortunately. The truth is that a company should not give up on a fraud investigation. Although operational security was forgone, there are still options once the fraud has occurred. The key is to be discreet when investigating an individual suspected of fraud because if it turns out that a fraud did not occur, you do not want to get sued for defamation of character.

To help determine if a fraud has occurred, you need to identify some red flags. A red flag is anything that would suggest the commission of a crime. A couple of the most common red flags of employee fraud are a rise in the employee’s living standards and the employee becoming a work-a-holic.

An employee who is committing fraud has more money to work with in their personal life. The extra money allows for investments and other large purchases. A lavish lifestyle that is out of the ordinary can raise questions as to where the extra money is coming from.

This red flag is sometimes termed “living beyond one’s means,” and refers to someone who is spending more money than he/she can justify having based on his/her income. Performing a net worth calculation is the best way to determine if someone is living beyond their means.

Calculating net worth is a five step process. The first step is separating a person’s assets from their liabilities. Two totals are generated: total assets and total liabilities. The two are then subtracted from each other to determine a net worth. The next step is subtracting the previous year’s net worth from the current year’s net worth, leaving the change in net worth.

From there, you add in total living expenses and subtract total income. This leaves the income from concealed sources. Depending on the amount of income from concealed sources, you can determine if there is cause to believe a fraud has occurred.

Work-a-holic is a term given to people who spend the majority of their time at work. They are the type that are the first in, and the last out. They never take vacations, and even come in to work when sick. Work-a-holics live for work and never miss a day. Some companies would see this as a dedicated worker. However, it can be a cause for concern.

When an employee is at work he/she can see everything that happens, and more importantly they make sure nobody sees what he/she is doing. A person trying to hide a fraud will not want anyone to see what he/she is doing for fear that the scheme will be uncovered. The only way to keep someone away is to show up every day all the time. Missing a day would mean that someone else would have to step in and do the job.

Be cautious of work-a-holics because, although they may seem to be dedicated workers, they may also be trying to hide something. Remember that things are not always as good as they may seem.

Fraud Prevention
The key to fraud prevention is remembering that increasing the risk over the reward will help deter employees from committing an offense. The higher the risk presented, the more honest an employee will be. However, it is not always about making and maintaining honest employees. It is about hiring honest employees.

Before an employee is hired, a thorough background check should be performed. This gives a “heads-up” of what to expect of a person before they even start. A background check allows a company to decide if a certain candidate can be trusted as an employee. If they cannot be trusted, and are not an honest candidate, it would be desirable not to hire that person. Hiring a dishonest person is opening the door to future problems.

On the administrative end, the company should establish clear operating policies. These policies let employees know what is expected of them, as well as what is not expected of them. A company should never assume that an employee knows the policies coming into the job. Setting a good tone from the top down is the most effective way to strengthen the established policies. If the executive staff does not adhere to the policies then it sets a bad example for the rest of the company, which could lead to many problems down the road.

The final and most obvious way to prevent fraud is to make it hard for an employee to commit fraud. The first way to do this is to establish positions so that two people do the same job. If there are two people doing the same job, they are constantly keeping an eye on each other’s work; making it hard to commit a fraud without being caught.

To take that a step further, establish a system of checks. When work is completed, have a manager check it over. Not only is this a good way to catch mistakes, but it eliminates the opportunity for employees to conspire for the purpose of committing a fraud.

Finally, rotate positions within a company. If an employee is trying to hide something it will certainly surface when someone else steps in to do their job. A lesser form of this method would be to mandate vacation time. When an employee is out on vacation, someone else takes their spot. If something is out of order, it will certainly be caught at this point.

Although large companies are more often the victims of dishonest employees, small companies are affected more by each individual crime. The reason big companies are victims more often is because it is easier to steal a few thousand dollars from a multi-million dollar company than it is from a company that does not have nearly the same amount of assets. The reason why small companies are more greatly affected is because they do not have as many resources to recoup the losses. As a matter of fact, some companies can never recover from such financial crimes.

Restructuring and New Services Make the Internet Crime Complaint Center a Better Resource for Law Enforcement
By Greg Donewar, IC3 Manager, NW3C

Initially launched in 2000 as the Internet Fraud Complaint Center, the Internet Crime Complaint Center (IC3) has evolved tremendously. Founded in a period when the Internet was gaining its greatest momentum as a global communication tool1, the number of complaints received by IC3 grew proportionately to the number of host sites and associated users of this new resource, reflecting not only the great value of the Internet but its inherent dangers as well.

Faced with exponential growth totaling more than one million complaints being processed through IC3, it is clear that crimes involving the Internet will continue to evolve and grow with time.

Tasked with “managing the Internet Crime Complaint Center (IC3) as the national and international hub for Internet-related crimes,” the National White Collar Crime Center (NW3C), parent organization to IC3, initiated and adopted a new strategic plan in 2006 in order to enhance existing capabilities and most effectively deal with the growing problem of Internet crime.

The new plan included input from member agencies and, specific to IC3, input from three focus groups conducted across the United States. This was done with the purpose of providing guidance for re-engineering IC3 methods to improve its capability (with a 465% increase in workload) and also to ultimately improve the quality and content of its product for state and local law enforcement and other end users.

NW3C Research Manager (and then acting IC3 Manager) John Kane put the collective talent of his staff to task and compiled a

ficiency in allocation of resources and minimizing the implementation timeline.

Five key objectives were identified in order to achieve the defined goal for IC3. They are:
1. Improved Data Management System
2. Implement Data Analysis Tools
3. New Analysis Procedure
4. Law Enforcement Training and Outreach
5. Marketing Plan

Improved data management and case management systems are the first priority with a tentative timeline for implementation being 12-18 months. As these systems are created, installed, and tested, process re-engineering will occur with the intent to automate many manual processes creating more available resources to improve the content of information delivered to member agencies as well as offering technical support in case management and case analysis.

Once the first three objectives have solidified, new training programs will be developed and an aggressive outreach effort launched to introduce the new capabilities of IC3 and to improve investigative methods for law enforcement. These activities will be integrated into a marketing plan aimed at the following:
• Increasing member agencies;
• Educating consumers;
• Improving services and product delivery; and
• Soliciting support from other agencies involved in the criminal justice system.

IC3 ALERTS

NEW TWIST CONCERNING THREAT AND EXTORTION E-MAILS
January 9, 2007 -- There is a new twist to the IC3 Alert posted on December 7, 2006 regarding e-mails claiming that the sender has been paid to kill the recipient and will cancel the contract on the recipient’s life if the recipient pays a large sum of money. Now e-mails are surfacing that claim to be from the Federal Bureau of Investigation in London. These e-mails note the following information:
• An individual was recently arrested for the murders of several United States and United Kingdom citizens in relation to this matter.
• The recipient’s information was found on the subject identifying the recipient as the next victim.
• The recipient is requested to contact the FBI in London to assist with the investigation.

It is not uncommon for an Internet fraud scheme to have the same overall intent but be transmitted containing variations in the e-mail content, e.g., different names, e-mail addresses, and/or agencies reportedly involved.

Due to the threat of violence inherent in these extortion e-mails, if an individual receives an e-mail that contains personally identifiable information that might differentiate their e-mail from the general e-mail spam campaign, IC3 encourages the recipient of the e-mail to contact the police.

NEW VIRUS IDENTIFIED: WAREZOV/STRATION WORM
December 15, 2006 -- The FBI has become aware of a worm identified as Warezov/Stration Worm circulating as a spam e-mail quickly and effectively across the Internet.

worm or virus is unique in the quickness in which it is spreading. Upon infection, a machine will download and install a number of executables. Once the executables have been installed, an infected machine will begin conducting Domain Name Service (DNS) queries to look for open mail proxies. The infected machine then begins mail containing a social engineering attack along with a Stration trojan downloader attachment.

E-MAILS CONTAINING THREATS AND EXTORTION
December 7, 2006 -- The Internet Crime Complaint Center (IC3) has recently received information concerning spam e-mails from [email protected] threatening to assassinate the recipient unless the recipient pays several thousand dollars to the sender of the e-mail. The subject claims to have been following the victim for some time and is supposedly hired to kill the victim by a friend of the victim. The subject threatens to carry out the assassination if the victim goes to the police and requests that the victim respond quickly and provide their telephone number.

WARNING! Please note: providing any personal information can compromise your identity and open you to identity theft.

SPAM E-MAIL CONFIRMING THE PURCHASE OF A COMPUTER
November 8, 2006 -- IC3 has received the following information concerning multiple e-mail confirming the recipient’s purchase of a computer:

The first e-mail claims the recipient made the purchase through an online service provider. The e-mail contains a link if the recipient wishes to dispute the charges to their account. Once the
The spam e-mail claims link is selected, the recipient is requested to provide their account comprehensive summary of the guiding principles learned from The end result of these changes will be a much higher quality of the e-mail recipient’s computer/IP address has been identified for information. the focus group efforts. This reference work, coupled with plan- the value of information provided to end users as well as the ability malicious activity online. An attachment to the e-mail is purportedly ning meetings involving members of NW3C administration, the for agencies to use the resources from NW3C and IC3 to prepare new IC3 Manager Greg Donewar, members of the FBI IC3 team, real-time reports, analyze statistical trends, and participate in an a software used to clean the recipient’s machine. This attached The second e-mail hoax includes a PDF attachment claiming to be and IC3 staff, all contributed to the development of an implemen- information sharing network for law enforcement that is without executable is the Trojan downloader portion of the worm itself. the order summary. The attachment contains a virus which will tation plan. peer. q infect your computer. A worm is identified as a program that duplicates itself over a References The implementation plan involves consideration of addressing computer network and typically performs malicious actions. This See next page for IC3 Alert Tips on how to protect critical issues in technology and use of resources with objectives 1. Obtained from Wikipedia, The Free Encyclopedia, (2007). http:// yourself from these and similar threats. 
q en.wikipedia.org/wiki/History_of_the_Internet progressing both consecutively and concurrently to maximize ef- 34 I nformant : M A rch 2 0 0 7 - J une 2 0 0 7 www.nw3c.org 35 IC3 Alert Tips Be cautious when responding to requests or special offers delivered through unsolicited e-mail: IC3 Welcomes a Visit from FBI Director Mueller • If you know someone who is involved with By Courtney Tan, NW3C Communications Specialist based resources which may assist in confirm- this type of correspondence, encourage them ing the existence of the organization, as well to contact their local FBI. as its non-profit status. • Do not respond to any unsolicited (SPAM) in- • Be skeptical of e-mails appearing to be from coming e-mails. reputable institutions you recognize or have accounts with that have minor mis-spellings • Guard your account information carefully. or slightly incorrect grammar (similar to the way that someone who does not speak Eng- • Keep a list of all your credit cards and account lish as their native language would speak or he Internet Crime Complaint Center information, along with the card issuer’s con- write). tact information; if your monthly statement (IC3) and the National White Collar looks suspicious or you lose your card(s), con- • Do not be led astray by your emotional de- tact the issuer immediately. Crime Center (NW3C) in West Virginia sires for companionship. • Be skeptical of individuals representing them- recently welcomed a visit from the • Be leery of e-mails claiming to show pictures selves as members of well known charitable of disaster areas in attached files, as the files TFederal Bureau of Investigation’s (FBI) organizations asking for your monetary aid. may contain viruses; only open attachments from known senders. Director, Robert S. Mueller, III. • To ensure contributions to U.S. 
based non- profit organizations are received and used • Be skeptical of individuals representing them- for intended purposes, go directly to the rec- irector Mueller, along with his executive staff, took time out of their already selves as Nigerian or foreign government of- From Left: FBI Director Robert S. Mueller, III, ognized charities and aid organizations’ Web full day of planned meetings on January 12th to tour the IC3 facility for the ficials asking for your help in placing large D and NW3C Director Don Brackman sites, as opposed to following links provided first time. sums of money. in e-mails. IC3 is a co-managed, joint partnership between the FBI and NW3C. IC3’s mission is to serve as a vehicle for receiving, developing, • Do not believe the promise of large sums of • Attempt to verify the legitimacy of non-profit money for your cooperation. q and referring criminal complaints in the arena of cyber crime. IC3 gives victims of cyber crime a convenient and easy-to-use reporting organizations by utilizing various Internet- mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, local, and international level, IC3 provides a central referral mechanism for complaints involving Internet related crimes.

During Director Mueller’s visit, Unit Chief John Hambrick briefed Mueller and his team on the IC3 operation, its composition, accomplishments, and challenges. NW3C Director Don Brackman spoke briefly on IC3 during the visit as well.

Director Mueller’s comments throughout the visit were very supportive and encouraging of the IC3 mission and its staff, as well as the operation’s potential for growth. Staff also commented on how they felt very honored to have the opportunity to meet Director Mueller and share with him the results of their work.

Above: Group photo of IC3, NW3C and FBI staff with Director Mueller
At Left: Presentation by Unit Chief John Hambrick and discussion during IC3 visit
At Right: Director Don Brackman speaking to visitors and staff

Internet Investigation Tools
Learn more about an IP Address, Email Address, Domain Name, Website, or URL

NetScanTools Pro
Advanced tools for both the investigator and network technician.
Automated Research of an IP Address, Email Address, Host or Domain name, or web URL.
Investigative tools that get information quickly.
• IP/Domain ownership
• Upstream ISP identification
• IP to Country mapping
• Email blacklist status
• Email address validation
• Packet Capture, passive and active network discovery tools.
• Many Network Technician tools are also included.

Two Versions Available
CDROM/Full Download version intended for installation on a hard drive.
New! USB Flash Drive Version intended for fully portable computing. Installation is not required, simply plug the USB drive into the computer and use the software.

A demo is available upon request at our website.
NetScanTools Pro is used in training by the Protocol Analysis Institute and several US Government Agencies.
For more information go to www.netscantools.com/nw3c or call toll-free 866.882.3389 or 360.683.9888. When ordering mention Code 3C2Q07 for a discount.
NetScanTools Pro, because you need to know what’s out there ...since 1995
Northwest Performance Software, Inc.

Harris Ordered to Pay Almost one Million Dollars in Restitution to Victims for securities fraud
October 30, 2006

MONTGOMERY, AL – The Alabama Securities Commission announced today that Anthony Darrell Harris appeared before Mobile County Circuit Judge Thomas, October 11, 2006 for a restitution hearing. As a result of this hearing an order was issued on October 24, 2006, for Harris to pay securities fraud victims or their estates $979,084.

Restitution payments will begin when Harris is released from custody at a rate per month as directed by his probation officer. The Court Clerk will monitor a list of victim’s names and addresses and the amounts due each victim and set up a plan to fairly distribute restitution payments.

Anthony Darrell Harris pled guilty on October 23, 2006 to two counts of Fraud in connection with the sale of securities, and one count of selling securities without being properly registered as a securities agent. Mobile County Circuit Judge Thomas sentenced Harris to serve 30 years, split, beginning with 18 months on September 22, 2006. This case was brought before the Grand Jury by the Enforcement Division of the Alabama Securities Commission and the Mobile County District Attorney’s office. Harris was indicted by the August 2005 session of the Mobile Grand Jury on 60 counts citing 1st Degree Theft by Deception; Sale of Unregistered Securities; Sale of Securities by an Unregistered Agent and Fraud in Connection with the Sale of Securities. Harris called his company Positive News Increase, Inc. (PNI); some citizens invested as much as $100,000. If you were an investor in PNI and have further questions, please contact the District Attorney’s office in Mobile County or the Alabama Securities Commission.

The Director of the Alabama Securities Commission (ASC) cautions potential investors to thoroughly check out any investment opportunity prior to investing. Contact the ASC for inquiries regarding securities, broker-dealers, agents, investment advisors, investment advisors representatives, financial planners, the registration status of securities, to report suspected fraud, or obtain consumer information.

MARRIED COUPLE SENTENCED FOR STEALING OVER $49K IN HOUSING SUBSIDIES
October 25, 2006

NEW YORK CITY, NY -- Today in Manhattan Federal Court former Section 8 recipient Raquel Arocho D’Saronno was sentenced to 10 months imprisonment and three years supervised release for defrauding the New York City Housing Authority (NYCHA) of $49,184 in Section 8 housing subsidies. Her husband, a former Section 8 landlord, Andino D’Saronno was sentenced on October 13, 2006 to five years of probation and six months of home confinement. Both have been held jointly and severally liable to pay full restitution in the amount of $49,184.

Department of Investigation (DOI) Commissioner Rose Gill Hearn said, “In a twist on government-subsidized housing, these scammers have found themselves confined to home or living in a new home, behind bars. I am pleased with the serious nature of these sentences because they underscore the fact that DOI will not allow unscrupulous Section 8 tenants or landlords to steal much-needed housing subsidies.”

A DOI investigation led to the 2005 indictment of Raquel, 40, and Andino, 41, of Staten Island, for theft of public monies. That investigation revealed that the D’Saronnos had concealed from NYCHA their marriage and that they had been living together since July 1998 at a single-family home in Midland Beach, Staten Island that Andino owned and for which he served as a Section 8 landlord. Raquel, a Section 8 recipient since 1990, moved to the Midland Beach property in June 1998 and told NYCHA she was renting this single family home from Andino for herself and her children. She continued to use her maiden name, ‘Arocho,’ after she married Andino a month later. Neither Raquel nor Andino disclosed their marriage or living arrangement to NYCHA. Such disclosure would have made Raquel ineligible to receive Section 8 rental subsidies and D’Saronno ineligible to maintain his status as a Section 8 landlord. As a result, NYCHA paid Andino rental subsidies ranging from $638 to $772 a month to which he was not entitled from June 1998 through January 2004. In total, NYCHA overpaid Andino $49,184.

Not only did Raquel and Andino conceal that they were husband and wife, rather than landlord and tenant, but Raquel concealed her assets and income including real estate the couple jointly purchased in Florida in 2001, and the home they purchased for $559,935 in 2003 at 326 Eltingville Boulevard, Staten Island.

After learning that Raquel and Andino were in the process of selling their Staten Island residence, DOI investigators filed on October 17, 2006, a Notice of Pendency against the couple and their Eltingville property. That document notified the property’s buyers and sellers that $49,184 in forfeiture would be sought from Andino. That forfeiture will reimburse NYCHA for the stolen subsidies.

Commissioner Rose Gill Hearn thanked NYCHA’s Leased Housing Department for their assistance in the investigation and federal prosecutors from the Southern District of New York for handling the prosecution.

The investigation was conducted by NYCHA’s Office of the Inspector General, including Deputy Inspector General Bergia Telesford, Assistant Inspector General James Hylton, Special Investigator Emily Bizzarro and Deputy Counsel Laureen Hintz. The office of Michael J. Garcia, U.S. Attorney for the Southern District of New York, prosecuted the cases. Assistant U.S. Attorney Lisa Zornberg was in charge of the prosecutions.

COOK COUNTY MAN SENTENCED to seven and a half years ON THEFT AND MAIL FRAUD CHARGES
January 3, 2006

CHICAGO, IL – Attorney General Lisa Madigan announced that a Cook County judge has sentenced a River Forest man to seven and one-half years in prison for charges related to a scheme involving the sale of liability insurance to more than 200 entertainment providers in Illinois and across the country.

Cook County Circuit Court Judge David A. Skryd yesterday sentenced Richard Brooks, of River Forest, to seven and one-half years in the Illinois Department of Corrections (IDOC). Brooks pled guilty to nine counts of Theft over $100,000, Class 1 felonies and one count of Mail Fraud, a Class X felony.

The charges stem from Brooks’ purported sales of commercial general liability insurance offered by Lloyds of London to entertainment providers, including circuses, circus acts, a mime troupe in San Francisco, owners of mechanical bulls, owners of artificial rock climbing walls and a company that offered bungee jumping rides.

Brooks also purported to sell automobile liability insurance offered by Fire and Casualty Insurance Company of Connecticut to some of the entertainment providers.

Brooks never had authority to sell insurance for Lloyds of London nor Fire and Casualty Insurance Company of Connecticut. Brooks has not been licensed to act as an insurance producer in Illinois since 1997 and never obtained the insurance he purported to sell to the entertainment providers.

The case was jointly investigated by Madigan’s office and the United States Postal Inspection Service. Assistant Attorney General Edward Carter prosecuted the case for Madigan’s office.

NW3C’s Outreach Seminar is held in Las Vegas, Nevada

NW3C hosted a successful “Electronic Law Enforcement” Outreach Seminar on January 23rd at the Suncoast Hotel and Casino in Las Vegas, NV. Over 140 law enforcement officials attended the Outreach. The event featured presentations on the subjects of Identity Theft, Phishing, and Tools, Tricks, and Techniques used by Criminals.

Opening remarks for the Outreach were presented by Mike McClary, Assistant Sheriff, Las Vegas Metropolitan Police Department. Other speakers and presenters included Don Brackman, Director, NW3C; Chris Nelson, Senior Investigator, Jefferson County Sheriff’s Office (Golden, CO); Charles Cohen, First Sergeant, Indiana State Police; and Mark Gage, Deputy Director, NW3C.

NW3C’s next Outreach Seminar will be held in Tarrytown, New York on April 18th. For more information or to register online, visit www.nw3c.org/outreach.

NW3C Research News

With the new year underway, the research section has been busy with a variety of projects at NW3C. The 2006 Internet Crime Complaint Center (IC3) Annual Report is currently being analyzed and prepared for release. Over 207,000 complaints were received by IC3 last year, making the total for 2006 the second highest total since the organization’s inception in 2001.

In January, the research section also submitted a grant proposal to the National Institute of Justice for Social Science Research on Terrorism. Pending approval, the research team will partner with the Arizona Counterterrorism Information Center (ACTIC). The primary goal of the project is to identify successful practices regarding coordination, cooperation, and communication among agencies and across jurisdictions responding to terrorism. Through criminal case studies and interviews with the members of ACTIC, NW3C will report on the best practices that can be incorporated by local, state, and national law enforcement agencies to combat terrorism on all fronts. The research section expects to receive feedback regarding the awarding of the grant within six months.

In addition to conducting regular evaluations of NW3C’s training courses, the research section is also continuing work on implementing course post-evaluations and supervisor evaluations for all financial and computer crime courses. The additional evaluations should prove as valuable tools to capture the practical impact NW3C trainings have on the daily conduct in the investigation and prosecution of economic and high tech crime.

NW3C also recently hosted a luncheon for the White Collar Crime Research Consortium (WCCRC) last November in conjunction with the American Society of Criminology (ASC) meeting in Los Angeles. The biannual luncheon was well received with over 30 white collar and corporate crime scholars and practitioners in attendance. The event also served as the formal announcement of the WCCRC’s incoming president Michael Benson (University of Cincinnati) and newly elected vice president Kip Schlegel (Indiana University). The research section is already preparing for the Academy of Criminal Justice Sciences annual meeting in Seattle to host the first WCCRC luncheon of 2007; while in Seattle, the research section will also be presenting original research pertaining to the 2005 National Public Survey on White Collar Crime as well as data from IC3.

For additional information concerning the WCCRC, including membership materials, go to: http://www.nw3c.org/research/white_collar_crime_consortium.cfm. For questions on NW3C Research initiatives please contact NW3C Research Manager, John Kane, at 877-628-7674, ext. 200.

NW3C Welcomes the Following New Managers...
Greg Donewar, IC3 Manager
Leslie Layton, Communications Manager
Dale Smith, Training Manager
Jim Foley, Curriculum Development Manager

NW3C and IACIS: A History of Collaboration
By Robert W. Spitler, II, CFCE, IACIS Board of Directors Treasurer and Loudoun County Sheriff’s Office (VA) Computer Forensics Investigator

In the late 1980’s, a group of law enforcement officers determined the need to address a lack of training in the area of computer forensics, an unheard of term in that era. This group began coming together to learn and pass on information and in 1990 incorporated through the state of Oregon as The International Association of Computer Investigative Specialists (IACIS). IACIS was incorporated with the core mandate to train law enforcement in the field of computer forensics. IACIS, which is an all-volunteer organization, grew from a few cops throughout the US to a network of 1800+ members worldwide. With members and directors from around the globe, IACIS is established as a true International Association.

IACIS training began as small meetings and eventually was established as a yearly training conference in Orlando, FL. IACIS now presents their basic forensics class, the Certified Forensic Computer Examiner course, the last week of April through the first week of May each year. This class is the beginning of an extensive certification process. Members successfully completing the process earn the certification of “Certified Forensic Computer Examiner” (CFCE). The CFCE has become a worldwide recognized certification process in law enforcement agencies, as well as having become an accredited process in collegiate academics. IACIS further offers various advanced class topics each year for returning members.

Before NW3C was nationally established in 1992, there was not much focus on cybercrime. In 1996, NW3C membership pressed for the development of computer forensics training. Three trainers were hired that year. From that time forward trainers and administrative staff of the program, then known as the National Cybercrime Training Partnership, have come from the ranks of IACIS members including founding members and board members. NW3C encouraged their new staff, who were not IACIS members, to join membership, attend the IACIS training, and obtain their CFCE certification.

In 1994, and prior to NW3C taking an active role in Computer Forensics Training, the IACIS basic class was being held in McLean, VA. Dick Johnston, then the director of NW3C, did a short presentation about NW3C. Since then, NW3C trainers have not only come from IACIS membership, they have also returned as instructors at the yearly conferences. They have also helped as coaches through the certification process and have served on the Board of Directors for IACIS.

Although this is a very brief description of the collaboration of the two organizations, it should stand as an example that cooperation leads to the development of solid standards and the best and most recognized computer forensics training available in the world. IACIS and NW3C have continued to solidify their working relationship, both encouraging members and students to attend the others’ training as a mutual process for building computer forensics competency.

For more information on the International Association of Computer Investigative Specialists, its upcoming and future training, as well as the certification process, please visit www.cops.org. The next Certified Forensic Computer Examiner Course will be held April 23 through May 4, 2007, in Orlando, FL. Additionally, advanced class topics will include Large Disk Acquisition & Network Monitoring, Macintosh Forensics, as well as Mobile Phone Forensics & DataLifter Forensics.

Occupational Fraud in Ohio
Continued from page 30

2004 and December 2005. Investigators from the City of Milford Police Department continued to take reports of losses totaling $407,507. In February of 2006, David Sheets pled guilty to Aggravated Theft, a felony of the third degree in the State of Ohio, and was sentenced in March of 2006. Sheets received four years of confinement to the Ohio Department of Rehabilitation and Correction.

White collar crime can create greater havoc in a small community. This is especially true when the elderly of our communities are victimized, as they have little or no hope of re-establishing themselves in financial terms. White collar criminals are thieves, and the methods used to conceal their offenses are both artful and ingenious. Concealment of the crime is always an objective of the offender, and it becomes an element of the crime itself. As is seen in the Travel Center, Inc. investigation, this type of fraud is an artful form of deceit which can be skillfully disguised, often making the investigation itself long and laborious as far as proving criminal intent is concerned. The offense itself may be disguised in a maze of legitimate transactions, which are quite proper if viewed in isolation, however, the cumulative effect is the commission of a criminal offense. From the standpoint of the criminal, the ideal white collar crime is one that will never be recognized or detected as a criminal act, which is what David Sheets wanted to claim.

The Travel Center, Inc. investigation can be described as an occupational crime. Occupational crime refers to illegal acts committed by an individual or group of individuals for personal gain in the course of their occupations.3 No matter how you define the crime or the criminal, the economic loss caused by Sheets to his victims and the community is devastating.

REFERENCES
1. Shover, Neal and Wright, John Paul, Editors. Crimes of Privilege: Readings in White-Collar Crime. New York: Oxford University Press (2001).
2. Geis, Gilbert. From Deuteronomy to Deniability: A Historical Perlustration on White-Collar Crime. Justice Quarterly, Vol.5, No.1, Academy of Criminal Justice Sciences, (March 1988).
3. Benson, Michael L. Lecture Notes, Seminar in White Collar Crime, University of Cincinnati (2006).

BFA to recognize apparent income on its financial statements through purported sales of real property at a profit. Bottom line: Crotts, Grabinski and others were operating a complex variation of a Ponzi scheme.

Senior management was able to keep the fraud going by raising ever increasing amounts of money from investors, primarily members of the Southern Baptist religious community in Arizona and elsewhere.

The pitch was “do good by doing good.” BFA emphasized “Stewardship Investing.” BFA represented that Stewardship Investing was a concept that gives Christian stewards the opportunity to not only earn a handsome rate of return on the money they invested with BFA, but also to make that money work for the Lord. BFA represented that it invested in a diversified portfolio including notes, real estate, and real estate-secured third party obligations. These investments purportedly made a profit which went to further Christian ministries such as Christian education, care for children and senior adults, missions, and new church starts. BFA represented to potential investors that the investment therefore actually touched the lives of countless numbers of people while earning a very attractive interest rate for the investor. To a large extent the assets of BFA were illusionary as the majority represented notes receivable from the off balance sheet entities which had no ability to repay the notes.

In August 1999, BFA, NCV, and CFPI consented to the issuance by the ACC of a cease and desist order which ordered BFA, NCV, and CFPI to cease selling securities to the public in violation of the law. As with any Ponzi type scheme, once the flow of investor funds ceased, BFA could no longer meet its obligations and was forced in November 1999 to file what has been called the largest non-profit bankruptcy in United States history. Many of the creditor/investors were retired persons who had invested individual retirement accounts funds through NCV and CFPI.

The ACC and AG’s Office sought financial assistance from NW3C in order to investigate and pursue the cases against BFA insiders, as well as those professionals that aided and abetted the fraud. NW3C saw fit to provide funding to assist in the on-going investigations. Funds provided by NW3C were used to hire accounting experts as well as to pay temporary staff to control and input hundreds of thousands of documents into a database. The difficulty of a

In addition to Crotts and Grabinski, six others were indicted in September 2002 for their roles in the BFA scheme. The final five of them were recently sentenced by the Honorable Kenneth Fields on February 2, 2007 as follows:

Donald Dale Deardoff, 49.
Former foundation CFO/Treasurer.
Two counts: facilitating fraudulent schemes and artifices
• Four years’ prison
• $159 million restitution
Quoted as saying, “Words cannot express the regret for what I did.”

Jalma W. Hunsinger, 70.
Former board member and purported President of NCV and ALO, and most of its subsidiaries.
Three counts: facilitation of illegally conducting an enterprise.
• Three years supervised probation
• $150,000 restitution
Quoted as saying, “I do feel bad about those who have been hurt.”

Edgar Alan Kuhn, 62.
Former officer of NCV and ALO and most of its subsidiaries.
Three counts: facilitating fraudulent schemes and artifices
• Three years’ supervised probation
• $25,000 restitution
Quoted as saying, “I acted too much on trust without information.”

Harold DeWayne Friend, 73.
Former foundation director and officer of various ALO entities.
One count: attempting to assist a criminal syndicate.
• Three years’ supervised probation
• $240,000 restitution

The Role of Computer Crime Investigators in Counter Terrorism and Intelligence
Continued from page 28

With this shift in direction, SLEs cannot overlook a very vital source of intelligence, namely computer forensic investigators. Recent surveys have indicated that a large majority of SLEs do not have a distinct criminal intelligence division. This is not surprising when we consider that 75% of SLEs have less than 24 sworn officers. In fact SLEs are more likely to have a dedicated computer crime division/investigator than a criminal intelligence division/officer. This fact, combined with the realization that, contrary to popular belief, it is actually harder to cover your tracks when using technology (assuming those looking know where to look) makes the computer crime investigator a key factor. These investigators are trained to look for digital evidence and understand the technology that is being used by the criminals.

While the motivation may be different between terrorists and white collar/technology criminals, the underlying technology and tools are the same. E-mail is e-mail, and computer log files and server event logs are what they are. The same methodology (identification, collection, examination, analysis, interpretation, and report) and skills that make the computer investigator proficient at tracking online pedophiles, hackers, identity thieves, etc., can be repurposed for collecting intelligence, tracking cyber-jihadists, or any counter terrorism purpose. What is required is really only a slight shift in focus, based on the context of the investigation.

Only a minimal amount of training is typically required in order to facilitate the shift from computer crime investigations to a broader scope of intelligence gathering or counter terrorism. Agencies such as NW3C, and educational institutions such as Purdue, the University of Central Florida, and the University of Tulsa, have education and training programs that provide assistance to SLEs in this area.

As law enforcement struggles to keep pace with the changing nature of crime and terrorism, the need for effective and efficient real-time intelligence gathering and analysis is imperative. Gone are the days of reactive policing and traditional definitions of crime and criminal investigations. Intelligence-led policing is a reality today and will continue to grow in importance into the foreseeable future. The increasing demands on SLEs to be more active in non-traditional criminal investigations, such as computer crime and

Past, Present and Future
Continued from page 8

instant access to NW3C products and services, including research papers, reports, CDs, DVDs, training class schedules, and member contact information. This state-of-the-art Web site has greatly enhanced NW3C’s ability to serve its members by providing them with electronic access to NW3C materials. Members regularly access and download the information on the member Web site. For example, member agencies electronically downloaded NW3C research papers and reports 19,314 times in 2005.

In recent years, NW3C has greatly expanded training offerings and the analytical support services provided to our members. To illustrate NW3C’s growth, let’s look at some statistics from NW3C’s 2005-2006 fiscal year. NW3C publishes the Informant magazine at no cost to subscribers, and it is sent tri-annually to over 18,000 law enforcement professionals and the public. NW3C sponsored two Economic Crime Summits and two Outreach Events in 2005 that were attended by over 900 law enforcement personnel across the country. IC3 processed 196,576 complaints.

As of January 25, 2007, NW3C had a total of 2,347 agency members, including 2,156 voting members, and 191 associate members. NW3C also has 105 employees working in Virginia, West Virginia, Florida, Colorado, and Indiana. NW3C operates three offices: one in Richmond, Virginia, and two in Fairmont, West Virginia.

Since NW3C was established in 1992, there has been phenomenal growth in the number of members, programs, staff, and the products and services provided by NW3C. The challenges were great, but not insurmountable, and the rewards were great as well. In order to accomplish NW3C’s goals, management recruited dedicated, innovative professionals who were committed to providing outstanding customer service. The management and Board of Directors worked diligently to ensure that NW3C met its goals and objectives, developed sound business practices, and served the membership to the greatest degree of professionalism possible. Many first-of-a-kind programs were instituted that brought together the private sector with the public sector, partnered state and local law enforcement with federal agencies, broke down barriers and borders, and provided the best - and often the only - nationwide programs to law enforcement.

None of this would have occurred without the assistance of the member agency representatives who foresaw the potential of NW3C. There have been many people instrumental in helping NW3C to achieve success, ranging from the staff, to members of Congress, member agencies, the Board of Directors, friends in the private sector, BJA, the FBI, the Department of Justice, and others.

Economic, cyber, and terrorism-related crimes are increasingly recognized as important problems for national and international citizens and businesses. NW3C has progressively strengthened its commitment to its members and its mission over the last 28 years.
NW3C’s efforts to continually white-collar technology crime, places them in a good position to state agency investigating and prosecuting large document cases Quoted as saying, “This zeal that I had Moving into the Future improve its training, investigative support, adapt some of the capacities they have already developed, allow- is obvious, and therefore, the assistance of an organization such overcame my good business judgment.” From its inception in the early 1970’s, the and research services ensure its continuing ing them to evolve to meet the policing needs of the 21st Century. as NW3C is invaluable to the states. Leviticus Project was motivated by a desire ability to effectively support law enforce- The current and increasing role of computer crime investigators in Richard Lee Rolfes, 50. to serve law enforcement and to provide ment agencies in their fight against white counter terrorism and intelligence gathering is but one example of Before Arthur Andersen imploded as result of its involvement with Former Executive Secretary and financial law enforcement agencies with a means of collar crime. NW3C management and staff the successful transition in modern policing that is so desperately Enron, Arthur Andersen and the outside law firm settled cases consultant of NCV sharing information and resources to more look forward to serving state and local law needed. q with the State and other plaintiffs which resulted in $238,000,000 One count: facilitating fraudulent schemes effectively fight economic crime. NW3C’s enforcement for many years to come. q being made available to investors as additional restitution. Ulti- and artifices current success in assessing the needs of mately, investors received almost 70 cents on the dollar (which is • Three year’s supervised probation law enforcement agencies and developing usually unheard of in a Ponzi scheme). 
In addition to the mon- • $25,000 restitution support systems is based upon the solid Continued from page 23 etary portion of the Arthur Andersen settlement, the partner and Quoted as saying, “I am very sorry that this foundation for cooperation established by manager on the BFA audit engagement relinquished their CPA has all happened; it’s been very difficult for the Leviticus Project. a false favorable financial picture to investors by hiding large losses licenses. me and my family to go through this.” q on the books of ALO and its subsidiaries. Crotts and Grabinski also created complex financial transactions utilizing ALO that allowed

