NW3C Board of Directors

Chairman: Glen B. Gainer, III, WV State Auditor’s Office
Director: Don Brackman, NW3C
Northeast: Christopher Cotta, Secretary, Rhode Island Office of the Attorney General
Mountain: Kathleen Kempley, Treasurer, Arizona Attorney General’s Office
Great Lakes: Larry Turner, Board Member, Indiana State Police
South Central: Denise Voigt Crawford, Board Member, Texas State Securities Board
Mid-Atlantic: Michael Brown, Board Member, Bedford County Sheriff’s Office
Southeast: John Whitaker, Board Member, Georgia Bureau of Investigation
Midwest: Paul Cordia, Vice Chairman, Missouri State Highway Patrol
West: Sean M. Rooney, Board Member, California Department of Corporations

The mission of the National White Collar Crime Center (NW3C) is to provide training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of economic and high-tech crime. NW3C is a non-profit organization serving more than 3,100 member agencies in all 50 states, 4 U.S. Territories, and 14 Countries. Membership in NW3C is free.

NW3C Executive Team
Deputy Director: Ken Brooks
Deputy Director: Mark Gage
Deputy Director: Dave Cummings
General Counsel: Mary-Ellen Kendall

NW3C has offices in Virginia and West Virginia.

Highwoods One, 10900 Nuckols Road, Suite 325, Glen Allen, VA 23060. TEL: (800) 221-4424. FAX: (804) 273-1234.

Alan B. Mollohan Building, 1000 Technology Drive, Suite 2130, Fairmont, WV 26554. TEL: (877) 628-7674. FAX: (304) 366-9095.

This project was supported by Grant No. 2008-CE-CX-0001 awarded by the Bureau of Justice Assistance. The Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent the official position or policies of the United States Department of Justice. The National White Collar Crime Center (NW3C) is the copyright owner of this magazine. This information may not be used or reproduced in any form without the express written permission of NW3C. This publication is also available for download in PDF format at www.nw3c.org. For questions or additional information, please contact Jeannette Toscano, Communications Manager, at [email protected]. ©2009. NW3C, Inc. d/b/a the National White Collar Crime Center. All rights reserved.

Informant contents

In This Issue:

8 Members’ Platform
10 Instructor Spotlight
12 Fighting Internet Crime, by NW3C Internet Fraud Analysts
13 Protecting Citizens from Identity Theft, by NW3C Internet Fraud Analysts
14 Help! Is this Check Fake?, by NW3C Internet Fraud Analysts
15 CY-FI: The Future of Cyber Forensics, by Dr. Marcus K. Rogers
16 Historic Partnership Ushers in New Era of Cyber Forensics, by Craig Butterworth
17 NW3C Analysts Recognized for Helping Take Down Florida-Based ID Theft Ring, by Craig Butterworth
18 Glen Gainer: Financial Watchdog, by John Dahlia
20 iForensics
22 Apples to Oranges: Comparing the Mac® OS X Property List to the Windows® Registry, by Dennis Browning
26 Capturing digital evidence is more than just “pulling the plug” on a computer. This article, written by Al Lewis, Director of Forensic Development & Services, MacForensicLab Inc., will address the growing role of incident response at a digital crime scene.
28 Forensically Sound Examination of a Macintosh. Mac® operating systems are being encountered more by law enforcement. Read this article, by New York State Police Computer Crime Investigator Ryan Kubasiak, to learn where to look for and extract evidence on the Macintosh® OS X.
32 Seven Deadly iPhone Sins: What Every Enterprise Should Know, by Jonathan Zdziarski
34 TomTom® GPS Device Forensics, by Ben LeMere
36 The Menace, by Samantha McManus and Ethan Arenson
38 Ponzi Schemes, by Robert Holtfreter, Ph.D.
39 Member Success Stories, by Craig Butterworth

The Informant is produced twice a year in the Glen Allen office. The Informant has moved to an online format and is available at http://informant.nw3c.org.
Editor-in-Chief: Jeannette Toscano
Editorial Staff: Loreal Bond, Craig Butterworth, Cam Brandon
Graphic Design: Lindsey Bousfield
Special Contributor: Dr. Marcus K. Rogers, CISSP, CCCI, Cyber Forensics Program, Department of Computer & Information Technology, Purdue University


In today’s world of cybersecurity, you’ll need more than a firewall to keep from getting burned. www.northropgrumman.com/cybersecurity

To really beat the bad guys, you need people not just computer programs. And Northrop Grumman has the expertise and the tools to keep your worst fears from coming true. This is the world of cybersecurity. A world we call home and know better than any other company in the industry. So when you’re ready to talk to the experts about cybersecurity, come talk to us at Northrop Grumman.

THE FACE OF CYBERSECURITY. ©2009 Northrop Grumman Corporation

Informant: July 2009 - December 2009


NW3C Remembers Our Member Agencies’ Heroes Killed in the Line of Duty

January 1 - June 30, 2009

Lieutenant Stuart J. Alexander, Corpus Christi Police Department, TX
Officer Cesar Arreola, El Paso County Sheriff’s Department, TX
Detective Robert Eugene Beane, Beauregard Parish Sheriff’s Office, LA
Captain Scott Bierwiler, Hernando County Sheriff’s Office, FL
Officer Joshuah Patrick Broadway, Montgomery Police Department, AL
Officer Henry Canales, Houston Police Department, TX
Investigator Chadwick Alan Carr, Greene County Sheriff’s Office, VA
Captain Richard J. Cashin, Massachusetts Executive Office of Public Safety & Security - Department of State Police, MA
Officer Glen Ciano, Suffolk County Police Department, NY
Sergeant Mark Dunakin, Oakland Police Department, CA
Officer Omar J. Edwards, New York City Police Department, NY
Officer Giovanni Gonzalez, Miami-Dade Police Department, FL
Officer John Hege, Oakland Police Department, CA
Officer Eric Guy Kelly, Pittsburgh Bureau of Police, PA
Officer David R. Loeffler, Minneapolis Police Department, MN
Deputy Sheriff Burton (Burt) Lopez, Okaloosa County Sheriff’s Office, FL
Officer James Manor, Las Vegas Metropolitan Police Department, NV
Officer Stephen James Mayhle, Pittsburgh Bureau of Police, PA
Trooper Joshua D. Miller, Pennsylvania State Police, PA
Sergeant Dulan Earl Murray, Jr., Nags Head Police Department, NC
Officer James (Freddie) Norman, Cobb County Police Department, GA
Officer Mark Parker, Orange County Sheriff’s Office, FL
Officer John Pawlowski, Philadelphia Police Department, PA
Sergeant Ervin Romans, Oakland Police Department, CA
Sergeant Daniel Sakai, Oakland Police Department, CA
Officer Paul J. Sciullo, II, Pittsburgh Bureau of Police, PA
Officer Brandon Nykori Sigler, Mobile Police Department, AL
Senior Corporal Norman Smith, Dallas Police Department, TX
Sergeant Andrew (Andy) Tingwall, New Mexico Department of Public Safety - State Police, NM
Officer Alejandro (Alex) Valadez, Chicago Police Department, IL
Deputy Sheriff Warren (Skip) York, Okaloosa County Sheriff’s Office, FL

Source: www.odmp.org

New Members

Total member agencies as of June 30, 2009: 3,146

The following agencies became members between January and June 2009:

GREAT LAKES virginia Sturgeon Bay Police Department Peterborough Police Department Ocoee Police Department University of California Police Department- Bristol Sheriff’s Office Wisconsin Department of Administration - new jersey Pinellas Park Police Department Los Angeles indiana Norton Police Department Division of Gaming Eatontown Police Department U.S. Department of Veterans Affairs Police Yreka Police Department Butler Police Department Service - Tampa guam Smithfield Police Department MOUNTAIN Florham Park Police Department Greenfield Police Department west virginia Harrison Police Department Winter Garden Police Department Guam Office of the Attorney General Owen County Prosecutor’s Office Hurricane Police Department arizona Harrison Township Police Department Winter Springs Police Department idaho Peru Police Department Kanawha County Sheriff’s Office Oro Valley Police Department Mercer County Sheriff’s Office Zephyrhills Police Department Coeur d’Alene Police Department Porter Police Department Star City Police Department Prescott Valley Police Department Mount Laurel Police Department georgia oregon Vanderburgh County Prosecutor’s Office West Virginia State Fire Marshal’s Office Sedona Police Department Newark Police Department Catoosa County Sheriff’s Department Astoria Police Department michigan Wellton Police Department Roseland Police Department Cobb County Sheriff’s Office Turner Police Department Farmington Hills Police Department MIDWEST colorado Sparta Township Police Department Decatur County Sheriff’s Office washington Fruitport Township Police Department iowa Denver Adult Probation Department Warren Township Police Department Hapeville Police Department Cheney Police Department Marysville Police Department Greeley Police Department new york
Houston County Sheriff’s Office Port Townsend Police Department New Buffalo Police Department Black Hawk County Sheriff’s Office North Liberty Police Department Telluride Marshal’s Department Port Washington Police District Milton Police Department Petoskey Public Safety Department Weld County Sheriff’s Office Rye Police Department north carolina INTERNATIONAL Three Rivers Police Department Waterloo Police Department illinois kansas Suffolk County Probation Department Cabarrus County Sheriff’s Office united kingdom West Bloomfield Police Department Brown County Sheriff’s Department Warwick Police Department Duck Police Department ohio Bradley Police Department Kent Police Department-Digital Forensics Cook County Office of the State’s Attorney Franklin County Sheriff’s Office rhode island Franklin County Sheriff’s Office Unit Delaware County Sheriff’s Office Graham County Sheriff’s Office Coventry Police Department Statesville Police Department Fairfax Police Department Forest Preserve District of Kane County Ireland Police Department Harvey County Sheriff’s Office vermont Union County Sheriff’s Office Northern Ireland Police Service - Crime Fairview Park Police Department Kansas University Medical Center Police Caledonia County Office of the State’s Attorney south carolina Fayette County Sheriff’s Office Galena Police Department Operations Department Itasca Police Department Department Goose Creek Police Department canada Goshen Township Police Department Mission Police Department SOUTH CENTRAL Green Springs Police Department Kenilworth Police Department Winnipeg Police Service Kewanee Police Department Wellington Police Department WEST Hamilton Township Police Department nebraska alabama Lincolnwood Village Police Department Calhoun County Sheriff’s Office california Moraine Police Department Nebraska Department of Motor Vehicles - Maryville Police Department Arcadia Police Department North Canton Police Department Motor Vehicle Fraud Unit arkansas McHenry County
Sheriff’s Office Arroyo Grande Police Department Northwood Police Department south dakota Benton Police Department Prairie Grove Police Department Fort Smith Police Department California Business, Transportation & Ohio Department of Public Safety Aberdeen Police Department Richton Park Police Department Housing Agency - Highway Patrol Ohio Lottery Commission - Division of utah louisiana Saint Clair County Sheriff’s Department Bossier City Marshal’s Office California Lottery - Security & Law Information Technology Network Administration Murray City Police Department Swansea Police Department Louisiana Office of State Inspector General Enforcement Division Struthers Police Department South Jordan Police Department Trenton Police Department Tangipahoa Parish Sheriff’s Office Chino Police Department pennsylvania Springville Police Department Urbana Police Department Los Gatos - Monte Sereno Police Department Baldwin Borough Police Department wyoming oklahoma
Vandalia Police Department Oklahoma County Sheriff’s Office Ontario Police Department Chambersburg Police Department Uinta County Sheriff’s Office East Fallowfield Township Police Department Wayne County Sheriff’s Department texas Pittsburg Police Department Eddystone Police Department Will County Office of the State’s Attorney NORTHEAST Anderson County Sheriff’s Office Placer County Sheriff’s Department National Cyber-Forensics & Training Alliance Winthrop Harbor Police Department Cameron County District Attorney’s Office Sutter County District Attorney’s Office connecticut Norristown Police Department minnesota Diboll Police Department Wolcott Police Department South Beaver Township Police Department New Brighton Department of Public Safety Ferris Police Department massachusetts Towamencin Township Police Department Rosemount Police Department Houston Independent School District Police montana Boxford Police Department Department MID-ATLANTIC Audrain County Sheriff’s Office Bristol County Sheriff’s Office Kaufman County Sheriff’s Department Burlington Police Department district of columbia Christian County Sheriff’s Office Port Arthur Police Department Medway Police Department Federal Communications Commission - Ellington Police Department U.S. Department of Veterans Affairs - OIG - Raynham Police Department Office of Inspector General Iron Mountain Lake Police Department Criminal Investigation Division-South Central Rehoboth Police Department Kentucky Lebanon Police Department Field Office U.S.
DHS - Immigration & Customs Flatwoods Police Department Newton County Sheriff’s Office Enforcement - Federal Protective Service Henderson Police Department Pacific Police Department SOUTHEAST New England Region Kenton County Police Department Republic Police Department maine florida Pikeville Police Department Sullivan Police Department Topsham Police Department Brevard County Sheriff’s Office Wilmore Police Department wisconsin new hampshire Hallandale Beach Police Department Tennessee Cedarburg Police Department Goffstown Police Department Highlands County Sheriff’s Office Dayton Police Department La Crosse Police Department Milton Police Department Hanover Police Department Kenneth City Police Department

Have questions about membership? Contact Membership Services at 800-221-4424 ext. 3336, or e-mail [email protected].

Thank you to the following Member Agencies for referring new members:
Allegheny County Police Department, PA
Clayton Police Department, MO
Douglas County Sheriff’s Office, GA
Granville Police Department, WV
Hancock Police Department, NH
Knox County Sheriff’s Office, TN
Lebanon Police Department, OH
Mercer County Prosecutor’s Office, NJ
Missouri State Highway Patrol, MO
Peabody Police Department, MA
Santa Clara County District Attorney’s Office, CA
West Virginia State Police, WV

Members’ Platform

Representatives from NW3C Member Agencies share their stories, experiences and comments about NW3C services.

Alaska Department of Public Safety-State Trooper Division, Anchorage, AK (Members Since 1992)
Agency Representative - Derek DeGraaf, Sergeant

At approximately 2/3 the size of the Lower 48, Alaska is the largest of the 50 United States. Alaska encompasses more than 570,000 square miles of terrain and contains about a million lakes and rivers. The Alaska State Troopers are charged with the difficult task of maintaining order and justice in the vast state. The area from Kotzebue, a community north of the Arctic Circle, to Ketchikan, near British Columbia, to the Aleutian chain, is patrolled by approximately 300 troopers. Alaska also possesses more coastline than the rest of the country combined. Some of the trooper “patrol areas” do not have a large road system and some are larger than other states in the union. Many troopers are stationed in locations where their nearest back-up is a couple hundred miles away. Alaska does not have counties, or for that matter, any Sheriff’s offices to assist with the duties taken on by troopers. Troopers must overcome the incredible logistical challenges brought on by the vast distance and extreme weather conditions in the “Last Frontier” on a regular basis with little help from other agencies. These challenges mean that it is not uncommon for a trooper to use a snow machine, four-wheeler, boat or airplane during the course of the day.

The size of Alaska is approximately equivalent to the entire Eastern seaboard spanning north to south from Maine to Florida and west to Tennessee. Alaska is 586,400 square miles, over twice the size of Texas.

The Alaska Bureau of Investigation (ABI) is one of the four bureaus within the Alaska State Troopers Division. It is comprised of roughly 30 investigators that deal with complicated felony offenses throughout the state. The Computer and Financial Crime Unit (CFCU) is a dedicated group of investigators based in Anchorage within ABI. The CFCU investigates complex computer and/or financial crime throughout the state. This unit is also an extension of the Internet Crimes Against Children (ICAC) Task Force, which works closely with the Department of Homeland Security to catch child predators and to rescue children. The CFCU is also responsible for processing electronic evidence for the Division as a whole, as well as processing electronic evidence for most other police departments within the state. Investigators spend many hours a week conducting analyses of computers, personal data devices and mobile phones. A great deal of time is also spent conducting undercover peer-to-peer investigations for child exploitation images on-line. The strategies and skills to do these tasks were largely learned through NW3C training.

Over the past five years, the Alaska State Troopers sent at least a half dozen investigators to various NW3C courses, including Secure Techniques for Onsite Preview (STOP), Cybercop 101 and Financial Investigations Practical Skills (FIPS). Most classes our investigators attended required travel to the Lower 48. However, NW3C has sent trainers to Anchorage on a few occasions.

The Alaska State Troopers Division has partnered with NW3C for many years. Working with NW3C has been very beneficial due to the fact that both agencies share similar goals—assist others with investigations, financial crime training, and analysis involving both computer forensics and financial records. In fact, these are more than just goals for CFCU, these elements make up our core mission. The training provided to trooper investigators by NW3C proved to be the best in the nation. It made an incredible impact in that it has greatly contributed to the numerous successes of the Unit.

Want to share how your agency benefits from NW3C Membership? Send your story and comments to [email protected].

Members’ Platform

Ohio Bureau of Workers Compensation – Special Investigations, Columbus, OH (Member Since 1999) Agency Representative - Douglas J. Fisher, Special Agent-in-Charge

The Ohio Bureau of Workers’ Compensation (BWC) is one of the world’s largest single-line insurance carriers. Annually, BWC processes approximately 160,000 claims and pays more than $1.2 billion in lost time and $840 million in health care benefits for the employers and employees of the State of Ohio.

The Special Investigations Department (SID) is the investigative arm of the BWC, responsible for detecting, investigating and prosecuting those individuals or entities who commit crimes against the state insurance fund. SID has a staff of 128 located throughout the state, dedicated to investigations of crimes committed against the state insurance fund. The majority of the staff is comprised of 57 Special Agents and 25 Fraud Analysts. These agents and analysts are assigned to the following specialized units within SID: Health Care Provider, Employer Fraud and Claimant Fraud. SID also has support units: Internal Investigations, Cyber Crime, Security Operations, Safety Violations and Automated Detection and Intelligence. With the additional support SID receives from NW3C resources, the Department closed 2,965 cases during fiscal year 2008. SID referred 314 subjects for criminal prosecution, obtained 102 indictments, and 119 convictions.

The SID Cyber Crime Unit is responsible for the imaging and computer forensic analysis of all computers and electronic data obtained via search warrant or voluntary consent. Recently, SID has seen an increase in the number of investigations involving multiple suspects. The investigation into these suspects involves the review and analysis of large amounts of billing data and financial records which is generated and stored on office computers. The Unit has seen a dramatic increase in seized electronic data as a result of these investigations. Some of our employees have found that the knowledge they obtained at NW3C’s Basic Data Recovery class was instrumental in supporting these types of investigations. This Unit imaged and analyzed more than 150 computers in FY2008, which consisted of more than nine terabytes of data, while also monitoring and investigating more than 50 internal issues per year. The information obtained through NW3C’s databases, records, publications and training has been an invaluable asset in enhancing case intelligence and developing the staff’s knowledge.

Pictured in photo from left to right: Back row: Jason Cook, Special Agent-in-Charge; Scott Fitzgerald, Assistant Director; Patrick Williams, Special Agent; and Josh Grappy, Cyber Crime Analyst. Front row: Scott Lape, Assistant Special Agent-in-Charge; Jeff Adams, Special Agent; David Bentley, Special Agent; Deneen Day, Special Agent; and John Kenney, Special Agent.

Send your agency’s story to [email protected].

Instructor Spotlight

Anthony Frangipane, Criminal Intelligence Analyst Supervisor, Arizona Department of Public Safety

Profile
Specialty – Intelligence Analysis
Classes Taught – Advanced Criminal Intelligence to Prevent Terrorism (ACIAPT), Foundations in Intelligence Analysis (FIAT)

Anthony “Tony” Frangipane is a Criminal Intelligence Analyst Supervisor for the Arizona Department of Public Safety (AZ DPS). Assigned to the Arizona Counter Terrorism Information Center (ACTIC) since it opened in October of 2004, his areas of expertise include southwest border issues, domestic extremism and international terrorism, geographic information systems, critical infrastructure and force protection. Tony currently supervises four strategic analysts in the Criminal Intelligence Strategic Analysis Unit, two tactical analysts assigned to the ACTIC Intelligence Squads and six intelligence research specialists from the Criminal Intelligence Research Unit (CIRU). He also ensures quality control for eight additional tactical analysts from other agencies assigned to ACTIC investigative squads. Before this assignment, he was a Criminal Intelligence Analyst at the Rocky Mountain Information Network (RMIN), one of the six Regional Information Sharing System project sites. He has been with AZ DPS for 10 years and has previously worked in the AZ DPS CIRU and Operational Communications Sections.

Prior to his employment with AZ DPS, Tony served for 15 years in the United States Coast Guard as a Telecommunications Specialist/Radioman. He briefly served in Texas and the Gulf of Mexico before spending the majority of his career in the San Francisco Bay area. While in the Coast Guard, he helped prosecute approximately 1,000 search and rescue cases and coordinated hundreds of law enforcement boardings resulting in the seizure of several vessels for various illegal activities, including fisheries violations, pollution, illegal immigration and narcotics smuggling. His responsibilities have included acting as unit liaison between federal, state and local law enforcement entities as well as classified material and publications control duties. Tony has also served as unit computer systems manager and data systems security officer. He received several decorations including Meritorious Service Awards and the Commandant’s Letter of Commendation.

Tony earned his B.S. in Organizational Sociology from Grand Canyon University and is an Arizona P.O.S.T. certified General Instructor. He is also certified to instruct sworn law enforcement officers in California, Idaho, Indiana, Utah, Nevada, New Mexico and Maine. He taught the RMIN Basic Criminal Intelligence Analysis Course, is an adjunct faculty member for the NW3C Foundations in Intelligence Analysis Training Course, and the NW3C Advanced Criminal Intelligence to Prevent Terrorism Course. He is currently the Arizona representative to the Federal Homeland Security State and Local Intelligence Community of Interest (HSIN SLIC). He is a member of the International Association of Law Enforcement Intelligence Analysts.

Tony has spoken at national conferences including the National Sheriffs’ Association Annual Meeting (2008) and National Fusion Center Conference 2008 and 2009. He has had articles published in the monthly RMIN Bulletin, on the RMIN member Web site and had a special report on international terrorism published for RMIN/RISS member agencies after the 9/11 tragedy. He has received several departmental honors including: 2000 AZ DPS Dispatcher of the Year, 2004 RMIN Analyst of the Year and 2007 AZ DPS/FOP Civilian of the Year, 2007 AZ DPS Director’s Unit Citation (supervisor) and the 2008 AZ DPS Criminal Investigations Squad of the Year (supervisor).

Tony has been married to his wife Barbara for 23 years; they have adopted six children, three girls and three boys aged five to 16. He coaches youth sports (basketball, softball, baseball, football). He is also a Cub Scout den leader, and Cub Scout Pack Cubmaster.

Instructor Spotlight

Herb Scott, Computer Crimes Specialist, NW3C

Profile
Specialty – Computer Crime
Classes Taught – Identifying and Seizing Electronic Evidence (ISEE), Secure Techniques for Onsite Preview (STOP), Basic Data Recovery and Acquisition (BDRA), Intermediate Data Recovery and Acquisition (IDRA) and Linux File Systems for Computer Forensic Examiners (LINUXFS)

Herb Scott joined the NW3C staff on April 1, 2004, bringing with him over 34 years of law enforcement experience and over two years of computer forensic experience.

Herb began his investigative career with the Army Security Agency in 1963, branching out into assignments with other Intelligence agencies. He was trained as a linguist in German and South Vietnamese. After five years in the Army, he worked as a Private Investigator until he joined the Jacksonville, Florida, Police Department/Sheriff’s Office (JSO) in 1970. During his 26 ½ years with the JSO, Herb worked “Mod Squad” details, Patrol Division, Under cover Narcotics, Burglary, Robbery and Homicide. He was the recipient of numerous commendations and citations. He got his associate degree in police science in 1973 from the Florida Junior College in Jacksonville, FL. After retiring from the JSO in 1996, Herb went to work for the St. Mary’s, Georgia Police Department (SMPD), and became the Criminal Investigation Division Commander. While at the SMPD, Herb began investigating computer-related crimes and attended the Seized Computer & Evidence Recovery Specialist course at the Federal Law Enforcement Training Center. Following that course, Herb became the local computer forensics specialist and worked cases involving child molestation, child pornography and fraud. He worked cases for his department and other departments in the same county, as well as a Georgia Bureau of Investigation Special Agent assigned to Coastal Georgia. Cases he worked involved multiple state as well as Federal jurisdictions.

Herb began his teaching career in the 1970’s when he taught audio stress analysis. In the 1980’s he taught self-hypnosis courses in Adult education classes in the public school system, and as a P.O.S.T certified instructor, has taught police officers in both basic and advanced courses.

Fighting Internet Crime

by NW3C Internet Fraud Analysts

Over the last decade, Internet fraud has become one of the fastest-growing crime issues facing today’s law enforcement community. As technology has evolved, so has the criminal element. Nearly all crime that once was committed in person, by mail, or over the telephone can now be committed through the Internet. The perceived anonymity of the Internet and easy access to potential victims empowers criminals who prey on their victims’ sympathy and generosity.

When these victims turn to your agency for help, the Internet Crime Complaint Center (IC3) is your resource for the most up-to-date Internet fraud information.

What is IC3?

IC3, established in 2000, is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA). IC3 has formed additional alliances with industry representatives (online retailers, financial institutions, Internet Service Providers (ISP) and parcel delivery providers) that have substantially increased the flow of IC3’s most valued commodity—information. Working with over 2,500 local, state, federal and international law enforcement agencies, IC3 analysts receive, develop and subsequently refer information for investigative and prosecutorial attention.

Cybercrime and IC3

IC3 was designed to help address all types of cybercrime through its complaint system. Numerous fraud schemes such as identity theft, “phishing,” “spam,” reshipping, auction fraud, payment fraud, counterfeit goods, computer intrusion, online extortion and international money laundering are reported to IC3. In 2008, IC3 received 275,284 complaint submissions - a 33.1% increase from 2007.

Services

To file a complaint, victims are advised to visit the IC3 Web site at www.ic3.gov. IC3 will further research, develop and refer the complaints to law enforcement and/or regulatory agencies for any investigation they deem appropriate.

Agencies with criminal investigative authority may search all complaints received at IC3, create cases, and collaborate with other agencies nationwide through our Internet Complaint Search and Investigation System (ICSIS). To access ICSIS, your agency must be a member of NW3C. Membership is free and open to federal, state, local and international law enforcement; regulatory and prosecution agencies; as well as duly constituted permanent task forces. NW3C also provides support services, which include training, case funding, investigative support and research. Contact www.nw3c.org if you would like more information on membership.

Education and Prevention

It is imperative that potential victims be made aware of cybercrime schemes. Lookstoogoodtobetrue.com is a great resource. The Web site, developed through a partnership with industry, the United States Postal Inspection Service and IC3, provides information on the latest schemes, allows consumers to file complaints, gives victims the opportunity to share experiences online and lets consumers take an interactive test to measure online safety habits.

IC3 also prepares public service announcements on the latest cyber trends in order to alert consumers of Internet fraud. These announcements are posted on the Web sites:

• www.lookstoogoodtobetrue.com
• www.ic3.gov
• www.nw3c.org
• www.fbi.gov

Growing Challenge

With Internet fraud a growing concern, IC3 will guide you through all the steps of fighting Internet crime—from providing the latest information to educate your community, to allowing you the resources to collaborate with agencies across the nation.

12 Informant: July 2009 - December 2009

Reporting Identity Theft
by NW3C Internet Fraud Analysts

A citizen comes into the police department to file a complaint because someone is using her identity for fraudulent activities on the Internet. She wonders what she is supposed to do. Who should she contact? What forms does she need to fill out? How does she get her identity back? These are just some of the questions victims of identity theft have to tackle on a daily basis. Last year, The Internet Crime Complaint Center (IC3) received nearly 7,000 complaints from citizens alleging their identities had been stolen. But the problem becomes much larger in scope when you consider that not every victim of identity theft is aware that there are resources available to report the incident.

Prevention

IC3 has identified numerous ways thieves are able to commit identity theft. To obtain personal information, criminals resort to everything from rummaging through trash to computer hacking. By using the following precautions, citizens can reduce the chance of a stolen identity:

• Only give a Social Security number when it is absolutely necessary. Never carry a Social Security card in a wallet or purse.

• If not essential, destroy any and all documents that contain personal information, such as account statements, old credit cards and receipts.

• Always keep PIN numbers a secret and never write them down. Don’t carry them with the card.

• Install firewall and virus detection software on personal computers.

• Always check credit card statements for any discrepancies.

• Check your credit report yearly for any errors; you are allowed one free credit report each year.

• Have the post office hold mail if going out of town.

• Do not download files or open e-mail attachments from an unknown source.

• Avoid using an automatic log-in feature on the computer.

• Before disposing of an old computer, have the hard drive reformatted to “wipe” or overwrite your hard drive.

To prevent further damages, it is important that identity theft be reported right away and an alert placed on the victim’s credit report. There are many resources available for those who have been a victim of identity theft:

• Contact local police to file a police report.

• File a complaint with IC3 at www.ic3.gov.

• The Federal Trade Commission (FTC) offers an ID theft affidavit that can be obtained by calling 1-877-438-4338 or by visiting www.consumer.gov/idtheft.

• Contact all 3 credit bureaus: Equifax at 1-800-685-1111 or www.equifax.com; Experian at 1-888-397-3742 or www.experian.com; or TransUnion at 1-800-916-8800 or www.transunion.com.

• Contact the Social Security Administration to advise them of the situation.

• Contact all creditors and financial institutions and close all tampered accounts.

During 2008, the IC3 saw many reports of identity theft committed through unsolicited and fraudulent e-mails. From “Please verify your account information” to “I would like to hire you,” there are many different ways a person’s identity can be compromised. Reminding citizens to protect themselves by protecting their personal information will play a key role in combating identity theft.

http://informant.nw3c.org 13

by NW3C Internet Fraud Analysts

A victim arrives at the police department with a fraudulent check… what is this one a result of? Payment for a Craigslist offer? Some girl in Europe wants to be a roommate? A work-at-home scam? An “advance” on a sweepstakes someone supposedly won? Or maybe the lonely hearts scam? No matter which counterfeit check scam is used, it all begins when the authentic-looking check or money order is received, along with a request that cash be sent somewhere in return.

How the Scams Work

According to the Internet Crime Complaint Center (IC3) data, counterfeit cashier’s check scheme targets, among others, individuals that use Internet classified advertisements to sell merchandise. Typically, an interested party located outside the United States contacts the potential victim, who is told that the buyer has an associate in the United States that owes him money. As such, he will have the associate send the seller a cashier’s check for the amount owed to the buyer.

The amount of the check may be thousands of dollars more than the price of the merchandise and the seller is told the excess amount will be used to pay the shipping costs associated with getting the merchandise to his location. The seller is instructed to deposit the check and wire the excess funds back to the buyer or to another associate identified as a shipping agent. In most instances, the money is sent to locations outside the United States, oftentimes Nigeria. When a cashier’s check is used, a bank will typically release the funds immediately, or after a one- or two-day hold. Falsely believing the check has cleared, the seller wires the money as instructed.

In some cases, the buyer is able to convince the seller that some unforeseen circumstance has arisen that necessitates the cancellation of the sale. The victim is then tricked into sending the remainder of the money. Shortly thereafter, the victim’s bank notifies them that the check was fraudulent and the bank is holding the victim responsible for the full amount of the check.

Internet users need to be aware of the following indications of a counterfeit check scam:

• Someone wants to purchase an item by sending a check or money order for more than the asking price.

• Online acquaintances, often met through matchmaking Web sites, ask would-be victims to cash a check or money order.

• An “employer” asks the “target” to deposit checks or money orders into his account or open a new account as part of the job requirement, making the “employee” liable for the counterfeit checks that get deposited.

• “Target” gets an “advance” on the millions that are going to be received from a sweepstakes, lottery or inheritance.

• The check comes via UPS or Fed Ex.

People have the misconception that checks and money orders are essentially the same as cash, but they need to remember that these items are only as reliable as the person sending them. The fact is there is no justifiable reason why anyone would send a check or money order and request money be wired anywhere in return.

Validating the Check

Look at the routing numbers at the bottom of a check to see if they appear blurry or printed in a fat dull type. If so, then the check is a fake. Water marking, logos, etc. can all be fabricated. Routing numbers cannot be reproduced.

Call the bank issuing the check using a local phone number to verify the check’s validity. Do not use the phone number provided on the check as it can also be a part of the scam.

Verify any business name that is on the check. Contact the Better Business Bureau and state Attorney General’s office. Also, contact the business directly to have them verify it. A check scam may involve the use of checks stolen from a legitimate business.

Reporting

Victims who have been targeted or have been scammed need to report it to the following agencies:

• IC3 at www.ic3.gov

• The Federal Trade Commission at www.ftc.gov or 1-877-382-4357

• The U.S. Postal Inspection Service or the local post office

• State Attorney General’s office or local consumer protection agencies

• For additional information on warning signs and prevention, visit www.fakechecks.org.

Criminals are becoming more sophisticated each day and one of the best ways to fight back is to learn how not to become a victim. As the saying goes, if it sounds too good to be true, it probably is.

CY-FI: The Future of Cyber Forensics

Topic This Issue: Accreditation & Certification & Standards! Oh My!
by Dr. Marcus K. Rogers CISSP, CCCI, Cyber Forensics Program, Department of Computer & Information Technology, Purdue University

I apologize upfront for the twisting of the famous line by Dorothy in the Wizard of Oz, but I could not really think of a more appropriate title given the subject of this column. Despite my assertions in the last column that I would talk more in depth about law enforcement training in this current column, I feel that we need to preface that discussion with a somewhat related topic. I promise to address law enforcement training in more depth next time...honestly. After speaking with law enforcement throughout the U.S. in the past few months, it would seem that we are spending an inordinate amount of our precious time and effort worrying about, and attempting to become either accredited (in the case of laboratories), or certified to develop and/or follow some universal standard.

Computer forensics, digital evidence investigations or digital and multimedia sciences (the term used by the American Academy of Forensic Sciences) is currently in what historians of science would term the confused initial period. This phase is marked by the desire to achieve some universally accepted scientific method or standard, and for the scientific and practitioner community to begin to harmonize on the basic elements that define the field. In our case, these basics would seem to include accredited laboratories, certified investigators/technicians and formal methods for testing and validating tools and technologies. The powers that be (e.g., the National Academy of Science, National Institute of Justice) are either endorsing or moving full steam ahead with laboratory accreditations, the development of these standards, and some funding in order to develop independent and formal validation and testing methods for the so-called industry tools.

While on the surface the rush towards these activities is laudable, we need to step back and ensure that we understand that maturing a scientific field is a dynamic and long-term process. There is a very real danger that these initial steps, while necessary, are far from sufficient to ensure the long-term validity/credibility of our discipline. The costs of any of the activities that I have listed are not insignificant; this in and of itself could result in this becoming a “one off project” that would ultimately be detrimental to the end goal that we all have. It is also very unrealistic to believe that we’ll ever have one truly universal standard or certification in a field like ours that is remarkably heterogeneous in not only the technology that is involved, but also the various legal systems that we encounter.

As the title for this column denotes, it is very easy to become distracted and/or overwhelmed by the sheer scope of change that we will likely see in the coming years. What we cannot lose sight of is the fact that we will never truly arrive at a point where we can say “now we are done.” Like it or not this is not about a final destination but is truly about the journey. So next time you feel that this is a never ending process of accreditation, certification and standards, take heart in knowing that in fact you are correct, it truly is a never-ending journey.

References

1. NAS Report on Forensic Science: http://www.nap.edu/catalog.php?record_id=12589

2. Digital Forensics Certification Board: http://www.dfcb.org

3. Scientific Working Group on Digital Evidence: http://www.swgde.org

Historic Partnership Ushers in New Era of Cyber Forensics
by Craig Butterworth, Communications Specialist, NW3C & Samantha McManus, Communications Manager, Microsoft

On-the-scene officers don’t have to be computer experts to gather important evidence anymore. Through the use of a single, simple USB device which requires minimal training, they can gather important evidence of “live” computer activity that would otherwise be lost in a traditional offline setting.

Microsoft and the National White Collar Crime Center (NW3C) - the nation’s premier provider of economic and high-tech crime training to law enforcement - have entered into an agreement that establishes NW3C as the first US-based distributor of the Computer Online Forensic Evidence Extractor (COFEE). This agreement will make COFEE available to law enforcement agencies at no charge so they can better combat the growing and increasingly complex ways that criminals use the Internet to commit crimes.

This distribution agreement broadens availability for law enforcement agencies, building on Microsoft’s April 2009 distribution agreement with INTERPOL, which is making the COFEE tool available to law enforcement in each of its 187 member countries worldwide.

One of the biggest challenges facing cybercrime investigators today is the ability to conduct forensic analysis of a computer before it is turned off at the scene and restarted at the lab. Live evidence, such as some active system processes and network data, is volatile and may be lost while a computer is turning off. This evidence may contain information that could assist in the investigation and prosecution of a crime. COFEE uses common digital forensics tools to help first responders, who’ve had little or no previous training, collect such evidence in a reliable and cost-effective method that meets accepted forensic standards.

“By making COFEE widely available to U.S. law enforcement, Microsoft and NW3C are helping to put standardized, cyber forensic tools into the hands of the investigators who need them,” said Tim Cranton, Associate General Counsel, Worldwide Internet Safety Enforcement Programs at Microsoft.

“The COFEE distribution agreement will be of enormous benefit to U.S. law enforcement agencies dealing with technologically-sophisticated cyber criminals. NW3C is very pleased to partner with Microsoft in making this tool available and contributing to the fight against cybercrime,” said NW3C Director Don Brackman.

COFEE has gone through an extensive vetting process, having been validated by experts at the University of Florida, the University of Dublin and NW3C. Reports detailing the validation process will be available to member agencies via the NW3C Members Web site.

Dean Chatfield, Computer Crimes Section Supervisor at NW3C, says COFEE will allow on-scene investigators to collect information from RAM which was previously lost during the normal seizure of a computer system.

How To Get It

(Note: distribution of COFEE is limited to law enforcement only)

COFEE is now available to NW3C member agencies for immediate download from the members’ Web site. Law enforcement agencies that have a leo.gov or a riss.net e-mail address will also have immediate access to the software. Agencies who are not NW3C members or who do not have a leo.gov or riss.net e-mail will be required to fill out a registration form and fax credentials on department letterhead to NW3C. Once the credentials have been verified, access to COFEE will be granted. To request a registration form, contact [email protected].

Technical Support

As with any new tool or device, questions will arise regarding COFEE’s functionality and capabilities. NW3C staffers are fully prepared for this eventuality and will be available to provide a full network of support. Chatfield sums it up this way, “No cop will have to stand alone!”

*COFEE Inquiries should be directed to [email protected]

NW3C Analysts Recognized for Helping Take Down Florida-Based ID Theft Ring

National White Collar Crime Center (NW3C) Enforcement Analysts Kathryn Malbon Rinker (far left) and Keisha Ruble (center) were each presented with a 2009 Law Enforcement Public Service Award by acting U.S. Attorney Dana Boente (not pictured), Richmond Division, Eastern District of Virginia.

Members of the so-called “felony lane gang” engaged in fraudulent transactions using stolen driver’s licenses and checks at bank drive-throughs around the southeast. Total losses exceeded $370,000 and the identities of more than 200 people were stolen.

The conspirators recruited females to conduct the transactions while wearing wigs and sunglasses. To avoid detection, the checks were always negotiated in the farthest lane from the teller, which the conspirators themselves referred to as “felony lane.” NW3C was asked to assist in the investigation by analyzing thousands of cell phone records. Ultimately, six defendants pleaded guilty to charges of conspiracy to commit bank fraud and aggravated identity theft. The two lead defendants were sentenced to more than 100 months in prison.

Assistant U.S. Attorney Laura Colombell Marshall (pictured far right) who prosecuted the case, called NW3C “a very good resource for law enforcement.”

Nearly 150 people attended the awards ceremony which was held at the U.S. Attorney’s Office in Richmond, VA.

Photo: Enforcement Analysts Kathryn Malbon Rinker and Keisha Ruble with Assistant U.S. Attorney Laura Colombell Marshall.


Glen Gainer: Financial Watchdog

by John Dahlia, West Virginia Executive Magazine

Say the word “auditor” and immediately images of a quiet, calculating person come to mind. But in West Virginia, the state auditor is far from what you might expect.

Glen Gainer is West Virginia’s 19th Auditor. Behind Gainer’s dispassionate, almost cautious demeanor is a man who is anxious to explain what he thinks the West Virginia Auditor’s office is all about. “We are kind of like the state’s financial independent watchdog,” said Gainer.

Gainer, elected in November 1992 at age 32, was re-elected November 1996, 2000, 2004 and this past November. Quiet and steady, he has remained the state’s financial watchdog, as he calls it, almost as long as Harrison County’s Edgar B. Simms. Simms was elected in 1932 and held the office for 24 years or seven terms.

“I don’t think I’ll be in office as long as he was,” Gainer laughed.

Like Simms and the auditors before and after him, Gainer serves as the state’s official bookkeeper, Chief Inspector and Supervisor over Public Offices, Securities Commissioner, and Commissioner of Delinquent and Non-entered Lands. He also holds another, unexpected title. He’s the host of the monthly cable television program the “State Dollar.”

“We began the show to educate the public about the duties and functions of the Auditor’s Office, its divisions and their interactions with other entities,” explained Gainer.

The program, which runs on various cable-television outlets across the state, includes exclusive interviews with various federal, state and local leaders on current news and events affecting West Virginians. Auditor Gainer kicked off 2009 with a special show interviewing West Virginia House of Delegates Speaker Rick Thompson.

“The one job the Legislature has to do on a consistent basis is keep the public informed on key issues,” said Thompson, a Democrat from Wayne County. “The State Dollar does just that.”

“Where They Bring You Up to do, Just Like Your Daddy Done…”

In the Bruce Springsteen song, “The River,” the solemn lyrics tell a story of a young man who, for whatever reason, is brought up to work where his father did. For Gainer, those haunting words ring true. He’s a second-generation West Virginia Auditor, elected the same year his father, Glen Gainer Jr., stepped down after serving 16 years.

“My father had a stellar reputation as auditor,” Gainer said. “He stood for what he thought was right regardless of politics.”

But there were key differences between father and son. Gainer Jr.’s management style focused on “chain of command” where issues and problems percolate from the bottom to the top.

“I’m a team manager,” Gainer said. “I believe in bringing as many people to the table who have a vested interest.”

So Gainer, the son, came into an office where change was not something most folks embraced. Clearly, the existing staff under his father expected the son to continue on at the same level. Instead, as Gainer recalls, he turned everything “upside down.”

“I needed to let people know there was a new sheriff in town,” Gainer said. “Everything was open for discussion, even long-standing policies this office may have held to.”

Customer First, Auditor Second

He came into office with a unique perspective. Prior to being elected, he worked in the private and public sectors.

His government work included four years in the State Treasurer’s office and three years in what then was called the Department of Energy.

“I came in after being on the user’s side of the Auditors Office,” he said. “So coming in the door I had already developed distinct, stark areas that needed to be addressed.”

Those areas: customer service and process service/technology.

Almost out of the box, Auditor Gainer, with an old fashioned horse sense approach, created what he calls Audit Groups mainly from the inconsistent service he had experienced.

“I’d send a payment in seven times with no problems,” he explained. “But on the eighth time it was rejected.”

Staff simply parceled out the work using hand-written “cheat sheet” Post-it notes stuck to desk lamps like multi-colored trees on desks throughout the office.

“No,” he recalled, “we’re going to do away with that. The policies are going to be the same for everyone. We are going to have audit groups so that people who do, for example, Department of Transportation pre-auditing are the only people who are going to do Department of Transportation pre-audit.”

Next on the list: process and technology. At the time, no state agency or office utilized scanning or imaging technology. Mountains of paper filling closets, file cabinets and entire buildings choked the state’s ability to run efficiently. The Auditor’s office, like the rest of the state, continued to file paper contracts and other documents in giant-sized cabinets.

“We imaged all those contracts so that every auditor had access to those contracts at the same time,” he said. “When I looked at replacing 26 file cabinets with one big server, it was a no brainer.”

Today, Gainer’s paperless or imaging initiative has taken off. Thanks in part to House Bill 2708 and Senate Bill 342, written by Gainer, agencies across the state are now submitting invoices and other information electronically instead of through the mail.

The Process Trendsetter

“The safety in government has always been we do the same thing the same way forever,” Gainer said. “The heck with that! Let’s look at how we can do it better and more efficiently.”

These are tough words but words Glen Gainer tried to live by each year in office. During his first term and beyond he looked at creative ways to improve the process. He re-invented the annual Payment Processing Seminar and named it the “State Auditor’s Conference” bringing everyone who works with his office together in hopes of improving the process.

“That meeting gives me the opportunity to get feedback and new ideas,” Gainer said.

And those new ideas resulted in the pilot and testing of different business processes, some of which are in effect today. All of this comes from a group of people Gainer says used to hate the State Auditor’s office.

But by far Gainer’s biggest legacy is his creation of the Purchase Card system.

“This was an area where we really led the nation,” he said. “We were first to have cards issued to every agency in the state.”

The West Virginia State Purchasing Card Program was implemented in 1996. Gainer said he saw the need for a process that would create more accountability for purchases, improve relations with vendors and, ultimately, save the state millions through cost avoidance.

“So now,” he said, “nearly half of all the state’s purchases are made on the purchasing card. And every time you use the card you save anywhere between $50 and $200 because it’s more efficient.”

Aside from the savings and as Gainer calls it, a “process improvement,” the P-Card also became a new tool to be used when disaster strikes.

“There are about 1,000 purchase cards we can turn on the second the Governor declares a state of emergency,” he said. “That now allows our first responders to meet the needs of the people immediately.”

Accountability is the Future

Don’t ask Glen Gainer where he’ll be in five or 10 years. He brushes off any future political aspirations. Instead, he’d rather talk about a goal to make all of West Virginia government transparent.

“People should have an easy way at looking at how every dime of their taxpayer money is spent and they should be able to do it right on their PC at home,” he said. “When it comes to state money, folks should be able to point and click.”

A passionate believer in a checks and balance system, he says transparency will truly protect government from itself.

And like it or not, Gainer’s office posts all state employee salaries on his Web site.

“It’s a bitter pill to swallow,” Gainer explained. “But transparency is the only way government can protect itself from itself.”

**Article was reprinted from The West Virginia Executive Magazine.

http://informant.nw3c.org 19 More and more we entrust every detail of our lives to computers, PDAs and cell phones. These devices collect and store large amounts of personal data, a valuable tool for users to organize their private and business affairs. For law enforcement, these devices can be a valuable tool in the investigation of illegal activities.

Apple® computers and portable devices are more popular than ever. Using the OS and OS X operating system, new users are attracted to a seemingly virus-free online experience. As these computers continue to sell in record numbers, law enforcement must become familiar with the Mac® OS X and its file system.

The following articles discuss the differences between Mac® and Windows®, and introduce the basic methods to forensically examine and locate evidence from the OS X operating system.

20 Informant: July 2009 - December 2009 http://informant.nw3c.org 21 Apples to Oranges Comparing the Mac® OS X Property List to the Windows® Registry by dennis Browning, Champlain College Center for Digital Investigations n today’s world, Macintosh® (Mac) computers are becoming Ivery popular. For this reason, it is important for forensic examiners to understand where they can find similar information in Mac® OS X as they would find in Windows®. Property Lists are very similar to that of the Windows® Registry. These files contain information that can make or break a case. This article will compare the Mac® version to the Registry entries found in Windows®. First, it is important to know what a Property List (plist) actually is, and the type of information that can be stored within them. Apple® Developers describe the plist as follows, “property lists Figure 2: Plist Editor Pro organize data into named values and lists of values using several object types. These types give you the means to produce data that Examination Tools is meaningfully structured, transportable, storable and accessible, There are many different tools available to forensic examiners but still as efficient as possible” (Property List Programming to use for plist examinations. The tools used in this paper to Topics, 2008). Plists can be considered the “registry” for Mac® analyze and parse through the plist files are Fat Cat Software’s OS X. The information contained within these files is different Plist Edit Pro and Echo One’s File Juicer. Both Plist EditPro for each program on the system. Each contains the settings for and File Juicer have a free trial available online. Both software the program, which calls the plist. Similar to Windows® Registry products were used for the purpose of this article. Both entries, if you change any value set in the file, the program will run programs were fully functional during the time of use. differently. It should be noted that plists are not a Mac® OS X item. 
They are actually found within Linux and Unix® distributions. Plist Examination Structure of Property List In most cases, data is only written to plists on the initial install of a program or when Mac® OS X is first installed. In all other Plists can take one of three different formats. The most recent, and cases plists are written each time a program is run. For the more common, format is the XML format. This format is more purpose of this article, the plists that are being looked at are portable than that of the alternatives and can be edited manually updated each time they are used. We will be looking at plist where the other two options are not. The other two formats are files related to the following: autorun locations, recent items, binary and ASCII. Binary formats are still used today but, one will wireless networks, mounted devices, Internet history, and rarely find an ASCII formatted plist. Binary formatted plists will installed programs, as they relate to their Mac® OS X equivalent perform faster if the plist is a large collection of data. Figure 1 below locations, and how they compare to Windows® registry. shows the XML formatted plist viewed using the program TextEdit, which comes installed on all Mac’s®. It is obviously very hard to read Windows® vs. Mac®: Round 1 – Autorun Locations in this format. If you were to open this same file in a plist editor one can clearly see the structure of the file better as seen in Figure 2. Windows® Mac® OS X For the most part, when a If one wants to have a program program is installed, the start on login/boot, they must program has a default setting tell the program to do so. of starting during the boot up process.

Autorun locations most commonly refer to the programs that automatically start or run when the computer is turned on. This is also similar for Mac®. On a Mac®, the location of this information is in the loginitems.plist. It would be beneficial for examiners to look at the startup items, as it would be proof that the user of that Mac intended for the program to start on Figure 1: TextEdit 22 Informant: July 2009 - December 2009 login/boot. The loginitems.plist can be found in the following location: /user/Library/Preferences/com.apple.loginitems.plist. Windows® vs. Mac®: Round 2 – Recent Items

Windows®: The registry contains entries for the Most Recently Used (MRU) list and UserAssist. The MRU is a list of recent programs and files accessed. MRUs are similar to the history that one can view in an Internet browser: the sites that have been most recently visited are kept in a list for the user to go back to if needed.

Mac® OS X: For the Mac® environment, these lists are more limited. By default, Mac® OS X keeps track of the last 10 recently accessed files. Within the settings for each section, a user can increase or decrease the number of records that are kept.

The information that can be found in the Mac® plist is only available as long as it is one of the last items opened in its respective section. However, it can be beneficial for an examiner if the user has only connected to a select few hosts.

Windows® vs. Mac®: Round 3 – Wireless Networks

Windows®: In the Windows® Registry, SSIDs are stored in one key, and the settings, such as the IP address, subnet mask and other information about a particular network, are stored in another key.

Mac® OS X: This is similar on a Mac®. By using the two files together (listed below), an examiner can see the last date that the computer was connected to that network by looking at com.apple.airport.preferences.plist.

In a forensic investigation, being able to determine if a suspect's computer was connected to a wireless network could be of evidentiary value. The SSID, or service set identifier, is recorded for all wireless networks that are added to the user's preferred network connections. This can include connections to Wi-Fi hotspots. The two important plists to look at can be found at the following locations: /hd/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist and /hd/Library/Preferences/SystemConfiguration/com.apple.network.identification.plist. For example, Figure 3a shows the SSID of "3dd". Also, you can see that the security type and password are shown. The password is hashed.

Figure 3a: com.apple.airport.preferences.plist

Once the examiner has the timestamp found in the Airport Preferences plist, they can then go to the Network Identification plist. In there, they will find the corresponding date on an entry to find out more information about the network, including: DNS servers, IP address, the interface used (wired or wireless), subnet mask and router IP. Figures 3b-3d show the information.

Figure 3b: Timestamp match to Figure 3a
Figure 3c: DNS servers connected to
Figure 3d: IP address obtained, router IP and subnet mask

Based on the above information, an examiner can determine if or when a suspect was connected to a network. An examiner can use the DNS servers to find out the Internet Service Provider (ISP) through which the suspect connected to the Internet. Many ISPs keep a record of the hardware address that is obtaining an IP address from them. By getting a subpoena, an examiner can get log histories for the owner of the network.

Windows® vs. Mac®: Round 4 – Mounted Devices

Windows®: In Windows®, the serial number for the USB device is recorded, making it easier to prove that a certain USB device was connected to the suspect's computer.

Mac® OS X: Mac® does not record the serial number of the device, but Mac® does record that a USB device was connected to a machine.

USB devices and other mounted devices, such as CD/DVD installers, are almost an everyday occurrence now. Some USB devices don't have a serial number, so a random string is created in place of the serial number. On the Mac®, the plist /user/Library/Preferences/com.apple.finder.plist shows all devices, whether a USB device, image, CD, DVD or iPod, that were connected to the computer while logged in as a certain user. In this plist, the location where the Finder opened the item is recorded under the FXDesktopVolumesPositions key. The Finder is Mac's® version of Explorer in Windows®. If a USB device or CD has a unique name, this plist is useful to show that at some point the device was mounted on the suspect's computer.

In today's music-loving world, many people now have some form of MP3 player. With the advancement of technology, criminals are starting to hide information on iPods. On the Mac®, the following plist can be informative to an examiner: /user/Library/Preferences/com.apple.iPod.plist. With this file, the examiner can verify if an iPod has been connected to that computer. In Figure 4, you can see that an iPod has been connected to the computer.

Figure 4: iPod information, /user/Library/Preferences/com.apple.iPod.plist

With the information found in the above plist, an examiner can check the serial number of an iPod to see if it has been connected. If, in a case, a suspect states that they do not have an iPod, this file can show that an iPod has been used. The connected date shown above shows the last date the iPod was in use on the suspect's computer. The examiner can also prove how many times the iPod has been connected to that computer by the use count variable shown above.

Windows® vs. Mac®: Round 5 – Internet History

Windows®: Internet Explorer is the native Internet browser. The Internet Explorer Registry key has three subkeys, which include: main, typed URLs and download directory. In Internet Explorer, temporary Internet files are stored as cache files.

Mac® OS X: Safari is the native Internet browser. Mac® has a similar setup. Plists related to browsing history, download history and cookies each have their own location. Safari is similar. These files are located in /user/Library/Caches/Safari. Using File Juicer, an examiner can view the contents of the cache files.

When looking at alternative Web browsers, such as , Opera and Netscape, on a Windows® machine, the information is recorded differently. On a Mac®, this is similar. Since Firefox is not the native browser, information is stored differently. This folder can be found at /user/Library/Application Support/Firefox/Profiles. An examiner can take the profile folder and run it through File Juicer. File Juicer will again parse through all the files and provide the examiner with a folder with items in their respective folders. One difference here is that when a user tells Firefox 2.0 or higher to clear its history, caches, etc., the typed URLs are not cleared. A list of these URLs can be found in File Juicer's subfolder named URLs. If an examiner looks at the HTML page created, they will see a list of all URLs for which the enter key has been hit.

Windows® vs. Mac®: Round 6 – Applications

Windows®: In Windows®, the folder is usually created in the Program Files folder, and contains executable and other important files. For the most part, when a user uninstalls a program, all files and folders related to that program are subsequently deleted as well.

Mac® OS X: On a Mac®, the executable files are placed in the Applications folder, and all other important files needed to run the program are placed in the Application Support folder found at /user/Library/. When a user uninstalls or deletes a program, all they are doing is removing the executable files from the Applications folder. The Application Support folder will still contain all of the files associated with that program.

Similar to the Windows® world, when a user installs a program, a folder is then created for that piece of software. The examiner can go in and see what programs have been installed on the machine even if the program has been deleted. Just to show some of the information that can be found in the Application Support folder, we will take a look at the folder for the program Adium. Figure 5a shows the Adium folder.
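Two of the plists named in Rounds 4 and 5, com.apple.iPod.plist and Safari's History.plist, can be read without any commercial tool. The example below is added here and is not code from the article or from File Juicer; it uses Python's standard plistlib, and the plist contents are constructed samples. The key layout it assumes (Devices keyed by serial with Connected and Use Count; WebHistoryDates entries with the URL under an empty key, lastVisitedDate as a Cocoa absolute-time string and visitCount) is an assumption drawn from Leopard-era files and should be checked against the real files from the target. The one thing worth learning from it is the date handling: Safari's lastVisitedDate counts seconds from 2001, not 1970.

```python
"""Added example (not code from the article): read two of the plists named
above with Python's standard plistlib and pull out the fields an examiner
looks for. The plist contents are constructed samples; the key layout
(Devices -> serial -> Connected / Use Count in com.apple.iPod.plist, and
WebHistoryDates entries keyed "" / lastVisitedDate / visitCount in Safari's
History.plist) is an assumption based on Leopard-era files and should be
checked against the real files from the target."""
import plistlib
from datetime import datetime, timedelta, timezone

# Safari stores lastVisitedDate as Cocoa "absolute time": seconds since
# 2001-01-01 00:00:00 UTC, not the UNIX 1970 epoch. Getting this wrong
# shifts every visit by 31 years.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample standing in for /user/Library/Preferences/com.apple.iPod.plist
IPOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Devices</key>
  <dict>
    <key>000A27001234ABCD</key>
    <dict>
      <key>Connected</key><date>2009-03-14T18:22:05Z</date>
      <key>Use Count</key><integer>7</integer>
      <key>Family ID</key><integer>1001</integer>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed sample standing in for /user/Library/Safari/History.plist
HISTORY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://example.com/login</string>
      <key>lastVisitedDate</key><string>258000000.5</string>
      <key>title</key><string>Example login</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
  </array>
</dict></plist>
"""


def ipod_devices(data):
    """Return [(serial, last connected as ISO UTC, use count)] per device."""
    root = plistlib.loads(data)
    rows = []
    for serial, info in root.get("Devices", {}).items():
        connected = info.get("Connected")          # plistlib gives a naive UTC datetime
        when = connected.strftime("%Y-%m-%dT%H:%M:%SZ") if connected else None
        rows.append((serial, when, int(info.get("Use Count", 0))))
    return rows


def cocoa_to_utc(seconds):
    """Convert a Cocoa absolute-time string/number to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=float(seconds))


def safari_history(data):
    """Return [(url, visit count, last visit as 'YYYY-MM-DD HH:MM:SS UTC')]."""
    root = plistlib.loads(data)
    rows = []
    for entry in root.get("WebHistoryDates", []):
        last = cocoa_to_utc(entry["lastVisitedDate"])
        rows.append((entry.get(""), int(entry.get("visitCount", 0)),
                     last.strftime("%Y-%m-%d %H:%M:%S UTC")))
    return rows


if __name__ == "__main__":
    for row in ipod_devices(IPOD_PLIST):
        print("iPod  ", row)
    for row in safari_history(HISTORY_PLIST):
        print("Safari", row)
```

plistlib reads binary plists with the same call, so the functions work unchanged on a file pulled from an image; the constructed samples are XML only so they are readable on the page.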

File Juicer, a software program that is used to extract images, video, audio and text from files, can create a Web page that contains all images found in the Safari cache. This program makes it easier for an examiner to parse through potential evidence. Another great place to look for evidence is the browser history. The plist found at /user/Library/Safari/History.plist provides an examiner with the Safari browser history. From the information found in this entry, an examiner can tell which sites the user visited and how many times, as well as the date and time the sites were accessed. In Safari 3.2.1, similar to Internet Explorer 7, users can now clear all cookies, download history, cache and all the great information examiners look for. If the user does this, the above plists get cleared and are of no use to an examiner.

Figure 5a: Adium Application Folder

An examiner should be interested in the user names that are associated with an instant messaging program like Adium. When the Users folder is opened, the default user is the only one listed. When that folder is opened, an examiner has access to all of the settings and accounts that have been set up. Figure 5b shows the account setup under the default user account.


Figure 5b: AIM user account

With the program Adium, a user can set up accounts for Facebook, MSN, Jabber, Yahoo and many others. If a user has set up multiple accounts, they would all be listed in the account.plist.

Within this user's folder, there is another folder for logs. This log folder contains chat logs for every screen name the user has talked to. The chat logs are formatted as XML files. An examiner can use these logs to see the time and date of when a message was sent. Also, by looking at the above figure, the examiner can see the user who sent the message and if the user has set up an alias for the screen name they are talking to.

With the growing popularity of Mac® in today's technological world, it is important that forensic examiners have knowledge of the location of potential evidentiary information on a Mac®. Having a basic knowledge of the Mac® OS X file structure and Linux file structure will only help an examiner comprehend what they are looking at. By knowing where the information is and how to interpret that information, an examiner can be confident when going into an investigation that involves a Mac®.
The files discussed in this article are only a few of the many possible evidentiary locations that an examiner should look at.

Reprinted with permission from Dennis Browning. The white paper that this article is based on is available in its entirety at http://forensicfocus.com/apple-mac-os-x-property-list.

About the Author
Dennis Browning received his B.S. degree in Computer & Digital Forensics from Champlain College in May 2009 and currently works in the Information Technology Department at Fletcher Allen Health Care in Burlington, Vermont.


The Art of Incident Response
by Al Lewis, Director of Forensic Development & Services, MacForensicsLab Inc.

Law enforcement officers seek to locate the proverbial "smoking gun" as a means to close each investigation. The "smoking gun" is the one item that proves, without a doubt, the party responsible for the crime. In the cyber world, the computer is analogous to the gun. Therefore, forensic examiners have naturally focused their considerable skills on possessing the computer, rather than capturing the data. In doing so, these examiners taught the necessity of "pulling the plug" on the computer to minimize altering any potential evidence. Pulling the plug is no longer a sustainable preference. In fact, given the modern threat environment, pulling the plug on a running system that is not actively destroying data borders on malfeasance. The data that is lost when pulling the plug can be the difference between catching the criminal or having him walk free. The "gun", or computer in this case, may not contain any "bullets" once the power is off, so catching the "smoke" (volatile data) may be the only way to identify exactly what was occurring during the crime. In today's investigations, the "smoke" is often more important than the gun. This is the art of incident response, and when done correctly, the "smoke" may end up blowing right back into the criminal's face.

By understanding the threat environment, defining and identifying the characteristics of incident response and discussing appropriate response strategies, this article will demonstrate that appropriate incident response is vital to modern investigations. In essence, this article will discuss how to catch the smoke from a gun.

The Threat Environment

The combination of complex communication networks, anti-forensic tools, encryption and criminals willing to do anything to avoid capture defines the modern threat environment. Indeed, the ability of these criminals to hide their nefarious acts has never been greater, making incident response more important than ever.

Definition of Incident Response

It has become apparent, given the threat environment, that the accepted forensic process of "pulling the plug" has become increasingly damaging to the investigation. Therefore it is important to clearly define what constitutes incident response. For the purpose of this article, incident response is defined as those actions taken on a running computer to stop destructive activity, obtain volatile information and prepare it for further forensic examination.

Characteristics of Incident Response

Incident response is characterized by a dynamic environment that requires a higher level of skill to successfully negotiate and, given the ever diminishing nature of the data concerned, presents the best chance of obtaining data critical to the investigation. Furthermore, the proliferation of computing technologies has made it impossible for only highly trained computer forensic examiners to respond to every digital crime scene; as a result, the responder is often under-trained for the mission.

The Scene

Law enforcement officers will face three possible scenarios during their duties: the computer is running, the computer is in a suspended state or the computer is off. Furthermore, there are categories defining the state of the running computer: the computer is performing intentionally destructive activity, the computer is performing unintentionally destructive activity or the computer is running normally. There are additional considerations for law enforcement officers, including encryption, remote shares, networked devices, wireless access points, alias commands and booby traps. All these considerations combine to make the scene a complex and uncertain environment for the responder.

Response Strategies

General. It is imperative that some form of incident response be performed on-scene whenever there is a running computer. As such, broad guidelines can be established. Assuming officer safety has been accounted for, the on-scene assessment must be made to determine the necessary course of action. This is similar to emergency medical personnel arriving at the scene of an accident. The medical personnel use the "ABC" (airway, breathing and circulation) acronym to assess injuries and establish priorities of work. In a digital crime scene, the priority of work is focused on preserving potential evidence. By following the acronym "STU", responders to the digital crime scene now have an approach to effectively control the situation – stop destructive activity, take volatile data and unplug the system for removal to a lab for further analysis.

The actions the responder takes to stop the destructive activity depend on the type of activity taking place. If the destruction is intentional, the only viable option may be to pull the plug on the system. If the destructive activity is unintentional, it may be as simple as stopping a running process, removing a network cable or even removing liquid spilled on the computer. Once the destructive activity has been stopped, and if the computer is still running, the responder has a chance to capture the volatile data.

Capturing volatile data on a system can be accomplished manually or through automated tools. By comparison, manually capturing volatile data represents a much higher risk, as it is prone to typing and user errors, it has a greater effect on the digital crime scene and it takes substantially longer to perform. Automated tools provide the best chance for successfully capturing volatile data in the digital crime scene. The best example of an automated incident response tool is MacLockPick. For additional details concerning MacLockPick visit http://www.MacForensicsLab.com.

It should be made clear that while the volatile data is extremely important, it may not provide a complete picture of the digital crime scene. As such, the computer must be unplugged and moved to a forensic laboratory for detailed analysis.

Responding to the Live Macintosh® Computer

As previously mentioned, there are commonalities regardless of operating system when responding to running computers. However, the differences can be enough to stop an investigation dead in its tracks. There are several features to consider when approaching a Macintosh® computer: the keychain, FileVault, the kernel and disk arbitration.

The Keychain.

Macintosh® computers take a centralized approach to password management. Passwords are managed through a "keychain." A user can have an unlimited number of keys. The keychain "login" is the default and as such opens upon user login. Furthermore, the keychain remains unlocked while the user is logged in, granting access to all keys in the keychain. These default settings must be explicitly changed by the user. The ability to access the keychain and all subsequent passwords is one of the primary goals of responders to a Macintosh® system.

FileVault.

Macintosh® computers running Mac OS X can turn on FileVault. FileVault is a program that encrypts a user's home folder using 128-bit encryption. By default all data generated by a particular user is stored in their user folder. Once FileVault is enabled it requires a master password to be set for the user. The master password allows the user to unlock the FileVault container, which is seen only as a sparse image. If the Macintosh® is running FileVault and the responder pulls the power on the computer without knowing the password, the user folder will become completely inaccessible to the forensic examiner.

The Kernel.

Mac OS X is a fully compliant UNIX® operating system. As such, there are a myriad of processes, logs and scripts that are running at any given time. Furthermore, the responder has access to these directly through the built-in Terminal application. It is important to appreciate that UNIX® systems have scheduled maintenance operations controlled by cron and that these operations can inadvertently destroy data that may be of consequence in an investigation. Therefore, timely response to the system is paramount. Additionally, Mac OS X has a wide variety of logs containing critical information pertaining to the system, networks, connections and more. The default shell for Mac OS X (10.4 and higher) is bash. In previous versions of Mac OS X the default shell is tcsh. The default shell is important to the responder that uses the Terminal application to gather critical data, as each shell has its own set of commands and capabilities.

Disk Arbitration

The Disk Arbitration service is run by the Disk Arbitration Daemon. This daemon attempts to automatically mount any device attached to the computer. By default all devices mounted by the Disk Arbitration Daemon are mounted onto the Desktop. As a responder, it is vital to observe the Desktop for any devices that might be mounted there. It is important to remember that any device the responder attempts to connect to the system will be mounted unless the Disk Arbitration Daemon issue is adequately addressed. The responder may choose to ignore Disk Arbitration, allowing it to run as designed.

These Mac-specific features provide the responder powerful tools to perform a manual analysis and allow the automated tools to perform an in-depth data capture. Regardless of these unique features, the responder should still follow the STU process, as it is operating system and environment neutral.

As the world of technology continues to alter society, the digital crime scene bends with it. The increasingly complex communications networks and remote storage have made the process of locating and preserving data challenging. Specifically, the type, location and state of data have made the art of incident response arguably more important than the follow-up forensic examination. As such, every organization should consider incident response as the first critical step in the forensic process, rather than a token procedure that can be skipped based on the incorrect assumption that they can gain access to the data later. Organizations that embrace incident response, follow the STU process and seek to employ automated tools will have the best chance of catching the smoke from the gun and making major steps forward in combating cybercrime.

About the Author
Al Lewis is the Director of Forensic Development & Services for MacForensicsLab Incorporated and a professor at Marymount University in Arlington, Virginia, where he teaches Cybercrime and Digital Terrorism. Previously, Mr. Lewis was a Senior Special Agent for the U.S. Treasury Department. Prior to that he served as an Electronic Crimes Special Agent Program (ECSAP) agent with the U.S. Secret Service, responsible for cyber-based investigations and computer forensics.
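The article's case for automated over hand-typed capture of volatile data comes down to a fixed order, no typing, and a record of what was collected. The script below is an added example, not code from the article or from MacLockPick or any MacForensicsLab product. It runs a constructed list of Mac OS X Terminal commands (all standard tools; the list and its order are the author's assumption), time-stamps and hashes each output as it is taken, keeps going when a tool is missing, and can re-check the stored hashes later. The fake runner stands in for subprocess so the logic can be exercised away from a live system.

```python
"""Added example (not from the article, not a MacForensicsLab tool): a minimal
scripted volatile-data capture with a hashed, time-stamped record per command.
Command list is a constructed assumption for a Mac OS X responder."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Constructed order: what is running and mounted first (the "stop" checks),
# then network state, then clock and uptime for later correlation.
VOLATILE_COMMANDS = [
    ["date"],
    ["who"],
    ["ps", "aux"],
    ["mount"],
    ["ls", "-la", "/Volumes"],      # anything Disk Arbitration mounted shows up here
    ["netstat", "-an"],
    ["uptime"],
]


def real_runner(argv):
    """Run argv without a shell and return (exit status, combined output)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return proc.returncode, proc.stdout + proc.stderr


def capture_volatile(commands=VOLATILE_COMMANDS, run=real_runner, clock=None):
    """Return one record per command, in order. A failing tool is recorded, not fatal."""
    clock = clock or (lambda: datetime.now(timezone.utc))
    records = []
    for argv in commands:
        started = clock().isoformat()
        try:
            status, output = run(argv)
        except Exception as exc:        # tool missing, timeout, permission problem
            status, output = -1, "capture failed: %r" % (exc,)
        records.append({
            "command": " ".join(argv),
            "started_utc": started,
            "status": status,
            "sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
            "output": output,
        })
    return records


def verify_records(records):
    """Re-hash each stored output; return the commands whose hash no longer matches."""
    return [r["command"] for r in records
            if hashlib.sha256(r["output"].encode("utf-8")).hexdigest() != r["sha256"]]


def fake_runner(argv):
    """Constructed stand-in for the demo: every tool answers except netstat."""
    if argv[0] == "netstat":
        raise FileNotFoundError("netstat")
    return 0, "sample output of %s\n" % " ".join(argv)


if __name__ == "__main__":
    # Swap fake_runner for real_runner on a live system; write the JSON to
    # removable media, not to the suspect's disk.
    print(json.dumps(capture_volatile(run=fake_runner), indent=2))
```

Using argv lists rather than a shell string keeps the capture independent of whichever login shell (bash or tcsh) the suspect's account uses, which is the shell problem the article raises under The Kernel.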
Forensically Sound Examination of a Macintosh
by Ryan Kubasiak, Investigator, New York State Police

Although crimes themselves have not changed, the methodology of committing them is ever changing. The challenge to law enforcement is to keep pace with the digital aspect of all crimes. Most investigations now include a digital component, as well as traditional methods. Crimes of all levels are being plotted, planned or perpetrated with computers, PDAs, cell phones, USB flash drives, wrist watches, electronic pens and other digital devices. Examiners need to be mindful of this, and trained to recognize these items. Specialized examiners must be continually educated and trained on the current forensic analytical techniques.

First responders are critical in the initial action taken, such as on-site viewing of evidence and/or the securing of digital evidence. A loss of data or, worse, corruption of data can severely jeopardize any case. This is why it is important for examiners to constantly stay up to date in technology advancements and training. For law enforcement, the National White Collar Crime Center offers excellent training courses for the perfect price, free.

Field forensics is never a substitute for a full-fledged digital forensic laboratory. Working in an open environment such as a suspect's home or office presents dangers as well as opportunity for missed information. With that in mind, this article will guide the first responder or specialized examiner to safely and soundly retrieve data in a quick and forensically sound manner from a Macintosh®. Consider using a limited scope examination or a full laboratory analysis based on the following conditions:

Facilitate Arrest - You have a search warrant and need to find evidence at the crime scene to facilitate arrest of the target.

Consent Search - You don't have anything more than permission from the suspect to look, but the permission is to look on the premises only.

Exigent circumstances, such as a missing person.

Three techniques are available to examine the Macintosh®. First, the Macintosh® desktop/laptop/server can be booted into "single-user" mode. This state, as described in depth later, is a forensically sound state and allows for information to be gathered. In single-user mode, however, a thorough working knowledge of the Unix® operating system is needed. Second, the same computer can be booted from a LiveCD, such as a Mac OS X boot disk, a Knoppix distribution or Ubuntu LiveCD, to view the contents of the hard drive. Third, the computer can be booted into Firewire Disk Mode (Target Disk Mode) and viewed from a secondary computer.

Each of these techniques has benefits as well as pitfalls. Single-user mode utilizes an already installed operating system, which contains features established by Apple® and has the greatest speed to preview data. It is also command line driven and very much a manual process for setup; therefore, it is possible that the computer has been shut off or maliciously altered. Using the suspect's own operating system is almost always a bad idea and can lead to potentially incorrect results.

LiveCD offers a known boot media with a known operating system each time you conduct a preview. It offers a well-known, always available set of tools for each limited scope examination conducted.

Blackbag Technologies offers a subscription for a forensically sound Macintosh® boot disk. It is also possible to create your own bootable disk that is both forensically sound and has specific utilities installed. The downside to creating your own disk is the lack of support for future machines.

Target Disk Mode offers the greatest flexibility. Users are able to use a laptop (or desktop) with the choice of an operating system to look at the computer. It yields the greatest speed and the widest variety of tools for examination.

Every digital examination should involve the following steps:

• Physically secure evidence or conduct on-site preview (collection)
• Acquisition of digital media
• Verification of acquired data
• Archive of acquired data with verification
• Analysis of acquired data
• Reporting of results

The first two allow for the usage of original evidence. Special care is taken during these steps to ensure original evidence is not altered. An on-site examination typically will yield only a fraction of the evidence on a target computer. It may yield no evidence at all. It is not a substitute for a full, in-laboratory analysis. Just because it was not found during a limited scope examination doesn't mean it's not there.

Apple® has always been a very unique company; hence the operating system, file systems and applications are also unique. Some basics to know and understand before looking at a Macintosh® include the following:

File System

HFS+ (and the older HFS) are the two predominant file systems found on any Macintosh®. Without something to recognize this file system, you will be left looking at a seemingly unallocated drive with raw data only. Tools such as Encase® from Guidance Software and BBT Forensic Suite® from BlackBag Technologies can appropriately interpret the file system and display the contents in a user friendly way. Also, Macintosh® itself knows how to display its own file system, and we use this fact when using Single-User mode, LiveCD or the target disk mode.

A Macintosh® may contain other file systems, just as any other computer. With the release of "BootCamp" from Apple®, Intel-based systems could very well have NTFS, FAT32, EXT3, etc. The Intel-based Macintosh® computers are very capable of running multiple operating systems with multiple file systems. Always be aware of this when using investigative techniques.

Operating Systems

Mac OS X and Mac OS 9 are the two dominant operating systems that can be found on any Macintosh®. With the release of "Boot Camp" from Apple®, any operating system that operates on Intel hardware can be successfully installed and run on the computer. Just because an "apple" is displayed on the side of the computer doesn't mean an Apple® operating system will be used. Apple® has released Windows XP Service Pack 2 drivers as well as Windows Vista drivers. Many hack Web sites have figured out how to use Boot Camp to successfully install and boot other operating systems.

An extremely high percentage of Macs run OS X. OS X based Macintoshes® have the possibility of containing OS 9 "within" the OS X installation. It is referred to as "Classic" and is run simultaneously with the OS X environment.

Data Files

For several years, Macintosh® has used two "forks" for any file. They are the Resource fork and the Data fork. Apple® has recommended developers discontinue the use of the Resource fork. If a Macintosh® file is copied to a file system that doesn't support Resource forks, the fork will be lost. As an examiner, this is extremely important to know. If a file with a Resource fork is copied to a FAT32 volume, for instance, MacOS X will handle the resource fork and open the file appropriately. However, the way in which it is handled is through a hidden file. With an example file named "test.txt", one will notice a hidden file in the same directory named "._test.txt". This is the resource fork. MacOS X will copy this file from FAT32 correctly when the "test.txt" file is copied. Moving over to an operating system that doesn't recognize this, such as , the same copy will lose the Resource fork data. Resource forks can best be equated to Alternate Data Streams in the NTFS world.

Macintosh® application files (or .app files) are actually not a single file at all. They are a folder that is displayed as a single custom icon, and appropriately launched. If you Control-Click on an application file, you will notice the choice to "Show Package Contents". This will actually open the folder rather than launch the application. The contents have a small chance of being evidentiary in value, but the user data associated with an application is typically in the home directory. Any folder can be made into an application by simply adding the ".app" extension to the name. However, when you double-click a self-made application, you will likely get an error message because it is not truly an application yet.

Since an application is really just a specialized folder, problems occur if it is copied to a file system and opened within another operating system. Viewing MyApplication.app in a Windows environment will show a folder with the name MyApplication.app. Further, the folder will open in Windows and the package contents will be seen, much like the "Show Package Contents" command.

Some applications actually use this package concept to create the data file. iWork has two applications: Keynote and Pages. They each save files in a package format, and not a single flat file. Looking at MyDocument.pages on a FAT32 volume through Microsoft Windows will again result in a folder with the name MyDocument.pages, and the folder will open when double-clicked. Be aware of this operation, and expect it when sharing files between operating systems.

Even more importantly, if you are examining a Mac OS X based system with a Windows tool, you will see package files differently than the intended view and functionality. Certain portions of a forensic examination of a Mac OS X based system will require a Macintosh®. Plan accordingly!
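The hidden "._test.txt" file described above is an AppleDouble container, and an examiner working a FAT32 copy from a non-Mac tool can still recover what it holds. The parser below is an added example, not code from the article: it follows Apple's published AppleDouble layout (a 26-byte header of magic 0x00051607, version 0x00020000, 16 filler bytes and an entry count, then 12-byte entry descriptors of id, offset and length, where id 2 is the resource fork and id 9 is Finder info), pairs each "._" sidecar with its data file in a directory listing, and reads the type/creator codes out of the Finder info. The sample sidecar is constructed inside the block.

```python
"""Added example (not from the article): recognise and parse the "._" AppleDouble
sidecar Mac OS X writes beside a file on a volume without resource-fork
support. Layout per Apple's AppleDouble format; the sample file is constructed."""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
HEADER_LEN = 26            # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_LEN = 12             # id(4) + offset(4) + length(4)
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name",
               9: "Finder info", 10: "Macintosh file info"}


def build_sample():
    """Construct a minimal ._test.txt carrying Finder info and a resource fork."""
    finder_info = b"TEXT" + b"ttxt" + bytes(24)          # type, creator, padding
    resource_fork = b"constructed resource fork bytes"
    table_end = HEADER_LEN + 2 * ENTRY_LEN
    entries = [(9, table_end, len(finder_info)),
               (2, table_end + len(finder_info), len(resource_fork))]
    out = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION,
                      b"Mac OS X".ljust(16), len(entries))
    for entry_id, offset, length in entries:
        out += struct.pack(">III", entry_id, offset, length)
    return out + finder_info + resource_fork


def parse_appledouble(blob):
    """Return {entry name: bytes}; raise ValueError if blob is not AppleDouble."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleDouble header")
    magic, version, _filler, count = struct.unpack(">II16sH", blob[:HEADER_LEN])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if version != APPLEDOUBLE_VERSION:
        raise ValueError("unsupported version 0x%08x" % version)
    result = {}
    for i in range(count):
        base = HEADER_LEN + ENTRY_LEN * i
        if base + ENTRY_LEN > len(blob):
            raise ValueError("entry table truncated")
        entry_id, offset, length = struct.unpack(">III", blob[base:base + ENTRY_LEN])
        if offset + length > len(blob):
            raise ValueError("entry %d runs past end of file" % entry_id)
        result[ENTRY_NAMES.get(entry_id, "entry %d" % entry_id)] = blob[offset:offset + length]
    return result


def is_appledouble(blob):
    """Cheap triage test for a file whose name starts with '._'."""
    try:
        parse_appledouble(blob)
        return True
    except ValueError:
        return False


def finder_type_creator(finder_info):
    """First 8 bytes of Finder info are the classic Mac type and creator codes."""
    return (finder_info[:4].decode("mac_roman"), finder_info[4:8].decode("mac_roman"))


def sidecar_pairs(names):
    """Pair each '._name' with 'name' in a directory listing; orphans are dropped."""
    present = set(names)
    return sorted((n[2:], n) for n in names if n.startswith("._") and n[2:] in present)


if __name__ == "__main__":
    parsed = parse_appledouble(build_sample())
    print({k: len(v) for k, v in parsed.items()})
    print(finder_type_creator(parsed["Finder info"]))
    print(sidecar_pairs(["test.txt", "._test.txt", "._orphan", "notes.doc"]))
```

An orphaned "._" file with no partner in the listing is itself a finding: it usually means the data file was deleted or renamed by a tool that did not know about the sidecar.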

http://informant.nw3c.org 29

MAN Pages

One of the best features of any Mac OS X-based system is the help available. Specifically, the MAN pages are perfect supporting documentation for any case. When you use a command line utility, consider making the MAN page for that command a part of your report. The MAN pages are updated as system updates come out, so the output of the MAN page on the day of use matters. An easy way to capture it is an output redirect. For example, if you are about to use the `dd' command line utility, output its MAN page to a text file: man dd > DD_MANPages.txt. This writes the MAN page entry to a text file. Save this file in your case notes area for future reference. The best reference material an investigator can have is the material supplied by the vendor itself.

LiveCD

A LiveCD method for acquisition of a Macintosh® is usually the preferred method. This involves booting the target Macintosh® with a known, forensically sound CD. LiveCDs can include a custom tailored Linux distribution such as Helix, SMART or a Knoppix variant. They can also include paid-for tools like BBT Macquisition.

Drive Removal

Physical drive removal can be the most complicated part of a Macintosh® examination. The cases of some Macintosh® computers will seem like a security barrier as you try to open them. Others will open within seconds and present the internal drives very neatly. When choosing this method, you will likely want to use a physical write blocking device for the acquisition. Many companies offer a great selection of just such devices. The appropriate steps to take will be determined by the physical write blocking device you choose to use. Once the disk drive is physically write blocked, an imaging process can begin with any tool of your choosing, on any operating system.

Possible failures of this method can be the result of a bad cable between the drive and the physical write blocking device, a bad cable from the physical write blocking device to the forensic computer, or an imaging tool that can’t recognize the file system of the target Macintosh® hard drive and displays the disk as unallocated space.

FileVault and MacOS X Security

FileVault Preference Pane

FileVault is the security technology available in Mac OS 10.4 to secure a user’s home directory. When turned on, the user’s home directory is encrypted using 128 bit AES to a sparse image DMG file. The window shows the available security features from the Security Preference Pane. A description of each follows.

Master Password - This is the master password used to unlock a FileVault sparse image when the user has forgotten the password.

Turn On FileVault - Clicking on this button will enable FileVault for the currently logged in account. The sparse image of the user’s home directory will be created and the user will be logged out.

Require password to wake this computer from sleep or screen saver – This will cause the computer to prompt for the currently logged in user’s password to wake or unlock the screen saver.

Disable automatic login – This causes the Login Window to appear during the boot sequence. When this is not checked, the selected user will automatically log in during the boot sequence.

Require password to unlock each secure system preference - Forces a password to be entered before changes to security settings can be made.

Log out after X minutes of inactivity - Will cause an automatic log off of the currently logged in user (or users) after the specified number of minutes.

Use secure virtual memory - Causes /var/vm/swapfile0 and the subsequent page files to be encrypted. When this is not checked, all pages of memory written to disk are in clear text, offering an abundant source of user information. The swap files are deleted during boot, and not at shutdown or logout!

It is important for a full analysis to include items such as the options listed above. For instance, a system with the auto-login feature on is not the same as one with it off. Having to know a password to get into the system immediately narrows down the number of people that may have used a computer. To gain this information, “plist” files will need to be examined. A likely area for system-wide settings to be stored is /Library/Preferences.

The home directory is the likely area to find all of the evidence for any case, barring system-wide log and settings files. Mac OS X is very good at containing a user’s files and settings to this area. This trait allows FileVault to work as well as it does. When conducting a limited scope examination, directing your searches to this area first is a good idea.

Read this white paper in its entirety at MACOSXForensics.com.

About the Author
Ryan Kubasiak is currently employed by the New York State Police (NYSP) as an Investigator in the Computer Crime Unit Forensic Laboratory. Investigator Kubasiak has been with the NYSP for 11 1/2 years. Prior to the NYSP, Investigator Kubasiak was employed by SUNY Buffalo as a network administrator where he worked with Apple, Microsoft and Novell server and desktop platforms. Investigator Kubasiak strives to maintain community contact through organizations such as NW3C, HTCIA, and IACIS, as well as the Web site MacOSXForensics.com and podcast “Inside the Core”.
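As an added example (not code from the white paper or from MacOSXForensics.com), the following Python script reads the plist-backed settings behind the preference pane described above and reports what each one means for the examination. The file names and keys are my assumptions for 10.4/10.5-era systems, not facts from the article: com.apple.loginwindow.plist with autoLoginUser, com.apple.virtualMemory.plist with UseEncryptedSwap, the per-user com.apple.screensaver.plist with askForPassword, and a <user>.sparseimage or .sparsebundle in the home directory as the FileVault indicator. Confirm each against the target before citing it in a report. The sample plists are constructed inline so the script runs offline; assess_image() shows how to point it at the root of a mounted, write-blocked image.

```python
"""Triage Mac OS X security settings from plist files.

Added example; not code from the article. File names and keys below are
assumptions for 10.4/10.5-era systems and must be verified on the target:
  /Library/Preferences/com.apple.loginwindow.plist    key autoLoginUser
  /Library/Preferences/com.apple.virtualMemory.plist  key UseEncryptedSwap
  ~/Library/Preferences/com.apple.screensaver.plist   key askForPassword
  ~/<user>.sparseimage (10.4) or .sparsebundle (10.5+) => FileVault home
"""
import plistlib
from pathlib import Path

FILEVAULT_SUFFIXES = (".sparseimage", ".sparsebundle")

# Constructed sample plists standing in for files copied from an image.
SAMPLE_LOGINWINDOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>autoLoginUser</key><string>jdoe</string>
</dict></plist>"""
SAMPLE_VM = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>UseEncryptedSwap</key><false/>
</dict></plist>"""
SAMPLE_SCREENSAVER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>askForPassword</key><integer>1</integer>
</dict></plist>"""
EMPTY_PLIST = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict/></plist>'
SAMPLE_HOMES = {"jdoe": ["jdoe.sparseimage", "Library"], "guest": ["Desktop", "Library"]}


def load_plist(data: bytes) -> dict:
    """plistlib detects XML vs. binary plist from the leading bytes."""
    return plistlib.loads(data)


def assess(loginwindow: bytes, virtual_memory: bytes,
           screensaver_by_user: dict, home_listing: dict) -> dict:
    """Map raw plist bytes and home-directory listings to findings."""
    lw, vm = load_plist(loginwindow), load_plist(virtual_memory)
    return {
        # A user name here means the login window was skipped at boot.
        "auto_login_user": lw.get("autoLoginUser"),
        # False means /var/vm/swapfile* held plaintext memory pages.
        "encrypted_swap": bool(vm.get("UseEncryptedSwap", False)),
        "screensaver_password": {
            user: bool(load_plist(raw).get("askForPassword", 0))
            for user, raw in screensaver_by_user.items()
        },
        # FileVault home: the real home lives inside the sparse image.
        "filevault_users": [
            user for user, names in home_listing.items()
            if any(n.endswith(FILEVAULT_SUFFIXES) for n in names)
        ],
    }


def notes(findings: dict) -> list:
    """Examiner-facing summary: one line per setting that matters."""
    user = findings["auto_login_user"]
    ss = ", ".join(f"{u}={'required' if on else 'not required'}"
                   for u, on in sorted(findings["screensaver_password"].items()))
    return [
        (f"auto-login ON for '{user}': anyone who powered the Mac on reached the desktop"
         if user else "auto-login OFF: a password was needed at boot, narrowing the user pool"),
        ("secure virtual memory ON: swap files are encrypted" if findings["encrypted_swap"]
         else "secure virtual memory OFF: /var/vm/swapfile* may hold plaintext "
              "(cleared at boot, not at shutdown, so image before booting)"),
        "screen saver password: " + (ss or "no per-user plist found"),
        "FileVault homes (need user or master password): "
        + (", ".join(findings["filevault_users"]) or "none"),
    ]


def assess_image(root: Path) -> dict:
    """Run against the root of a mounted, write-blocked image."""
    prefs = root / "Library" / "Preferences"
    lw_path = prefs / "com.apple.loginwindow.plist"
    vm_path = prefs / "com.apple.virtualMemory.plist"
    loginwindow = lw_path.read_bytes() if lw_path.exists() else EMPTY_PLIST
    virtual_memory = vm_path.read_bytes() if vm_path.exists() else EMPTY_PLIST
    screensavers, homes = {}, {}
    for home in sorted(p for p in (root / "Users").iterdir() if p.is_dir()):
        homes[home.name] = [p.name for p in home.iterdir()]
        ss = home / "Library" / "Preferences" / "com.apple.screensaver.plist"
        if ss.exists():
            screensavers[home.name] = ss.read_bytes()
    return assess(loginwindow, virtual_memory, screensavers, homes)


if __name__ == "__main__":
    import sys
    result = (assess_image(Path(sys.argv[1])) if len(sys.argv) > 1 else
              assess(SAMPLE_LOGINWINDOW, SAMPLE_VM,
                     {"jdoe": SAMPLE_SCREENSAVER}, SAMPLE_HOMES))
    print("\n".join(notes(result)))
```

Run it with no arguments to see the constructed sample, or pass the mount point of the image. Keep the original plist bytes with the report: the interpretation lines are only as good as the key assumptions, and the raw file is what a reviewer will want to check.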

30 Informant: July 2009 - December 2009

The Informant is more than a magazine! Not only do we have more compelling articles for you to read and learn from, the Informant Blog site also allows you to communicate with NW3C specialists and react to the latest financial and high-tech crime news instantly. But we can’t do all this alone. Our readers look to your knowledge and expertise to learn new tips and tools for their investigations. We are accepting articles to include in the next Informant E-zine. Articles around the topics of intelligence analysis, financial crime, Internet crime and other white collar crimes are encouraged and welcomed. So fire up your keyboard and let us have it! Submit your article(s) to [email protected] by November 20, 2009.

Submit Your Articles to the Informant. http://informant.nw3c.org

Seven Deadly iPhone Sins: What Every Enterprise Should Know
by Jonathan Zdziarski, Research Scientist, McAfee, Inc.

With advancements in iPhone® forensics, examiners are now able to see inside the popular device’s innards at a raw-disk level. Raw disk is the holy grail of computer forensics, as it allows the examiner to glean both live and deleted data from a computer, or in this case a mobile phone. Deleted data is often far more interesting than live data, as the suspect generally believes it no longer exists. What’s more, many people are blissfully unaware of just what kind of extra information their iPhone® is storing behind their back. Free tools for law enforcement, available at http://www.iphoneinsecurity.com, make raw-disk recovery of an iPhone® an almost effortless task, and with these advances in forensics comes the sobering reality that hackers too can (and have) taken advantage of the same techniques to steal personal information from these devices.

Government agencies and enterprises have recently adopted the iPhone® 3G[s] into many networks. With buzzwords like “hardware encryption” and “remote wipe”, many have been misled into believing that the iPhone® 3G[s] is secure enough to store confidential correspondence or other information. Apple® is no doubt pushing the enterprise market, but is the iPhone® truly secure enough? The answer to that is no. The iPhone® 3G[s] was no more secure than its two predecessors. In fact, its encryption served no practical use in actually securing data.

While this subject could fill an entire book (and has), take the following summarized points into consideration. They apply not only to the iPhone® 3G[s], but also to earlier generation devices. The seven deadly sins of the iPhone® have been uncovered throughout the past few years of forensic research on the device. Yet today’s iPhone® firmware remains just as insecure as the very first version. Some speculate this may be related to contracts with telephone carriers such as AT&T, but many of these vulnerabilities appear to be mere products of poor programming, plain and simple. Here are the top seven things law enforcement and consumers should know about the iPhone®:

1. The iPhone’s® passcode and encrypted backup password can be easily bypassed. This allows an identity thief who gains physical access to the device (even if for only a short time) not only to access an iPhone® (or iPhone® 3G or 3G[s]), but to sync an unencrypted copy of all its live data through iTunes®, creating a copy of the owner’s contacts, correspondence, photos, and other valuable data. If it can be synced with iTunes®, it can be stolen in a very short period of time.

2. The iPhone® 3G[s] promises hardware encryption, but this hardware encryption does not appear to protect the information on the iPhone® from information theft. The operating system needs to automatically decrypt the iPhone’s® disk in order to boot, allowing anyone with the right know-how to easily acquire all of the data - including deleted data - on the device, bypassing any encryption. In fact, the only useful benefit of hardware encryption thus far has been the ability to quickly format the device, discussed next. The law enforcement tools used to perform a raw disk recovery obtain a decrypted disk image by engaging the iPhone’s® built-in decryption mechanism. You read right. The iPhone® itself decrypts all of your private data on command, so if you have the iPhone®, you have both the lock and the key.

3. Remote wipe and “LocateMe” features can easily be disabled by simply removing the SIM card. Any semi-intelligent thief looking to steal information from your corporate handsets can easily shut these features down within seconds, armed with only a paper clip.

4. If your device is stolen, not only is the iPhone’s® live information exposed, but also all of the deleted information on the device. Because the iPhone® has such a large storage capacity, and because its solid state disk uses built-in wear-leveling logic, it can take six months or more to overwrite deleted data. The hardware itself is designed to minimize writing to the same place on disk, leaving a wealth of deleted data for an information thief. Remember those embarrassing photos you took last year, then deleted? They’re likely still on the iPhone®, and can be accessed by anyone with the right know-how.

5. The iPhone® OS has a built-in keyboard “logger” which logs nearly everything you type into the device’s keyboard to auto-learn the owner’s typing habits. As a result, endless logs of data are being created containing information typed in by the user. Even fields with auto-correction turned off have been seen to have some of the data entered in them stored in this cache. Anything you type into a browser window, SMS message, e-mail, etc., is stored in this keyboard logger cache - and it isn’t going away anytime soon.

6. Every time you push that home button, the iPhone® snaps a screenshot of the last thing you were doing. This is done for most built-in applications such as Mail and Safari, and has been observed for some third party applications as well, such as Facebook and others using a Web interface. A large collection of screenshots of “the last thing” you or your employee were looking at is being stored on the device, exposing screenshots of potentially confidential information to anyone with the right know-how.

7. There is a wealth of information stored on the device that most users don’t even realize is there. Information about your last GPS position, your wireless networks, your searches, unread voicemail and much more are all accessible to a thief, if they know how to get it.

Consider the risk to your enterprise should the confidential information on corporate iPhones® be stolen. The iPhone® is about the size of a small laptop disk drive, and is about as easy to copy information from should a thief steal or “borrow” it without your knowledge.

While consumers should be aware of these security issues in order to protect their identity and personal information, it is also important for law enforcement to understand the wealth of information that is available to them from this device.

About the Author
Jonathan Zdziarski is a Research Scientist for McAfee, Inc. and author of many books including iPhone® Forensics, iPhone® SDK Application Development and iPhone® Open Application Development. Jonathan is the leading expert in digital iPhone® forensics and provides tools and training to law enforcement agencies and enterprises worldwide.
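The keyboard cache in item 5 above is worth a concrete look. The following Python script is an added example, not a tool from the article or from iphoneinsecurity.com; it turns a copy of the cache into a list of typed-text candidates and flags the ones that look like e-mail addresses, phone numbers or URLs. Everything about the file is an assumption on my part and must be confirmed on a known device: that the cache is /private/var/mobile/Library/Keyboard/dynamic-text.dat on an iPhone OS 3 raw-disk image, that it begins with an ASCII header such as "DynamicDictionary-5", and that the learned words are stored as NUL-separated byte strings. The sample bytes are constructed inline so the script runs offline.

```python
"""Recover typed-text candidates from an iPhone keyboard cache.

Added example; not a tool from the article or from iphoneinsecurity.com.
Assumptions: on an iPhone OS 3 raw-disk image the cache is
/private/var/mobile/Library/Keyboard/dynamic-text.dat; it starts with an
ASCII header such as "DynamicDictionary-5" and stores learned words as
NUL-separated byte strings. Confirm the layout on a known device before
relying on it. Unknown bytes are kept, so a different header only costs
one spurious token at the front of the list.
"""
import re
from collections import Counter

HEADER = re.compile(rb"^DynamicDictionary-\d+")
MIN_LEN = 3  # drop one- and two-byte fragments, which are mostly noise

# Patterns worth a second look in a keyboard cache (triage, not proof).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"^\+?\d[\d\-().\s]{6,}\d$"),
    "url": re.compile(r"^(?:https?://|www\.)\S+", re.IGNORECASE),
}

# Constructed sample standing in for the bytes of dynamic-text.dat.
SAMPLE = (b"DynamicDictionary-5\x00meeting\x00tomorrow\x00meeting\x00"
          b"alice@example.org\x00212-555-0142\x00pw\x00www.example.org\x00")


def tokens(blob: bytes) -> list:
    """Split the cache into printable strings in file order."""
    body = HEADER.sub(b"", blob, count=1)
    out = []
    for chunk in body.split(b"\x00"):
        text = chunk.decode("utf-8", errors="replace").strip()
        if len(text) >= MIN_LEN and text.isprintable():
            out.append(text)
    return out


def triage(blob: bytes) -> dict:
    """Count tokens, keep first-seen order, and flag sensitive-looking ones."""
    toks = tokens(blob)
    counts = Counter(toks)
    flagged = {}
    for tok in counts:
        for label, rx in PATTERNS.items():
            if rx.search(tok):
                flagged.setdefault(label, []).append(tok)
    return {
        "unique": len(counts),
        "most_common": counts.most_common(5),
        "first_seen": list(dict.fromkeys(toks)),  # order hints at typing sequence
        "flagged": flagged,
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    print(f"{report['unique']} unique tokens; most common: {report['most_common']}")
    for label, hits in report["flagged"].items():
        print(f"  {label}: {hits}")
```

Run it against a file carved or copied from the image, never against the live device. The flagged list is a starting point for the examiner, not a finding by itself: the cache records words the keyboard learned, so a token proves the string was typed on the handset, not where or by whom.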


The sale of portable navigation devices is at an all time high. Last year, more than forty million portable GPS devices like TomTom’s “GO®” series or Garmin’s “Nuvi®” series were sold worldwide. With the entrance of hybrid devices into the marketplace, GPS devices now contain much more than navigational information and may contain data commonly found in cell phones as well as audio, video and text-based files like MS Word or PDF documents. These devices can also be the source of invaluable evidence for law enforcement.

The law enforcement community has seen a dramatic increase in the use of GPS devices as an instrument of a crime or as a “witness device” autonomously collecting and logging positional data while the crime is being carried out. TomTom and Garmin units are by far the most popular devices law enforcement has encountered. The focus of this article will be on TomTom devices, but the general process can be extended to other device brands as well.

TomTom Specifics

TomTom provides a range of devices for navigation. Depending on the capabilities of the model, several different kinds of information can be acquired. Most models have an SD card slot or internal memory and allow pictures, documents, audio and video files to be stored and accessed through the device. Standard TomTom files found on a device may include:
• Location Information
• Device Info
• Called list
• Callers list
• Text Message Inbox
• Text Message Outbox
• Contacts
• Bluetooth Name and MAC ID
• User Information

All TomTom models have a file which may contain the location the user set as home, a list of any recent destinations and possibly last journey data. They also have a device information file which contains the device serial number, model number, software version and other general information about the device. Higher end TomTom models like the “GO” series can act as a hands-free device for mobile phones and may contain call data, text messages, contacts and a list of paired phones by their MAC address.

Model                       Recent Destination File  BIF File  Setting File  Called File  Callers File  Inbox File  Outbox File
TomTom One Regional         Y                        Y         N             N            N             N           N
TomTom One Europe           Y                        Y         N             N            N             N           N
TomTom Go 510/710/720/730   Y                        Y         Y             Y            Y             Y           Y
TomTom Go 750/790           Y                        Y         Y             Y            Y             Y           Y
TomTom Go 910/920/930       Y                        Y         Y             Y            Y             Y           Y
TomTom Navigator 6          Y                        Y         N             N            N             N           N

Data Acquisition

Data acquisition can be achieved through different methods depending on the TomTom model. This is specifically related to whether the device has internal memory or stores its data on a removable SD card.

In the case of devices that use SD cards, the card can be removed and processed like any other removable media. A forensically sound copy of the SD card should be made and used to analyze the data. An important note: TomTom devices do not honor the write protection option built into SD cards; regardless of the write protection tab setting (located on the left of the SD card when looking at the top), the device will write data to the card.

In the case of devices that have internal memory, the device appears in Windows under “My Computer” when plugged in via USB as a removable storage device with the label “TomTom”. Once visible in “My Computer”, it is possible to open the TomTom directory and copy the contents. A more sound approach than “clicking and dragging” the files to the desktop would be to acquire an image of the device and work from that disk image. AccessData’s FTK Imager is available from their support Web site and will acquire devices without a license. FTK 1.80 will parse up to 5,000 files without a license dongle and is sufficient for devices with 2GB hard drives or less. FTK or EnCase will make it easier to decode and view the files.

Note when powering on the unit to acquire data: if the device establishes a lock from the GPS satellites, it will overwrite the Last GPS Fix information in the CurrentLocation.dat file with its present location. A faraday bag can be used to prevent this from happening, or examining the device inside a building away from windows can accomplish the same thing.

Target Files

Once the data has been acquired, the following files are good sources of information.
• *.cfg - Contains locations. The file name depends on the model but is generally found in a folder with the name of the map. The file name is either ‘Mapsettings.cfg’ or .cfg. There may be more than one map installed on the TomTom. The map currently in use can be found by looking at the ‘currentmap.dat’ file.
• ttgo.bif or ttnavigator.bif – General device information, model number, serial number, user password (encrypted)
• Settings .dat - Paired phone ID and MAC address (max 5) and any user information.
• Called.txt - Name called (if in phonebook), Number called
• Callers.txt - Name of caller (if in phonebook), Number of caller
• Inbox.txt – Name, Number, Message, Date & Time
• Outbox.txt – Name, Number, Message
• Contacts.txt - Name of contact, Number of contact. This file only exists if the user has chosen to import their address book from their phone.

Data Analysis

TomTom devices can store information related to the owner’s home address and a list of their “Favorite” locations. If a user selects to navigate to either their home, a Favorite or an address entered as a destination, then this information is stored in the “recent destination” file that ends with a .cfg extension. .cfg files contain:
• Home location
• Favorites
• Manually entered addresses
• Details of last journey (if entered)
• Last GPS fix of the device

For each of the locations a latitude and longitude is stored along with an automatically assigned name, a user editable name and a house number. The file also stores how the user chose to navigate to the address (entering the latitude and longitude, selecting it from the favorites list, etc…).

Recommended Seizure Techniques

Like any other GPS device, TomTom devices are continuously collecting information and writing data to memory whenever they are powered on. When you seize a device, power the unit off and do not turn it on until you are ready to examine it. When you are ready to examine the device you should be inside, away from windows, so the device does not have a clear view of the sky. A faraday bag can be used to ensure that the TomTom cannot establish a lock from the GPS satellites. If it establishes a satellite lock, the device will overwrite the Last GPS Fix information in the CurrentLocation.dat file.

Until the latest software update, App 8.0.10, released in the July/August 2008 timeframe, turning off a TomTom device that is protected by a PIN code would not prevent you from accessing the device with a computer. App 8.0.10 has “fixed” that issue and requires the PIN code to be entered before the device will go into disk mode.

Tools Available

Currently there are two tools available for examining TomTom devices, Blackthorn2 and TomTology. There is also a separate EnCase EnScript available to parse files from an image file using EnCase. E-mail us for information and to request a copy at [email protected]

About The Author
Ben LeMere has more than 12 years of military and federal government service and is widely recognized as a subject matter expert in GPS forensics. His career has afforded him extensive technical, analytical and operational experience. He currently serves as a certified Computer Forensic Examiner and Project Manager at the Department of Defense Cyber Crimes Center. Prior to this position, Ben was responsible for developing and implementing one of the first GPS forensic analysis programs for the Department of Homeland Security.
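The Data Analysis section above says each stored location carries a latitude and longitude but not how they are encoded. The following Python script is an added example, not Blackthorn2, TomTology or the EnScript the article mentions; it carves coordinate candidates out of a copy of a .cfg file by scanning for pairs of little-endian signed 32-bit integers, longitude then latitude, in units of 1e-5 degree. That encoding is my assumption, borrowed from the layout TomTom documents for its .ov2 POI files, and should be confirmed on a test unit (navigate to a known address, then locate its value in the .cfg) before it is used on an exhibit. Because scanning every byte offset produces false positives, the examiner supplies a bounding box for the region the device was used in. The sample bytes and the label_after() helper are constructed for the example.

```python
"""Carve latitude/longitude candidates from a TomTom settings file.

Added example; not Blackthorn2, TomTology or the EnScript the article
mentions. The article says each stored location carries a latitude and
longitude but not how they are encoded. This script assumes the encoding
TomTom documents for its .ov2 POI files: two little-endian signed 32-bit
integers, longitude then latitude, in units of 1e-5 degree. Confirm that
on a test unit (navigate to a known address, then find its value in the
.cfg) before using it on an exhibit. Scanning every byte offset yields
false positives, so the examiner supplies a bounding box for the region.
"""
import struct

SCALE = 100_000  # 1e-5 degree units (assumption, see module docstring)


def encode(lat: float, lon: float) -> bytes:
    """Inverse of the carve: pack a fix the way we assume the device does."""
    return struct.pack("<ii", round(lon * SCALE), round(lat * SCALE))


def carve_coordinates(blob: bytes, bbox: tuple, step: int = 1) -> list:
    """Return [(offset, lat, lon)] for every int32 pair that lands in bbox.

    bbox = (min_lat, max_lat, min_lon, max_lon) in decimal degrees. A tight
    box (the map region the device was used in) keeps random bytes out.
    """
    min_lat, max_lat, min_lon, max_lon = bbox
    hits = []
    for off in range(0, len(blob) - 7, step):
        lon_raw, lat_raw = struct.unpack_from("<ii", blob, off)
        if lon_raw == 0 and lat_raw == 0:
            continue  # padding, not a fix
        lat, lon = lat_raw / SCALE, lon_raw / SCALE
        if min_lat <= lat <= max_lat and min_lon <= lon <= max_lon:
            hits.append((off, lat, lon))
    return hits


def label_after(blob: bytes, offset: int, limit: int = 64) -> str:
    """Best-effort: the printable bytes right after a fix are often its name."""
    tail = blob[offset + 8: offset + 8 + limit].split(b"\x00", 1)[0]
    text = tail.decode("latin-1")
    return text if text and text.isprintable() else ""


# Constructed sample: two fixes in Washington, DC, each followed by a name.
SAMPLE = (b"MAPSETTINGS\x00" + b"\x00" * 4
          + encode(38.89767, -77.03656) + b"Home\x00" + b"\xff" * 3
          + encode(38.85000, -77.04000) + b"Work\x00")
DC_BBOX = (38.5, 39.5, -77.5, -76.5)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, lat, lon in carve_coordinates(data, DC_BBOX):
        print(f"0x{off:08x}  {lat:.5f}, {lon:.5f}  {label_after(data, off)!r}")
```

Keep the bounding box honest: widen it only as far as the map region installed on the device, and treat every hit as a lead to be verified against the names and house numbers the file stores alongside the fix rather than as a confirmed location.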

Have you ever been in the middle of typing an important document or simply surfing the net, when all of a sudden an urgent message appears on your screen saying, “Your computer may have been infected!” Panic quickly sets in and you find yourself asking… should I click and possibly save my computer from a harmful virus, or is this a scam? It is one of the most profitable and prolific scams on the Internet today.

Rogue security software, also known as “scareware,” exploits consumers’ legitimate concerns about Internet-based threats. Using unsolicited and utterly bogus computer scans that claim to detect malicious files or viruses on consumers’ computers, criminals are able to obtain your personal identifying information. Once the bogus scans are complete, consumers are urged to purchase a computer security product, often with a generic name such as PC Antispyware 2010, in order to eliminate the malicious content “detected” by the scan. Although the scan is nothing more than an elaborate ruse, millions upon millions of consumers take the bait and fall victim to scareware fraudsters.

A Brief History of Scareware

By Internet standards, scareware is a long-standing problem. The Federal Trade Commission (FTC) encountered its first scareware case back in 2004, challenging conduct dating back to the early 2000s. Several other enforcement actions by both the FTC and State Attorneys General followed shortly thereafter. These early scareware scams seem almost quaint when compared to the rogue security threats facing consumers today. Yesterday’s scareware fraudsters relied largely on pop-up advertising to lure consumers into downloading bogus security applications. These early pop-up ads were largely text-based. The ads warned consumers of security problems with their computers, and encouraged them to visit a Web site where they could download software to scan and repair their computers. Consumers who took the bait received amateurish-looking software that purported to scan their computers and detect a variety of threats. Consumers were then given the option of purchasing the “full version” of the program to resolve the security issues “detected” in the scan.

Today’s scareware applications are far more advanced. Text-based pop-up ads have been replaced by elaborate and convincing animated graphics that closely resemble the “look and feel” of the Windows operating system. These new scans appear entirely legitimate and can trick consumers into believing that Windows itself has detected malicious files.

Unlike the bogus computer scans of old, the new generation of fake scans can be displayed entirely within consumers’ Internet browsers. As a result, scareware fraudsters no longer need to dupe consumers into downloading software in order to display their fake scans. Rather, scareware fraudsters need only convince consumers to visit a Web page – or redirect them to a Web page without their consent – where the elaborate fake scan is displayed. Other forms of rogue security software are covertly installed directly onto consumers’ computers through exploits, or by using malicious software that has already compromised the computer. For example, the much publicized Conficker worm has been observed downloading and installing “SpywareProtect 2009” – a known scareware product – onto computers it has infected. Once installed, the rogue security product activates itself, proceeds to display a bogus scan that detects a variety of threats and then urges consumers to purchase the product.

The Emergence of “Malvertising”

One of the most ominous developments in scareware is the emergence of “malvertising” – the use of malicious Internet advertisements to redirect users to Web sites that display bogus computer scans. Malvertisements are trojan horses: advertisements that appear legitimate but contain hidden code capable of redirecting consumers away from the Web site they are viewing. To the Internet advertising network or Web site paid to place the advertisement, the malvertisement appears as an innocuous display ad for a legitimate company. Once the hidden code within the malvertisement is activated, however, the previously benign ad starts redirecting consumers away from the page they are viewing to a malicious Web site. Because it enables scareware fraudsters to ambush virtually any Internet user with a bogus computer scan, malvertising represents a grave threat to consumers. Malvertisements have infiltrated some of the most popular Web sites on the Internet, including Expedia.com, MySpace.com, FoxNews.com and Newsweek.com. Although these malicious ads are typically detected quickly and removed, they impact a huge number of consumers due to the high volume of daily traffic on these Web sites.

Tackling the Scareware Problem

Scareware fraudsters are generating massive profits by intimidating consumers into purchasing worthless security products. Although it is difficult to discern exactly how much money is being made, a recent report by Panda Security estimates that more than 6.5 million consumers are duped into spending more than $415 million on scareware products each year.

With so much money at stake, stopping scareware will not be easy. Enforcement is certainly a large part of the puzzle. The FTC has been very active in the investigation and prevention of scareware scams, and is currently litigating a major enforcement action against the syndicate responsible for the notorious “WinFixer” family of rogue security products. The FTC alleges that the “WinFixer” defendants marketed hundreds of scareware products and generated more than $100 million in sales. The Washington State Attorney General’s office also has been aggressively pursuing scareware fraudsters.

Enforcement alone, however, will not stop the scareware problem. As long as scareware remains profitable, new fraudsters will continue to enter the marketplace. Consumer education, therefore, is a critical part of the equation. If consumers stopped purchasing security products advertised through unsolicited computer scans, the market for scareware would collapse. With no profit incentive, there would be no reason for fraudsters to continue to create scareware programs.

To get the word out to consumers, the FTC issued a scareware “consumer alert” in connection with the filing of the “WinFixer” case, and has added information about scareware to the OnguardOnline.gov consumer education portal. Many other organizations, including the Washington State Attorney General’s Office and a number of legitimate computer security companies, are also working to help consumers recognize the tactics used by scareware fraudsters. Continuing and expanding these outreach efforts will be an essential step in winning the war against scareware.

About The Author
Ethan Arenson is an attorney with the Federal Trade Commission where he serves as the FTC’s Spam Coordinator. Mr. Arenson is also lead counsel in FTC v. Innovative Marketing, a scareware enforcement action currently in litigation. He can be reached at [email protected].

References:
1. See FTC v. Seismic Entertainment Productions, Inc., No. 1:04 CV 00377 JD (D.N.H. 2004).
2. See, e.g., FTC v. MaxTheater, Inc., No. 05-CV-0069-LRS (E.D. Wash. 2005); FTC v. Trustsoft, Inc., No. H-05-1905 (S.D. Tex. 2005); State of Washington v. Secure Computer, LLC,
3. See http://msmvps.com/blogs/spywaresucks/archive/2008/11/24/1654896.aspx (Expedia); http://msmvps.com/blogs/spywaresucks/archive/2008/02/22/1521712.aspx (MySpace); http://msmvps.com/blogs/spywaresucks/archive/2008/11/16/1654254.aspx (FoxNews); http://msmvps.com/blogs/spywaresucks/archive/2008/08/16/1644872.aspx (Newsweek).
4. Panda Security, The Business of Rogueware: Analysis of the New Style of Online Fraud, p. 13, http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf?sitepanda=particulars
5. FTC v. Innovative Marketing, Inc., No. 08-CV-3233 (D. Md. 2008).
6. See Fright Fight: Washington Attorney General leading battle against scareware with Microsoft, http://www.atg.wa.gov/pressrelease.aspx?id=21026.

http://informant.nw3c.org 37

Ponzi: An Update on the Investigations of Some Recent Ones and What Happens When They Collapse
by Robert Holtfreter, Ph.D., Central Washington University

There was hardly a month in the last two years when the media did not report a new “Ponzi” scheme. Thousands of investors realized that they had become victims of elaborate investment schemes and lost most, if not all, of their hard-earned money. In most “Ponzi” schemes, individuals invest their money because they have undue respect for the individual running the scam and are lured by the fraudulent promise of unusual returns that are normally unavailable in the financial markets. This article will discuss what happens when these schemes collapse and provide information to avoid becoming a victim of a “Ponzi” scheme.

Consequences for Investors When a “Ponzi” Scheme Collapses

What happens to a victimized individual or organization when a “Ponzi” scheme collapses? Some undesirable effects can include:

• Investors will lose principal when the scheme collapses. The investors may lose all of their assets earmarked for current or retirement needs.
• Investors may have to repay interest and principal if bankruptcy is filed. If the “investment” is classified as a loan, the lender may have to demonstrate the exercise of reasonable due diligence in making the loan, a daunting task if the proposed interest rate was well above the legal interest rate.
• The records of investors may become public in numerous legal filings and lawsuits.
• The client may have to spend money and time in obtaining professional tax advice or defending a legal claim.
• Charitable institutions may have to return charitable donations received (both in-kind gifts and cash) from the schemer. Bankruptcy law allows the trustee to recoup monies paid to charitable institutions for two years, or longer if the state fraudulent conveyance statute reaches further back.

Tips to Investors

Investors need to become more sophisticated and diligent when it comes to investing their money. To help avoid becoming a victim of a “Ponzi” scheme, an investor should consider taking the following steps:

• Don’t be fooled by the charisma or “irrational” excitement of an individual trying to sell you a financial plan, especially if he/she is well known, of the same ethnic background or religion, or if your friends have recommended the plan.
• Avoid the investment if a promise is made of unusual above-market returns or if the fraudster cannot explain how the cash is invested.

It is best to remember that if the financial plan sounds “too good to be true, it probably is.”

The FBI recently reported on the status of the investigation of the following recent “Ponzi” schemes.

• On 01/23/2009, a Broomall, Pennsylvania man was charged in a large-scale investment fraud that he used as a pyramid, or “Ponzi,” scheme to defraud investors of tens of millions of dollars between 1996 and 2008.
• On 02/24/2009, the New York FBI Field Office arrested an individual based on the operation of an international, Internet-based “gold unit” Ponzi scheme.
• On 02/27/2009, a former Brentwood, Tennessee financial advisor and owner of Park Capital Management Group (“PCMG”) admitted to operating an elaborate Ponzi scheme to defraud investors who deposited funds with PCMG for investment in brokered stocks and other marketable securities.
• On 03/04/2009, two Arizonans and two others were indicted for a Ponzi fraud scheme. A 90-count indictment alleges at least 300 victims invested $8 million during the scheme.

About the Author
Robert Holtfreter, Ph.D., CFE, is a distinguished professor of accounting & research at Central Washington University. He has published numerous articles on identity theft, debit/credit card fraud, security breaches and data mining models. He is a member of the Editorial Boards of Fraud magazine, the Journal of Forensic Accounting and the Journal of Forensic & Investigative Accounting. He can be reached at [email protected]

38 Informant: July 2009 - December 2009

Guilty Pleas Entered in Connection with $1.6 Million Counterfeiting Conspiracy
Two Foreign Nationals are the final two defendants to admit responsibility, capping a three-year government investigation

WASHINGTON DC - Naibeye Koumbairia, 35, of the District of Columbia, and William W. Glay, Jr., 33, of Germantown, Maryland, entered guilty pleas today to all of the charges in an indictment filed against them last year charging them in connection with a wide-ranging conspiracy to counterfeit checks drawn on the accounts of more than ninety businesses and individuals, announced Acting U.S. Attorney Channing D. Phillips, U.S. Secret Service Special Agent in Charge Jeffrey Irvine, and Montgomery County Chief of Police J. Thomas Manger.

Both defendants pleaded guilty before Judge John D. Bates in the U.S. District Court for the District of Columbia. Sentencing in the case has been continued until December 21, 2009.

According to charging documents, Koumbairia and Glay directed a large network of conspirators who worked from 1999 through 2007 to systematically cash high-quality counterfeit checks in the D.C. area. The conspiracy consisted of insiders (such as corrupt bank employees and a corrupt accountant), check printers, check passers, and other “recruiters” who identified people addicted to drugs or in need of money and convinced them to pass counterfeit checks and share in the criminal proceeds. The corrupt insiders provided Koumbairia, Glay, and other conspirators with copies of genuine checks and bank account information. Using that information, Koumbairia and Glay created counterfeit checks that were passed by other conspirators at banks, retailers, and check-cashing establishments.

On March 6, 2007, law enforcement officers with the U.S. Secret Service and the Montgomery County Police Department raided the residences of Koumbairia and Glay and recovered more than 400 images of counterfeit checks purporting to be drawn on the accounts of customers with Sun Trust, Bank of America, M&T Bank (formerly Providence Bank), AM South Bank, Wachovia Bank, United Bank, Branch Banking & Trust Co., and CitiBank. The U.S. Secret Service investigated all of the images of counterfeit checks recovered from Koumbairia and Glay’s residences and found more than $1.6 million worth of counterfeit checks that had been passed in the D.C. area by conspirators working with Koumbairia and Glay. Those counterfeit checks were passed on the accounts of more than ninety individuals and businesses.

Koumbairia pleaded guilty to sixteen counts charging him with conspiracy, wire fraud, bank fraud, and uttering the securities of a private entity. Glay pleaded guilty to four counts charging him with conspiracy, wire fraud, and bank fraud. At sentencing, both defendants will face possible sentences of up to thirty years’ incarceration. Koumbairia, who was born in Chad, and Glay, who was born in Liberia, acknowledged in pleading guilty that they may face possible deportation as a result of their criminal activities.

The guilty pleas by Koumbairia and Glay represent the fourteenth and fifteenth guilty pleas obtained by law enforcement in connection with this three-year-long investigation into counterfeit check passing in the D.C. area. A grand jury indicted seven conspirators in connection with this case, all of whom have now entered guilty pleas. In announcing today’s guilty pleas, Acting U.S. Attorney Phillips, U.S. Secret Service Special Agent in Charge Irvine and Montgomery County Chief of Police Manger commended the outstanding investigative work of Special Agents Ryan Petrasek, Jesse Barnwanijakul, Jonas Balciunas, Stephen Kopeck, Jennifer Anderson, Chad Brewer and Shane Burroughs of the U.S. Secret Service, Detectives Susan Mercer, Debbie Clark, and Debbie Tupa of the Montgomery County Police Department, and Forensic Examiner James W. Brown of the Drug Enforcement Agency. They also commended the assistance provided in this case by Paralegals Jeannette Fennell, Mary Treanor, Margaret McCabe, Sarah Reis, and Carolyn Cody, Legal Assistants Jamasee Lucas, Priscilla Hutson, Latoya Wade, Latoya Davenport, Jacqueline Akyea, and Student Intern Sierra Tate. Lastly, they praised the work of Assistant U.S. Attorneys Debra Long-Doyle, Scharn Robinson, and John W. Borchert, who are prosecuting this case.

Commission Orders a Record $5.7 Million in Penalties, and Over $67.2 Million in Restitution for Investors

PHOENIX, AZ — The Arizona Corporation Commission today ordered a Scottsdale man and his affiliated companies to pay $66.9 million in restitution and $5.4 million in administrative penalties for defrauding investors in a promissory note scheme, resulting in one of the largest securities sanctions ever levied by the Commission. Including the other cases that came before the Commission today, the Commission ordered a total of over $67.2 million in restitution to restore investors.

The Commission found that Scottsdale resident Dan Wise, a former certified public accountant, and his four companies, Whispering Winds Properties, LLC, LM Beagle Properties, LLC, Karlena, Inc. and Axis International, Inc., misrepresented to at least 125 investors that their money would be used to fund real estate loans secured mostly by collateral such as commercial buildings, residential homes and land. The Commission found that Wise did not assign investors a security interest in any collateral and that he further misrepresented the safety level of the investments. The Commission’s Securities Division provided information about Wise’s conduct to the U.S. Securities and Exchange Commission, which subsequently filed a preliminary injunction, freezing the bank accounts of Wise and his companies and seizing their computers and business records.

In a separate case, Donald Robert Mattson, Jr. of Gilbert agreed to pay $179,000 in restitution and $25,000 in administrative penalties for fraudulently promoting an unregistered foreign exchange trading program while not registered to sell securities in Arizona. The Commission found that although Mattson represented that investor funds would be used to trade in the foreign currency exchange market, he used $20,000 of the funds to repay one investor and withdrew a portion in cash without authorization from the investors. Additionally, Mattson promised a 3% monthly return to at least one investor, but has not distributed any return to the investor. In settling this matter, Mattson neither admits nor denies the Commission’s findings, but agrees to the entry of the consent order. In a related action, the Commission issued a default order against Mattson’s affiliated company, Knuckleball Capital Management, LLC, requiring the payment of $179,000 in restitution and $50,000 in administrative penalties. The company, while not registered as a securities dealer, fraudulently sold unregistered investment contracts and commodity investment contracts to at least six Arizona investors.

In another case, the Commission revoked the securities salesman registration and investment adviser representative license of Michael V. Bradley of Scottsdale. Bradley, who is also a licensed insurance agent, agreed to pay $95,006 in restitution and $50,000 in administrative penalties for fraudulently selling unregistered limited partnership interests totaling over $6.06 million. The Commission also denied Bradley’s pending applications for renewal of his securities salesman registration and investment adviser representative license. Without the approval of his securities dealer, Associated Securities Corp., Bradley sold 22 limited partnership interests in a hedge fund called APEX Equity Options Fund, L.P. through his investment adviser firm, Wealth Enhancement & Preservation, LLC. The Commission found that Bradley misrepresented to investors that the APEX hedge fund would provide safety of principal and liquidity. Bradley cashed in his and three of his investment clients’ financial gains before the hedge fund failed. Some of Bradley’s other investors, including his own father, lost their retirement savings. In settling this matter, Bradley neither admits nor denies the Commission’s findings, but agrees to the entry of the consent order.

Additionally, the Commission has settled its allegations against Minnesota-based Woodbury Financial Services, Inc., with the company agreeing to pay $250,000 in administrative penalties for failure to reasonably supervise two of its securities salesmen in Tucson. Woodbury Financial Services has already reimbursed $2,037,617 to the victims of Mayra Angulo and Mark Islas, who used post office boxes under their control to defraud 30 of their clients, some of whom resided in Arizona and Mexico. In February 2009, the Commission issued a default order against Angulo and Islas, revoking their securities salesman registrations. To ensure that this type of conduct will not reoccur, Woodbury Financial Services has increased the number of unannounced audits of its registered securities salesmen. Additionally, Woodbury Financial Services implemented a program that includes annual background checks for unreported criminal activity and credit checks to identify those securities salesmen who are in financial trouble and may pose a potential risk to their clients and the securities dealer. In settling this matter, Woodbury Financial Services neither admits nor denies the Commission’s findings, but agrees to the entry of the consent order.

More caution for investors:
Even when investing with someone they know, investors should verify the registration of sellers and investment opportunities and investigate disciplinary histories by contacting the Arizona Corporation Commission’s Securities Division at 602-542-4242 or toll free in Arizona at 1-866-VERIFY-9. The Division’s investor education Web site also has helpful information at www.azinvestor.gov.

Two California Men Arrested For Insurance Fraud

LOUISIANA - This week, detectives with the Louisiana State Police Insurance Fraud and Auto Theft Unit, with the assistance of the California Department of Insurance, arrested two men who conspired to steal insurance proceeds from individuals and businesses that were affected by Hurricane Katrina.

In September 2008, the Louisiana Department of Insurance forwarded a case to the Louisiana State Police Insurance Fraud and Auto Theft Unit alleging that Michael J. Mekeel, Matthew Todd and Steve Slepcevic of Paramount Disaster Recovery, Inc., committed fraudulent acts when they participated in a scheme that stole insurance proceeds from individuals and businesses after Hurricane Katrina.

Shortly after Hurricane Katrina, representatives from Paramount Disaster Recovery, a Palo Verdes, CA based company, rented an apartment in Slidell, Louisiana. Paramount Disaster Recovery claimed to be a company that provided consulting for businesses and consumers that had substantial insurance claims because of severe weather and other disaster-related damage. Paramount led their clients to believe they had insurance claim management teams, engineers, architects and expert construction consultants and a full-service construction company.

As part of the “public adjusting” process, Paramount solicited parties who had substantial insurance claims to sign a “Public Adjustment Contract” that misrepresented the suspects, Mekeel, Todd and Slepcevic, as being licensed public insurance adjusters. The suspects offered to prepare a property damage assessment and cost-of-repair report and then coordinate inspections with the clients’ insurance company regarding property damage and the cost of repair. The contract stated “the client shall pay Paramount 20% of the total amount of the loss settlement negotiated with and agreed to by the client’s insurance company.”

Additionally, Paramount negotiated with insurance companies, causing the insurance companies to issue checks to their clients which included Paramount as a payee. The suspects allegedly forged the signatures on the back of the insurance checks, and the checks were deposited into Paramount’s bank account. Paramount did not forward any of the insurance monies to the consumers or companies who initiated the claims.

Two individuals and two companies are known to have fallen victim to Paramount’s fraudulent scheme, totaling $335,461.41. After collecting their money, the suspects left the apartment in Slidell and returned to Los Angeles, California.

Louisiana State Police detectives investigated the case, and warrants were issued out of three parishes for the suspects in this case.

The suspects are identified as:

Steve Slepcevic (W/M, age 42, of Palo Verdes, CA) turned himself in on September 17, 2009, at the St. Tammany Parish Jail. Slepcevic was charged with four counts of Criminal Conspiracy to Commit Theft by Fraud ($334,461.41) and four counts of Money Laundering.

Matthew Todd (W/M, age 50, of Chatsworth, CA) was arrested on September 14, 2009, in Los Angeles, CA and is currently awaiting extradition back to Louisiana. Upon his return, Todd will be booked into Acadia Parish Jail on Criminal Conspiracy to Commit Theft by Fraud ($112,998.61). He will also be booked into Jefferson Parish Jail on two counts of Criminal Conspiracy to Commit Theft by Fraud ($201,459.20 & $10,987.50).

Michael Mekeel (W/M, age 38, of Henderson, NV) faces charges of two counts of Criminal Conspiracy to Commit Theft by Fraud ($201,459.20 & $10,016.10) in Jefferson Parish. He will also be booked into the Acadia Parish Jail on Criminal Conspiracy to Commit Theft by Fraud ($112,998.61). He has not yet been located and is believed to be in the Nevada area at this time. Warrants for his arrest have been issued.

Murphy, Texas Man Arrested for Federal Bank Fraud and Identity Theft Violations

SHERMAN, TX — U.S. Attorney John M. Bales announced today that a 43-year-old Murphy, Texas man has been arrested on charges of bank fraud and identity theft in the Eastern District of Texas.

Clifford Wayne Robertson appeared today before U.S. Magistrate Judge Amos L. Mazzant to be formally charged with bank fraud and aggravated identity theft.

According to the Indictment, an investigation determined that Robertson claimed to be a real estate investment advisor who hosted A.M. radio real estate investment talk shows and in-person seminars. Beginning in December 2007, Robertson is alleged to have used the identity of another person to submit a fraudulent personal financial statement to a lending institution in order to obtain money by false pretenses. Robertson was indicted on Sept. 10, 2009 and was arrested today in Dallas, Texas.

If convicted, Robertson faces up to 32 years in federal prison.

This case is being investigated by the Federal Bureau of Investigation and prosecuted by Assistant U.S. Attorney Tammy Reno.

It is important to note that an indictment should not be considered as evidence of guilt and that all persons charged with a crime are presumed innocent until proven guilty beyond a reasonable doubt.

Attorney General Announces 30 Year Prison Sentence For Leader Of Multimillion-Dollar Mortgage Fraud Ring

DENVER, CO — Colorado Attorney General John Suthers announced today that an Adams County judge has sentenced Uto Essien (DOB: 6/24/1964), the ringleader of a multimillion-dollar mortgage fraud operation, to 30 years in the Colorado Department of Corrections. Essien, a Nigerian national, will be deported upon completion of his sentence.

An Adams County jury convicted Essien in July on four felony charges, all related to the use of shell corporations and false invoices to skim money off the top of nearly three dozen real estate transactions. The charges were violating the Colorado Organized Crime Control Act, a class-two felony; two counts of forgery, both class-five felonies; and theft by receiving, a class-four felony. His conviction followed a seven-day trial.

Essien’s conviction stemmed from an indictment the Office of the Attorney General obtained from the Statewide Grand Jury in March 2008. The indictment alleged that Essien and his colleagues fraudulently obtained $10.9 million in mortgages to buy 34 properties in Adams, Arapahoe, Denver and Jefferson counties between April 28, 2004 and Dec. 29, 2006. Essien and his colleagues then skimmed $1.1 million from the transactions to pay for repairs to the properties that the defendants’ shell corporations never completed.

According to the indictment, Essien, while acting as a real estate broker, negotiated the property acquisitions and directed the buyers to create the shell corporations.

The Office of the Attorney General also has successfully prosecuted nine of Essien’s codefendants in the mortgage fraud ring. Each defendant has either pleaded guilty or been convicted following a jury trial.

• Scott Hinkley (DOB: 2/21/1970) pleaded guilty on Dec. 12, 2008 to violating the Colorado Organized Crime Control Act, a class-two felony, and forgery, a class-five felony. He was sentenced Feb. 12, 2009 to 10 years in community corrections.
• Bradly Decker (DOB: 12/7/1980) pleaded guilty on July 24, 2009 to theft by receiving, a class-three felony. He is scheduled to be sentenced on Sept. 24, 2009.
• Idara Ekiko (DOB: 2/28/1978) pleaded guilty on Aug. 5, 2009 to computer crime, a class-three felony. She is scheduled to be sentenced on Sept. 30, 2009.
• Cheri Decker (DOB: 4/4/1976) pleaded guilty Aug. 26, 2009 to violating the Colorado Organized Crime Control Act, a class-two felony, theft, a class-three felony, and forgery, a class-five felony. She is scheduled to be sentenced on Oct. 22, 2009.
• Jennifer Wosley (DOB: 4/11/1975) pleaded guilty on June 16, 2008 to computer crime, a class-three felony. She was sentenced on Aug. 4, 2008 to eight years probation, 200 hours community service, and drug and alcohol evaluation and treatment.
• Jessica Caplan (DOB: 8/11/1969) was convicted of forgery, a class-five felony, during a jury trial. She is scheduled to be sentenced Oct. 17, 2009.
• Heather Etuk (DOB: 4/29/1977) pleaded guilty on Aug. 4, 2008 to forgery, a class-five felony. She was sentenced Sept. 29, 2008 to five years probation, $30,900 restitution, a 90-day suspended jail sentence and 100 hours of community service.
• Jessica Decker (DOB: 3/26/1978) pleaded guilty on Oct. 7, 2008 to obtaining a financial device with a false statement, a class-one misdemeanor. She was sentenced Oct. 7, 2008 to two years probation and $88,000 restitution.
• Enoh Etuk (DOB: 11/28/1953) pleaded guilty on July 24, 2009 to theft, a class-one misdemeanor. She was sentenced on July 24, 2009 to two years probation, and ordered to pay $133,781 restitution.

IC3 NOW SERVES AS A CENTRALIZED HUB FOR SOLVING CYBER CRIME!

INTERNET CRIME COMPLAINT CENTER
www.ic3.gov

IC3 offers a central repository for complaints related to Internet crime, forwards complaint data via an automated process, creates cases based on referred information within the complaints, and provides timely statistical data of current trends. For victims of Internet crime, IC3 provides a convenient and easy way to alert authorities of a suspected violation.

BUILD CASES
IC3 analysts review complaints on a daily basis and build cases for state and local law enforcement.

ASSIST WITH INVESTIGATIONS
IC3 analysts will perform searches within ICSIS at the request of law enforcement agencies for specific complaint information in their jurisdiction.

PROVIDE RESOURCES
IC3 analysts can perform closed database searches (i.e. on Accurint, CLEAR, LexisNexis, etc.) to improve investigations.

AUTO REFER COMPLAINTS
Automatically refer Internet crime complaints to law enforcement agencies with jurisdiction to aid in preventive and investigative efforts.

ICSIS
ICSIS (Internet Complaint Search & Investigation System) allows law enforcement to search all complaints sent to IC3. It also allows law enforcement to build and share case information seamlessly with members of their own agency and agencies around the country.

NW3C | Bureau of Justice Assistance, U.S. Department of Justice