Introduction

If you or your organization is the victim of a computer crime, what should you know before contacting the Federal Bureau of Investigation (FBI) for assistance or to report an incident? This document provides information about the federal investigative and prosecutorial process for computer crimes and explains some of the guidelines, policies, and resources the FBI uses when it investigates computer crime.^[1]

Various FBI technical programs address the growing complexity of computer investigations. FBI legal attaché stationed in 45 countries use sophisticated methods to investigate and coordinate cyber incidents around the world. In the United States, the Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). IC3 processes complaints of cyber crime and then coordinates computer crime investigations.

The FBI’s Cyber Division at FBI Headquarters in Washington DC coordinates investigations in which networks or computers are exploited as instruments in criminal activity or as targets. High priority is given to investigations that involve terrorist organizations or intelligence operations sponsored by foreign governments. The FBI trains and certifies computer forensic examiners who work in FBI field offices to recover and preserve digital evidence. The FBI maintains a computer forensic laboratory in Washington, DC for advanced data recovery and for research and development. Most FBI field offices also have specialized cyber squads called Cyber Action Teams (CATS) which provide expert assistance to law enforcement and aid cybercrime investigations.

Cyber Crime Investigations

Computer crimes can be separated into two categories: 1) crimes facilitated by a computer and 2) crimes where a computer or network is the target.

When a computer is used as a tool to aid criminal activity, it may include storing records of fraud, producing false identification, reproducing and distributing copyright material, collecting and distributing child pornography, and many other crimes.

Technology has made it easier for criminals to hide information about their crimes. Because of the sophistication of the digital environment, evidence is collected and handled differently than it was in the past and often requires careful computer forensic investigation. Crimes where computers are the targets can result in damage or alteration to the computer system. Computers which have been compromised may be used to launch attacks on other computers or networks.

The FBI uses a number of federal statutes to investigate computer crimes. The FBI is sensitive to the victim’s concerns about public exposure, so any decision to investigate is jointly made between the FBI and the United States Attorney in order to take the victim’s needs into account.

Computer Crimes: Frequently Used Federal Statutes

The following statutes are used most frequently by the FBI to investigate computer-related crimes.

1. Federal statutes investigated by the FBI:

United States Codes (U.S.C.)
18 U.S.C. 875 Interstate Communications: Including Threats, Kidnapping, Ransom, Extortion
18 U.S.C. 1029 Possession of Access Devices
18 U.S.C. 1030 Fraud and related activity in connection with computers
18 U.S.C. 1343 Fraud by wire, radio or television
18 U.S.C. 1361 Injury to Government Property
18 U.S.C. 1362 Government communication systems
18 U.S.C. 1831 Economic Espionage Act
18 U.S.C. 1832 Trade Secrets Act

For more information about federal legal codes related to cybercrime, visit
http://www.usdoj.gov/criminal/cybercrime/fedcode.htm

1. Local laws: Each state has different laws and procedures that pertain to the investigation and prosecution of computer crimes. Contact your local police department or district attorney’s office for guidance.

Federal Investigative Guidelines

The FBI investigates incidents when the following conditions are present:

• a violation of the federal criminal code has occurred within the jurisdiction of the FBI
• the United States Attorney’s Office supports the investigation and agrees to prosecute the subject if the elements of the federal violation can be substantiated

Federal law enforcement can only gather proprietary information concerning an incident in the following ways:

• request for voluntary disclosure of information
• court order
• federal grand jury subpoena
• search warrant

Gathering information

To ensure that your organization can react to an incident efficiently, make sure that staff knows who is responsible for cyber security and how to reach them. The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization’s polices and procedures):

1. Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.
2. If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if the system log on the warning banner permits.
3. Report the incident to the CERT/CC using the incident reporting form at  https://irf.cc.cert.org/.  Consider authorizing them to release the incident information to law enforcement. This will provide an excellent synopsis of what happened.
4. Document the losses suffered by your organization as a result of the incident. These could include the
   • estimated number of hours spent in response and recovery. (Multiply the number of participating staff by their hourly rates.)
   • cost of temporary help
   • cost of damaged equipment
   • value of data lost
   • amount of credit given to customers because of the inconvenience
   • loss of revenue
   • value of any trade secrets
5. Contact law enforcement and
   • provide incident documentation
   • share information about the intruder
   • share any ideas about possible motives

Contact Information

To initiate an investigation, contact your local FBI office or another appropriate federal, state, or local law enforcement agency. To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov .

Other links:
http://www.us-cert.gov/

http://www.dhs.gov

Computer Forensics

• The Honeynet Project’s Forensic Challenge
• Basic Steps in Forensic Analysis of Unix Systems, David Dittrich (Pasos Básicos en Análisis Forense de Sistemas GNU/Linux, Unix, modified, updated and translated to Spanish by Ervin S. Odishoo)
• Course notes for Black Hat ‘00 Unix forensics class, Dominique Brezinski and David Dittrich
• The Coroner’s Toolkit
• Windows Vista Security Guide, Microsoft
• Fundamental Computer Investigation Guide For Windows, Microsoft
  • Dan Farmer & Wietse Venema’s class on computer forensic analysis
    [ forensics.tar.gz contains the slides in 6-up portrait PostScript format for printing on just 25 double-sided pages]
  • Forensic Computer Analysis: An Introduction — Reconstructing past events, By Dan Farmer and Wietse Venema, Dr. Dobb’s Journal, September 2000
  • What Are MACtimes?: Powerful tools for digital databases, By Dan Farmer, Dr. Dobb’s Journal, October 2000
  • Strangers In the Night: Finding the purpose of an unknown program, by Wietse Venema, Dr. Dobb’s Journal, November 2000
  • Computer Forensics Column, Errata
• The Law Enforcement and Forensic Examiners Introduction to Linux, a Beginner’s Guide, Barry J. Grundy, NASA Office of the Inspector General
• Brian Carrier’s Sleuthkit (formerly TASK, formerly TCT-Utils)
  • PTK - A FREE alternative Sleuthkit Interface
  • Sleuthkit
  • Autopsy Browser
  • Sleuthkit Informer
  • Running Sleuthkit and Autopsy Under Windows, by Charles Lucas, June 11, 2004
• Notes on updating Red Hat Linux 7.1 to support >2GB images with TCT, TCTUTILS & Autopsy (see also Large File Support in Linux)
• Forensic Analysis of a Compaq RAID-1 Array and Using dd with EnCase v3, by Keith J. Jones
• RAID Reassembly - A forensic Challenge (using PyFlag to reconstruct a filesystem from a RAID array)
• Forensic Analysis Using FreeBSD - Part 1 by Keith J. Jones
• Email Forensics CEIC 2002, William L. Farwell, 2002
• Being an Expert Witness or Consulting for Counsel
  Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness, by Fred Chris Smith and Rebecca Gurley Bace, Addison Wesley Professional, 2003, ISBN 0-201-75279-4 How Attorneys Use Experts and Consultants, ExpertPages.com
• Blogs
  • Windows Incident Response blog by Harlan Carvey
  • int for(ensic) {blog;} by Andreas Schuster

• Books
  • Forensic Discovery, by Dan Farmer and Wietse Venema, Addison Wesley Professional [Duffbert's Random Musings review of the book]
  • List of books on forensics compiled by Jeimy J. Cano, Universidad de los Andes

• Articles/Journals
  • Digital Evidence: How Law Enforcement Can Level the Playing Field With Criminals, by Nancy Ritter, NIJ Journal No. 254, July 2006
  • Ten Steps to Forensic Readiness, by Robert Rowlingson, International Journal of Digital Evidence, Winter 2004, Volume 2, Issue 3
  • Forensic Readiness, by John Tan, @Stake, 2001
  • International Responses to Cyber Crime
  • International Journal of Digital Evidence
  • Sleuthkit Informer
  • Open Source Digital Forensic Tools: The Legal Argument, by Brian Carrier, @stake
  • Computer forensics specialists in demand as hacking grows, by Suzanne Monson, Special to The Seattle Times, September 8, 2002
  • Electronic Data Discovery Primer, by Albert Barsocchini, Law Technology News, August 28, 2002
  • Solving the Perfect Computer Crime, by Jay Lyman, www.NewsFactor.com, February 27, 2002
  • NT Incident Response Investigations and Analysis, by Harlan Carvey, Information Security Bulletin, June 2001
  • “A harder day in court for fingerprint, writing experts: US judge limits testimony of forensic analysts, in a ruling that might alter how evidence is presented at trial,” by Seth Stern, Christian Science Monitor, January 16, 2002
  • Cybersleuthing solves the case (and related stories) by Deborah Radcliff, Computerworld, January 14, 2002
  • Digital sleuthing uncovers hacking costs, by Robert Lemos, Special to CNET News.com, March 22, 2001
  • “Intrusion Detection Systems as Evidence”, by Peter Sommer, Computer Security Research Centre, London School of Economics & Political Science
  • Advancing Crime Scene Computer Forensic Techniques, by Chet Hosmer, John Feldman, and Joe Giordano
  • Recovering and Examining Computer Forensic Evidence, Forensic Science Communications, FBI, October 2000
  • Analysis: The forensics of Internet security, by Carole Fennely, SunWorld (via CNN), July 26, 2000
  • September 2000 Market Survey — Computer Forensics, by James Holley, SC Magazine (ranks Linux dd a Best Buy! ;)
  • Cybercops Need Better Tools — Law enforcement agencies are falling behind hackers, says exec of CIA tech incubator, by Matthew Schwartz, Computerworld, July 31, 2000
  • Crime Seen (Cover story on digital forensics), by Bill Betts, Information Security Magazine, March, 2000
  • Disk Shows Love Bug-Like Virus, by Dirk Beveridge, AP, May 16 2000
  • Computer Forensics: Investigators Focus on Foiling Cybercriminals, by Illena Armstrong, SC Magazine (cover story), April 2000
  • CD Universe evidence compromised — Failure to protect computer data renders it suspect in court, by Mike Brunker and Bob Sullivan, MSNBC, June 7, 2000
  • Crime & Clues — The Art and Science of Criminal Investigation
  • FBI Forensic Science Communications

• Organizations/conferences/training
  • International Organisation on Computer Evidence
  • European Network of Forensic Science Institutes — Forensic information technology Working group
  • International Association of Computer Investigative Specialists (IACIS)
  • A list of Calls for Papers, Conferences and On-going Training courses
  • A list of Scheduled Training courses

• Law and Legal Process
  • Secret Service Form 4017: Cyber Threat/Network Incident Report
  • Judicial Gatekeeping in Texas, by Thomas F. Allen, Jr. and Robert Rogers, Harvard Law School ‘99 (Daubert)
  • Admissibility of Scientific Evidence Under Daubert
  • Frye v. United States 293 F. 1013 (D.C. Cir. 1923)
  • Rules of Evidence, Harvard School of Law
• Digital Timestamping
  • Trusted Timestamping at Wikipedia
  • Stamper digital timestamping service
  • Internet X.509 Public Key Infrastructure Time Stamp Protocol (TSP)
  • What is digital timestamping?, RSA Cryptography FAQ section 7.11
  • Secure Time/Date Stamping in a Public Key Infrastructure, Surety.com White Paper (PDF)
  • Time Stamp Protocol, by Byun, Jung-Soo
  • Time is of the Essense: Electronic documents will only stand up in court if the who, what, and when they represent are unassailable, by Charles R. Merrill, CIO.com, March 15, 2000
  • How to Time-Stamp a Digital Document (PDF), by Stuart Haber and W. Scott Stornetta, Journal of Cryptology, Vol. 3, No. 2, pp. 99-111 (1991)
  • Improving the Efficiency and Reliability of Digital Time-Stamping (PostScript), by Dave Bayer, Stuart Haber, and W. Scott Stornetta, in Sequences II: Methods in Communication, Security, and Computer Science, eds. R. Capocelli, A. DeSantis, and U. Vaccaro, pp. 329-334, (Springer-Verlag, 1993)
  • Secure Names for Bit-Strings (PostScript), by Stuart Haber and W. Scott Stornetta, in Proceedings of the 4th ACM Conference on Computer and Communication Security, (ACM, 1997).
• Online resources
  • dnsstuff.com
  • samspade.com
  • Computer Forensics World

• Guidelines and standards
  • Investigations Involving the Internet and Computer Networks, National Institute of Justice, NCJ 210798, 2006
  • Electronic Crime Scene Investigation: A Guide for First Responders, National Institute of Justice, NCJ 187736, 2001
  • Forensic Examination of Digital Evidence: A Guide for Law Enforcement, National Institute of Justice, NCJ 199408, 2004
  • U.S. Department of Energy Computer Forensic Laboratory’s First Responder’s Manual (PDF)
  • Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries (CSIRT Project Survey)
  • Directors and Corporate Advisors Guide to Digital Investigations and Evidence, by Peter Sommer for IAAC, September 2005
  • Federal Guidelines for Searching and Seizing Computers, U.S. Deptarment of Justice
  • Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice, January 2001 (PDF Version)
  • Field Guidance on New Authorities (Redacted), enacted in the 2001 Anti-terrorism Legislation (”USA Patriot Act”), issued by the Department of Justice
  • How the FBI Investigates Computer Crime, CERT Coordination Center
  • Evidence Examinations — Computer Examinations, Handbook of Forensic Services, U.S. Department of Justice, FBI
  • Digital Evidence: Standards and Principles, Forensic Science Communications, US DoJ, April 2000, Volume 2, Number 2
  • Recovering and Examining Computer Forensic Evidence, Forensic Science Communications, US DoJ, October 2000, Volume 2, Number 4
  • RFC 3227: Guidelines for Evidence Collection and Archiving, by Dominique Brezinski and Tom Killalea
  • An Introduction to the Field Guide for Investigating Computer Crime, by Timothy E. Wright (Security Focus Incident Handling focus)
  • The Field Guide for Investigating Computer Crime: Overview of a Methodology for the Application of Computer Forensics, by Timothy E. Wright (Security Focus Incident Handling focus)
  • The Field Guide for Investigating Computer Crime: Search and Seizure Basics, by Timothy Wright (Security Focus Incident Handling focus)
  • Recovering from an Intrusion, by /dev/null
• Interviews
  • Info.sec.radio segment on forensics (@15:45.0), July 10, 2000
  • SecurityFocus interview with Jennifer Grannick
  • SecurityFocus interview with Chad Davis
• Reverse engineering/Debugging/Malware Analysis
  • Reverse Engineering Hostile Code, by Joe Stewart, SecurityFocus Online, October 23, 2002
  • Alien Autopsy: Reverse Engineering Win32 Trojans on Linux, by Joe Stewart, SecurityFocus Online, November 14, 2002
  • Reverse Engineering Malware, by Lenny Zeltser, May 2001
  • The Honeynet Project’s Reverse [engineering] Challenge
  • Fenris, by Michal Zalewski, BINDVIEW
    • Other open source reverse engineering tools listed by Michal Zalewski
    • Using fenris on the Honeynet Project Reverse Challenge binary
    • Using fenris on burneye protected binaries
  • OllyDbg Win32 runtime debugger (See also OllyDbg Stuph debugger aids)
  • Linux tools for Reverse Engineering at Packet Storm
  • LinuxAssembly.org resources
  • Linux Assembly HOWTO, by Konstantin Boldyshev and François-René Rideau
  • Programmer’s Tools Decompiler/Dissassembler page
  • Linux Kernel Internals (especially the “How System Calls Are Implemented on i386 Architecture chapter)
  • The Decompilation Page at the University of Queensland
  • IDA Pro Disassembler (commercial product, multi-platform/OS) [older freeware version]
  • GDB tutorial
  • Gnu GDB docs
  • Cornell Theory Center Totorial on GDB
  • Norm Matloff’s Debugging Tutorial
  • UNIX Kernel Stack Overflows, SunSolve Online Infodoc
  • The Solaris Memory System: Sizing, Tools and Architecture (PDF)
  • SE Toolkit (Sun memory management tuning utility)
  • Books
    • The Art of Computer Virus Research and Defense, by Peter Szor, Addison Wesley in collaboration with Symantec Press, ISBN 0321304543, February, 2005
    • Linkers and Loaders, by John Levine, Morgan-Kauffman, ISBN 1-55860-496-0, October 1999
    • Intel 64 and IA-32 Architectures Software Developer Manuals, Intel Corporation
  • Anubis: Analyzing Unknown Binaries, Secure Systems Lab, Vienna University of Technology
• Anti-Forensics (Note: Use these on an isolated analysis system)
  • SecuriTeam.com TESO Burneye Unwrapper
  • Advanced in ELF Runtime Binary Encryption - Shiva, by Neil Mehta, Blackhat USA 2003 (PDF)
  • Unpackers/decrypters/unprotectors (Generic/universal unpackers/deprotectors/dumpers)
  • Packer and Unpackers
  • EXEStealth executable protection
  • Generic ExeStealth Unpacker v1.0
• Encryption/Stegonography
  • www.Decryption.info
  • Steganalysis - Attacks against Steganography and Watermarking - Countermeasures - , by Neil F. Johnson
  • Defeating Statistical Steganalysis, CITI, University of Michigan
• Forensic analysis tools and related software
  • Bootable CD-ROM toolkits
    • Knoppix Security Tools Distribution (STD)
    • Penguin Sleuthkit (a remaster of Knoppix)
    • Trinity Rescue Kit (TRK)
    • The Farmer’s Boot CD
    • The Auditor security tools Live CD
    • grml - Linux Live-CD for sysadmins / texttool-users / geeks
    • FLAG (Forensic Log Analysis GUI), from the Australian Defence Signals Division
    • Helix Incident Response and Forensics LiveCD
    • The FIRE (formerly known as “Biatchux“) bootable CD-ROM forensic toolkit
    • Bart’s Preinstalled Environment (BartPE) bootable live windows CD/DVD
  • Secure Deletion
    • Darik’s Boot and Nuke (DBAN)
    • See also the links on Josh Larios’ old autoclave web page
  • Fingerprint databases
    • The Solaris Fingerprint Database
    • known goods
    • The NIST National Software Reference Library (NSRL)
  • Rootkit identification utilities
    • Rootkit Hunter
    • chkrootkit
  • File system integrity checking tools
    • Osiris
    • AIDE
    • FTimes and HashDig
  • Time Zone Converter
  • Open Source Windows Forensic Tools for Windows
  • Linux NTFS file system drivers
  • Open Source Windows Forensic Tools for Unix
  • chkwtmp (SunOS 4.x)
  • chklastlog (SunOS 4.x)
  • NT Objectives was mentioned in a DEFCON talk on forensics. They produce a free toolkit (that lets you do the same thing as find does for free on Unix!)
  • NTI Information & Resource Page (Mostly Windows-specific instructions, but some general forensic guidelines)
  • Slashdot thread on wiping hard drive contents
  • Put A Trace On It: A Command You Can “truss”, SunSolve Online document
  • Signatures of Macintosh files
  • DD’¿½Ultimate Guide to Mac OS Forensics
• Forensic analysis or related hardware
  • Cold boot disk encryption attack is shockingly effective, Engadget, February 21, 2008
  • Hard Disk Removal, Sanderson Forensics
  • Customer Installable Parts, Apple Computer
  • WiebeTECH (Fire Wire docking devices)
  • FIREVue FireWire 400 / IDE Bridge Boards
  • Forensic-Computers.com
  • F.R.E.D.D.I.E.
  • The Image MASSter Solo 2 Forensic system
  • Daten Airbag (hard drive write protection)
  • Centurion Guard
  • Agaté USB hard drive
• Partitioning/File system documentation
  • Windows NT Boot Process and Hard Disk Constraints, Microsoft Knowledge Base Article 114841
  • See “Splitting the Disk” in Sleuthkit Informer #2
  • Sleuthkit Media Management Tools
  • Linux Resource: Top: Kernel: File Systems
  • Ext2fs Home Page
  • Ext3 for the 2.2 kernel
  • SGI’s XFS Port to Linux
  • IBM’s JFS Port to Linux
  • FAT: General Overview of On-Disk Format, Microsoft
  • Microsoft Extensible Firmware Initiative FAT32 File System Specification, Microsoft
  • Linux Magic Numbers
  • JPEG File Interchange Format (JFIF)
  • The proposed Filesystem Hierarchy Standard [PDF file] (Directories/files, their locations, and intended purposes: A good topographic map of Unix filesystems.)
  • Journal File Systems, by Juan I. Santos Florido
  • Large File Support in Linux
• Destruction/Recovery of data
  • Selling More Than You Bargained For, Fulcrum Inquiry press release, February 2007. (This echoes a study done by Simpson Garfinkel at MIT, and my own experience purchasing surplus equipment from “a major aerospace company” in the late 1990s. Sad to see this problem is still so prevalent.)
  • I Just Bought Your Hard Drive, the Red Tape Chronicles, by Bob Sullivan, MSNBC.com, June 5, 2006
  • Safe destruction of hard drives (This is good! ;)
  • Zapping data on CDs! (NICE light show!)
  • Unlocking a password protected harddisk (ATA Security Mode features), by the Rockbox Crew
• Incident costs, damage estimation, and risk analysis
  • Project Develops Model for Analyzing Security Incident Costs in Academic Computing Environments
  • A Study on Incident Costs and Frequencies, by Virginia Rezmierski <ver@umich.edu>, Adriana Carroll <adriana_carroll@hotmail.com>, and Jamie Hine
  • Faking It:Calculating Loss in Computer Crime Sentencing By Jennifer S. Granick, March 17, 2006 (Draft) [In relation to this case: Computer Privacy Upheld, but Sidestepped by Silver Platter Doctrine and Schools Special Needs Exception]
  • Security Attribute Evaluation Method: A Cost Benefit Approach, by Shawn Butler, Carnegie Mellon University, International Conference on Software Engineering 2002 (ICSE 2002) Proceedings
  • Multi-Attribute Risk Assessment, by Shawn Butler, Carnegie Mellon University, Proceedings from Symposium on Requirements Engineering for Information Security (SREIS 2002)
  • Attack Trees: Modeling security threats, by Bruce Schneier, Dr. Dobb’s Journal, December 1999
  • Attack Modelling for Information Security and Survivability, Andrew P. Moore, Robert J. Ellison, Richard C. Linger, Technical Note CMU/SEI-2001-TN-001, March 2001
  • A Quick Tour of Attack Tree Based Risk Analysis Using Secur/Tree, whitepaper by Amenaza.com, May 2002
• Other documents/terms/legal resources
  • Forensic Examination of a RIM (Blackberry) Wireless Device, by Micheal W. Burnette, June 2002
  • What is RAID?
  • Linux DTP Hardware RAID HOWTO, by Ram Samudrala, v1.6, February 20, 2002
  • Computer/High-Tech Crime and Related Sites
  • Resources for High-Tech Crime Units, Officer.com
  • What is “Bates Numbering?”
  • Forensics Links from www.forinsect.de
• Certificate/Degree Programs
  • A university in Texas is offering a cybersecurity degree program, by Sandra Swanson, Informationweek, May 3, 2002
  • U.T. Dallas To Establish Digital Forensics And Security Institute To Help Fight Cybercrime, University of Texas, Dallas, press release, May 1, 2002
  • University of New Haven Forensic Computer Investigation Program
  • Graduate Certificate Program in Computer Forensics (GCCF), University of Central Florida
  • UCF’s list of University Programs/Courses in Computer Forensics [PDF]
  • Georgetown Institute for Information Assurance
  • Dan J. Ryan’s Educational Materials
  • Johns Hopkins University Information Security Institute
  • Carnegie Mellon University Information Networking Institute (a C3S affiliated program)
  • Syracuse University Information Security Management Program
  • Dartmouth University Institute for Security Technology Studies
  • Purdue University CERIAS Information Assurance Education Graduate Certificate Program

Identity Theft, Security, Technology News Computer Forensics, FBI