How the FBI Investigates Computer Crime



Resurrection
03.12.10, 12:51
CERT®/CC: How the FBI Investigates Computer Crime (http://www.cert.org/tech_tips/FBI_investigates_crime.html)

---------


Introduction

If you or your organization is the victim of a computer crime, what should you know before contacting the Federal Bureau of Investigation (FBI) for assistance or to report an incident? This document provides information about the federal investigative and prosecutorial process for computer crimes and explains some of the guidelines, policies, and resources the FBI uses when it investigates computer crime.[1]

Various FBI technical programs address the growing complexity of computer investigations. FBI legal attachés stationed in 45 countries use sophisticated methods to investigate and coordinate cyber incidents around the world. In the United States, the Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). IC3 processes complaints of cyber crime and then coordinates computer crime investigations.

The FBI’s Cyber Division at FBI Headquarters in Washington, DC coordinates investigations in which networks or computers are exploited as instruments in criminal activity or as targets. High priority is given to investigations that involve terrorist organizations or intelligence operations sponsored by foreign governments. The FBI trains and certifies computer forensic examiners who work in FBI field offices to recover and preserve digital evidence. The FBI maintains a computer forensic laboratory in Washington, DC for advanced data recovery and for research and development. Most FBI field offices also have specialized cyber squads called Cyber Action Teams (CATS) which provide expert assistance to law enforcement and aid cybercrime investigations.

Cyber Crime Investigations

Computer crimes can be separated into two categories: 1) crimes facilitated by a computer and 2) crimes where a computer or network is the target.

When a computer is used as a tool to aid criminal activity, it may include storing records of fraud, producing false identification, reproducing and distributing copyright material, collecting and distributing child pornography, and many other crimes.

Technology has made it easier for criminals to hide information about their crimes. Because of the sophistication of the digital environment, evidence is collected and handled differently than it was in the past and often requires careful computer forensic investigation. Crimes where computers are the targets can result in damage or alteration to the computer system. Computers which have been compromised may be used to launch attacks on other computers or networks.

The FBI uses a number of federal statutes to investigate computer crimes. The FBI is sensitive to the victim's concerns about public exposure, so any decision to investigate is jointly made between the FBI and the United States Attorney in order to take the victim's needs into account.

Computer Crimes: Frequently Used Federal Statutes

The following statutes are used most frequently by the FBI to investigate computer-related crimes.

1. Federal statutes investigated by the FBI:

United States Codes (U.S.C.)
18 U.S.C. 875 Interstate Communications: Including Threats, Kidnapping, Ransom, Extortion
18 U.S.C. 1029 Possession of Access Devices
18 U.S.C. 1030 Fraud and related activity in connection with computers
18 U.S.C. 1343 Fraud by wire, radio or television
18 U.S.C. 1361 Injury to Government Property
18 U.S.C. 1362 Government communication systems
18 U.S.C. 1831 Economic Espionage Act
18 U.S.C. 1832 Trade Secrets Act

For more information about federal legal codes related to cybercrime, visit
cybercrime.gov (http://www.usdoj.gov/criminal/cybercrime/fedcode.htm)

2. Local laws: Each state has different laws and procedures that pertain to the investigation and prosecution of computer crimes. Contact your local police department or district attorney's office for guidance.

Federal Investigative Guidelines

The FBI investigates incidents when the following conditions are present:

* a violation of the federal criminal code has occurred within the jurisdiction of the FBI
* the United States Attorney's Office supports the investigation and agrees to prosecute the subject if the elements of the federal violation can be substantiated

Federal law enforcement can only gather proprietary information concerning an incident in the following ways:

* request for voluntary disclosure of information
* court order
* federal grand jury subpoena
* search warrant

Gathering information

To ensure that your organization can react to an incident efficiently, make sure that staff knows who is responsible for cyber security and how to reach them. The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization's policies and procedures):

1. Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.
2. If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if the system log-on warning banner permits.
3. Document the losses suffered by your organization as a result of the incident. These could include the
   * estimated number of hours spent in response and recovery. (Multiply the number of participating staff by their hourly rates.)
   * cost of temporary help
   * cost of damaged equipment
   * value of data lost
   * amount of credit given to customers because of the inconvenience
   * loss of revenue
   * value of any trade secrets
4. Contact law enforcement and
   * provide incident documentation
   * share information about the intruder
   * share any ideas about possible motives

Contact Information

To initiate an investigation, contact your local FBI office or another appropriate federal, state, or local law enforcement agency. To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov.

Other links:
US-CERT: United States Computer Emergency Readiness Team (http://www.us-cert.gov/)

Department of Homeland Security | Preserving our Freedoms, Protecting America (http://www.dhs.gov)
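
One way to carry out step 1 of "Gathering information" so that the backup copies can later be shown unchanged, as an added example that is not part of the CERT document or the original post. The category labels, the `evidence` directory layout and the `manifest.json` name are assumptions, and the sample files are constructed.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preserve(items, evidence_dir):
    """Copy (category, path) pairs into evidence_dir and write manifest.json."""
    evidence_dir = Path(evidence_dir)
    manifest = []
    for n, (category, src) in enumerate(items):
        src = Path(src)
        st = src.stat()                          # capture metadata before copying
        rel = Path(category) / f"{n:04d}_{src.name}"
        (evidence_dir / category).mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, evidence_dir / rel)    # copy2 also carries over the mtime
        manifest.append({
            "category": category, "original": str(src), "copy": rel.as_posix(),
            "size": st.st_size, "mtime": st.st_mtime,
            "sha256": sha256_file(evidence_dir / rel),
            "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir):
    """Re-hash each preserved copy; return the copies that no longer match."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["copy"] for e in manifest
            if sha256_file(evidence_dir / e["copy"]) != e["sha256"]]

def demo():
    """Run on constructed sample files (not real incident data)."""
    work = Path(tempfile.mkdtemp())
    log, drop = work / "auth.log", work / "x.sh"
    log.write_text("Dec  3 12:51:02 host sshd[411]: Failed password for root\n")
    drop.write_text("#!/bin/sh\n# constructed stand-in for a file left behind\n")
    preserve([("logs", log), ("intruder_files", drop)], work / "evidence")
    return verify(work / "evidence")             # empty while copies are untouched
```

Store the manifest (or its own hash) separately from the evidence directory, so that a later `verify` run compares against a record the copies could not have been altered alongside.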

slikrapid
03.12.10, 19:35
lol, like anyone would want the feds snooping around their computers & data :P

Renk
03.12.10, 23:55
To initiate an investigation, contact your local FBI office (...) :eek:

At this point, I realize we need additional smileys for holy water, clove of garlic, silver bullets, and UV generators (although I think gamma rays gen. would even be preferable in that case).

SealLion
04.12.10, 02:55
This is a joke. Read this from the quote:


Computer crimes can be separated into two categories: 1) crimes facilitated by a computer ....

So in other words, inanimate objects can commit crime....uh...ya...ok.


Interestingly, Fox Mulder forgot that the FBI ....


..can only gather proprietary information concerning an incident in the following ways:

* request for voluntary disclosure of information
* court order
* federal grand jury subpoena
* search warrant




if there's been a real cyber-crime committed, then of course the FBI would be committed to be involved.
This includes cyber crimes being committed in one of their 40+ foreign offices.
It makes me wonder why this law enforcement from the States has to have foreign offices. Though it equally makes me ponder if the RCMP also has foreign offices as well.
But in particular interest is of the US's need for such foreign offices.
Supposed collusion for so called 'terrorist crimes' being potentially committed against the States when in fact there is no actual terrorist crime.

Much like with Israel, IMO,


....two Mossad operatives carrying Canadian passports entered Jordan under orders from Binyamin Netanyahu.......The botched attempt became the Mossad's most high-profile failure: Relations with Canada were strained once it was learned its passports were used in the operation

Link: http://english.aljazeera.net/focus/2010/02/201021818562529723.html (http://english.aljazeera.net/focus/2010/02/201021818562529723.html)

and second Link: http://www.sb-innovation.de/f50/al-jazeera-english-mossads-secret-wars-18999/ (http://www.sb-innovation.de/f50/al-jazeera-english-mossads-secret-wars-18999/)

I'm sure that those relations weren't strained at all.
IMO such relations probably were only made to look like they were strained. You never know what goes on behind closed doors and drawn curtains.
Most especially when you consider how colluding Israel is with other countries. The same can be said of the US and a number of its allies in this war on terror.
The States collude just as equally on the same level plane to give this false impression of constant fear, terror, anxiety, panic, and suspicion that almost every Muslim is a terrorist.
What an insult to Muslims.
That might be minor when one considers that a more serious goal in establishing this goal of global ascendancy and then submission of the world's population by just a few at the top.

Maybe that's why they have the FBI in all these foreign offices. As part and parcel of these colluding efforts to instill fear and chaos. I don't know for sure but there's nothing that prevents me from taking a guess.

and of course there's nothing that prevents the FBI from establishing foreign offices. Much like the UN had with Israel a number of years ago.


.....the UN Security Council's resolution could not prevent Israeli intelligence agents from operating on foreign soil again.

That's taken from the AJE link above

So who's in collusion with whom, I wonder. .....
If one reads a little deeper into things that are made public by the media and consider some of the alternative news sources around. It doesn't take a rocket scientist to see such things.

.

Resurrection
04.12.10, 10:24
:eek:

At this point, I realize we need additional smileys for holy water, clove of garlic, silver bullets, and UV generators (although I think gamma rays gen. would even be preferable in that case).

I think that's in the case you are a victim...

slikrapid
04.12.10, 18:01
@SealLion:


..can only gather proprietary information concerning an incident in the following ways:

i'd say those definitions were always pretty loose in actual practical application anyways and if needed could be re-adjusted/re-interpreted at will, not to mention that their powers have grown after 9/11, which would include a larger range of currently legal grounds for performing an investigation (btw. fox was intended to be the likable guy among feds ;) )


But in particular interest is of the US's need for such foreign offices.

as centers of operation/communication, logistics, secure controlled areas, temporary storage facilities for smuggling operations (personnel, items), official front-ends,...


I'm sure that those relations weren't strained at all.

yeah, only in the public eye - a large number of these national/international strains are pre-arranged false flag operations or feigned efforts for manipulative purposes