Forensics / Evidence / Discovery
Let's assume that one wishes to learn how to contact an author, or those responsible for online content or an online site. There are a number of ways to attempt this, ranging from easy to difficult.
Encrypted Traffic
Even where traffic is encrypted, an observer of that traffic can learn a great deal from it, either from the metadata (aka transactional data: who talks to whom, when, and how much) or from fingerprinting the packet sizes and timing of the encrypted stream. Encrypted traffic can be significantly deanonymized in this way.
- Monica Skowron, Artur Janicki & Wojciech Mazurczyk, Traffic Fingerprinting Attacks on Internet of Things Using Machine Learning (IEEE Access: Vol. 8, at 20386-20400) (2020), http://doi.org/10.1109/ACCESS.2020.2969015
- Noah Apthorpe, Danny Yuxing Huang, Dillon Reisman, Arvind Narayanan, & Nick Feamster, Keeping the Smart Home Private with Smart(er) IoT Traffic Shaping (Proceedings on Privacy Enhancing Technologies: Vol. 2019, Issue 3, at 128-148) (2019), https://doi.org/10.2478/popets-2019-0040
- Jan Kohout, Tom Pevny, Network Traffic Fingerprinting Based on Approximated Kernel Two-Sample Test (IEEE Transactions on Information Forensics and Security: Vol. 13, Issue 3, at 788-801) (2018), http://doi.org/10.1109/TIFS.2017.2768018.
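The following is an added illustration of the point above, not code from this page or from the cited papers. It models what a passive observer actually sees of an encrypted session (only packet lengths, never payload), shows that a trivial nearest-centroid classifier over a packet-length histogram separates three constructed device types, and then applies traffic shaping in the spirit of Apthorpe et al. (pad every packet to one size, send a fixed number of packets per window) to show the same classifier falling to chance. All device profiles, sessions and numbers are constructed in-line and are assumptions for the demo; no traffic is captured.

```python
"""Metadata-only fingerprinting of encrypted sessions, and traffic shaping
as a countermeasure.  Added illustration; all traffic below is constructed."""
import random
from collections import Counter

# Constructed device classes.  Each emits packets whose length profile is
# characteristic of the protocol behind the encryption (tiny periodic
# keep-alives vs. bulk media frames).  Payload bytes are never modelled:
# only the length sequence, which is what a passive observer sees.
PROFILES = {
    "thermostat": [(60, 90), (60, 90), (60, 90), (200, 260)],
    "camera":     [(1200, 1400), (1200, 1400), (1200, 1400), (100, 150)],
    "speaker":    [(400, 600), (100, 150), (400, 600), (800, 1000)],
}
BUCKETS = (128, 256, 512, 1024, 2048)   # upper edges of length histogram bins (bytes)


def make_session(kind, rng):
    """One constructed encrypted session: a list of packet lengths in bytes."""
    ranges = PROFILES[kind]
    return [rng.randint(*rng.choice(ranges)) for _ in range(rng.randint(30, 40))]


def make_dataset(per_class, rng):
    """Balanced list of (device kind, packet lengths) pairs."""
    return [(kind, make_session(kind, rng)) for kind in PROFILES for _ in range(per_class)]


def fingerprint(lengths):
    """Normalised packet-length histogram: the only feature the observer uses."""
    def bucket(n):
        return next((i for i, edge in enumerate(BUCKETS) if n <= edge), len(BUCKETS) - 1)
    counts = Counter(bucket(n) for n in lengths)
    return tuple(counts.get(i, 0) / len(lengths) for i in range(len(BUCKETS)))


def train(sessions):
    """Nearest-centroid model: the mean fingerprint of each device class."""
    sums, counts = {}, Counter()
    for kind, lengths in sessions:
        fp = fingerprint(lengths)
        sums[kind] = [a + b for a, b in zip(sums.get(kind, [0.0] * len(fp)), fp)]
        counts[kind] += 1
    return {k: [v / counts[k] for v in s] for k, s in sums.items()}


def classify(model, lengths):
    """Label of the centroid closest (L1 distance) to the session's fingerprint."""
    fp = fingerprint(lengths)
    return min(model, key=lambda k: sum(abs(a - b) for a, b in zip(model[k], fp)))


def accuracy(model, sessions):
    return sum(classify(model, l) == kind for kind, l in sessions) / len(sessions)


def shape(lengths, size=1500, window=40):
    """Traffic shaping: pad every packet to a constant size and emit a constant
    number of packets per window (cover packets fill any shortfall), so the
    length histogram no longer depends on which device produced the traffic."""
    padded = [size] * len(lengths)
    padded += [size] * max(0, window - len(padded))   # cover traffic
    return padded[:window]


def run_demo(seed=7):
    """Classifier accuracy on raw encrypted sessions vs. shaped sessions."""
    rng = random.Random(seed)
    train_set, test_set = make_dataset(20, rng), make_dataset(10, rng)
    plain = accuracy(train(train_set), test_set)
    # Retrain on shaped traffic so the observer gets every advantage; the
    # centroids are still identical, so every guess collapses to one label.
    shaped_train = [(k, shape(l)) for k, l in train_set]
    shaped_test = [(k, shape(l)) for k, l in test_set]
    shaped = accuracy(train(shaped_train), shaped_test)
    return {"plain": plain, "shaped": shaped}


if __name__ == "__main__":
    print(run_demo())   # raw sessions classified near-perfectly; shaped ones at 1/3
```

The histogram feature is deliberately crude; the cited papers use richer features (inter-arrival timing, burst structure, kernel two-sample tests), which is why shaping schemes must also regularise timing and not only packet size. The cost of the countermeasure is visible in `shape()`: padding and cover packets inflate bandwidth, which is the trade-off the Apthorpe et al. paper above examines.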
Websites
Contact Us: Many sites have an "About Us" or "Contact Us" link on their website, which will tell you who they are and how to contact them (don't forget to look for a copyright statement, which may tell you who the owner of the content is; there may also be a DMCA statement with a point of contact for copyright concerns). This would be the easy method.
When individuals set up a website or other online presence, they generally set up an account with the host. Hosts generally like to get paid for their services, and therefore their records may accurately reflect how to extract money from the individual using their website. The problem is that hosts may have privacy policies saying that they will not simply hand their clients' information over to just anyone, except when in receipt of proper legal authority. Legal authority in a civil case may come in the form of a civil subpoena.
- Authorities
- Rule 45 Subpoena
- Rule 41 Warrants
- Rule 34 Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes
- Zynga Game Network, Inc. v Williams et al, Case No. CV-10:01022JF(PVTx) (ND CA May 20, 2010)
- 18 USC 2703(c) :: Stored Communications Act, permits the government to disclose basic subscriber information
- Online Authentication
- Challenges:
- Data stored outside of jurisdiction
- See Mutual Legal Assistance Agreements with other countries
- USA v. Microsoft, Dkt. 14-2985 (2nd Cir.) (USG cannot with a warrant demand that US companies turn over account data that resides outside the jurisdiction of the US; the data in question was reportedly stored in Ireland)
- Jeff John Roberts, Microsoft Cloud Warrant Case Edges Closer to Supreme Court, Fortune (Oct. 17, 2016)
- Data stored encrypted
- Companies began to initiate more robust encryption abilities for consumers in response to USG surveillance overreach.
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, DOJ (2009): "In another scenario, a defendant establishes an account with an online service, such as a Web-based email service or a pornography site, and the credit card information or contact information associated with that account is used to identify the defendant and support probable cause to search computer media in the defendant's home. For example, in United States v. Kelley, 482 F.3d 1047, 1053 (9th Cir. 2007), an affidavit established probable cause through the real name and physical address associated with several America Online "screen names" used to receive child pornography. Similarly, in United States v. Terry, 522 F.3d 645, 648 (6th Cir. 2008), probable cause to search a home was established by demonstrating that an AOL email account was used to send child pornography, that the account's owner lived in that home, and that the account's owner had a computer in that home that he had used to send email through that account in the past. See also United States v. Wilder, 526 F.3d 1, 6 (1st Cir. 2008) ("it was a fair inference from his subscription to the Lust Gallery website, as described in the affidavit, that downloading and preservation in his home of images of child pornography might very well follow").
Frequently, this scenario arises when investigators have discovered a child pornography website or email group and have successfully obtained its membership list. In United States v. Gourde, 440 F.3d 1065, 1070-71 (9th Cir. 2006) (en banc), the affidavit established probable cause through the defendant's membership in a known child pornography website, without independent evidence such as an IP address. Several other courts have also held that it is reasonable to infer from a defendant's voluntary membership in a child pornography website or "e-group" (a hybrid of an email discussion list and web forum) that the defendant downloaded or kept child pornography, although many of these courts pointed to corroborating evidence as well. See, e.g., United States v. Wagers, 452 F.3d 534, 539-40 (6th Cir. 2006); United States v. Shields, 458 F.3d 269, 279 (3d Cir. 2006) (membership in on-line child pornography Yahoo group, combined with "suggestive" email address of "LittleLolitaLove" supported probable cause); United States v. Martin, 426 F.3d 68, 77 (2d Cir. 2005) ("those who view are likely to download and store child pornography"); United States v. Froman, 355 F.3d 882, 890-91 (5th Cir. 2004) (considering factors of joining a group, remaining a member for a month, and using screen names "that reflect his interest in child pornography").
Not all courts, however, have agreed that membership alone supports probable cause. In United States v. Coreas, 419 F.3d 151 (2d Cir. 2005), a Second Circuit panel sharply disagreed with the panel in Martin. Coreas involved an affidavit that, after false accusations were excised, contained "[s]imply" the allegation that the defendant, "by clicking a button, responded affirmatively to a three-sentence invitation . . . to join [a child pornography] e-group." Coreas, 419 F.3d at 156. The court held that this allegation "does not remotely satisfy Fourth Amendment standards" because "a 'person's mere propinquity to others independently suspected of criminal activity does not, without more, give rise to probable cause to search that person.'" Id. (quoting Ybarra v. Illinois, 444 U.S. 85, 91 (1979)). Similarly, in United States v. Falso, 544 F.3d 110, 121 (2d Cir. 2008), the Second Circuit held that there was no substantial basis for probable cause in a warrant that alleged only that it "appear[ed]" that the defendant "gained access or attempted to gain access" to a child pornography site."
Social Media
- Used for monitoring, surveillance, intelligence gathering
- Levels of information gathering
- Publicly available posts (a.k.a. "public source")
- Obtain info about target from a friend / witness who can view private posts (third party doctrine)
- Create fake accounts to connect with target (undercover)
- Analytical software to track hashtags, analyze and infer associations (big data)
- Message interception (wiretap, ECPA)
- Purposes
- Tracking protests
- Criminal Investigations
- Government benefits applications investigations
- See Social Media Terms of Service
- Use of service for law enforcement intelligence gathering without proper authorization as potential violation of ToS
- See also First Amendment
- Monitoring of Online Discussion of the Black Lives Matter movement
- Collection of social media accounts and passwords
- Social Media Surveillance: The Threat of Systematic Data Collection, Fordham IPMELJ (Jan. 30, 2017) ("In October 2016, the American Civil Liberties Union (“ACLU”) released a report stating that a data service company called Geofeedia was marketing a tool to law enforcement that would allow it to keep tabs on protesters on social media platforms.")
- Dan Wallach, Engineering around social media border searches, Freedom to Tinker (Feb. 10, 2017) ("The latest news is that the U.S. Department of Homeland Security is considering a requirement, while passing through a border checkpoint, to inspect a prospective visitor’s “online presence”.")
- Matthew Cagle, Facebook, Instagram, and Twitter Provided Data Access for a Surveillance Product Marketed to Target Activists of Color, ACLU: Blog (Oct. 11, 2016, 11:15am)
- Electronic Bulletin Board
- Guest v. Leis (6th Cir 2001) (under third party doctrine, no expectation of privacy)
Government
- Secret Service, Best Practices for Seizing Electronic Evidence linked from end of www.secretservice.gov/financial_crimes.shtml
- FBI Forensic Science Communications Journal
- Handbook of Forensic Services (pdf)
- DoD Computer Forensics Laboratory
- US Secret Service Forensic Services Division
- DOJ
- “Status and Needs of Forensic Science Service Providers: A Report to Congress”
- DOJ Tracking a Computer Hacker, Daniel A. Morris, USA Bulletin (May 2001)
- NIST
- Paul Cichonski, Tom Millar, Tim Grance & Karen Scarfone, Computer Security Incident Handling Guide, NIST Special Publication 800-61 Revision 2 (2012), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf (generally discussing detection and analysis of data)
- Karen Scarfone & Peter Mell, National Institute of Standards and Technology (NIST), Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94 (2007) (NIST Guide to Intrusion Detection and Prevention Systems).
- Karen Kent, Suzanne Chevalier, Tim Grance & Hung Dang, National Institute of Standards and Technology (NIST), Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication 800-86 (2006), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf (discussing use of data from network traffic, network traffic data sources, collecting network traffic data, and examining and analyzing traffic data)
- PDA Forensic Tools: An Overview and Analysis, NIST 9/14/2004
- NIST Computer Forensics Tool Testing (CFTT) Project Web Site
- NIST Special Publication 800-61, Computer Security Incident Handling Guide., NIST 9/26/03
- Draft NIST Special Publication 800-86, Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response, NIST 8/12/2005
Resources
- IEEE/CreateNet Computer Network Forensics Research (CNFR) Workshop 2005
- Interop Network Forensics Day 2005
- Guide to Computer Forensics and Investigations Book Review 2004
- Network Forensics: Tapping the Internet O'Reilly 2002
- Good detective work means paying attention before, during, and after the attack. ACM Queue 2004
- CERT
- First Responders Guide to Computer Forensics, CERT 6/10/2005
- CERT: How the FBI Investigates Computer Crime July 2000
- Carnegie Mellon University, Handbook for Computer Security Incident Response Teams
Laws
- PROTECT Our Children Act of 2008, Title II, recognized the need to expand DOJ's CSI capabilities by expanding DOJ's computer forensics capacity, and DOJ gets to file an annual report on its expanded computer forensics capacity. $2m is appropriated for this.
- The Adam Walsh Child Protection and Safety Act of 2006, Sec. 705, which called for Additional Computer-Related Forensics examiners, dedicated to investigating crimes involving the sexual exploitation of children and related offenses.
Papers
- Richard Clayton’s Anonymity and traceability in cyberspace
Links
- Immigration and Customs: Cyber Crime Center: Digital Forensics Section
- National Cyber-Forensics & Training Alliance, a partnership of IC3, the National White Collar Crime Center, CMU, WVU, and Duquesne U.
- NIST Computer Forensic Reference Data Sets (CFReDS)
- US Secret Service Forensic Services Division
- DOE Cyber Forensics Center
- FBI, Office of Science and Technology Branch (lab, forensics)
News
- Cybercrime spurs college courses in digital forensics, USA Today 6/6/2006