How the FBI Investigates Computer Crime
DKS with ERIC HAYES

Imagine your surprise if one ordinary day at work you receive an email claiming that your company's computers were used to help launch a major denial-of service attack, or if you receive a call from management saying that someone is threatening to expose corporate trade secrets unless they receive a big payoff? Or imagine your dismay if you discover a fellow employee has used your company's computer to illegally trade Metallica songs! What do you do?

 

You’re a Victim; Now What?

For many companies today, being the victim of computer crime, whether it is simple misuse or a major violation, is no longer a rare occurrence. What happens next? Trying to discover and repair the damage is just part of the story. For many people responsible for network and computer security, the next step is to take a deep breath, reach for the phone and call the Federal Bureau of Investigation (FBI). This article (originally published in collaboration with the FBI as a CERT^® Coordination Center [CERT/CC] tech tip [http://www.cert.org/tech_tips/FBI_investigates_crime.html]) explains some of the guidelines, policies and resources used by the FBI when it investigates computer crime and gives you some ideas about how you can help an investigation succeed.

The FBI has implemented various technical programs to address the growing complexity of computer investigations. FBI legal attachés stationed in 41 countries enable the FBI to use sophisticated methods to investigate and coordinate a response to cyber incidents around the world. In Washington, DC, the National Infrastructure Protection Center (NIPC) is a special unit that coordinates computer crimes investigations throughout the United States. The FBI trains and certifies computer forensic examiners for each of the 56 FBI field offices in the United States to recover and preserve digital evidence. The FBI maintains a computer forensic laboratory in Washington, DC, for advanced data recovery and for research and development.

		Federal Statutes Used in Computer Crimes The FBI uses a number of federal statutes to investigate computer crimes. The following are used most frequently:
		·	18 United States Code (U.S.C.) 875 Interstate Communications: Including Threats, Kidnapping, Ransom, Extortion
		·	18 U.S.C. 1029 Possession of Access Devices
		·	18 U.S.C. 1030 Fraud and Related Activity in Connection with Computers
		·	18 U.S.C. 1343 Fraud by Wire, Radio, or Television
		·	18 U.S.C. 1361 Injury to Government Property
		·	18 U.S.C. 1362 Government Communication Systems
		·	18 U.S.C. 1831 Economic Espionage Act
		·	18 U.S.C. 1832 Trade Secrets Act
			Note: Each state has different laws and procedures that pertain to the investigation and prosecution of computer crimes. Contact your local police department or district attorney’s office for guidance.

Computer crimes can be separated into two categories: (1) crimes facilitated by a computer and (2) crimes where the computer is the target (the focus of this article). Computer-facilitated crime occurs when a computer is used as a tool to aid criminal activity. This can include storing records of fraud, producing false identification, reproducing and distributing copyright material, collecting and distributing child pornography, and many other crimes.

Crimes where computers are the targets are unlike traditional types of crimes. Technology has made it more difficult to answer the questions of who, what, where, when, and how. Therefore, in an electronic or digital environment, evidence is now collected and handled differently from how it was handled in the past.

The FBI is sensitive to a victim’s concerns about public exposure, so any decision to investigate is jointly made between the FBI and the United States Attorney and takes the victim’s needs into account.

The FBI investigates incidents when both of the following conditions are present:

• a violation of the federal criminal code has occurred within the jurisdiction of the FBI
  
• the United States Attorney’s Office supports the investigation and agrees to prosecute the subject if the elements of the federal violation can be substantiated

Federal law enforcement can only gather proprietary information concerning an incident in the following ways:

• request for voluntary disclosure of information
  
• court order
  
• federal grand jury subpoena
  
• search warrant

The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigations (be sure to act in accordance with your organization’s polices and procedures):

1. Make sure that staff members know who in the organization is responsible for cyber security and how to reach them.
2. Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.
3. If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program. (Make sure the system log-on warning banner permits a monitoring program to be implemented.)
4. If you have reported the incident to the CERT/CC, consider authorizing it to release the incident information to law enforcement. This will provide an excellent synopsis of what happened. The CERT/CC Incident Report Form is located at http://www.cert.org/ftp/incident_reporting_form.
5. Document all losses your organization suffered as a result of the incident. These could include
   • the estimated number of hours spent in response and recovery (multiply the number of participating staff by their hourly rates)
   • the cost of temporary help
   • the cost of damaged equipment
   • the value of data lost
   • the amount of credit given to customers because of the inconvenience
   • the loss of revenue
   • the value of "trade secret" information
6. Contact law enforcement and
   • provide incident documentation
   • share information about the intruder
   • share your ideas about possible motives

To initiate an investigation, contact your local FBI office or the appropriate federal, state, or local law enforcement agency. To report an incident, call the FBI NIPC Watch and Warning Unit at (202) 323-3205.

 

About the Authors

DKS is a special agent with the Federal Bureau of Investigation.

Eric Hayes is a member of the technical staff and a senior technical writer/editor in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Before joining the SEI, Hayes worked in the Information Services Department at the Norwest Corporation as an editor of standard operating procedures (SOP) manuals and served as the team lead for SOP editors. Prior to that, he founded Hayes Communications, which offered services such as marketing, fundraising, research, Web page production, and public relations writing. Hayes received a BA in English writing from the University of Pittsburgh. At the graduate level, he has studied rhetoric at the University of Wisconsin at Milwaukee, technical editing at the University of Minnesota at Minneapolis, and technical writing at Carnegie Mellon University. Hayes is a member of the Society for Technical Communication.

 

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.