INVESTIGATING AND PROSECUTING NETWORK INTRUSIONS
JOHN C. SMITH, SENIOR INVESTIGATOR
HI TECH / COMPUTER CRIME UNIT
SANTA CLARA COUNTY DISTRICT ATTORNEY'S OFFICE
70 WEST HEDDING STREET
SAN JOSE, CALIFORNIA 95110
408/299-8411 email jsmith@netcom.com
The Santa Clara County District Attorney's Office Hi Tech / Computer Crime Team has had years of experience investigating and prosecuting trade secret thefts, network intrusions, chip thefts, and other types of high technology thefts in Silicon Valley. The Unit is composed of two Deputy District Attorneys and one Investigator.
Some of the cases we have handled include:
Theft of Source code to manufacture computer chips.
Theft of manufacturing processes to make computer chips.
Theft of password files from computers (hacking).
Sending harassing e-mail over networks (Internet).
Theft of software by rewriting into another computer
language.
Shutting down computers via telephone access.
Theft of Source Code to develop competing software
program.
Intrusion into computer systems using random number
dialers.
Theft of Source code via modems and cellular phone.
Intrusion into systems via the Internet using bugs such as
rdist.
Illegal intrusion into networks to destroy data.
Theft of hardware and computer chips.
THIS PRESENTATION WILL COVER
Network intrusions.
Theft of proprietary material
How to conduct your investigation and gather evidence.
How to gather and safeguard the evidence necessary for
prosecution.
How to get the appropriate law enforcement support.
How to work with law enforcement so they understand the
problem.
What is required for a search warrant.
How a Search Warrant Raid is conducted (You may be asked
to go.).
What is required for a telephone trap.
What is required for an arrest.
What to expect from the court process.
How to prepare to testify in court if necessary.
How to recover damages civilly or from probation.
Impact of the Electronic Communications Privacy Act.
Examples of Search Warrants and Telephone Traps are
attached.
Actual cases will be discussed and used as examples. The search warrant affidavits and telephone traps attached to this outline are exactly as I took them to court with the exception of the name changes. By thoroughly reading the affidavits, the reader will have the opportunity to see what probable cause is needed to obtain a search warrant.
HAS A CRIME BEEN COMMITTED
Under most circumstances, for Federal or local law enforcement to assist you there has to be a violation of the law.
United States Code, Title 18, Section 1030, "Fraud and related Activity in Connection with Computers", is the section relied upon by the FBI. (A COPY OF THIS SECTION IS ATTACHED.) The FBI will also attempt to use sections dealing with theft by wire and interstate theft.
Each State has its own laws. These laws vary widely and most states have not yet enacted appropriate laws for dealing with computer or network intrusion.
California Penal Code Section 502, "Unauthorized Access to Computers, Computer Systems, and Computer Data." (A COPY IS ATTACHED.) Some of the subsections are felonies. A person who is convicted of this section is subject to having their computer forfeited under Penal Code Section 502.01.
California Penal Code Section 499c, "Trade Secrets" covers the theft of trade secrets. This has to be scientific or technical information, computer programs, or information stored in a computer.
If local law enforcement decides that they do not have sufficient information to file a crime report, conduct a search warrant, or issue an arrest warrant, they may be able to phone or contact your suspect and warn them to stop. This does sometimes work.
WHEN A CRIME HAS BEEN COMMITTED
DO NOT CONFRONT OR TALK WITH THE SUSPECT.
This gives them the opportunity to hide or destroy
evidence.
Law enforcement probably will not help you if this occurs
because
of the slim chance of making a case.
If necessary call law enforcement and ask what the law is.
Many times executives of victim companies are hesitant to file a crime report until they know and understand what law enforcement will do. Can you discuss what your options are with the appropriate law enforcement agency without having to make an official report?
You should be able to discuss your options without having
to file
an official crime report. Under most circumstances our
office will
not file a criminal case for theft of data or proprietary
information (Industrial Espionage) unless the
company/victim wants
to file a criminal charge. These cases are complex and
require the
willing cooperation of the victim. We make sure they
understand
what will be required of them before we will start an
investigation.
Many times both the FBI and local law enforcement will
have jurisdiction
over a network intrusion or theft. You may want to talk to
both about
how long their investigation will take and what they
expect from you.
Will their reports be available for your review and use in
civil
actions?
Law enforcement does not like a company "shopping" for the best deal, so be careful how you deal with agencies. Remember the agencies talk and work with each other.
Local law enforcement may have trouble conducting the
investigation
outside of their jurisdiction. Police Departments and
Sheriff's
Offices will work with their local prosecutors.
Will the FBI conduct an investigation? They have to work
with
the U. S. Attorney's Office to obtain a search warrant or
investigate a case.
SHOULD YOU REQUEST LAW ENFORCEMENT ASSISTANCE
This can be DAMAGE CONTROL. The only way you may ever know the extent of your loss or network penetration is from the evidence collected from a search warrant.
DO NOT WAIT TOO LONG TO CALL. It is best to notify law enforcement right away. In one case we worked, the backup tapes from a system an intruder was using were kept only a short time and then reused.
In a civil action, you will demand discovery to obtain evidence and learn what documents or data the defendant may have, but it is up to the person being sued to turn over the documents you are accusing them of stealing or using to penetrate your network.
Working with law enforcement is a time consuming and
demanding task.
For us to assist you with an investigation we require your
assistance
and cooperation. We need:
A commitment of your time and resources. You will have to
work
with law enforcement at almost every step of the process.
Interviews to prepare crime reports and the affidavit for
a
search warrant.
Engineers or computer operators to accompany law
enforcement on the
search warrant to assist with operation of computer system
and
identification of data or property.
Assistance from the victim company to identify and describe documents, source code, and other evidence found.
A company expert may need to be available for explanations
and
assistance during a trial.
Documents may need to be provided to the defendant's
attorneys for
discovery. They may ask for more than you want to provide.
Your
attorney will have to argue against broad ranging
discovery.
Defendants are entitled to seek evidence they need for their defense.
You and other company employees will be subpoenaed to testify. This is time-consuming in that witnesses may have to wait their turn in court.
Very few cases actually go to trial! Approximately 5% go to trial in Superior Court in Santa Clara County, California.
There will generally be plea bargaining and negotiations
so that an
agreed upon sentence can be reached. Both prosecutors and
defense
attorneys know what sentences can be expected from certain
cases.
White collar crimes are not usually prison crimes.
You should be able to access law enforcement's reports.
This will help
you understand your situation. You can then use those
reports for civil
proceedings.
If you are going to initiate civil litigation, it is a
good idea to wait
until you decide whether you are going to make a report to
law
enforcement. You do not want to alert the suspect to
criminal action in
the event a search warrant is issued.
Law enforcement does not (or should not) care if civil
actions are
filed. In most of our cases there have been parallel civil
actions
and they have not affected our cases.
In some cases the victim's attorneys have used our Search
Warrant
Affidavit to apply to the court for a TRO (temporary
restraining
order) to prohibit a suspect from using materials or data
they have
taken.
HOW TO GET LAW ENFORCEMENT'S ASSISTANCE
CORPORATE SECURITY - If your company has corporate
security or a
corporate investigator, talk with them. They may know the
capability of
law enforcement in your area. They may have contacts with
law
enforcement. They may know the best way to get assistance.
The High Technology Crime Investigation Association
(HTCIA) is a group
of local and federal law enforcement officers, corporate
investigators
and private investigators who have an interest in or work
in the area of
computer or high technology crime. HTCIA provides training
to its
members. I can put you in touch with someone from each
chapter.
HTCIA has chapters in:
Silicon Valley (San Jose), California
Southern California
Northern (Sacramento), California
Austin, Texas
Portland, Oregon
Chicago, Illinois
New York, NY
New Mexico
Chapters have begun forming in the Netherlands and in Arizona.
(I try to keep up with current contacts and phone numbers.)
If you call local law enforcement, I recommend calling the
investigations or detective bureau directly.
If you call 911 or a regular police department reporting number, they will send a uniformed officer, and log the call on a public log. It is the uniformed officer's job to write a report which will go through a review process, be logged in by records, and then sent to investigations for assignment to the appropriate investigator. This can sometimes take a week.
Try to get the direct assistance of an investigator. You
will
usually get a more experienced officer and faster
assistance.
Call your local prosecutor's office. Most District Attorney's Offices have investigators. Ask if there is a computer or hi tech unit. Ask if they know who would be best to assist you.
Training for law enforcement is becoming better and easier
to get.
Don't be surprised if there is a highly trained law
enforcement officer
in your local area. You just have to find them and
cultivate their
friendship. Interested law enforcement officers would
probably be
interested in talking with you or touring your facilities.
If your company will allow (many will not), consider
volunteering
to provide advice and assistance to local law enforcement.
I have
started a volunteer program of computer knowledgeable
individuals
who help me on search warrants and help retrieve data from
computers. If you work for someone you should get
permission
first. Many corporations see this type of volunteer work
as being
a conflict of interest. If this is the case, see if they
will let
you provide advice or training to law enforcement. This
will pay
dividends because it gives you direct access to law
enforcement for
advice if and when you need it.
The FBI has a highly trained computer crime team stationed
in Washington
D.C. They can be reached at (202)324-9168.
WORKING WITH LAW ENFORCEMENT
Remember there is a very good chance the law enforcement officer is not going to understand the technical aspects of what you are talking about. Most cannot work PCs, much less understand a network problem.
You should have been making notes of your activities as you track an intruder. Put this in some type of a report or memo format. This report can be given to the officer. It can also be used as part of the report or as an attachment for a search warrant. You can then use this report to help you recall what you did if the case goes to trial many months later.
As you write your report remember WHO, WHAT, WHEN, WHERE,
WHY, and
HOW. If you and law enforcement can show this you can make
a case.
Diagrams are very helpful in understanding systems. A
diagram can be
attached to the report to help others who have to read and
understand
the report. Diagrams are frequently used in court.
EVIDENCE
In these types of cases evidence may consist of such
things as back up
tapes, printouts of computer programs, suspect's accounts
and the
contents, computer disks.
In one case we used an article found online that had been
written
by our suspect regarding activities he had been involved
in. We
attached this to our affidavit requesting a search
warrant.
In an intrusion case, you will be looking for evidence that will show who committed the violation and that can be used to obtain a search warrant to seize the suspect's personal computers at his home or business.
A suspect would have a good defense if you only found
evidence in
an online account. The defense will claim that someone
else put
the evidence there. We would not charge a person with a
crime on
the basis of evidence found in an online account.
We investigated and obtained a conviction on a suspect that used someone else's account (after they broke the password) to shut down a computer. I later found the broken password in the original suspect's home computer. (I CAN EMAIL YOU THE JUDGE'S RULING FROM THE APPEAL WHERE HE DISCUSSES THIS.)
You would use the evidence in the online account to seize the suspect's computers. Law enforcement will then search the suspect's personal computers for evidence. You often find printed material at the suspect's home that can be used as evidence.
Evidence must be gathered by law enforcement officers in accordance with court guidelines governing search and seizure or it will be excluded. This is referred to as the Exclusionary Rule. It does not apply to ordinary citizens such as you. You do have to remember that if you do something illegally you could be sued.
If you gather evidence at the request or suggestion of a
law
enforcement officer and the gathering does not meet the
legal
requirement, that evidence will be excluded.
Remember the provisions of the Electronic Communications
Privacy Act,
Chapters 2500 & 2700 of Title 18 of the United States
Code.
CHAIN OF POSSESSION - This means that for evidence to be admitted in court, the prosecution has to be able to show who obtained it, who secured it, and anyone who has had control. It will probably be necessary to have anyone in this category testify. This applies to anything you may secure such as a disk or backup tape.
Evidence should be properly marked by placing your
initials on items
like tapes, printouts, documents, or equipment. Items can
be sealed in
envelopes or bags which should be signed, dated, and
sealed.
Evidence should be stored and locked, so that you can
testify that no
one other than yourself or those people that you can name
have had
access to it.
The defense may maintain that an item has been tampered
with or
changed.
Read the attached Search Warrant Affidavits for ideas on
what can be
evidence. These are actual warrants I have written and
served, but with
name changes.
The affidavit on page 27 is a good illustration of what
can be evidence.
OBTAINING AND SERVING SEARCH WARRANTS
The search warrant should be done as quickly as possible
before the
intruder can do further damage. It has been my experience
that this
type of person does not destroy data unless they are
threatened.
It is important that you keep information about the
investigation
limited to as few people as possible. This limits the
possibility
of the investigation being leaked.
When I go to a victim company to conduct my investigation,
I
usually do not identify myself as law enforcement to
company
receptionists and others not involved in an investigation.
You should ask law enforcement to merely request to speak
with
you when they come to your office to start the
investigation.
Probable cause is the criterion required for the issuance of a Search Warrant. You have to establish that a crime has been committed and show why there is cause to enter someone's home or business. The law enforcement officer, probably a local prosecutor, and a judge all have to believe that there is probable cause. For a conviction you have to prove that someone is guilty beyond a reasonable doubt, a much stronger standard than probable cause.
If you have property or data stolen and probable cause can
be
established, a search warrant can be issued for both
building and
computer systems. Comparisons of data recovered can be
made with data
allegedly stolen.
You may be asked to accompany law enforcement on the
search warrant as
a technical assistant or to identify property.
If it is necessary for you to carry documents in on a search warrant, consider copying them onto colored paper. This will prevent the defense from inferring that what might have been found was left by you.
Once law enforcement has served the search warrant and
examined the
seized computers and disks, you will start to be aware of
the extent of
your problem. You will probably be asked to help evaluate
and identify
programs found on computers.
This will probably lead to other victims.
Any evidence gathered during the search warrant, even
though maintained
by law enforcement, is legally under the control of the
court. Even
though a seized item may have your name on a document, it
will not be
returned to you unless the suspect signs a release or
after a hearing by
the court.
Many victims just want to get their property back after a
search
warrant has been completed. They may not want to go to
trial for
fear of disclosing information and think that if they drop
charges
they will get their property returned to them.
TELEPHONE TRAPS
(SEE ATTACHED EXAMPLES)
This requires the equivalent of a search warrant. You will
have to file
a crime report with law enforcement. The prosecutor or
U.S. Attorney's
office will have to approve the request before it is taken
to a judge
for signature.
The form will be different from State to State, but it usually takes probable cause.
Once you have information regarding where calls are coming
from, this
will be the probable cause needed to obtain a search
warrant for that
location.
Modifying and illegally using cellular phones has become big business. It is impossible to track and locate if a suspect has used someone else's id or cellular phone number. In one case the suspect social engineered a modem access number and then used a cellular phone to illegally access a company's network.
If you belong to any type of an association, invite a
local telephone
company representative to meet and talk with your group.
Most of the telephone companies are charging for these
types of
services. You will be required to pay the costs.
DISCOVERY AND PROTECTIVE ORDERS
Discovery is where the prosecution (not the defense)
provides all
reports, information on evidence, list of potential
witnesses, any
criminal history of witnesses, and any information except
how the
prosecution is going to present the case in court.
Any property or data recovered by law enforcement will be subject to discovery if a person is charged with a crime. However, a protective order can limit who has access, who can copy, and the disposition of the documents.
A protective order allows you to protect proprietary or trade secret documents related to the case.
California Evidence Code Sections 1061, 1062, & 1063 deal with protecting proprietary information, how to obtain protective orders, and how to close courtrooms during discussion of proprietary information. It also limits who the defense can hire to use as an expert witness.
If your State does not have such a law, you and members of
your
association should work to have one passed.
(AN ARTICLE ON THIS SECTION IS ATTACHED)
CRIMINAL TRIALS AND TESTIFYING IN COURT
Once a person is arrested they will be arraigned, during
which time the
court will make sure the suspect has an attorney. For a
felony a grand
jury hearing or preliminary hearing will be scheduled.
States do differ
somewhat in this process.
In a grand jury hearing neither the defendant nor their attorney can be present. A grand jury hearing is considerably faster.
In a preliminary hearing the prosecution must show that a
crime has
been committed and there is probable cause to believe that
the
defendant committed the crime.
If the defendant is held to answer in a preliminary
hearing or the grand
jury returns an indictment, a trial will be scheduled.
If the case goes to trial, interviews with witnesses will
be necessary.
You may have to assign someone to work with law
enforcement as a
liaison. Key employees will have to spend time away from
work at the
court as the prosecution is required to have another
witness ready as
soon as the current witness is excused.
If you are called as a witness, you should be given
instructions prior
to trial by the prosecutor about the type of questions to
expect and how
you will be allowed to answer questions. Remember the
prosecutor does
not know what the defense attorney will ask. The
prosecution is
required to furnish the defense with copies of all
reports, evidence,
and witnesses names prior to the trial.
Listen to the question carefully to get the full meaning and to determine that it is not a multiple part question or contradictory. Most defense attorneys are going to want you to answer only yes or no. However, if you cannot answer with a yes or no, let the court know that it is necessary to answer with an explanation.
Do not answer immediately and make sure you understand the
question. This pause will give the prosecutor time to
object to
defense questions that are inappropriate, confusing, or
vague.
If you do not totally understand the question, ask for an
explanation or start your answer by stating: "I
understand your
question to be... (give an explanation) and thus my answer
would be
this....."
You can not give hearsay answers, only information that
you have seen or
done. This means that you can generally not testify as to
what someone
has told you.
Engineers are generally poor witnesses. They tend to see
things in
absolutes. Often times it is necessary to explain or
request
clarification so that a witness is not always answering
no.
In one case we called a woman engineer as a witness. On the first day she answered no so often everyone thought she was committing perjury. That evening I explained that she should begin explaining rather than just saying no. This worked for her.
EXPERT WITNESS - Based on your education, training, and
experience, you
may qualify to testify as an expert witness. This will
allow you to
give explanations about how computer systems or networks
function. In
order to give an opinion you have to be qualified as an
expert witness.
I have testified as an expert on fingerprints, drugs,
alcohol, and
prostitutes. It has taken up to an hour to go through this
process
as the defense can also challenge your expertise.
RECOVERY OF DAMAGES
To recover the cost of damages, such as reconstructing
data,
re-installing an uncontaminated system, or repairing a
system, you can
file a civil lawsuit against a person.
You can hire an attorney or you could consider filing a claim in small claims court. In California, neither you nor the person you are suing can take an attorney into court. Small claims is heard only by a Judge. In California the maximum that you can sue for in Small Claims is $5,000.00. Check with your local court to learn the small claim maximum.
THINGS TO REMEMBER DURING AN INVESTIGATION
To remember this think of Smith's Splendid / Silly /
Superfluous System
SPEED
STEALTH
SYSTEM SECURITY
SECURE EVIDENCE
SUSPICIOUS / SCREWY EMPLOYEES
SHOW & EXPLAIN - REPORTING
SEARCH WARRANT - PREPARE AND SERVE
SPEED
Obtain a copy of any unauthorized program or data quickly before it is moved or erased. This copy could be valuable evidence. Notify law enforcement and try to get a search warrant to find any additional data or seize any personal computers associated with the crime. There is likely to be additional information in the computers that may tell you about other intrusions into your systems as well as other companies.
In one case I found 10 /etc/passwd files, most with cracked passwords. In recent cases I have found a backdoor login program and a trojan horse. I was able to show these programs to the systems operator so they could more effectively check their systems.
If you have a theft of a trade secret, you should talk with your law enforcement representative to find out what they can and will do to help. Can the secret be stopped before it is removed from the United States, and what can be done if it is removed? We are presently prosecuting a company based in Taiwan.
STEALTH
Don't alert the intruder that law enforcement is involved. In several cases it has taken several weeks to complete the investigation and obtain a search warrant. Very few people in the victim company knew who I was; they merely viewed me as another consultant. As a result we recovered computers and other data from the victims.
SYSTEM SECURITY
This will most likely be your major concern, but law enforcement's role is to catch the bad guys. Explain to law enforcement what the intruder can do with any data they may have taken or from just gaining access. Remember the law enforcement officer may not understand the potential damage to your system or the overall ramifications of "merely having an unauthorized person connecting to your system."
Explain what an intruder can do if they can get root
access and
what it will take for you to correct the problem.
Even under the ECPA you can take steps to protect your
system, if you do
tell law enforcement what you found without a proper
search warrant.
If you think you need to examine someone's account to
protect your
system, you should document the reasons that you took the
action.
SECURE EVIDENCE
Remember the Chain of Evidence. This is critical as we can
not
introduce evidence in court unless we can prove the chain
of possession.
Make or obtain tapes of data when possible.
Try to determine the motive of the intruder. This will help with the prosecution.
In cases of theft, a showing of probable cause will have to be made that the product being sought in the search warrant is the same as the victim company's. I have made comparisons of the victim's printed manual with the manual or manual pages from a suspect's software program. A victim company engineer's statement that the functionality is the same is not sufficient; this statement must be corroborated with evidence like the manual pages.
SUSPICIOUS EMPLOYEES
If an employee with system knowledge leaves your company, consider changing passwords. We investigated a case where a manufacturing database was erased twice. The first time was with use of a current employee's password that the suspect learned while employed with the victim.
Most of Santa Clara County District Attorney's office
cases of trade
secret theft have involved employee embezzlement. Several
examples
include:
WBS - a disgruntled engineer who carried out thousands of
pages of
proprietary information and tried to use them to get
another job after
he was terminated.
M Goldberg - a young man from France who was sent to the United States to work in American software companies rather than serve his French military draft obligations. When his 2-year obligation expired he was stopped from getting on an airplane with enough proprietary information to duplicate the software program he had been working on. He said he wanted to get a job when he returned to France.
CVD - The manager of a computer support group that had his employees rewrite his company's major database program from an IBM mainframe language to C for Sun workstations. He then sold it for several million dollars. He was also trying to do business with other countries. A Sun employee was also convicted for commercial bribery for helping CVD sell the stolen software to Sun. He was also trying to sell computer programs in other countries.
Raj - an Indian engineer who went to work as a security
guard at a
computer company's R&D building while at the same time
he was working
for other companies doing the same type of development.
Foreign companies - One tactic is to hire one employee
from a company so
that person can help determine who else to hire.
SHOW & EXPLAIN FOR LAW ENFORCEMENT
When you think you have a problem you should ask your
local law
enforcement whether they are required to take a report if
you talk to
them about a problem. If you decide you are going to file
a report
designate someone to work with law enforcement.
Remember a report and diagrams are helpful.
On a case of software theft, I worked with a customer
support software
engineer who was very good at explaining the company
product.
Law enforcement will have to talk directly with
development engineers,
financial officers, and other company officials. You can
not just have
your attorney relate the information. We require a
commitment from a
high ranking company official that they will support a
criminal trial
before we will start a search warrant.
SEARCH WARRANT
A search warrant to check a suspect's home and computers is the only way to know the extent of an intrusion into your computer system or to learn if any programs were modified or programs left in your system.
A search warrant is also often the only way to recover
stolen
proprietary information.
A phone trap also requires a search warrant.
FEDERAL AGENCIES
FBI has a computer crime team in Washington DC and some trained agents in various field offices.
Secret Service has experts in areas around the USA.
Customs tracks money exchanges.
U. S. Commerce Department - can keep companies who have stolen products from doing business in the USA such as in the case of the Taiwanese company charged with theft of trade secrets.
IRS - sometimes, even if you cannot prove a crime, the IRS can tax people who have stolen products, made money, and not paid taxes.
ECPA - TITLE 18 U S CODE 2500/2700
The Electronic Communications Privacy Act, Title 18 US Code Chapters 2500 & 2700, relates to keystroke monitoring and to system administrators looking in other people's accounts. If you do not have a banner or the account holder has not been properly notified, the system administrator can be guilty of a crime and liable for civil penalties from a lawsuit for keystroke monitoring or looking in someone's account.
ATTACHMENTS
SEARCH WARRANT EXAMPLES:
Page 16 - For a Commercial E-Mail account
Page 20 - Illegally accessing a company network and
destroying data
Page 27 - Broken University account
Page 38 - Number Search & Trap and Trace for long
distance connections
Page 45 - Trap & Trace for attempted contact to system
Page 50 - Example of new language for describing computer
data and
computer equipment to be seized with a search warrant.
Page 52 - Section 1030 Title 18 U.S. Code
Page 55 - Section 499c California Penal Code
Page 56 - Section 502 California Penal Code
Page 61 - Article on 1061 California Evidence Code
The following three (3) Search Warrant Affidavits on file with the Superior Court were used to obtain a conviction in a case where the defendant was charged with the theft of passwords and for shutting down a computer:
Page 65 - For account information from commercial provider, conforms to ECPA.
Page 81 - For computers and other records to show network intrusion.
Page 89 - For computers after a computer was shut down.
This affidavit deals with obtaining a copy of a suspect's electronic mail account at a commercial account provider for the Internet.
SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT
JOHN C. SMITH being sworn, says that on the basis of the
information contained within this Affidavit and any
attachments thereto,
he has probable cause to believe and does believe that the
property
described below is lawfully seizable pursuant to Penal
Code Section
1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same as a means of
    committing a public offense, or in the possession of another to
    whom he/she may have delivered same for the purpose of concealing
    or preventing its discovery;
(X) constitutes evidence tending to show that a felony has been
    committed or that a particular person has committed a felony;
and that he has probable cause to believe and does believe
that the
described property is now located at, and will be found
at, the
location(s) set forth below and thus requests a warrant to
search
THE FOLLOWING LOCATION(S):
The premises at Blvd, Suite City of Town, County of Santa Clara,
State of California, further described as Commercial Communications, a
commercial on-line computer service communication company that provides
access to the Internet for subscribers. The Internet is a world wide
network coordinated by National Science Foundation.
The premises to be searched also include any and all electronic
mailboxes, directories, or accounts on Commercial Communications's
computer system, registered to or containing data placed in that
directory by Brendan Gomez.
DESCRIPTION OF PROPERTY TO BE SEIZED
1. Any and all documents and records, whether on paper or stored on
   magnetic media (including information stored within a computer),
   within the account of Brendan Gomez, which show the unauthorized
   entry or attempted entry or connection to other computer systems
   that connect to the Internet or were done
2. Any and all programs or computer instructions that reside in the
   account of Brendan Gomez at Commercial Communications that would be
   used for the unauthorized connections to other accounts on the
   Internet and would be used for the automatic transfer of
   information or programs in any other account or systems on the
   Internet (hacking).
3. Documents and/or magnetic media showing the identity of users,
   owners, or lessees of the computer account managed by Commercial
   Communications and registered to Brendan Gomez.
STATEMENT OF PROBABLE CAUSE
Your affiant declares that the facts in support of
issuance of this
search warrant are as follows:
Your affiant, John C. Smith, is a Senior Criminal
Investigator
(Peace Officer) employed by the Santa Clara County
District Attorney's
Office in Santa Clara County, California. Your affiant has
been
assigned to the High Technology / Computer Crime Unit of
that office
since December 1989. He has been a California Peace
Officer since June
1965. He is a member and past President of the High
Technology Crime
Investigators Association (HTCIA), and the Santa Clara
Valley Industrial
Security Managers Association. He has been a Macintosh
computer user
since about 1986 and an IBM PC user since 1990 and owns
both types of
computers. He is a regular user of the Internet and has
had classes on
the Unix/Workstation operating environment. He has over
274 hours of
training in the High Technology field. He has worked at
least eight (8)
prior network/intrusion type cases and given several talks
to computer
professionals on investigating intrusions. He has conversed with experts
in federal law enforcement and corporate network security who have
specialized in these cases, and who have considerable experience in
investigating and interacting with persons who have illegally accessed
computers.
Your affiant was contacted by President of Commercial
Communications Company, Blvd., Suite 200, Town, California, on Friday,
June 17, 1994. President told affiant that Commercial had received a
communication from the Computer Emergency Response Team (CERT) that
detailed a break-in of a computer system at OutOfState University from
an account at Commercial. (CERT is the federally funded agency
responsible for monitoring security issues on the Internet). This
communication is attached as Exhibit A. (NOTE FOR SUN USER GROUP - This
attachment listed the dates, times, and computer systems that were
illegally accessed. I attached it as part of the affidavit so I would
not have to type the same information.)
Your affiant started his investigation by interviewing John Little,
President of Commercial Communications and opening Santa Clara County
District Attorney's Office Case #94-O-0889. Little gave your affiant
the following information: He started Commercial Communications
(hereafter referred to as Commercial) in 1986. Commercial is an on-line
communications service, set up to provide customers with access to the
Internet. Commercial has two T-1 leased lines, one to BARRNET and the
other to CIX, Commercial Internet Exchange, in Santa Clara.
President explained that the message from CERT detailed a break-in
to an account and a computer system at OutOfState University on June 9,
1994. In this intrusion the intruder achieved root access and then broke
into five (5) OutOfState computers. (Root or superuser status is the
privileged or upper level used by the system administrator. At the root
level a user is allowed to do anything on the system such as to look at,
use or change any regular account and to create files under other
names that may run programs not normally allowed on a system.) President
said that Commercial did not know which customer account was being used
to reach OutOfState and Commercial was concerned that Commercial's
computer systems may have been or be compromised. Commercial employees
Brian Brown and Rich Black began checking the Commercial system to make
sure Commercial's system had not been compromised. They traced the
activity from OutOfState back to Brendan Gomez's account. They opened
the account to see if Commercial's system was being compromised and
saw tools for breaking into computer systems.
Your affiant interviewed Brian T. Brown, Commercial Technical
Support staff member. Brown gave affiant the following information: He
has worked at Commercial for 3 years and has been working with UNIX for
about 6 years. Brown explained that after Commercial received the
message from CERT, Exhibit A, he and Black matched IP (Internet)
addresses from OutOfState with outgoing logs generated automatically by
Commercial's computers. Commercial has a logging program that captures
outgoing ftp (file transfer process) and telnet connections, i.e.,
connections to computers at other locations. At about the same time
the connections were made to the computer accessed at OutOfState, Brown
saw three connections to OutOfState from a Commercial account labeled
"brendan". Brown said there were no other connections made to
OutOfState during this time period. Brown and Black opened this account
to ensure that Commercial's system was not being compromised and in the
account they observed a Sniffer program. The "sniffer" program was not
operating at that time. A "sniffer" is a program that captures the data
sent from a user to other users as the data is transmitted over a
network. Login and password information can be pulled from the data and
used to illegally access other accounts.
Brown believes Brendan is 21 yrs old and a 1991 graduate
of High
School in Santa Clara. Brown has met Gomez through a
friend and has
talked with Gomez on network chat lines.
Gomez has only paid $40.00 towards the monthly costs of his
"brendan" account while he should have paid $240. Gomez opened the
account in 1993. Gomez's account was automatically suspended, probably
in Aug 93, because of non payment. Gomez somehow got around the
suspension closure and into his account. On Friday 6-17-94, Brown
closed the security hole for billing suspensions.
Your affiant would note that neither Black nor Brown actually
intercepted communications made by the person using the "brendan" account
and that the copy of the "brendan" directory made by Brown consisted
of data that was not stored temporarily as an incident of an electronic
transmission. Your affiant specifically does not seek authority to
intercept wire communications made by "brendan" in the future.
Affiant contacted Robin Huxley, an employee of OutOfState
University. Huxley is responsible for security on the
computer system
that was compromised from Commercial Communications.
Huxley verified
the information in the report he sent to CERT and copied
to Commercial
Communications, attached as Exhibit A.
Based on these facts, your affiant is of the opinion that it is
probable that Brendan Gomez has committed violations of Penal Code
Sections 484 and 502c(2), which violations are punishable by terms of
imprisonment of longer than one year, and that evidence thereof exists
on the data tape of the Brendan Gomez directory made by Commercial
Communications.
WHEREFORE your affiant prays that a search warrant be
issued with
respect to the above locations for the seizure of said
property at any
time of the day and that the same be held under Penal Code
section 1536
and disposed of according to law.
___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County
Subscribed and sworn to before me
this 28 day of June 1994.
___________________________
Judge of the Superior Court
EXHIBITS:
A - Three page electronic Message From: huxley-robin@CS.OutOfState.EDU,
    Date: 17 Jun 1994, TO: cert@cert.org.
B - Three page report prepared by Brian Brown dated 94/06/22 containing
    portions of outgoing message logs from Commercial Communications.
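The log matching Brown describes in the affidavit above (victim-reported addresses and times checked against a provider's outgoing ftp/telnet connection log) can be sketched as follows. This is an added example, not part of the affidavit or its exhibits; the log format, addresses, times of day and the account names other than "brendan" are constructed assumptions, and both sites' clocks are assumed to be in the same time zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (time the victim site logged the intrusion, victim host).
VICTIM_REPORT = [
    ("1994-06-09 02:14:40", "192.0.2.10"),
    ("1994-06-09 02:31:05", "192.0.2.11"),
    ("1994-06-09 03:02:50", "192.0.2.10"),
]

# Constructed outgoing-connection log: date time service account destination.
OUTGOING_LOG = """\
1994-06-09 01:55:12 ftp alice 198.51.100.7
1994-06-09 02:13:58 telnet brendan 192.0.2.10
1994-06-09 02:20:31 telnet carol 203.0.113.44
1994-06-09 02:30:47 telnet brendan 192.0.2.11
this line is damaged and must be skipped
1994-06-09 03:02:09 ftp brendan 192.0.2.10
1994-06-09 09:45:00 telnet dave 192.0.2.10
"""


def parse_log(text):
    """Yield (time, service, account, destination) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # keep going; one bad line must not hide the rest
        try:
            when = datetime.strptime(parts[0] + " " + parts[1], FMT)
            dest = ipaddress.ip_address(parts[4])
        except ValueError:
            continue
        yield when, parts[2], parts[3], dest


def correlate(report, log_text, skew=timedelta(minutes=2)):
    """Match each reported event to outgoing connections to the same host
    that fall within `skew` of the victim's timestamp (clock drift allowance).
    Returns ({account: [matches]}, [reported events with no match])."""
    entries = list(parse_log(log_text))
    matches, unmatched = defaultdict(list), []
    for stamp, host in report:
        when = datetime.strptime(stamp, FMT)
        victim = ipaddress.ip_address(host)
        hits = [e for e in entries
                if e[3] == victim and abs(e[0] - when) <= skew]
        if not hits:
            unmatched.append((stamp, host))
        for seen, service, account, _ in hits:
            matches[account].append((stamp, seen.strftime(FMT), service, host))
    return dict(matches), unmatched


def accounts_reaching_victim(report, log_text, margin=timedelta(hours=1)):
    """Every account that connected to any victim host during the incident
    period (first to last reported event, widened by `margin`)."""
    times = [datetime.strptime(stamp, FMT) for stamp, _ in report]
    hosts = {ipaddress.ip_address(host) for _, host in report}
    start, end = min(times) - margin, max(times) + margin
    return sorted({account for when, _, account, dest in parse_log(log_text)
                   if dest in hosts and start <= when <= end})


if __name__ == "__main__":
    matched, unmatched = correlate(VICTIM_REPORT, OUTGOING_LOG)
    for account, rows in matched.items():
        print(account, len(rows), "matching connections")
    print("unmatched events:", unmatched)
    print("accounts in period:", accounts_reaching_victim(VICTIM_REPORT, OUTGOING_LOG))
```

The second function supports the "no other connections during this time period" statement: it lists every account that reached the victim hosts in the window, not only the ones that matched an event.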
This search warrant was used to search the residence and computers of a
former employee suspected of illegally accessing and then erasing a
company's database.
SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT
JOHN C. SMITH being sworn, says that on the basis of the
information contained within this Affidavit and any
attachments thereto,
he has probable cause to believe and does believe that the
property
described below is lawfully seizable pursuant to Penal
Code Section
1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same as a means of
    committing a public offense, or in the possession of another to
    whom he/she may have delivered same for the purpose of concealing
    or preventing its discovery;
(X) constitutes evidence tending to show that a felony has been
    committed or that a particular person has committed a felony;
and that he has probable cause to believe and does believe
that the
described property is now located at, and will be found
at, the
location(s) set forth below and thus requests a warrant to
search
THE FOLLOWING LOCATION(S):
The residence of Joe Suspect described as the premises at
18
Street, City of , County of Santa Clara, State of
California, further
described as being a two (2) story structure, a tan color
with gray
trim, with the numbers 18 on a lone mailbox across the
street from the
residence; including any and all yards, outbuildings,
storage areas,
garages, carports, sheds, or mailboxes assigned to the
described
premises, including but not limited to those listed above.
FOR THE FOLLOWING PROPERTY:
1. Any and all documents and records, whether on paper or
stored on
magnetic media (including information stored within a
computer),
which show the unauthorized entry or attempted entry or
connection
to the computer systems at MfgCompany Inc, including but
not
limited to passwords, password files, security holes,
backdoor
logins, telephone numbers for modem connections, and
Software that
creates ZY Computer terminal emulation in a personal
computer.
2. Any and all programs or computer instructions that
would be used
for the unauthorized connections to the computer system at
MfgCompany Inc and would be used for the unauthorized
transfer of
information or programs.
3. Any and all documents and records, whether on paper or stored on
magnetic media, that contain any portion of files from the computer
systems of MfgCompany Navigation.
4. Computer hardware, software, and data including, but
not limited to
central processing units (CPUs), hard disks, hard disk
drives,
floppy disk drives, tape drives, CD-ROM drives, display
screens,
keyboards, printers, modems, magnetic tapes, cassette
tapes, and
floppy disks, found together or separately from one
another.
5. Written documentation, whether typed or handwritten,
including, but
not limited to, computer manuals and instructions for the
use of
any computers and their accessories found at the premises.
6. Evidence of occupancy and control of said premises and
work areas,
including but not limited to, utility company bills,
cancelled mail
envelopes, and personal papers.
STATEMENT OF PROBABLE CAUSE
I declare that the facts in support of issuance of this
search
warrant are as follows:
I, John C. Smith, am a Senior Criminal Investigator (Peace
Officer)
employed by the Santa Clara County District Attorney's
Office in Santa
Clara County, California. I have been assigned to the High
Technology
/ Computer Crime Unit of that office since December 1989.
I have been
a California Peace officer since June 1965. I am a member
and past
President of the High Technology Crime Investigators
Association
(HTCIA), and the Santa Clara Valley Industrial Security
Managers
Association. I have been a Macintosh computer user since about 1986
and an IBM PC user since 1990 and own both types of computers. I am a
regular user of the Internet and have had classes on the
Unix/Workstation operating environment. I have over 274 hours of training
in the High
Technology field. I have worked at least nine (9) prior
network/intrusion type cases and given several talks to
computer
professionals on investigating intrusions. I have
conversed with
experts in federal law enforcement and corporate network
security who
have specialized in these cases, and who have considerable
experience in
investigating and interacting with persons who have
illegally accessed
computers. I am a member of the Santa Clara County Network Security
Working Group responsible for developing and overseeing the security of
the County's wide area network.
I began case #94-0-1102 on Monday, July 18, 1994, by interviewing
Alan Albert, Director of Information Systems, MfgCompany Inc, Community,
California, and Jonathon A., a private investigator hired by
MfgCompany. I again met with Albert and A. on August 5, 1994 and with
Albert on August 8, 1994. Albert told me that someone illegally gained
access to MfgCompany's corporate computer network on June 12, 1994 and
again on July 26, 1994. On these occasions the intruder erased the
files from MfgCompany's manufacturing database, modified key files that
allow data to be moved between computers for company use and caused the
password file on a ZY Computer 4 computer (named Pacific) to become
void so that the 400 to 500 users of that system could not log on.
Albert stated that these intrusions have cost MfgCompany
over
$100,000 to repair the damage and hundreds of hours in
lost time
repairing the system so that the manufacturing database
will function
properly. MfgCompany has had to hire a full time
consultant to check
the integrity of the system and ascertain if there are
back door login
programs or other programs hidden in the system that would
allow an
intruder to access MfgCompany's system without
MfgCompany's knowledge.
Albert explained that MfgCompany has offices around the
world and
uses its electronic network to connect operations and
offices.
MfgCompany has employees in 30 countries. MfgCompany's
information
systems and core business systems are headquartered in
Bldg x, Ave.,
Community, California. MfgCompany has its manufacturing
database set up
on three ZY Computer 4 Mini Computers, named Atlantic,
Pacific, &
Baltic, on MfgCompany's ethernet (network connection).
There are
approximately 500 computers, both Unix and personal
computers, on
MfgCompany's network. MfgCompany's manufacturing database
is an
inventory system called "MIP" for Manufacturing
& Inventory Planning.
The ZY Computer 4 operating system is in a language called
MPE and the
database application/program is called "Enhanced
Software", produced by
SoftwareCo Computer Systems of Santa Clara County.
Albert believes that the unauthorized intrusion and damage
to the
system was done by a former MfgCompany employee, Ray
Suspect, who was
the Manager of the Operations Group in the Information
Systems
Department. Albert said that Suspect was only one of two
people who had
all of the information and skills necessary to locate and
change the
files that were changed. Albert explained that MfgCompany
has not cross
trained Information Systems employees so that in some
cases only one
person will know a job or function. In most cases there
will only be
two people who may have the same skills. Suspect was
released by
MfgCompany.
Albert told me the following: Suspect was hired because he had
worked for (ZY Computer) and was very knowledgeable about the ZY
Computer 4 Computer. Suspect set up the "Enhanced Software"
communications software that allows communication and file exchange
between the ZY Computer 4 computers, Pacific & Baltic, at MfgCompany.
Ray connected to MfgCompany's computer network system from his home as
part of his job on a daily or regular basis via a modem into the ZY
Computer 4 and into a modem bank on an X.25 network (worldwide network)
that is connected to the ethernet (local). He was also aware of the
modem connections for Unix computers and personal computers on the
ethernet based network.
An internal investigation preceded Suspect's termination,
so that
he was working at the company while the termination was
discussed. He
has the knowledge to place hidden programs (backdoor
logins) on the
system that would allow him access to the system.
On June 12, 1994, MfgCompany experienced an unauthorized 3
minute
logon to one of the ZY Computer 4 Mini Computers, called
Pacific.
Pacific contains MfgCompany's manufacturing database.
During this
unauthorized intrusion the intruder performed four (4)
actions that have
caused MfgCompany to have to spend many hours and extra
cost to repair
their computer system.
In the first action the intruder erased MfgCompany's data
files in
the manufacturing database but not the executable database
program.
In the second action, two Configuration files were removed
from
Pacific's Enhanced Software application which tell
Enhanced Software how
to use how to obtain data from the other 2 ZY Computer 4s
on the system.
Enhanced Software resided on both Baltic and Pacific, but
with
different sets of data. The data is divided between
Pacific and Baltic
based on demand and location. For MfgCompany to achieve
maximum
utilization of the Enhanced Software database and its
computers, all
three ZY Computer 4's have to be able to communicate and
pass data. The
2 configuration files which were removed are separate from the Enhanced
Software executable code and do not reside in the same group
(directory). The intruder had to have expert knowledge of the ZY
Computer 4 system and the SoftwareCo Enhanced Software application to
know which files from approx 20,000 files in the application and
manufacturing database files would stop the computers from
communicating. Once MfgCompany had purchased and installed Enhanced
Software, it added a feature called "Enhanced Software" to the main
program. The two configuration files that were deleted were part of
this added feature. Albert stated less than (Small) percent of
SoftwareCo's customers use this feature. He learned this from dealing
with SoftwareCo.
In the third action, the intruder moved to the "ftp" (file transfer
protocol) file in the ZY Computer 4 Operating System of the computer
Pacific. In this "ftp" file the intruder changed a small "i" to a
capital "I" in a directory name in a path in the script which caused the
path to become invalid and not function properly. This change of case on
the "i" in "mis" was made globally in this script and thus modified
approximately 30 paths. This in turn affected 30 files which prohibited
data from being sent to Unix computers on the network. MfgCompany had
purchased this "ftp" feature separately and Ray Suspect had installed
it. The "ftp" feature is used by the ZY Computer 4's to automatically
transfer certain files that are listed in a script, to Unix computers on
MfgCompany's ethernet network. This transfer is completed by the
computer referring to a path (the hierarchy of files/directories that
lead to a given file) in the script of directions and then copying the
specified file to the location designated in the path. Since Unix
computers are sensitive to capital and lower case letters, every letter
in the path has to be of the same case as it is listed in the root (main)
directory of the Unix computer where it is located. If any one letter
is of a different case the computer will not make the transfer of the
copy. MfgCompany employees then use the data on the Unix computers for
business. This failure signaled the corporation that there has been a
failure in the Information Systems. Ray Suspect created this ftp script
for MfgCompany when it was set up and then maintained it.
In the fourth action, the intruder voided passwords on the ZY
Computer 4 computer named Pacific by causing the password expiration
program to expire several hours later on Monday May 13, 1994, at 0001
hours. Thus when MfgCompany employees tried to log on Monday morning
they could not use the computer system as all of the passwords had
become invalid.
The intrusion was made through the account of Employee4. Network
system logs indicated that Employee4's password was used to make the
connection. The passwords for the network were not changed after
Suspect left MfgCompany. While at MfgCompany, Suspect had authorization
to review and copy the password file as he was one of three system
administrators with "root" privileges.
Only two people in the company, Employee2 and JoeSuspect,
had the
total level of knowledge to complete the above actions.
Employee2 is
the senior applications engineer in Information Systems.
Albert said
that Employee2 and Suspect did not work together and were
only speaking
acquaintances. Employee2 was on a canoeing trip on June
12, 1994, and
it was Albert's belief that this trip was out of State.
On July 26, 1994, MfgCompany discovered that its computer network
had again been illegally accessed and files erased. This came to
MfgCompany's attention because production schedules stopped working on
the ZY Computer 4 as a result of database files having been erased. No
other modifications. This intrusion took 8 minutes. On this occasion
both Pacific and Baltic ZY Computer 4s had files erased. This
intrusion was possible as security for the whole system went down on
July 26, 1994, as a result of a hardware upgrade.
On Friday, 8-12-94, I spoke with Jonathon A. and Robert Burns,
Private Investigators. Burns told me that he works for A. and was
checking the trash of Suspect. Burns said that on 8-12-94, at about
12:30 a.m., he checked the trash of JoeSuspect, 1111 Rd. The trash
was located in a trash can next to the street for collection. There are
no sidewalks or curbs in this area. In the trash he found a piece of
yellow lined paper approximately 3 X 5 inches. The paper had the
following numbers written on it:
123-1111
1112
1113
1114
444-5555
During a conference call between Alan Albert, A., and
myself, as A.
read the numbers, Albert told us the 123 numbers connect
to a modem pool
in the computer room of the Information Service's office
in Community
where the ZY Computer 4 computers are maintained. This
modem pool
allows a connection to MfgCompany's ethernet/local network
in Community.
Information services uses this modem pool as a connection
to
MfgCompany's network when they need to check the system.
Albert went on
to say that the 444-5555 telephone number is a San Jose
telephone number
that serves as a connection point to MfgCompany's world
wide X.25
network. A. faxed me a copy of the paper with numbers.
Your affiant seeks permission to bring MfgCompany employee
Alan
Albert and Jonathon A., private investigator under
contract to
MfgCompany, along on the search to assist with the
identification of the
files. Albert will be under the direct supervision and
control of your
affiant or another peace officer assisting your affiant in
the service
of this warrant.
Your affiant is aware that such a procedure was approved
in People
v. Superior Court (Moore) (1980) 104 Cal. App. 3d 1001.
Albert will be
closely supervised by members of the District Attorney's
office staff or
other law enforcement officers.
Computers:
Your affiant requests permission to search and seize any
computer
systems and magnetic media found at the scene.
Your affiant knows from his training and experience that
computer
systems commonly consist of central processing units
(CPUs), hard disks,
hard disk drives, floppy disk drives, tape drives, display
screens,
keyboards, printers, modems (used to communicate with
other computers),
electronic cables, cassette tapes, floppy disks, and other
forms of
magnetic media containing computer information.
Your affiant knows from his training and experience that
computer
users will commonly keep computer hardware and software in
their homes,
garages, carports, outbuildings, storage areas and sheds
assigned to
their premises.
Your affiant requests permission to seize computer systems
and
magnetic media found at the scene without first conducting
an
examination of each and every hard and floppy disk to
determine if such
systems and media contain the items requested by this
affidavit.
Computer users frequently collect a great deal of software
on disks or
other magnetic media. Searching that media within a
reasonable amount
of time to determine which material is relevant to this
investigation
would be difficult and could risk destruction of the
evidence.
Your affiant may also need to examine at another location
any
computer(s) found at the scene because most hard disks
contain so much
data that an on-site inspection is impractical. The
examination
required to determine whether the hard disk contains the
items requested
by this affidavit could take days or weeks. Furthermore
there may be
too many tapes and or disks to allow a thorough search of
such disks
within a reasonable period.
Finally, the computer and magnetic media is the best
evidence
available. Magnetic media is easily erased or destroyed.
Leaving
magnetic media behind may result in the loss of that
magnetic media as
evidence. Your affiant believes that it is better to seize
the original
evidence than to rely solely on copies which have not been
authenticated
in the presence of counsel for persons who could face
criminal charges
based on material found pursuant to this warrant.
Your affiant also seeks to seize documentation associated
with the
computer(s) found at the scene. Your affiant may need that
documentation to search the computer. Moreover, that
documentation may
well contain information identifying the owner and/or user
of that
computer.
Occupancy:
Based on your affiant's training and experience, your
affiant knows
that occupants of dwellings usually receive correspondence
addressed to
the occupants at that particular dwelling. Such
correspondence usually
includes, but is not limited to, phone bills, utility
bills, rental
agreements, rent receipts, identification papers, canceled
mail
envelopes, and personal letters. Additionally, your
affiant knows that
other evidence of ownership and control of said dwellings
can usually be
found on the occupants of said dwellings and may include,
but is not
limited to, keys, rent receipts and photographic
identification
documents, with names and addresses on them. Your affiant
seeks
permission to seize those items.
Based on these facts, your affiant is of the opinion that it is
probable that Suspect has committed violations of Penal Code Section
502c(2), the violation of which is punishable by terms of imprisonment
of longer than one year.
WHEREFORE your affiant prays that a search warrant be
issued with
respect to the above locations for the seizure of said
property at any
time of the day and that the same be held under Penal Code
section 1536
and disposed of according to law.
___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County
Subscribed and sworn to before me
this 16th day of August 1994.
___________________________
Judge of the Superior Court
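The third action described in the affidavit above, a change of letter case in a directory name throughout a transfer script, is the kind of edit that a comparison against a known-good copy makes visible. The following added example (not MfgCompany's script or tooling) flags lines that differ from a baseline only by case and names the path component that no longer resolves; the "put" script syntax, file names and directory listing are constructed assumptions.

```python
import difflib

# Constructed baseline copy of a transfer script. The "put SRC DEST" syntax
# and every file name are assumptions; only the "mis" directory name and the
# i -> I change come from the affidavit.
BASELINE = """\
put INVENT.DATA /export/mis/inventory/invent.dat
put ORDERS.DATA /export/mis/orders/orders.dat
put SCHED.DATA /export/mis/schedule/sched.dat
put NOTICE.TEXT /export/public/notice.txt
"""

# The same script after a global change of "mis" to "mIs".
CURRENT = BASELINE.replace("/mis/", "/mIs/")

# Constructed listing of paths that exist on the case-sensitive Unix side.
KNOWN_PATHS = {
    "/export", "/export/mis", "/export/public",
    "/export/mis/inventory", "/export/mis/inventory/invent.dat",
    "/export/mis/orders", "/export/mis/orders/orders.dat",
    "/export/mis/schedule", "/export/mis/schedule/sched.dat",
    "/export/public/notice.txt",
}


def audit_script(baseline, current):
    """Split differences into case-only edits and real content changes."""
    base, cur = baseline.splitlines(), current.splitlines()
    # Align the two versions on case-folded text so a case change does not
    # look like a deleted line plus an inserted line.
    matcher = difflib.SequenceMatcher(
        a=[line.casefold() for line in base],
        b=[line.casefold() for line in cur],
        autojunk=False,
    )
    case_only, content = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            for k in range(i2 - i1):
                if base[i1 + k] != cur[j1 + k]:
                    case_only.append((j1 + k + 1, base[i1 + k], cur[j1 + k]))
        else:
            content.append((tag, base[i1:i2], cur[j1:j2]))
    return case_only, content


def first_bad_component(path, known_paths):
    """Return (component, expected_spelling) for the first component that
    fails a case-sensitive lookup, or None when the whole path resolves."""
    folded = {p.casefold(): p for p in known_paths}
    prefix = ""
    for part in (p for p in path.split("/") if p):
        candidate = prefix + "/" + part
        if candidate not in known_paths:
            match = folded.get(candidate.casefold())
            expected = match.rsplit("/", 1)[1] if match else None
            return part, expected
        prefix = candidate
    return None


def broken_destinations(script, known_paths):
    """List (line_number, destination, bad_component, expected_spelling)."""
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 3 or fields[0] != "put":
            continue
        bad = first_bad_component(fields[2], known_paths)
        if bad:
            findings.append((number, fields[2], bad[0], bad[1]))
    return findings


if __name__ == "__main__":
    case_only, content = audit_script(BASELINE, CURRENT)
    print(len(case_only), "case-only edits,", len(content), "content changes")
    for finding in broken_destinations(CURRENT, KNOWN_PATHS):
        print(finding)
```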
This affidavit was used to get into the residence and personal computers
of a part time university employee who broke another employee's account
and used that account.
SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT
JOHN C. SMITH, Sr. Criminal Investigator, Santa Clara
County
District Attorney's Office being sworn, says that on the
basis of the
information contained within this Affidavit and any
attachments thereto,
he has probable cause to believe and does believe that the
property
described below is lawfully seizable pursuant to Penal
Code Section
1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same
as a means of
committing a public offense, or in the possession of
another to
whom he/she may have delivered same for the purpose of
concealing
or preventing its discovery;
(X) constitutes evidence tending to show that a felony has
been