INVESTIGATING AND
PROSECUTING NETWORK INTRUSIONS
JOHN C. SMITH, SENIOR INVESTIGATOR
HI TECH / COMPUTER CRIME UNIT
SANTA CLARA COUNTY DISTRICT ATTORNEY'S OFFICE
70 WEST HEDDING STREET
SAN JOSE, CALIFORNIA 95110
408/299-8411 email jsmith@netcom.com
The Santa Clara County District Attorney's Office Hi Tech / Computer Crime Team has had years of experience investigating and prosecuting trade secret thefts, network intrusions, chip thefts, and other types of high technology thefts in Silicon Valley. The Unit is composed of two Deputy District Attorneys and one Investigator.
Some of the cases we have handled include:
Theft of source code to manufacture computer chips.
Theft of manufacturing processes to make computer chips.
Theft of password files from computers (hacking).
Sending harassing e-mail over networks (Internet).
Theft of software by rewriting into another computer language.
Shutting down computers via telephone access.
Theft of source code to develop a competing software program.
Intrusion into computer systems using random number dialers.
Theft of source code via modems and cellular phone.
Intrusion into systems via the Internet using bugs such as rdist.
Illegal intrusion into networks to destroy data.
Theft of hardware and computer chips.
THIS PRESENTATION WILL COVER
Network intrusions.
Theft of proprietary material.
How to conduct your investigation and gather evidence.
How to gather and safeguard the evidence necessary for prosecution.
How to get the appropriate law enforcement support.
How to work with law enforcement so they understand the problem.
What is required for a search warrant.
How a Search Warrant Raid is conducted (You may be asked to go.).
What is required for a telephone trap.
What is required for an arrest.
What to expect from the court process.
How to prepare to testify in court if necessary.
How to recover damages civilly or from probation.
Impact of the Electronic Communications Privacy Act.
Examples of Search Warrants and Telephone Traps are attached.
Actual cases will be discussed and used as examples. The search warrant affidavits and telephone traps attached to this outline are exactly as I took them to court with the exception of the name changes. By thoroughly reading the affidavits, the reader will have the opportunity to see what probable cause is needed to obtain a search warrant.
HAS A CRIME BEEN COMMITTED
Under most circumstances, for Federal or local law enforcement to assist you there has to be a violation of the law.
United States Code, Title 18, Section 1030, "Fraud and Related Activity in Connection with Computers", is the section relied upon by the FBI. (A COPY OF THIS SECTION IS ATTACHED.) The FBI will also attempt to use sections dealing with theft by wire and interstate theft.
Each State has its own laws. These laws vary widely and most states have not yet enacted appropriate laws for dealing with computer or network intrusion.
California Penal Code Section 502, "Unauthorized Access to Computers, Computer Systems, and Computer Data." (A COPY IS ATTACHED.) Some of the subsections are felonies. A person who is convicted under this section is subject to having their computer forfeited under Penal Code Section 502.01.
California Penal Code Section 499c, "Trade Secrets", covers the theft of trade secrets. This has to be scientific or technical information, computer programs, or information stored in a computer.
If local law enforcement decides that they do not have sufficient information to file a crime report, conduct a search warrant, or issue an arrest warrant, they may be able to phone or contact your suspect and warn them to stop. This does sometimes work.
WHEN A CRIME HAS BEEN COMMITTED
DO NOT CONFRONT OR TALK WITH THE SUSPECT. This gives them the opportunity to hide or destroy evidence. Law enforcement probably will not help you if this occurs because of the slim chance of making a case.
If necessary, call law enforcement and ask what the law is. Many times executives of victim companies are hesitant to file a crime report until they know and understand what law enforcement will do. Can you discuss what your options are with the appropriate law enforcement agency without having to make an official report?
You should be able to discuss your options without having to file an official crime report. Under most circumstances our office will not file a criminal case for theft of data or proprietary information (industrial espionage) unless the company/victim wants to file a criminal charge. These cases are complex and require the willing cooperation of the victim. We make sure they understand what will be required of them before we will start an investigation.
Many times both the FBI and local law enforcement will have jurisdiction over a network intrusion or theft. You may want to talk to both about how long their investigation will take and what they expect from you. Will their reports be available for your review and use in civil actions?
Law enforcement does not like a company "shopping" for the best deal, so be careful how you deal with agencies. Remember the agencies talk and work with each other.
Local law enforcement may have trouble conducting the investigation outside of their jurisdiction. Police Departments and Sheriff's Offices will work with their local prosecutors.
Will the FBI conduct an investigation? They have to work with the U.S. Attorney's Office to obtain a search warrant or investigate a case.
SHOULD YOU REQUEST LAW ENFORCEMENT ASSISTANCE
This can be DAMAGE CONTROL: the only way you may ever know the extent of your loss or network penetration is from the evidence collected from a search warrant.
DO NOT WAIT TOO LONG TO CALL. It is best to notify law enforcement right away. In one case we worked, the backup tapes from a system an intruder was using were kept only a short time and then reused.
In a civil action, you will demand discovery to obtain evidence and learn what documents or data the defendant may have, but it is up to the person being sued to turn over the documents you are accusing them of stealing or using to penetrate your network.
Working with law enforcement is a time consuming and demanding task. For us to assist you with an investigation we require your assistance and cooperation. We need:
A commitment of your time and resources. You will have to work with law enforcement at almost every step of the process.
Interviews to prepare crime reports and the affidavit for a search warrant.
Engineers or computer operators to accompany law enforcement on the search warrant to assist with operation of the computer system and identification of data or property.
Assistance from the victim company to identify and describe documents, source code, and other evidence found.
A company expert may need to be available for explanations and assistance during a trial.
Documents may need to be provided to the defendant's attorneys for discovery. They may ask for more than you want to provide. Your attorney will have to argue against broad ranging discovery. Defendants are entitled to seek evidence they need for their defense.
You and other company employees will be subpoenaed to testify. This is time-consuming in that witnesses may have to wait their turn in court.
Very few cases actually go to trial! Approximately 5% go to trial in Superior Court in Santa Clara County, California. There will generally be plea bargaining and negotiations so that an agreed upon sentence can be reached. Both prosecutors and defense attorneys know what sentences can be expected from certain cases. White collar crimes are not usually prison crimes.
You should be able to access law enforcement's reports. This will help you understand your situation. You can then use those reports for civil proceedings.
If you are going to initiate civil litigation, it is a good idea to wait until you decide whether you are going to make a report to law enforcement. You do not want to alert the suspect to criminal action in the event a search warrant is issued.
Law enforcement does not (or should not) care if civil actions are filed. In most of our cases there have been parallel civil actions and they have not affected our cases.
In some cases the victim's attorneys have used our Search Warrant Affidavit to apply to the court for a TRO (temporary restraining order) to prohibit a suspect from using materials or data they have taken.
HOW TO GET LAW ENFORCEMENT'S ASSISTANCE
CORPORATE SECURITY - If your company has corporate security or a corporate investigator, talk with them. They may know the capability of law enforcement in your area. They may have contacts with law enforcement. They may know the best way to get assistance.
The High Technology Crime Investigation Association (HTCIA) is a group of local and federal law enforcement officers, corporate investigators and private investigators who have an interest in or work in the area of computer or high technology crime. HTCIA provides training to its members. I can put you in touch with someone from each chapter.
HTCIA has chapters in:
Silicon Valley (San Jose), California
Southern California
Northern (Sacramento), California
Austin, Texas
Portland, Oregon
Chicago, Illinois
New York, NY
New Mexico
Chapters have begun forming in the Netherlands and in Arizona. (I try to keep up with current contacts and phone numbers.)
If you call local law enforcement, I recommend calling the investigations or detective bureau directly.
If you call 911 or a regular police department reporting number, they will send a uniformed officer and log the call on a public log. It is the uniformed officer's job to write a report which will go through a review process, be logged in by records, and then be sent to investigations for assignment to the appropriate investigator. This can sometimes take a week.
Try to get the direct assistance of an investigator. You will usually get a more experienced officer and faster assistance.
Call your local prosecutor's office. Most District Attorney's Offices have investigators. Ask if there is a computer or hi tech unit. Ask if they know who would be best to assist you.
Training for law enforcement is becoming better and easier to get. Don't be surprised if there is a highly trained law enforcement officer in your local area. You just have to find them and cultivate their friendship. Interested law enforcement officers would probably be interested in talking with you or touring your facilities.
If your company will allow it (many will not), consider volunteering to provide advice and assistance to local law enforcement. I have started a volunteer program of computer knowledgeable individuals who help me on search warrants and help retrieve data from computers. If you work for someone you should get permission first. Many corporations see this type of volunteer work as being a conflict of interest. If this is the case, see if they will let you provide advice or training to law enforcement. This will pay dividends because it gives you direct access to law enforcement for advice if and when you need it.
The FBI has a highly trained computer crime team stationed in Washington D.C. They can be reached at (202)324-9168.
WORKING WITH LAW ENFORCEMENT
Remember there is a very good chance the law enforcement officer is not going to understand the technical aspects of what you are talking about. Most cannot work PCs, much less understand a network problem.
You should have been making notes of your activities as you track an intruder. Put this in some type of a report or memo format. This report can be given to the officer. It can also be used as part of the report or as an attachment for a search warrant. You can then use this report to help you recall what you did if the case goes to trial many months later.
As you write your report remember WHO, WHAT, WHEN, WHERE, WHY, and HOW. If you and law enforcement can show this you can make a case.
Diagrams are very helpful in understanding systems. A diagram can be attached to the report to help others who have to read and understand the report. Diagrams are frequently used in court.
EVIDENCE
In these types of cases evidence may consist of such things as backup tapes, printouts of computer programs, suspect's accounts and their contents, and computer disks.
In one case we used an article found online that had been written by our suspect regarding activities he had been involved in. We attached this to our affidavit requesting a search warrant.
In an intrusion case, you will be looking for evidence that will show who committed the violation and that can be used to obtain a search warrant to seize the suspect's personal computers at his home or business.
A suspect would have a good defense if you only found evidence in an online account. The defense will claim that someone else put the evidence there. We would not charge a person with a crime on the basis of evidence found in an online account.
We investigated and obtained a conviction on a suspect that used someone else's account (after they broke the password) to shut down a computer. I later found the broken password in the original suspect's home computer. (I CAN EMAIL YOU THE JUDGE'S RULING FROM THE APPEAL WHERE HE DISCUSSES THIS.)
You would use the evidence in the online account to seize the suspect's computers. Law enforcement will then search the suspect's personal computers for evidence. You often find printed material at the suspect's home that can be used as evidence.
Evidence must be gathered by law enforcement officers in accordance with court guidelines governing search and seizure or it will be excluded. This is referred to as the Exclusionary Rule. It does not apply to ordinary citizens such as you. You do have to remember that if you do something illegally you could be sued.
If you gather evidence at the request or suggestion of a law enforcement officer and the gathering does not meet the legal requirement, that evidence will be excluded.
Remember the provisions of the Electronic Communications Privacy Act, Chapters 2500 & 2700 of Title 18 of the United States Code.
CHAIN OF POSSESSION - This means that for evidence to be admitted in court, the prosecution has to be able to show who obtained it, who secured it, and anyone who has had control. It will probably be necessary to have anyone in this category testify. This applies to anything you may secure such as a disk or backup tape.
Evidence should be properly marked by placing your initials on items like tapes, printouts, documents, or equipment. Items can be sealed in envelopes or bags which should be signed, dated, and sealed.
Evidence should be stored and locked, so that you can testify that no one other than yourself or those people that you can name have had access to it.
The defense may maintain that an item has been tampered with or changed.
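As an added illustration of the chain-of-possession requirement above (example code, not from this outline or the District Attorney's office): a small Python ledger that hashes a seized item at acquisition, logs every hand-off, lists everyone who has had control, and reports the problems a defense could raise. The names, timestamps and tape contents in it are constructed.

```python
# Chain-of-possession ledger for a seized evidence item (added example, not
# from the original outline). Records who obtained the item, who secured it and
# every hand-off, and checks that the record is unbroken and the item unchanged.
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CustodyEntry:
    when: str                   # ISO-8601 "YYYY-MM-DDTHH:MM:SS", UTC, so strings sort by time
    from_person: Optional[str]  # None for the initial seizure
    to_person: str
    purpose: str


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str                 # digest taken at seizure, before the item is sealed
    seal_initials: str          # initials written on the sealed envelope or bag
    entries: List[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, description: str, data: bytes,
            collector: str, initials: str, when: str) -> EvidenceItem:
    """Open the record at seizure: hash the contents and log the first custodian."""
    item = EvidenceItem(item_id, description, sha256_hex(data), initials)
    item.entries.append(CustodyEntry(when, None, collector, "seized and sealed"))
    return item


def transfer(item: EvidenceItem, from_person: str, to_person: str,
             purpose: str, when: str) -> None:
    """Log a hand-off; refuse one that does not come from the current custodian."""
    current = item.entries[-1].to_person
    if from_person != current:
        raise ValueError(f"{from_person} is not the current custodian "
                         f"of {item.item_id} ({current} is)")
    item.entries.append(CustodyEntry(when, from_person, to_person, purpose))


def custodians(item: EvidenceItem) -> List[str]:
    """Everyone who has had control, in order: each of them may have to testify."""
    seen: List[str] = []
    for entry in item.entries:
        if entry.to_person not in seen:
            seen.append(entry.to_person)
    return seen


def verify(item: EvidenceItem, data: bytes) -> List[str]:
    """Return the problems a defense could raise about this record; empty means clean."""
    problems: List[str] = []
    if sha256_hex(data) != item.sha256:
        problems.append("contents no longer match the digest taken at seizure")
    if not item.entries:
        return problems + ["no custody entries at all"]
    if item.entries[0].from_person is not None:
        problems.append("first entry is not the seizure")
    for prev, cur in zip(item.entries, item.entries[1:]):
        if cur.from_person != prev.to_person:
            problems.append(f"gap: {prev.to_person} -> {cur.from_person} at {cur.when}")
        if cur.when < prev.when:
            problems.append(f"entry at {cur.when} is dated before {prev.when}")
    return problems


# Constructed sample: stand-in for the contents of a seized backup tape.
TAPE_IMAGE = b"constructed backup tape image: password file copy, login records\n"


def example_record() -> EvidenceItem:
    """Seizure followed by two hand-offs, all with constructed names and dates."""
    item = acquire("SW-001-T1", "DDS backup tape from victim's mail server",
                   TAPE_IMAGE, "Investigator Doe", "ID", "1995-03-01T09:15:00")
    transfer(item, "Investigator Doe", "Evidence Clerk", "locked storage",
             "1995-03-01T16:40:00")
    transfer(item, "Evidence Clerk", "Examiner Roe", "lab examination",
             "1995-03-08T10:05:00")
    return item


if __name__ == "__main__":
    rec = example_record()
    print("custodians who may have to testify:", custodians(rec))
    print("problems:", verify(rec, TAPE_IMAGE) or "none")
    print("after alteration:", verify(rec, TAPE_IMAGE + b"x"))
```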
Read the attached Search Warrant Affidavits for ideas on what can be evidence. These are actual warrants I have written and served, but with name changes. The affidavit on page 27 is a good illustration of what can be evidence.
OBTAINING AND SERVING SEARCH WARRANTS
The search warrant should be done as quickly as possible before the intruder can do further damage. It has been my experience that this type of person does not destroy data unless they are threatened.
It is important that you keep information about the investigation limited to as few people as possible. This limits the possibility of the investigation being leaked.
When I go to a victim company to conduct my investigation, I usually do not identify myself as law enforcement to company receptionists and others not involved in an investigation. You should ask law enforcement to merely request to speak with you when they come to your office to start the investigation.
Probable cause is the criteria required for the issuance of a Search Warrant. You have to establish that a crime has been committed and show why there is cause to enter someone's home or business. The law enforcement officer, probably a local prosecutor, and a judge all have to believe that there is probable cause. For a conviction you have to prove that someone is guilty beyond a reasonable doubt, a much stronger standard than probable cause.
If you have property or data stolen and probable cause can be established, a search warrant can be issued for both buildings and computer systems. Comparisons of data recovered can be made with data allegedly stolen.
You may be asked to accompany law enforcement on the search warrant as a technical assistant or to identify property.
If it is necessary for you to carry documents in on a search warrant, consider copying them onto colored paper. This will prevent the defense from inferring that what might have been found was left by you.
Once law enforcement has served the search warrant and examined the seized computers and disks, you will start to be aware of the extent of your problem. You will probably be asked to help evaluate and identify programs found on computers. This will probably lead to other victims.
Any evidence gathered during the search warrant, even though maintained by law enforcement, is legally under the control of the court. Even though a seized item may have your name on a document, it will not be returned to you unless the suspect signs a release or after a hearing by the court.
Many victims just want to get their property back after a search warrant has been completed. They may not want to go to trial for fear of disclosing information and think that if they drop charges they will get their property returned to them.
TELEPHONE TRAPS
(SEE ATTACHED EXAMPLES)
This requires the equivalent of a search warrant. You will have to file a crime report with law enforcement. The prosecutor or U.S. Attorney's office will have to approve the request before it is taken to a judge for signature.
The form will be different from State to State, but it usually always takes probable cause.
Once you have information regarding where calls are coming from, this will be the probable cause needed to obtain a search warrant for that location.
Modifying and illegally using cellular phones has become big business. It is impossible to track and locate a suspect if they have used someone else's ID or cellular phone number. In one case the suspect social engineered a modem access number and then used a cellular phone to illegally access a company's network.
If you belong to any type of an association, invite a local telephone company representative to meet and talk with your group.
Most of the telephone companies are charging for these types of services. You will be required to pay the costs.
DISCOVERY AND PROTECTIVE ORDERS
Discovery is where the prosecution (not the defense) provides all reports, information on evidence, a list of potential witnesses, any criminal history of witnesses, and any information except how the prosecution is going to present the case in court.
Any property or data recovered by law enforcement will be subject to discovery if a person is charged with a crime. However, a protective order can limit who has access, who can copy, and the disposition of the documents.
A protective order allows you to protect proprietary or trade secret documents related to the case.
California Evidence Code Sections 1061, 1062, & 1063 deal with protecting proprietary information, how to obtain protective orders, and how to close courtrooms during discussion of proprietary information. It also limits who the defense can hire to use as an expert witness.
If your State does not have such a law, you and members of your association should work to have one passed.
(AN ARTICLE ON THIS SECTION IS ATTACHED)
CRIMINAL TRIALS AND TESTIFYING IN COURT
Once a person is arrested they will be arraigned, during which time the court will make sure the suspect has an attorney. For a felony a grand jury hearing or preliminary hearing will be scheduled. States do differ somewhat in this process.
In a grand jury hearing neither the defendant nor their attorney can be present. A grand jury hearing is considerably faster.
In a preliminary hearing the prosecution must show that a crime has been committed and there is probable cause to believe that the defendant committed the crime.
If the defendant is held to answer in a preliminary hearing or the grand jury returns an indictment, a trial will be scheduled.
If the case goes to trial, interviews with witnesses will be necessary. You may have to assign someone to work with law enforcement as a liaison. Key employees will have to spend time away from work at the court, as the prosecution is required to have another witness ready as soon as the current witness is excused.
If you are called as a witness, you should be given instructions prior to trial by the prosecutor about the type of questions to expect and how you will be allowed to answer questions. Remember the prosecutor does not know what the defense attorney will ask. The prosecution is required to furnish the defense with copies of all reports, evidence, and witnesses' names prior to the trial.
Listen to the question carefully to get the full meaning and determine that it is not a multiple part question or contradictory. Most defense attorneys are going to want you to answer only yes or no. However, if you cannot answer with a yes or no, let the court know that it is necessary to answer with an explanation.
Do not answer immediately, and make sure you understand the question. This pause will give the prosecutor time to object to defense questions that are inappropriate, confusing, or vague.
If you do not totally understand the question, ask for an explanation or start your answer by stating: "I understand your question to be... (give an explanation) and thus my answer would be this....."
You cannot give hearsay answers, only information that you have seen or done. This means that you can generally not testify as to what someone has told you.
Engineers are generally poor witnesses. They tend to see things in absolutes. Often times it is necessary to explain or request clarification so that a witness is not always answering no.
In one case we called a woman engineer as a witness. On the first day she answered no so often everyone thought she was committing perjury. That evening I explained that she should begin explaining rather than just saying no. This worked for her.
EXPERT WITNESS - Based on your education, training, and experience, you may qualify to testify as an expert witness. This will allow you to give explanations about how computer systems or networks function. In order to give an opinion you have to be qualified as an expert witness. I have testified as an expert on fingerprints, drugs, alcohol, and prostitutes. It has taken up to an hour to go through this process as the defense can also challenge your expertise.
RECOVERY OF DAMAGES
To recover the cost of damages, such as reconstructing data, re-installing an uncontaminated system, or repairing a system, you can file a civil lawsuit against a person.
You can hire an attorney or you could consider filing a claim in small claims court. In California, neither you nor the person you are suing can take an attorney into court. Small claims is heard only by a Judge. In California the maximum that you can sue for in Small Claims is $5,000.00. Check with your local court to learn the small claims maximum.
THINGS TO REMEMBER DURING AN INVESTIGATION
To remember this think of Smith's Splendid / Silly / Superfluous System:
SPEED
STEALTH
SYSTEM SECURITY
SECURE EVIDENCE
SUSPICIOUS / SCREWY EMPLOYEES
SHOW & EXPLAIN - REPORTING
SEARCH WARRANT - PREPARE AND SERVE
SPEED
Obtain a copy of any unauthorized program or data quickly before it is moved or erased. This copy could be valuable evidence. Notify law enforcement and try to get a search warrant to find any additional data or seize any personal computers associated with the crime. There is likely to be additional information in the computers that may tell you about other intrusions into your systems as well as other companies.
In one case I found 10 etc/passwd files, most with cracked passwords. In recent cases I have found a backdoor login program and a trojan horse. I was able to show these programs to the systems operator so they could more effectively check their systems.
If you have a theft of a trade secret, you should talk with your law enforcement representative to find out what they can and will do to help. Can the secret be stopped before it is removed from the United States, and what can be done if it is removed? We are presently prosecuting a company based in Taiwan.
STEALTH
Don't alert the intruder that law enforcement is involved. In several cases it has taken several weeks to complete the investigation and obtain a search warrant. Very few people in the victim company knew who I was; they merely viewed me as another consultant. As a result we recovered computers and other data from the victims.
SYSTEM SECURITY
This will most likely be your major concern, but law enforcement's role is to catch the bad guys. Explain to law enforcement what the intruder can do with any data they may have taken or from just gaining access. Remember the law enforcement officer may not understand the potential damage to your system or the overall ramifications of "merely having an unauthorized person connecting to your system."
Explain what an intruder can do if they can get root access and what it will take for you to correct the problem.
Even under the ECPA you can take steps to protect your system, if you do tell law enforcement what you found without a proper search warrant. If you think you need to examine someone's account to protect your system, you should document the reasons that you took the action.
SECURE EVIDENCE
Remember the Chain of Evidence. This is critical, as we cannot introduce evidence in court unless we can prove the chain of possession.
Make or obtain tapes of data when possible.
Try to determine the motive of the intruder. This will help with the prosecution.
In cases of theft, a showing of probable cause will have to be made that the product being sought in the search warrant is the same as the victim company's. I have made comparisons of the victim's printed manual with the manual or manual pages from a suspect's software program. A victim company engineer's statement that the functionality is the same is not sufficient; this statement must be corroborated with evidence like the manual pages.
SUSPICIOUS EMPLOYEES
If an employee with system knowledge leaves your company, consider changing passwords. We investigated a case where a manufacturing database was erased twice. The first time was with use of a current employee's password that the suspect learned while employed with the victim.
Most of the Santa Clara County District Attorney's office cases of trade secret theft have involved employee embezzlement. Several examples include:
WBS - a disgruntled engineer who carried out thousands of pages of proprietary information and tried to use them to get another job after he was terminated.
M Goldberg - a young man from France who was sent to the United States to work in American software companies rather than serve his French military draft obligations. When his 2 year obligation expired he was stopped from getting on an airplane with enough proprietary information to duplicate the software program he had been working on. He said he wanted to get a job when he returned to France.
CVD - The manager of a computer support group who had his employees rewrite his company's major database program from an IBM mainframe language to C for Sun workstations. He then sold it for several million dollars. He was also trying to do business with other countries. A Sun employee was also convicted of commercial bribery for helping CVD sell the stolen software to Sun. He was also trying to sell computer programs in other countries.
Raj - an Indian engineer who went to work as a security guard at a computer company's R&D building while at the same time he was working for other companies doing the same type of development.
Foreign companies - One tactic is to hire one employee from a company so that person can help determine who else to hire.
SHOW & EXPLAIN FOR LAW ENFORCEMENT
When you think you have a problem you should ask your local law enforcement whether they are required to take a report if you talk to them about a problem. If you decide you are going to file a report, designate someone to work with law enforcement.
Remember a report and diagrams are helpful.
On a case of software theft, I worked with a customer support software engineer who was very good at explaining the company product.
Law enforcement will have to talk directly with development engineers, financial officers, and other company officials. You cannot just have your attorney relate the information. We require a commitment from a high ranking company official that they will support a criminal trial before we will start a search warrant.
SEARCH WARRANT
A search warrant to check a suspect's home and computers is the only way to know the extent of an intrusion into your computer system or to learn if any programs were modified or programs left in your system.
A search warrant is also often the only way to recover stolen proprietary information.
A phone trap also requires a search warrant.
FEDERAL AGENCIES
FBI - has a computer crime team in Washington DC and some trained agents in various field offices.
Secret Service - has experts in areas around the USA.
Customs - tracks money exchanges.
U.S. Commerce Department - can keep companies who have stolen products from doing business in the USA, such as in the case of the Taiwanese company charged with theft of trade secrets.
IRS - sometimes, even if you cannot prove a crime, the IRS can tax people who have stolen products, made money, and not paid taxes.
ECPA - TITLE 18 U S CODE 2500/2700
Electronic Communications Privacy Act, Title 18 US Code Chapters 2500 & 2700, as it relates to keystroke monitoring or system administrators looking in other people's accounts. If you do not have a banner or the account holder has not been properly notified, the system administrator can be guilty of a crime and liable for civil penalties from a lawsuit for keystroke monitoring or looking in someone's account.
ATTACHMENTS
SEARCH WARRANT EXAMPLES:
Page 16 - For a Commercial E-Mail account
Page 20 - Illegally accessing a company network and destroying data
Page 27 - Broken University account
Page 38 - Number Search & Trap and Trace for long distance connections
Page 45 - Trap & Trace for attempted contact to system
Page 50 - Example of new language for describing computer data and computer equipment to be seized with a search warrant.
Page 52 - Section 1030 Title 18 U.S. Code
Page 55 - Section 499c California Penal Code
Page 56 - Section 502 California Penal Code
Page 61 - Article on 1061 California Evidence Code
The following three (3) Search Warrant Affidavits on file with the Superior Court were used to obtain a conviction in a case where the defendant was charged with the theft of passwords and for shutting down a computer:
Page 65 - For account information from commercial provider, conforms to ECPA.
Page 81 - For computers and other records to show network intrusion.
Page 89 - For computers after a computer was shut down.
This affidavit deals with obtaining a copy of a suspect's electronic mail account at a commercial account provider for the Internet.
SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT
JOHN C. SMITH being sworn, says that on the basis of the
information contained within this Affidavit and any
attachments thereto,
he has probable cause to believe and does believe that the
property
described below is lawfully seizable pursuant to Penal
Code Section
1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same
as a means of
committing a public offense, or in the possession of
another to
whom he/she may have delivered same for the purpose of
concealing
or preventing its discovery;
(X) constitutes evidence tending to show that a felony has
been
committed or that a particular person has committed a
felony;
and that he has probable cause to believe and does believe
that the
described property is now located at, and will be found
at, the
location(s) set forth below and thus requests a warrant to
search
THE FOLLOWING LOCATION(S):
The premises at Blvd, Suite City of Town, County of Santa Clara, State of California, further described as Commercial Communications, a commercial on-line computer service communication company that provides access to the Internet for subscribers. The Internet is a worldwide network coordinated by the National Science Foundation.
The premises to be searched also include any and all electronic mailboxes, directories, or accounts on Commercial Communications's computer system, registered to or containing data placed in that directory by Brendan Gomez.
DESCRIPTION OF PROPERTY TO BE SEIZED
1. Any and all documents and records, whether on paper or stored on magnetic media (including information stored within a computer), within the account of Brendan Gomez, which show the unauthorized entry or attempted entry or connection to other computer systems that connect to the Internet or were done
2. Any and all programs or computer instructions that reside in the account of Brendan Gomez at Commercial Communications that would be used for the unauthorized connections to other accounts on the Internet and would be used for the automatic transfer of information or programs in any other account or systems on the Internet (hacking).
3. Documents and/or magnetic media showing the identity of users, owners, or lessees of the computer account managed by Commercial Communications and registered to Brendan Gomez.
STATEMENT OF PROBABLE CAUSE
Your affiant declares that the facts in support of
issuance of this
search warrant are as follows:
Your affiant, John C. Smith, is a Senior Criminal
Investigator
(Peace Officer) employed by the Santa Clara County
District Attorney's
Office in Santa Clara County, California. Your affiant has
been
assigned to the High Technology / Computer Crime Unit of
that office
since December 1989. He has been a California Peace
Officer since June
1965. He is a member and past President of the High
Technology Crime
Investigators Association (HTCIA), and the Santa Clara
Valley Industrial
Security Managers Association. He has been a Macintosh
computer user
since about 1986 and an IBM PC user since 1990 and owns
both types of
computers. He is a regular user of the Internet and has
had classes on
the Unix/Workstation operating environment. He has over
274 hours of
training in the High Technology field. He has worked at
least eight (8)
prior network/intrusion type cases and given several talks
to computer
professionals on investigating intrusions. He has
conversed with experts
in federal law enforcement corporate network security who
have
specialized in these cases, and who have considerable
experience in
investigating and interacting with persons who have
illegally accessed
computers.
Your affiant was contacted by President of Commercial Communications Company, Blvd., Suite 200, Town, California, on Friday, June 17, 1994. President told affiant that Commercial had received a communication from the Computer Emergency Response Team (CERT) that detailed a break-in of a computer system at OutOfState University from an account at Commercial. (CERT is the federally funded agency responsible for monitoring security issues on the Internet). This communication is attached as Exhibit A. (NOTE FOR SUN USER GROUP - This attachment listed the dates, times, and computer systems that were illegally accessed. I attached it as part of the affidavit so I would not have to type the same information.)
Your affiant started his investigation by interviewing John Little, President of Commercial Communications and opening Santa Clara County District Attorney's Office Case #94-O-0889. Little gave your affiant the following information: He started Commercial Communication, (hereafter referred to as Commercial) in 1986. Commercial is an on-line communications service, set up to provide customers with access to the Internet. Commercial has two T-1 leased lines, one to BARRNET and the other to CIX, Commercial Internet Exchange, in Santa Clara.
President explained that the message from CERT detailed a break-in to an account and a computer system at OutOfState University on June 9, 1994. In this intrusion the intruder achieved root access and then broke into five (5) OutOfState computers. (Root or superuser status is the privileged or upper level used by the systems administrator. At the root level a user is allowed to do anything on the system such as to look, use or change any regular account and to create files under other names that may run programs not normally allowed on a system.) President said that Commercial did not know which customer account was being used to reach OutOfState and Commercial was concerned that Commercial's computer systems may have been or be compromised. Commercial employees Brian Brown and Rich Black began checking the Commercial system to make sure Commercial's system had not been compromised. They traced the activity from OutOfState back to Brendan Gomez's account. They opened the account to see if Commercial's system was being compromised and saw tools for breaking into computer systems.
Your affiant interviewed BRIAN T. Brown, Commercial
Technical
Support staff member. Brown gave affiant the following
information: He
has worked at Commercial for 3 years and has been working
with UNIX for
about 6 years. Brown explained that after Commercial
received the
message from CERT, Exhibit A, he and Black matched IP
(Internet)
addresses from OutOfState with outgoing logs generated
automatically by
Commercial's computers. Commercial has a logging program
that captures
outgoing ftp (file transfer process) and telnet
connections, i.e.,
connections to computers at other locations. At about the
same time
the connections were made to the computer accessed at
OutOfState, Brown
saw three connections to OutOfState from a Commercial
account labeled
"brendan". Brown said there were no other
connections made to
OutOfState during this time period. Brown and Black opened
this account
to ensure that Commercial's system was not being
compromised and in the
account they observed a Sniffer program. The
"sniffer" program was not
operating at that time. A "sniffer" is a program
that captures the data
sent from a user to other users as the data is transmitted
over a
network. Login and password information can be pulled from
the data and
used to illegally access other accounts.
Brown believes Brendan is 21 yrs old and a 1991 graduate
of High
School in Santa Clara. Brown has met Gomez through a
friend and has
talked with Gomez on network chat lines.
Gomez has only paid $40.00 towards the monthly costs of his "brendan" account while he should have paid $240. Gomez opened the account in 1993. Gomez's account was automatically suspended, probably in Aug 93, because of non-payment. Gomez somehow got around the suspension closure and into his account. On Friday 6-17-94, Brown closed the security hole for billing suspensions.
Your affiant would note that neither Black nor Brown actually intercepted communications made by the person using the "brendan" account and that the copy of the "brendan" directory made by Brown consisted of data that was not stored temporarily as an incident of an electronic transmission. Your affiant specifically does not seek authority to intercept wire communications made by "brendan" in the future.
Affiant contacted Robin Huxley, an employee of OutOfState
University. Huxley is responsible for security on the
computer system
that was compromised from Commercial Communications.
Huxley verified
the information in the report he sent to CERT and copied
to Commercial
Communications, attached as Exhibit A.
Based on these facts, your affiant is of the opinion that it is probable that Brendan Gomez has committed violations of Penal Code Sections 484 and 502c(2), which violations are punishable by terms of imprisonment of longer than one year, and that evidence thereof exists on the data tape of the Brendan Gomez directory made by Commercial Communications.
WHEREFORE your affiant prays that a search warrant be
issued with
respect to the above locations for the seizure of said
property at any
time of the day and that the same be held under Penal Code
section 1536
and disposed of according to law.
___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County
Subscribed and sworn to before me
this 28 day of June 1994.
___________________________
Judge of the Superior Court
EXHIBITS:
A - Three page electronic Message From: huxley-
robin@CS.OutOfState.EDU, Date: 17 Jun 1994, TO:
cert@cert.org.
B - Three page report prepared by Brian Brown dated
94/06/22 containing
portions of outgoing message logs from Commercial
Communications.
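The check Brown describes in the affidavit above, matching the addresses and times in the CERT report against the provider's automatically generated log of outgoing ftp and telnet connections, is straightforward to script, and scripting it makes the result repeatable for the case file. The Python below is an added example, not part of the affidavit and not Commercial Communications' logging program: the log format, timestamps, account names and addresses are constructed for illustration, and the 30-minute matching window is an assumed parameter standing in for the affidavit's "at about the same time".

```python
from datetime import datetime, timedelta

# Constructed sample of a provider's outgoing-connection log (invented format):
# timestamp, local account, protocol, destination address. Not a real log.
OUTGOING_LOG = """\
1994-06-09 21:58:12 alice   telnet 192.0.2.44
1994-06-09 22:03:41 brendan telnet 198.51.100.17
1994-06-09 22:10:05 brendan ftp    198.51.100.17
1994-06-09 22:41:27 carol   ftp    203.0.113.9
1994-06-09 23:02:50 brendan telnet 198.51.100.23
1994-06-10 03:00:00 alice   telnet 198.51.100.17
"""

# Constructed stand-in for the incident report's list of compromised systems and
# the time each was accessed (the role Exhibit A plays in the affidavit).
INCIDENT_REPORT = [
    ("198.51.100.17", "1994-06-09 22:05:00"),
    ("198.51.100.23", "1994-06-09 23:05:00"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse the constructed log into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        date, time, account, proto, dest = fields
        records.append({
            "ts": datetime.strptime(f"{date} {time}", TS_FORMAT),
            "account": account,
            "proto": proto,
            "dest": dest,
        })
    return records


def correlate(records, report, window_minutes=30):
    """Map each local account to the outgoing connections it made to a reported
    host within +/- window_minutes of the reported access time."""
    window = timedelta(minutes=window_minutes)
    matches = {}
    for host, when in report:
        reported_at = datetime.strptime(when, TS_FORMAT)
        for rec in records:
            if rec["dest"] == host and abs(rec["ts"] - reported_at) <= window:
                matches.setdefault(rec["account"], []).append(rec)
    return matches


def accounts_by_match_count(matches):
    """Rank accounts by number of correlated connections, most first."""
    return sorted(((acct, len(recs)) for acct, recs in matches.items()),
                  key=lambda item: (-item[1], item[0]))


def investigate(log_text=OUTGOING_LOG, report=INCIDENT_REPORT, window_minutes=30):
    """Full pass: parse the log, correlate it with the report, rank the accounts.
    Returns (ranking, matches) so both the summary and the evidence are kept."""
    matches = correlate(parse_log(log_text), report, window_minutes)
    return accounts_by_match_count(matches), matches


if __name__ == "__main__":
    ranking, matches = investigate()
    for acct, count in ranking:
        print(f"{acct}: {count} correlated connection(s)")
        for rec in matches[acct]:
            print(f"  {rec['ts']} {rec['proto']} -> {rec['dest']}")
```

With the sample data only the "brendan" account connects to the reported hosts inside the window, which mirrors Brown's finding that there were no other connections during the period. The window matters: widening it to several hours would also pull in the unrelated "alice" connection made the next morning, so the chosen window should be recorded alongside the result.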
This search warrant was used to search the residence and computers of a former employee suspected of illegally accessing a company's database and erasing it.
SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT
JOHN C. SMITH being sworn, says that on the basis of the
information contained within this Affidavit and any
attachments thereto,
he has probable cause to believe and does believe that the
property
described below is lawfully seizable pursuant to Penal
Code Section
1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same
as a means of
committing a public offense, or in the possession of
another to
whom he/she may have delivered same for the purpose of
concealing
or preventing its discovery;
(X) constitutes evidence tending to show that a felony has
been
committed or that a particular person has committed a
felony;
and that he has probable cause to believe and does believe
that the
described property is now located at, and will be found
at, the
location(s) set forth below and thus requests a warrant to
search
THE FOLLOWING LOCATION(S):
The residence of Joe Suspect described as the premises at
18
Street, City of , County of Santa Clara, State of
California, further
described as being a two (2) story structure, a tan color
with gray
trim, with the numbers 18 on a lone mailbox across the
street from the
residence; including any and all yards, outbuildings,
storage areas,
garages, carports, sheds, or mailboxes assigned to the
described
premises, including but not limited to those listed above.
FOR THE FOLLOWING PROPERTY:
1. Any and all documents and records, whether on paper or
stored on
magnetic media (including information stored within a
computer),
which show the unauthorized entry or attempted entry or
connection
to the computer systems at MfgCompany Inc, including but
not
limited to passwords, password files, security holes,
backdoor
logins, telephone numbers for modem connections, and
Software that
creates ZY Computer terminal emulation in a personal
computer.
2. Any and all programs or computer instructions that
would be used
for the unauthorized connections to the computer system at
MfgCompany Inc and would be used for the unauthorized
transfer of
information or programs.
3. Any and all documents and records, whether on paper or stored on magnetic media, that contain any portion of files from the computer systems of MfgCompany Navigation.
4. Computer hardware, software, and data including, but
not limited to
central processing units (CPUs), hard disks, hard disk
drives,
floppy disk drives, tape drives, CD-ROM drives, display
screens,
keyboards, printers, modems, magnetic tapes, cassette
tapes, and
floppy disks, found together or separately from one
another.
5. Written documentation, whether typed or handwritten,
including, but
not limited to, computer manuals and instructions for the
use of
any computers and their accessories found at the premises.
6. Evidence of occupancy and control of said premises and
work areas,
including but not limited to, utility company bills,
cancelled mail
envelopes, and personal papers.
STATEMENT OF PROBABLE CAUSE
I declare that the facts in support of issuance of this
search
warrant are as follows:
I, John C. Smith, am a Senior Criminal Investigator (Peace Officer) employed by the Santa Clara County District Attorney's Office in Santa Clara County, California. I have been assigned to the High Technology / Computer Crime Unit of that office since December 1989. I have been a California Peace Officer since June 1965. I am a member and past President of the High Technology Crime Investigators Association (HTCIA), and the Santa Clara Valley Industrial Security Managers Association. I have been a Macintosh computer user since about 1986 and an IBM PC user since 1990 and own both types of computers. I am a regular user of the Internet and have had classes on the Unix/Workstation operating environment. I have over 274 hours of training in the High Technology field. I have worked at least nine (9) prior network/intrusion type cases and given several talks to computer professionals on investigating intrusions. I have conversed with experts in federal law enforcement and corporate network security who have specialized in these cases, and who have considerable experience in investigating and interacting with persons who have illegally accessed computers. I am a member of the Santa Clara County Network Security Working Group responsible for developing and overseeing the security of the County's wide area network.
I began case #94-0-1102 on Monday, July 18, 1994, by interviewing Alan Albert, Director of Information Systems, MfgCompany Inc, Community, California, and Jonathon A., a private investigator hired by MfgCompany. I again met with Albert and A. on August 5, 1994 and with Albert on August 8, 1994. Albert told me that someone illegally gained access to MfgCompany's corporate computer network on June 12, 1994 and again on July 26, 1994. On these occasions the intruder erased the files from MfgCompany's manufacturing database, modified key files that allow data to be moved between computers for company use and caused the password file on a ZY Computer 4 computer (named Pacific) to become void so that the 400 to 500 users of that system could not log on.
Albert stated that these intrusions have cost MfgCompany
over
$100,000 to repair the damage and hundreds of hours in
lost time
repairing the system so that the manufacturing database
will function
properly. MfgCompany has had to hire a full time
consultant to check
the integrity of the system and ascertain if there are
back door login
programs or other programs hidden in the system that would
allow an
intruder to access MfgCompany's system without
MfgCompany's knowledge.
Albert explained that MfgCompany has offices around the
world and
uses its electronic network to connect operations and
offices.
MfgCompany has employees in 30 countries. MfgCompany's
information
systems and core business systems are headquartered in
Bldg x, Ave.,
Community, California. MfgCompany has its manufacturing
database set up
on three ZY Computer 4 Mini Computers, named Atlantic,
Pacific, &
Baltic, on MfgCompany's ethernet (network connection).
There are
approximately 500 computers, both Unix and personal
computers, on
MfgCompany's network. MfgCompany's manufacturing database
is an
inventory system called "MIP" for Manufacturing
& Inventory Planning.
The ZY Computer 4 operating system is in a language called
MPE and the
database application/program is called "Enhanced
Software", produced by
SoftwareCo Computer Systems of Santa Clara County.
Albert believes that the unauthorized intrusion and damage
to the
system was done by a former MfgCompany employee, Ray
Suspect, who was
the Manager of the Operations Group in the Information
Systems
Department. Albert said that Suspect was only one of two
people who had
all of the information and skills necessary to locate and
change the
files that were changed. Albert explained that MfgCompany
has not cross
trained Information Systems employees so that in some
cases only one
person will know a job or function. In most cases there
will only be
two people who may have the same skills. Suspect was
released by
MfgCompany.
Albert told me the following: Suspect was hired because he had worked for (ZY Computer) and was very knowledgeable about the ZY Computer 4 Computer. Suspect set up the "Enhanced Software" communications software that allows communication and file exchange between the ZY Computer 4 computers, Pacific & Baltic, at MfgCompany.
Ray connected to MfgCompany's computer network system from
his home as
part of his job on a daily or regular basis via a modem
into the ZY
Computer 4 and into a modem bank on an X.25 network
(worldwide network)
that is connected to the ethernet (local). He was also
aware of the
modem connections for Unix computers and personal
computers on the
ethernet based network.
An internal investigation preceded Suspect's termination,
so that
he was working at the company while the termination was
discussed. He
has the knowledge to place hidden programs (backdoor
logins) on the
system that would allow him access to the system.
On June 12, 1994, MfgCompany experienced an unauthorized 3
minute
logon to one of the ZY Computer 4 Mini Computers, called
Pacific.
Pacific contains MfgCompany's manufacturing database.
During this
unauthorized intrusion the intruder performed four (4)
actions that have
caused MfgCompany to have to spend many hours and extra
cost to repair
their computer system.
In the first action the intruder erased MfgCompany's data
files in
the manufacturing database but not the executable database
program.
In the second action, two Configuration files were removed from Pacific's Enhanced Software application which tell Enhanced Software how to obtain data from the other 2 ZY Computer 4s on the system. Enhanced Software resided on both Baltic and Pacific, but with different sets of data. The data is divided between Pacific and Baltic based on demand and location. For MfgCompany to achieve maximum utilization of the Enhanced Software database and its computers, all three ZY Computer 4's have to be able to communicate and pass data. The 2 configuration files which were removed are separate from the Enhanced Software executable code and do not reside in the same group (directory). The intruder had to have expert knowledge of the ZY Computer 4 system and the SoftwareCo Enhanced Software application to know which files from approx 20,000 files in the application and manufacturing database files would stop the computers from communicating. Once MfgCompany had purchased and installed Enhanced Software, it added a feature called "Enhanced Software" to the main program. The two configuration files that were deleted were part of this added feature. Albert stated less than (Small) percent of SoftwareCo's customers use this feature. He learned this from dealing with SoftwareCo.
In the third action, the intruder moved to the "ftp" (file transfer protocol) file in the ZY Computer 4 Operating System of the computer Pacific. In this "ftp" file the intruder changed a small "i" to a capital "I" in a directory name in a path in the script which caused the path to become invalid and not function properly. This change of case on the "i" in "mis" was made globally in this script and thus modified approximately 30 paths. This in turn affected 30 files which prohibited data from being sent to Unix computers on the network. MfgCompany had purchased this "ftp" feature separately and Ray Suspect had installed it. The "ftp" feature is used by the ZY Computer 4's to automatically transfer certain files that are listed in a script, to Unix computers on MfgCompany's ethernet network. This transfer is completed by the computer referring to a path (the hierarchy of files/directories that lead to a given file) in the script of directions and then copying the specified file to the location designated in the path. Since Unix computers are sensitive to capital and lower case letters, every letter in the path has to be of the same case as it is listed in the root (main) directory of the Unix computer where it is located. If any one letter is of a different case the computer will not make the transfer of the copy. MfgCompany employees then use the data on the Unix computers for business. This failure signaled the corporation that there has been a failure in the Information Systems. Ray Suspect created this ftp script for MfgCompany when it was set up and then maintained it.
In the fourth action, the intruder voided passwords on the ZY Computer 4 computer named Pacific by causing the password expiration program to expire several hours later on Monday May 13, 1994, at 0001 hours. Thus when MfgCompany employees tried to logon on Monday morning they could not use the computer system as all of the passwords had become invalid.
The intrusion was made through the account of Employee4. Network system logs indicated that Employee4's password was used to make the connection. The passwords for the network were not changed after Suspect left MfgCompany. While at MfgCompany, Suspect had authorization to review and copy the password file as he was one of three system administrators with "root" privileges.
Only two people in the company, Employee2 and JoeSuspect,
had the
total level of knowledge to complete the above actions.
Employee2 is
the senior applications engineer in Information Systems.
Albert said
that Employee2 and Suspect did not work together and were
only speaking
acquaintances. Employee2 was on a canoeing trip on June
12, 1994, and
it was Albert's belief that this trip was out of State.
On July 26, 1994, MfgCompany discovered that its computer network had again been illegally accessed and files erased. This came to MfgCompany's attention because production schedules stopped working on the ZY Computer 4 as a result of database files having been erased. No other modifications were made. This intrusion took 8 minutes. On this occasion both Pacific and Baltic ZY Computer 4s had files erased. This intrusion was possible as security for the whole system went down on July 26, 1994, as a result of a hardware upgrade.
On Friday, 8-12-94, I spoke with Jonathon A. and Robert Burns, Private Investigators. Burns told me that he works for A. and was checking the trash of Suspect. Burns said that on 8-12-94, at about 12:30 a.m., he checked the trash of JoeSuspect, 1111 Rd. The trash was located in a trash can next to the street for collection. There are no sidewalks or curbs in this area. In the trash he found a piece of yellow lined paper approximately 3 x 5 inches. The paper had the following numbers written on it:
123-1111
1112
1113
1114
444-5555
During a conference call between Alan Albert, A., and
myself, as A.
read the numbers, Albert told us the 123 numbers connect
to a modem pool
in the computer room of the Information Service's office
in Community
where the ZY Computer 4 computers are maintained. This
modem pool
allows a connection to MfgCompany's ethernet/local network
in Community.
Information services uses this modem pool as a connection
to
MfgCompany's network when they need to check the system.
Albert went on
to say that the 444-5555 telephone number is a San Jose
telephone number
that serves as a connection point to MfgCompany's world
wide X.25
network. A. faxed me a copy of the paper with numbers.
Your affiant seeks permission to bring MfgCompany employee
Alan
Albert and Jonathon A., private investigator under
contract to
MfgCompany, along on the search to assist with the
identification of the
files. Albert will be under the direct supervision and
control of your
affiant or another peace officer assisting your affiant in
the service
of this warrant.
Your affiant is aware that such a procedure was approved
in People
v. Superior Court (Moore) (1980) 104 Cal. App. 3d 1001.
Albert will be
closely supervised by members of the District Attorney's
office staff or
other law enforcement officers.
Computers:
Your affiant requests permission to search and seize any
computer
systems and magnetic media found at the scene.
Your affiant knows from his training and experience that
computer
systems commonly consist of central processing units
(CPUs), hard disks,
hard disk drives, floppy disk drives, tape drives, display
screens,
keyboards, printers, modems (used to communicate with
other computers),
electronic cables, cassette tapes, floppy disks, and other
forms of
magnetic media containing computer information.
Your affiant knows from his training and experience that
computer
users will commonly keep computer hardware and software in
their homes,
garages, carports, outbuildings, storage areas and sheds
assigned to
their premises.
Your affiant requests permission to seize computer systems
and
magnetic media found at the scene without first conducting
an
examination of each and every hard and floppy disk to
determine if such
systems and media contain the items requested by this
affidavit.
Computer users frequently collect a great deal of software
on disks or
other magnetic media. Searching that media within a
reasonable amount
of time to determine which material is relevant to this
investigation
would be difficult and could risk destruction of the
evidence.
Your affiant may also need to examine at another location
any
computer(s) found at the scene because most hard disks
contain so much
data that an on-site inspection is impractical. The
examination
required to determine whether the hard disk contains the
items requested
by this affidavit could take days or weeks. Furthermore
there may be
too many tapes and or disks to allow a thorough search of
such disks
within a reasonable period.
Finally, the computer and magnetic media is the best
evidence
available. Magnetic media is easily erased or destroyed.
Leaving
magnetic media behind may result in the loss of that
magnetic media as
evidence. Your affiant believes that it is better to seize
the original
evidence than to rely solely on copies which have not been
authenticated
in the presence of counsel for persons who could face
criminal charges
based on material found pursuant to this warrant.
Your affiant also seeks to seize documentation associated
with the
computer(s) found at the scene. Your affiant may need that
documentation to search the computer. Moreover, that
documentation may
well contain information identifying the owner and/or user
of that
computer.
Occupancy:
Based on your affiant's training and experience, your
affiant knows
that occupants of dwellings usually receive correspondence
addressed to
the occupants at that particular dwelling. Such
correspondence usually
includes, but is not limited to, phone bills, utility
bills, rental
agreements, rent receipts, identification papers, canceled
mail
envelopes, and personal letters. Additionally, your
affiant knows that
other evidence of ownership and control of said dwellings
can usually be
found on the occupants of said dwellings and may include,
but is not
limited to, keys, rent receipts and photographic
identification
documents, with names and addresses on them. Your affiant
seeks
permission to seize those items.
Based on these facts, your affiant is of the opinion that it is probable that Suspect has committed violations of Penal Code Section 502c(2), the violation of which is punishable by terms of imprisonment of longer than one year.
WHEREFORE your affiant prays that a search warrant be
issued with
respect to the above locations for the seizure of said
property at any
time of the day and that the same be held under Penal Code
section 1536
and disposed of according to law.
___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County
Subscribed and sworn to before me
this 16th day of August 1994.
___________________________
Judge of the Superior Court
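The third action in the affidavit above turns on one property of the Unix side of the transfer: path names are case-sensitive, so a single global change of "mis" to "mIs" in the transfer script silently invalidated every path that contained it, and the failure only surfaced when the business data stopped arriving. A defender can catch that class of edit before the scheduled transfer runs by checking each destination directory named in the script against the real tree and flagging paths that exist only under a different letter case. The Python below is an added example, not the MPE "ftp" script or any MfgCompany or SoftwareCo tool: the script format (put <file> <destination>), the directory names and the temporary tree it builds are constructed, and it assumes a case-sensitive filesystem such as Linux.

```python
import os
import tempfile

# Constructed transfer script in the spirit of the one the affidavit describes:
# each line names a file to push and the Unix path it is copied to.
GOOD_SCRIPT = """\
put orders.dat /export/mis/orders/orders.dat
put stock.dat  /export/mis/inventory/stock.dat
put sched.dat  /export/mis/schedule/sched.dat
"""


def apply_global_case_change(script, old, new):
    """Reproduce the kind of global edit the affidavit describes (every `old`
    becomes `new`); used here only to build the 'after' input for the audit."""
    return script.replace(old, new)


def destination_dirs(script):
    """Yield the destination directory of every `put` line in the script."""
    for line in script.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "put":
            yield os.path.dirname(fields[2])


def find_case_insensitively(path):
    """Walk `path` one component at a time, matching names without regard to
    case. Returns the path as it actually exists on disk, or None."""
    current = "/"
    for part in [p for p in path.split("/") if p]:
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        hit = next((e for e in entries if e.lower() == part.lower()), None)
        if hit is None:
            return None
        current = os.path.join(current, hit)
    return current


def audit_transfer_paths(script, root):
    """Classify every destination directory as 'ok' (exists exactly as written),
    'case-mismatch' (exists only under a different letter case) or 'missing'.
    `root` is prepended so the audit can run against a test tree; in production
    it would be '/' on the receiving Unix host."""
    results = []
    for dest in destination_dirs(script):
        real = os.path.join(root, dest.lstrip("/"))
        if os.path.isdir(real):
            status = "ok"
        else:
            actual = find_case_insensitively(real)
            status = "case-mismatch" if actual and os.path.isdir(actual) else "missing"
        results.append((dest, status))
    return results


def build_sample_tree(root):
    """Constructed Unix-side tree matching GOOD_SCRIPT's destinations."""
    for d in ("export/mis/orders", "export/mis/inventory", "export/mis/schedule"):
        os.makedirs(os.path.join(root, d), exist_ok=True)


def run_demo():
    """Audit the intact script, the script after a global 'mis' -> 'mIs' edit,
    and a script pointing at a directory that does not exist at all."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            "before": audit_transfer_paths(GOOD_SCRIPT, root),
            "after": audit_transfer_paths(
                apply_global_case_change(GOOD_SCRIPT, "/mis/", "/mIs/"), root),
            "missing": audit_transfer_paths("put hr.dat /export/hr/hr.dat", root),
        }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(label)
        for dest, status in rows:
            print(f"  {status:14} {dest}")
```

A "case-mismatch" result is the signature worth alerting on: a path that is wrong in letter case only is far more likely to be an edit to the script than a genuinely retired directory, and a global change will show up as many such results at once, which is exactly the pattern of roughly 30 paths described in the affidavit. Pairing this audit with a stored checksum of the script, compared before each run, would also show that the script itself changed and when.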
This affidavit was used to get into the residence and personal computers of a part-time university employee who broke into another employee's account and used that account.
SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT
JOHN C. SMITH, Sr. Criminal Investigator, Santa Clara
County
District Attorney's Office being sworn, says that on the
basis of the
information contained within this Affidavit and any
attachments thereto,
he has probable cause to believe and does believe that the
property
described below is lawfully seizable pursuant to Penal
Code Section
1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same
as a means of
committing a public offense, or in the possession of
another to
whom he/she may have delivered same for the purpose of
concealing
or preventing its discovery;
(X) constitutes evidence tending to show that a felony has
been
committed or that a particular person has committed a
felony;
and that he has probable cause to believe and does believe
that the
described property is now located at, and will be found
at, the
location(s) set forth below and thus requests a warrant to
search
THE FOLLOWING FOUR (4) LOCATION(S):
LOCATION A:
1. The three (3) electronic mail accounts, including the
information
from these accounts on the system backup tapes, belonging
to Joe
Suspect: #1 suspect@rome.univ.ede (Unix System);
#2 suspect@univvm1.univuniv.edu (IBM system); and
#3 guard@univvm1.univ.edu (IBM system). These accounts are
on
computers maintained and housed in the Information Systems
and
Communications Department, University, Information Systems
and
Communications("ISC") Department, California.
AND
2. The desk and work space of Joe Suspect at the Computer
Information
Center, Information Systems & Computing Department,
FOR THE FOLLOWING PROPERTY:
1. Any and all documents and records, whether on paper or
stored on
magnetic media (including information stored within a
computer)
that contain any of the network electronic mail addresses,
hertz@Rome.Univ.Edu, jeanc@college-ca.edu (Jean Clinton),
or
carol@college-ca.edu.
2. Any and all documents and records, whether on paper or
stored on
magnetic media which contain the code or computer
instructions that
are used for the automatic transfer of information or
email from
one account to another and directing the transfer of email
to or
from supect2nd@rome, hertz@rome, jeanc@college-ca, or
carol@college-ca
3. Any and all programs or computer instructions that
would be used
for the cracking, matching, or discovering encrypted
passwords for
computer accounts.
4. Any and all documents and records, whether on paper or
stored on
magnetic media which contain the code or computer
instructions that
create or operate a computer program commonly known as a
"TROJAN
HORSE", a shell or program that purports to have a
valid purpose,
but contains hidden in its code instructions that start
another job
such as automatically capturing a user's log-on
identification and
password and sends it to another location.
LOCATION B:
SUSPECT'S Apartment B, Drive, in the City of _________.
This
residence is a duplex type residence, that is painted gray
and has a
detached open carport. The residence is on the south side
of Drive
between Streets. There are two street address number
plaques attached
to the front of the house. The plaque with 732B is nearest
the corner
of the west side, where there is a door that appears to be
the front
door for Apartment B. The premises to be searched also
include any and
all yards, outbuildings, storage areas, garages, carports,
sheds, or
mailboxes assigned to the described premises, including
but not limited
to those listed above.
LOCATION C:
The person of Joe Suspect and any personal effects such as,
but not limited to, books, binders, backpacks, or briefcases
where papers or computer disks may be carried.
LOCATION D:
A gray Ford bearing California license ________, registered
to Joe Suspect, City of __________, wherever it may be located
in the County of Santa Clara.
STATEMENT OF PROBABLE CAUSE
Your affiant declares that the facts in support of
issuance of this
search warrant and court order are as follows:
Your affiant, John C. Smith, is a Senior Criminal
Investigator
(Peace Officer) employed by the Santa Clara County
District Attorney's
Office in Santa Clara County, California. Your affiant has
been
assigned to the High Technology Unit of that office since
December 1989.
He has been a California Peace Officer since June 1965. He
is a member
and past President of the High Technology Crime Prevention
Association
(HTCIA), and a member of the Santa Clara Valley Industrial
Security
Managers Association. He has been a Macintosh computer
user since
about 1986 and an IBM PC user since 1990 and owns both
types of
computers. He is a regular user of the Internet and has
had classes on
the Unix/Workstation operating environment. He has over
274 hours of
training in the High Technology field. He has been
involved in at least
five (5) prior intrusion type cases and given several
talks to computer
professionals on investigating intrusions. He has
conversed and worked
with experts in federal law enforcement who have
specialized in these
cases, and who have considerable experience in
investigating and
interacting with persons who have illegally accessed
computers.
Your affiant is currently investigating violations of
Penal Code
Sections 502 (Unlawful Access to Computer Systems).
Your affiant knows from training and experience that
individuals
who "hack" or access computers without
authorization often do so from
their own computer systems and maintain cracking or
password matching
programs which may include dictionary or word lists.
Your affiant knows that persons who hack computer services by
fraudulent means maintain notes and ledgers which document the
accesses that are valid, passwords which have been used or
tried, and their written notes on how to bypass the systems
security measures installed. They also make notes of what
systems are accessed, what files were downloaded or uploaded,
and who else they have been in contact with regarding the
access codes being used.
Your affiant knows from training and experience that persons
who have passwords on their computer system usually maintain a
record of that password on a piece of paper, card, book, etc.
so that it may be retrieved in case the person fails to recall
a password. Your affiant knows the above information may be in
the form of hard copy printouts, paper notes, notes in a
ledger, or files maintained on a computer system itself in the
form of electronic media.
Your affiant knows from training and experience that a
computer
system used to communicate with other systems via modem
and the
telephone lines will be attached to a modem and a phone
line that is
installed in the residence.
On May 10, 1994, your affiant was contacted by Detective
_______, University Police Department, and provided with
police reports
for case number 94- alleging a violation of California
Penal Code
Section 502, Computer Crime. Affiant opened SSCCDA case
#94-0-0661.
Your affiant interviewed Dept Head, Associate Vice
President, in charge
of the Information Systems and Computing (ISC) Department
at AnyCity
State University (Univ); Bill Sysop, Staff Systems
Software Specialist,
ISC, ; and Timothy J. Sysadmin, Network Systems
Programmer, ISC. To the
best of your affiant's knowledge, these three individuals
are reliable
and trustworthy citizens without involvement in criminal
activity.
The following chronology of events prepared by your
affiant after
reading the police reports and interviewing the three
individuals named
above, was prepared for convenient review:
CHRONOLOGY OF EVENTS:
3-21-94 to 4-1-94 - Joe Suspect and Jason Student, student
workers, are suspended from their jobs at the Computer
Information Center (CIC), ISC, Univ and are told not to use
their network accounts for two weeks for verbally fighting and
arguing via their electronic mail accounts on Univ's system
and on America Online, a commercial system.
3-21-94 - A message is sent from "Patricia
Hertz" to ten people, "From:
Suspect!", stating that he had been suspended and to
send any email to
hertz@.univ.edu.
4-12-94 - The email message to "Hello John",
attached as Exhibit #1,
accusing systems operators Sam Sysadmin and another
employee of
maintaining pornographic GIFs (graphic or photographic
computer files)
on the university system was sent to the mailing list on
another system
maintained by Univ
4-14-94 - Univ President Ferris receives an email message
from
jeanc@college-ca.edu (St Mary's College) regarding Univ
computer
administrators holding pornographic pictures on the Univ
system,
attached as Exhibit #2.
4-15-94 - Dept Head assigns Bill Sysop to investigate this
matter.
4-15-94 - Bill Sysop learns that there is no issued
account to "Patricia
Hertz", but he knows a Professor Hertz and contacts
him. Professor
Hertz states he was issued the account but does not use
it.
- Bill Sysop checks logs on the IBM computer network and
finds that
(a) the message, Exhibit #2, sent to Univ President Evens
was received
from jeanc@college-ca.edu on 4/14/94, at 17:49:14 hrs and
that (b)
suspect@univvm1.univ.edu sent a message to
jeanc@college-ca.edu at
4/14/94 17:39:02 hrs, Exhibit #9.
4-27-94 - Univ Police report 94-117-0705 was taken by
Officer Laws. The
suspect named was Joe Suspect.
- Sysadmin examines data in the broken "hertz
account" obtained
from the backup tapes of April 11, 1994, and observes a
".forward" file
used by the Unix mail system to forward mail to another
computer. The
forwarding address listed was supect2nd@.univ.edu, Exhibit
#11.
5-4-94 Front page article appears in Univ newspaper
written by
regarding pornography on the Univ computer system.
*
On 5-11-94 your affiant began his investigation by talking
with
Dept Head at his office at Univ. Dept Head related the
following
information:
In March 1994, Suspect and another student, Jason Student, were
verbally fighting and arguing. This disagreement spilled into
electronic mail. America Online sent a message to Supervisor
and Bill in the Computing Information Center, the supervisor
of Suspect and Student, asking if something could be done to
stop the bickering. Suspect and Student were then suspended
from their jobs for two weeks by the Director of Information
Services (a division of the ISC) after he investigated and
concluded that they had behaved inappropriately. Supervisor
also told Suspect and Student not to use their computer
network accounts during their suspension.
The suspension was from March 21, 1994 to April 1, 1994.
Sometime during this two weeks, Dept Head suspects that
Joe Suspect
hacked into the "hertz account". The "hertz
account" belongs to Univ
Professor Hertz who was assigned the account 2 yrs ago and
has never
used it. The Identifier that is printed when electronic
mail is sent
from the hertz account was changed from Professor to
Patricia.
On 5-11-94 and 5-12-94, your affiant interviewed Bill Sysop,
Staff Systems Software Specialist, Technical Services,
Information Systems & Computing Department, Univ, at the ISC.
Sysop provided affiant with the following information:
The Information Systems and Computing Department (ISC) is
assigned
the task of providing general academic and computing
services and
Administrative services to the University. Administrative
services
include student scheduling, records, grades, and other
student
information as well as purchasing, and assorted
administrative
functions. The campus has an IP (Internet Protocol) type
network that has both Unix and IBM computers attached to it.
The Unix system was installed three years ago. ISC has an
Internet connection.
Sysop was assigned to investigate this matter by Dept Head
after
Ferris, the President of Univ, received an email message
from a Jean
Clinton, St Mary's College, dated 14 Apr 94, 17:49:13 PDT,
stating in
relevant part, "your university computer
administrators are using the
system as a holding area for pornographic pictures."
A copy of the
messages is attached as Exhibit #2.
Sysop began his investigation by trying to find
"Patricia Hertz".
He asked the CIC (Computer Information Center) and learned
there was no
record of "Patricia Hertz". Sysop had worked
with Professor Hertz,
Univ, on prior occasions. Thinking it might be Patrick
rather than
Professor, Sysop phoned Professor Hertz, on April 15,
1994. Professor
Hertz told Sysop that he did have a Unix account but, that
he did not
use it. Professor Hertz told Sysop that he recalled being
told that he
needed a UNIX account to receive email and so about 2
years ago he
signed up with Univ and was given a Unix account that was
named hertz.
He did not use the Unix account because he found he could
use email
facilities directly through the Unix Workstation he has on
his desk.
On Friday April 15, 1994, Bill Sysop examined the SMTP
(Mail
Transfer) log for April 14, 94, on the Univ IBM computer
system,
attached as Exhibit #9. He did this because Ferris's email
account is
on the IBM system. Sysop checked the log for the time that
Ferris had
received Exhibit #2 Jean Clinton. Sysop then looked
through the log and
found that on 4/14/94, 17:39:02 hours, ten minutes before
Exhibit #2 was
sent, Suspect had been connected to jeanc@college-ca.edu.
Your affiant
has obtained a list of log-ins to the jeanc@college-ca
account and
verified this information. One of the log-ins was from
17:55 to 18:06
hours. The message to President Ferris from
jeanc@college-ca was
received at Univ at 18:05 hours.
Sysop knows Joe Suspect to be a paid Student Assistant at CIC,
Computing Information Center, a division of ISC. CIC is
assigned the task of providing computer support to the
academic computing community at Univ and to provide assistance
to administrative computer users. Suspect's supervisor is
-------- who reports to __, Director of CIC. Sysop believes
Suspect has worked there for about 2 years.
On May 12, 1994, your affiant interviewed Bill J.
Sysadmin, Network
Systems Programmer, ISC, at the computer center. Sysadmin
maintains the
Unix network. Sysadmin related the following information
to your
affiant:
The hertz account resides on a computer server called
"" which is
the primary Unix server at Univ. Sysadmin made the
printout labeled
"Apr 17 23:27 1994 hertz.last Page 1.", attached
as Exhibit #10. This
printout, Exhibit #10, is a list of connections to the
hertz account and
shows that someone was connecting to the hertz account on
from a
terminal server that houses the public modem pool. The
entry, "isc-
ts1.Univ.EDU", on the log indicates that the
connection to hertz was
most likely made through a dial-in telephone modem hooked
to the
terminal server.
The original message "Hello John" was sent to
1.BITNET, which
distributed the message to a number of systems users. This
message is
attached as Exhibit #1. At that time there were 30 faculty
members and
students from the Univ campus on the mailing list to
receive messages
sent to the UnivSER account on UnivSER on the IBM system.
This account
serves as a general computer information source for asking
questions and
disseminating information regarding the computer system.
After seeing the message to President Ferris (Exhibit #2),
Sysadmin opined that the hertz account had been broken into.
His opinion was based on a number of factors. He recognized
that the hertz account had a low user id number (meaning that
it was an older account), while the wording of the message in
Exhibit #1 caused him to infer the sender was a new user; also,
the sender described himself or herself as a student. Finally,
faculty and staff are in one file system and students in
another. The hertz account was a faculty account.
Sysadmin made a "last" printout that shows where the user
logged in from and the date & time. A "last log" shows the
account where the connection was made, the name of the
computer or device where the connection came from, the date,
the time, and the duration of the connection. On this "last
log" printout, Exhibit #10, the log shows log-ins from College
and a log-in from the Univ CIC, which is in the form of a
network numerical address, IP address 130.65.55.26. This
number shows up on the log since the computer at that location
has not been given a name.
Sysadmin went to the backup tapes from April 11, 1994, for
the
server on the Unix system and recovered the home directory
from the
hertz account onto his (Sysadmin's) workstation. Sysadmin
printed the
stored mail messages recovered from the backup tape in the
hertz account
and gave your affiant the 56 pages that he printed. What
appears to be
the first message from the hertz account is attached as
Exhibit #3.
That message reads as follows:
Date: Mon, 21 Mar 1994 15:11:36
From: Patricia Hertz <hertz@.Univ.EDU>
Subject: From Suspect!
To: people <bart@>, (list of his friends' email addresses)
"Hello everybody,
I'm sure you're wondering why I'm not using my account to
mail this
to all of you, well the reason is I got suspended for two
weeks
from work. Actually it was me and Jason "May I sniff
your
buttcheeks?" Student that got suspended. It's a very
long story,
but suffice to say I got screwed royally on this one and
as such,
it is only right that I screw back. Student is toast.
I'm not too sure how much mail is going to pile up on my
system in
14 days, but let's do the simple math: I get about 45
pieces of
mail a day on EACH of my accounts, and I have three, count
'em
three, accounts. Let's see 45 times 14 times 3. Shit. 1890
pieces of mail. I think I'll forward all of it to Jason
"I'm, the
Weenie Genie" Student . Anyway, if for any reason you
need to get
a hold of me via e-mail, please use hertz@.univ.edu.
I'll send you all the gory details later.
-Suspect"
Another message that Sysadmin found in the hertz account
deals with
Trojan Horses, attached as Exhibit #4. This message is
addressed as
follows:
Date: Tue, 22 Mar 1994 15:29:44 PST
From: fly <cartert@.com>
To: hertz@.univ.edu
Subject: The Trojan Horse (For Suspect)
In this message, a "Trojan Horse Program" is
discussed. Dfly
states, "Here's what the code *might*(sic) look
like", and describes
what the code would be. Also in this message is a
description of a
Trojan Horse, which is a fake shell. That paragraph is as
follows:
When a user attempts to login on the Trojan Horse their
login name
and password are mailed to a specific user (defined in the
code).
The process then terminates and the user is left with the
*REAL*
login prompt. You now have a password and login for a
specific
user, in other words you have full access to their
account.
How this happens is defined here:
When Sysadmin looked at the data in the broken hertz account,
which he obtained from the backup tapes of April 11, 1994, he
observed a ".forward" file used by the Unix mail system to
forward mail to another computer. The forwarding address
listed was supect2nd@.univ.edu. The file listing shows that
the .forward file was last modified on April 6. On May 19,
1994, Sysadmin printed a copy of the .forward file from the
hertz April 11 backup and gave it to your affiant. As
indicated, this printout is attached as Exhibit #11.
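As an added illustration (not part of the affidavit, of Exhibit #11, or of any
University tool), the Python script below shows how a system administrator can
audit .forward files for the kind of mail re-routing described above. It parses
sendmail-style .forward syntax (comma- or newline-separated addresses,
backslash-escaped local delivery, quoted "|program" pipes, :include: lists and
file appends) and flags any entry that sends a user's mail to another account,
off-site, or into a program. The sample files, the users prof2 and jdoe, and
the domains univ.edu and college-ca.edu are constructed for the example and are
assumptions, not data from the case.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    kind: str    # "local", "remote", "pipe", "include" or "file"
    target: str


# One item per address; a quoted string ("|/usr/bin/vacation jdoe") is kept
# whole even if it contains commas.
_ITEM_RE = re.compile(r'"[^"]*"|[^,\n]+')


def parse_forward(text: str) -> list[Entry]:
    """Parse sendmail-style .forward contents into classified entries."""
    entries = []
    for raw in _ITEM_RE.findall(text):
        item = raw.strip()
        if not item or item.startswith("#"):            # blank line or comment
            continue
        if len(item) >= 2 and item[0] == item[-1] == '"':
            item = item[1:-1].strip()                     # unquote
        if item.startswith("|"):
            entries.append(Entry("pipe", item[1:].strip()))
        elif item.startswith(":include:"):
            entries.append(Entry("include", item[len(":include:"):]))
        elif item.startswith("/"):
            entries.append(Entry("file", item))
        elif item.startswith("\\"):
            entries.append(Entry("local", item[1:]))      # \user: deliver locally, no re-forwarding
        elif "@" in item:
            entries.append(Entry("remote", item))
        else:
            entries.append(Entry("local", item))
    return entries


def audit_forward(owner: str, domain: str, text: str) -> list[str]:
    """Return findings for one user's .forward; an empty list means benign."""
    findings = []
    for kind, target in parse_forward(text):
        if kind in ("pipe", "include", "file"):
            # Program execution or list expansion: always worth a human look.
            findings.append(f"{kind}: {target}")
        elif kind == "local":
            if target != owner:
                findings.append(f"forwards to other local user: {target}")
        else:  # remote address
            user, _, host = target.rpartition("@")
            host = host.lower()
            in_domain = host == domain or host.endswith("." + domain)
            if not in_domain:
                findings.append(f"forwards off-site: {target}")
            elif user != owner:
                findings.append(f"forwards to other account in {domain}: {target}")
    return findings


def scan_homes(homes: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """homes maps user -> (mail domain, .forward text); returns only users with findings."""
    report = {}
    for user, (domain, text) in homes.items():
        findings = audit_forward(user, domain.lower(), text)
        if findings:
            report[user] = findings
    return report


# Constructed sample home directories (assumptions for the example, not case data).
SAMPLE_HOMES = {
    "hertz": ("univ.edu", "supect2nd@univ.edu\n"),            # pattern of Exhibit #11
    "carol": ("college-ca.edu", "hertz@univ.edu\n"),          # pattern of Exhibit #6
    "prof2": ("univ.edu", "\\prof2, prof2@mail.univ.edu\n"),  # local copy plus own mailbox: benign
    "jdoe":  ("univ.edu", '# away until Monday\n"|/usr/bin/vacation jdoe"\n'),
}

if __name__ == "__main__":
    for user, findings in scan_homes(SAMPLE_HOMES).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Run against real home directories by reading each user's ~/.forward into the
map; a pipe entry such as the vacation program is reported so a person can
decide whether it belongs, since the same mechanism would run any command the
intruder chose.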
Sysadmin told your affiant that he called the network
system
administrator at College, College Sysadmin, and advised
College
Sysadmin that someone seemed to have broken into (the name
of the
primary Unix server for the .univ.edu system) from
College's Network.
Subsequently, College Sysadmin told Sysadmin that the
"jeanc" and
"carol" accounts had been broken into. College
Sysadmin sent Sysadmin
a list of log-ins to the computer "galileo" at
St Mary's where the jeanc
and carol accounts are located, (Exhibit #6). Roy College
Sysadmin in
his message of April 26, 1994, (Exhibit #6) states:
"The owner of the carol account found that someone has
tampered with her account. The user hertz@.univ.edu re-routed
her e-mail using a .forward file. This has gone on about 2
weeks. She is understandably very upset and has lost some very
important messages."
On May 15, 1994, your affiant attempted to contact College
Sysadmin
and learned that he is out of town for several days.
Affiant spoke on
the telephone with College's 2nd Sysop, Ph.D., Computer
Science,
College, California, who also serves as a systems
administrator with
College Sysadmin. Dr. College's 2nd Sysop said he was
familiar with the
situation with Univ. Dr. College's 2nd Sysop told affiant
that Carol is
a teacher at College. Mrs. Carol was using her child's
name as a
password; the password thus would have been on a standard
word list or
dictionary used by a cracker or password matching program.
Sysadmin made printouts from the "last" log for
both accounts
"hertz" and "suspect" from the Unix
workstation named "homerun", which
uses as a server. The printout for the supect2nd account
is attached
as Exhibit #7 and the printout for hertz account is
attached as Exhibit
#8. Sysadmin found log entries on March 17 between 16:34
hours and
18:15 hours which appear to indicate that someone logged
out of the
supect2nd account and immediately into the hertz account.
The following are entries of log-in and log-out times from the
"last" logs of the two accounts:
supect2nd   Mar 17   16:34 - 16:40
hertz       Mar 17   16:40 - 16:52
supect2nd   Mar 17   16:52 - 18:07
supect2nd   Mar 17   18:07 - 18:09
hertz       Mar 17   18:09 - 18:15
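As an added example (not part of the affidavit or of Exhibits #7 and #8), the
Python script below automates the comparison Sysadmin made by hand: it parses
Unix "last" output and reports every point at which one account logs out and a
different account logs in from the same origin within a short window. The
sample lines are constructed in the format of BSD/Linux "last" output using the
times listed above; the terminal name ttyp2, the root console entry, and the
year 1994 (which "last" does not print) are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Session(NamedTuple):
    user: str
    origin: str                 # remote host if present, else the tty
    start: datetime
    end: Optional[datetime]     # None when still logged in / no logout recorded


# Matches "last" lines such as:
#   hertz  ttyp2  isc-ts1.Univ.EDU  Thu Mar 17 18:09 - 18:15  (00:06)
# The host column is optional (console logins have none); "still logged in",
# "gone - no logout", "down" and "crash" endings are accepted and treated as open.
_LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)?\s*"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<start>\d{2}:\d{2})\s+"
    r"(?:-\s+(?P<end>\d{2}:\d{2}|down|crash)|still logged in|gone - no logout)"
)


def parse_last(text: str, year: int) -> list[Session]:
    """Parse "last" output (which omits the year) into Session records."""
    sessions = []
    for line in text.splitlines():
        m = _LAST_RE.match(line)
        if not m:                       # blank lines, "wtmp begins ..." footer, etc.
            continue
        start = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['start']}", "%Y %b %d %H:%M")
        end = None
        if m["end"] and ":" in m["end"]:
            end = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['end']}", "%Y %b %d %H:%M")
            if end < start:             # session crossed midnight
                end += timedelta(days=1)
        sessions.append(Session(m["user"], m["host"] or m["tty"], start, end))
    return sessions


def find_handoffs(text: str, year: int = 1994, window: timedelta = timedelta(minutes=1)):
    """Return (from_user, to_user, time, origin) wherever one account's logout is
    followed within `window` by a different account's login from the same origin."""
    sessions = parse_last(text, year)
    hits = []
    for a in sessions:
        if a.end is None:
            continue
        for b in sessions:
            if a is b or a.user == b.user or a.origin != b.origin:
                continue
            gap = b.start - a.end
            if timedelta(0) <= gap <= window:
                hits.append((a.user, b.user, b.start, a.origin))
    hits.sort(key=lambda h: h[2])       # chronological order
    return [(a, b, t.strftime("%b %d %H:%M"), o) for a, b, t, o in hits]


# Constructed sample in "last" format (newest first), using the times listed in
# the affidavit; terminal, host column and the root entry are assumptions.
SAMPLE_LAST = """\
hertz      ttyp2    isc-ts1.Univ.EDU Thu Mar 17 18:09 - 18:15  (00:06)
supect2nd  ttyp2    isc-ts1.Univ.EDU Thu Mar 17 18:07 - 18:09  (00:02)
supect2nd  ttyp2    isc-ts1.Univ.EDU Thu Mar 17 16:52 - 18:07  (01:15)
hertz      ttyp2    isc-ts1.Univ.EDU Thu Mar 17 16:40 - 16:52  (00:12)
supect2nd  ttyp2    isc-ts1.Univ.EDU Thu Mar 17 16:34 - 16:40  (00:06)
root       console                   Wed Mar 16 09:01 - 09:05  (00:04)

wtmp begins Tue Mar  1 00:00
"""

if __name__ == "__main__":
    for from_user, to_user, when, origin in find_handoffs(SAMPLE_LAST):
        print(f"{when}  {from_user} -> {to_user}  via {origin}")
```

The one-minute window reflects the minute granularity of "last"; widen it only
when the terminal server is known to drop and re-dial. Because the comparison
keys on origin as well as time, two unrelated users on different terminal lines
at the same minute are not reported.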
On May 19, 1994, your affiant talked with Bill Sysop and Sam
Sysadmin at their office. They both informed affiant that it
would be highly unusual for Joe Suspect to have his supect2nd
account broken into without Suspect being aware of it and for
cortes not to make a report. Suspect's "vigil" account was set
up to subscribe to various mailing lists dealing specifically
with network security. Suspect is supposed to review any
material that is received and distribute any relevant material
to CIC employees. Sysadmin has never received any complaints
from Suspect about problems with the cortes account being
compromised. Sysop told affiant that when he interviewed
Suspect, he asked Suspect if he was having any problems with
his (Suspect's) IBM accounts. Suspect said he was not having
any problems with his accounts.
On April 19, 1994, Sysadmin said he copied the contents of
the
supect2nd@ account from the backup tapes into his
(Sysadmin's),
workstation. Sysadmin also said that he had not looked at
or examined
the contents of that account until the legality of such
examination can
be determined.
Your affiant seeks permission to bring Bill Sysop and Sam
Sysadmin along on the search to the four locations to assist
with identifying the computer programs described in this
affidavit that are to be searched and seized, and to have them
operate the Univ computer system to search for the items
listed in the Search Warrant. Sysop and Sysadmin will be
acting under the direct supervision and control of your
affiant or another peace officer assisting your affiant in the
service of this warrant. Your affiant is aware that such a
procedure was approved in People v. Superior Court (Moore)
(1980) 104 Cal. App. 3d 1001.
Residence Information:
Joe Suspect told Officer Laws of the AnyCity State University
Police Department that his home address is 732 E. Taylor
Street, AnyCity, California. Dept Head checked Payroll records
and found that Suspect's address is listed as 732 E. Taylor
Street, Apartment 2, AnyCity, California. Dept Head has also
seen a business card for a business maintained by Joe Suspect
that listed an address of _______.
Your affiant checked the California Department of Motor
Vehicle
records for the drivers license information on Joe Suspect
based on the
date of birth, 11-18-66, and drivers license number,
C1111111, on the
police report and found that Joe Suspect Jr has a valid
California
Drivers License that expires on his birthday in 1987. This
record
states that his residence address is ______
California DMV records checked by affiant also show that Joe
Suspect Jr., ___, is the registered owner of a Ford, license
number ___. Affiant drove by the residence and saw a gray Ford,
California license number XXX, in the carport of ___.
Computers:
Your affiant requests permission to search and seize any
computer
systems and magnetic media found at the scene.
Your affiant knows from his training and experience that
computer
systems commonly consist of central processing units
(CPUs), hard disks,
hard disk drives, floppy disk drives, tape drives, display
screens,
keyboards, printers, modems (used to communicate with
other computers),
electronic cables, cassette tapes, floppy disks, and other
forms of
magnetic media containing computer information.
Your affiant knows from his training and experience that
such
computers and magnetic media are used to store
information. Your
affiant believes that, based on the information related
above, that
computers and magnetic media located at the place to be
searched contain
telephone numbers, access codes and the software necessary
to access
such computer codes.
Your affiant knows from his training and experience that
computer
users will commonly keep computer hardware and software in
their homes,
garages, cars, carports, outbuildings, storage areas and
sheds assigned
to their premises.
Your affiant requests permission to seize computer systems
and
magnetic media found at the scene without first conducting
a detailed
examination of each and every hard and floppy disk to
determine if such
systems and media contain the items requested by this
affidavit.
Computer users frequently collect a great deal of software
on disks or
other magnetic media. Searching that media within a
reasonable amount
of time to determine which material is relevant to this
investigation
would be difficult and could risk destruction of the
evidence.
Your affiant may also need to examine at another location
any
computer(s) found at the scene because most hard disks
contain so much
data that an on-site inspection is impractical. The
examination
required to determine whether the hard disk contains the
items requested
by this affidavit could take days or weeks. Furthermore, there
may be too many tapes and/or disks to allow a thorough search
of such disks within a reasonable time.
Finally, the computer and magnetic media are the best evidence
available. Magnetic media is easily erased or destroyed.
Leaving
magnetic media behind may result in the loss of that
magnetic media as
evidence. Your affiant believes that it is better to seize
the original
evidence than to rely solely on copies which have not been
authenticated
in the presence of counsel for persons who could face
criminal charges
based on material found pursuant to this warrant.
Your affiant also seeks to seize documentation associated
with the
computer(s) found at the scene. Your affiant may need that
documentation to search the computer. Moreover, that
documentation may
well contain information identifying the owner and/or user
of that
computer.
Occupancy:
Based on your affiant's training and experience, your
affiant knows
that occupants of dwellings usually receive correspondence
addressed to
the occupants at that particular dwelling. Such
correspondence usually
includes, but is not limited to, phone bills, utility
bills, rental
agreements, rent receipts, identification papers, canceled
mail
envelopes, and personal letters. Additionally, your
affiant knows that
other evidence of ownership and control of said dwellings
can usually be
found on the occupants of said dwellings and may include,
but is not
limited to, keys, rent receipts and photographic
identification
documents, with names and addresses on them. Your affiant
seeks
permission to seize those items.
Your affiant will not intercept electronic mail or examine
electronic mail that has not been read and stored. To the
best
knowledge of your affiant, this Affidavit and Search
Warrant complies
with the requirements of Section 2703 of Title 18, United
States Code, dealing with the disclosure by a provider of
electronic communications services of the contents of an
electronic communication that is in electronic storage.
On the basis of the foregoing, your affiant believes that
evidence
of the commission of felony violations of California Penal
Code section
502 will be found upon the premises and in the records
heretofore
described.
That based upon the above facts, your affiant prays that a
search
warrant be issued with respect to the above location for
the seizure of
said property, and that the same be held under Penal Code
section 1536
and disposed of according to law.
___________________________
AFFIANT John C. Smith
Criminal Investigator
Subscribed and sworn to before me
this 23rd day of January 1994.
___________________________
JUDGE OF THE SUPERIOR COURT
Exhibits:
1 Message "Hello John", from Patricia Hertz,
April 14, 94.
2. Message to ferris@univ from jeanc@college-ca, April 14,
94.
3. Message from Patricia Hertz, Subj: From Suspect, March
21, 94, with
Suspect explaining why he is using this account.
4. Message from fly <carter@.com>, to hertz@univ,
Subj: THE TROJAN
HORSE (for Suspect). March 22, 94.
5. Dept Head's report/chronology of this event. April 20,
94.
6. Message from Systemop@college-ca.edu, To:
Sysadmin@isc.univ, Subj:
last list. April 20, 94.
7. "last" log from supect2nd (Unix) account
showing activity on 3-17-
94.
8. "last" log from hertz (Unix) account showing
activity on 3-17-94.
9. SMTP, mail log, from IBM network showing message to
jeanc@college-
ca on April 14. 94.
10. hertz@.univ "last" log showing connections
and dates, this includes
modem connections.
11. Copy of the ".forward" file from the hertz@
account on the April
11 backup tape.
This is a request for tracing a long distance call
GEORGE W. KENNEDY
DISTRICT ATTORNEY
FRANK D. BERRY JR.
DEPUTY DISTRICT ATTORNEY
70 West Hedding Street
San Jose, California 95110
Attorneys for PEOPLE of the State of California
SUPERIOR COURT OF CALIFORNIA, COUNTY OF SANTA CLARA
In re Order authorizing
"trap and trace" device.
NO.
APPLICATION FOR ORDER AUTHORIZING "TRAP AND TRACE" DEVICE AND
NUMBER SEARCH [18 USC § 3123]
Personally appeared before me this 20th day of January 1994,
Investigator John C. Smith who requests an order
authorizing the
installation of a "trap and trace" device and
number search and on oath,
deposes and says that there is just, probable, and
reasonable cause to
believe, and that he does believe, that the telephone
number(s) from
which incoming calls are to be trapped/number searched and
identified
are being used in connection with criminal activity and
that the
information likely to be obtained by such installation and
use is
relevant to an ongoing criminal investigation.
Your affiant is requesting that this Court authorize a
"trap and
trace" device by Pacific Bell, the American Telegraph
and Telephone
Company, and any other provider of electronic or wire
communication
service for the following telephone numbers: (408)
999-1111 and (408)
999-1112.
Affiant is seeking to determine the origin of all
telephone calls
made to the aforesaid telephone numbers as well as records
showing the
date, time, and length of call, together with the area
code, telephone
number, subscriber identification information (including
name and
address), and location of the calling telephone device.
STATEMENT OF PROBABLE CAUSE
Your affiant declares that the facts in support of
issuance of this
court order are as follows:
Your affiant, John C. Smith, is a Criminal Investigator
(Peace
Officer) employed by the Santa Clara County District
Attorney's Office
in Santa Clara County, California. Your affiant has been
assigned to
the High Technology Unit of that office since December
1989. He has
been a California Peace Officer since June 1965. He is a
member and past
President of the High Technology Crime Prevention
Association (HTCIA),
and the Santa Clara Valley Industrial Security Managers
Association. He
has been a Macintosh computer user since about 1986 and an
IBM PC user
since 1990 and owns both types of computers. He is a
regular user of
the Internet and has had classes on the Unix/Workstation
operating
environment. He has over 274 hours of training in the High
Technology
field. He has worked at least five (5) prior intrusion
type cases and
given several talks to computer professionals on
investigating
intrusions. He has conversed with experts in federal law
enforcement who
have specialized in these cases, and who have considerable
experience in
investigating and interacting with persons who have
illegally accessed
computers.
Your affiant was contacted by Frank L. Edwards, Brand
Incorporated, Security Services Department, Street, FarState,
on
January 19, 1994. Your affiant knows Brand Systems to be a
company which
creates and sells software which enables users to create
and maintain
Mr. Edwards told affiant that the Brand corporate network
had been
penetrated by an unauthorized intruder who had then gained
superuser
status on numerous Brand computer systems, reviewed
proprietary data and
transferred copies of proprietary data to a computer
outside the Brand
network. Your affiant started his investigation case
#94-0-0109, on
January 19, 1994 by interviewing Brand employees Frank
Edwards; Davis
Investigator; Employee2, Investigative Technician; and
Employee3,
Network Security Manager for Security Services. These
interviews were
conducted by telephone.
Employee 3 has a Degree in Electrical from College. He has
worked
in the computer industry since 1979. Employee3 has been
working in
security at Brand for about 15 months. Employee2 started
with Brand
about 1986. He became a Brand Engineer about 1989, and has
held several
jobs of a technical nature. The last four years he has
worked as an
Investigative Technician for Brand Security. Frank L.
Edwards spent 7
years with the FBI, 2 1/2 years with FarState xxxx
Department and four
years with Brand as Manager of Investigations.
The information in this affidavit was furnished to affiant
by these
Brand investigators and Michael Houser, a Brand Manager.
Your Affiant
has worked with Brand Security on previous occasions, and
knows the
personnel to be experienced and reliable. A report in Memo
form from
Scott Employee3 is attached as Exhibit A. To the best of
your affiant's
knowledge, these Brand employees are reliable and
trustworthy citizens
without involvement in criminal activity.
Brand's internal corporate network is designed to link
Brand
facilities with electronic mail, transfers of data and
source code, and
phone system messaging. Brand Security personnel describe
it as one of
the largest in the world. The network links facilities
such as the major
products research & development sites at Texas;
FarState; San Jose, Ca.;
Ca.; sites in the United Kingdom, smaller development
sites, (which do
not do major product development), and Brand sales
offices. There are
over 40 connections on the network worldwide.
Your affiant was informed by these Brand Security
investigators
that the problem with the network intruder first came to
Brand's
attention, on December 20, 1993, when an unknown individual
called a
Brand employee posing as a Novel engineer named John Cash.
The person
posing as Cash asked the Brand employee for his password
to a Brand
computer file server, a 486 Personal Computer named
"Money", located at
the Engineering Department in FarState. The computer file
server named
Money contains source for Brand Software, has ever
developed. The
engineer provided the person his password. This password
enabled the
intruder to log into the file server, Money.
Employee 4, one of the administrators for the file server named Money, checked the internal logs of Money, and found that someone had tried to log in as John Cash through the Brand network computer located at the Brand facility at View, FarState. Further investigation indicated that the intruder had telnetted into View, FarState from an unknown location. (Your affiant knows telnetting to be the method where a user connects to a remote computer via his own computer and directs the remote computer to perform various functions.) Once the intrusion had been verified, Brand started searching intrusion logs on the Money file server to ascertain who had attempted to log onto the computer. Security and administrators then called the employees whose names and accounts had been used by the intruder in an attempt to gain access to the file server.
Some employees on that list contacted the administrators and informed them that they had been contacted by a telephone caller who attempted to persuade them to divulge their passwords. Security contacted some of the employees who said that the caller identified himself as `Doug Smith' from Brand. `Smith' told them he was working on the Money file server and needed their password to make corrections. Affiant knows this to be a method used by network intruders to fraudulently obtain passwords. Security then warned employees not to give out passwords on the telephone, but employee interviews revealed that the intruder was still able to obtain more passwords.
Employee3, working with Michael Houser, Brand Development Systems Manager, and Employee6, Brand Sr. Service Engineer, also found several "Trojan Horses" on the entire Brand network. A Trojan Horse refers to a program covertly placed in a computer system to perform a function not authorized by the system administrator or owner. This Trojan Horse system was designed to capture passwords and then allow retrieval by the intruder. Numerous passwords were captured but only 2 could be used without having to contact their owner. The owners of these two passwords were using the same passwords on the Brand Unix system as well as the Brand System, which runs on DOS systems. Money is on the system and these two passwords allowed the intruder access to Money. Logs of activity on Money, which were provided by one of three system administrators, Jason Johnson, are attached as Exhibit B.
Using the passwords gained through contacting the employees and from the Trojan Horses, the intruder was connecting to various computers on the Brand corporate network, telnetting from machine to machine.
On or about December 28, 1993, a male individual telephoned Employee 8, the Program Manager in the Brand Software Engineering Department, FarState, for Brand utility source code. The man identified himself as a Brand employee named Richard Hoover and requested employee8 place a copy of Brand Source Code on the file server "Flower" into an account called "Richard" with the password being "Richard1". employee8 complied with the request.
On January 4, 1994, at 6:18 pm a male phoned Brand
Information
Services Desk, San Jose, California, and left a message on
voice mail,
for employee9, the system administrator, directing him to
set up a modem
access account for Richard Hoover with the password
"goose". This
caller had also previously talked to employee9. This
account was
established on January 5, 1994. The modem access accounts
from this
facility connect to the Brand Corporate Network, allowing
a user to
connect to computers where the user has a password and
user name.
On January 5, 1994, employee8, the program manager for utility source code, received a telephone call from a person identifying himself as Richard Hoover. This person asked employee8 to put all of the Brand Version X Source Code on a file server called Flower. employee8 tried to load the software; however, it would not fit on this file server. employee8 phoned Brand employee Richard Hoover, at the Brand facility in View, FarState and told Hoover that the entire set of source code would not fit. The majority of the source code files were however transferred to the computer before it became full.
Richard Hoover is a Brand Engineering Manager in the Unix Systems Group at View, FarState, who has authorized access to this utility source code. Richard Hoover informed employee8 that he did not know what employee8 was talking about and denied he had made such a request. employee8 then asked Hoover if he had been the person who had requested that version Y be placed on the file server "Flower" the week previously. Hoover denied that he had ever made such a request. Richard Hoover subsequently told Employee3 that he had never requested a modem access account through Brand's San Jose Office. employee8 said that an unknown person had removed Version X Source Code from the computer. Brand security suspects that was done to make room for version Y.
About January 5, 1994 Michael Houser installed a product called LANalyzer, to troubleshoot network problems, on the network at the Brand View, FarState facility. The LANalyzer was placed in that portion of the Brand network where file server "Flower" resides so that it could watch the traffic in and out of Flower. The LANalyzer captures network data packets which contain destination and origin data. Houser reviewed the data, which showed the intruder retrieving passwords from the Trojan Horse and the transfer of Brand Ver X source code for LogAB and LogCD to the Colorado Supernet account "Ben".
The captured data from LANalyzer shows commands being executed by the intruder to put Brand source code into a computer account on the Colorado Supernet in the name of `Ben'. Name2 is the source code for the Name 2 file that resides on the operating system in an installed Brand networking system on a computer and allows a person to log into a Brand system. The estimated value of Name2.exe is worth in excess of $1.00.
Richard Hoover e-mailed a message regarding the transfer of the data to the systems operator, Trent Hein, at the Colorado Supernet. Colorado Supernet is a commercial service provider of accounts on the Internet to members of the public. Hein told Hoover that the account named "Ben" where the Brand data was being deposited had been compromised and the intruder was not authorized to use it. The logging system at Colorado Supernet showed FTP (File Transfer Protocol) connections being made from 17 different Brand computer systems on the Brand Network to the `Ben' account. The FTP command is used to copy files to and from computer systems, although it can be used to look at a computer directory. Logs from the Colorado Supernet system, for the account Ben, from December 24, 1993, to January 7, 1994, were sent to Brand and are attached to this affidavit as Exhibit C. From December 24, 1993 to January 7, 1994 connections from Brand were made with Colorado Supernet approximately 4 times per day. On January 7, 1994, 10 connections from 4 different Brand computer systems were made to the Colorado Supernet.
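As an added example (not part of the affidavit or of Exhibit C), the following Python reduces constructed FTP login records of the kind described above to the figures an investigator would pull from such logs: the distinct internal hosts that connected to the account, the connections per day, and days whose count jumps above the ordinary rate. The log format, host names and timestamps are invented for the example.

```python
"""Aggregate FTP logins to one account by source host and by day.

Added example for this section, not part of the affidavit or of Exhibit
C.  The log line format and every host name and timestamp below are
constructed; the real Colorado Supernet logs are not reproduced here.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed lines in a hypothetical format:
#   <YYYY-MM-DD HH:MM:SS> ftp-login user=<account> from=<source host>
SAMPLE_LOG = """\
1994-01-05 02:14:11 ftp-login user=ben from=dev1.brand.example
1994-01-05 11:47:30 ftp-login user=ben from=build7.brand.example
1994-01-05 18:02:05 ftp-login user=ben from=dev1.brand.example
1994-01-05 23:55:59 ftp-login user=ben from=hp9.brand.example
1994-01-06 03:20:00 ftp-login user=ben from=dev1.brand.example
1994-01-06 14:05:12 ftp-login user=ben from=mail2.brand.example
1994-01-06 16:30:45 ftp-login user=alice from=pc44.brand.example
1994-01-06 21:11:09 ftp-login user=ben from=build7.brand.example
1994-01-07 00:10:44 ftp-login user=ben from=ts3.sj.brand.example
1994-01-07 00:12:01 ftp-login user=ben from=ts3.sj.brand.example
1994-01-07 01:45:22 ftp-login user=ben from=dev1.brand.example
1994-01-07 02:03:17 ftp-login user=ben from=sun5.brand.example
1994-01-07 02:40:58 ftp-login user=ben from=hp9.brand.example
1994-01-07 03:15:33 ftp-login user=ben from=ts3.sj.brand.example
1994-01-07 04:00:00 ftp-login user=ben from=build7.brand.example
1994-01-07 05:22:10 ftp-login user=ben from=dev1.brand.example
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ftp-login "
    r"user=(?P<user>\S+) from=(?P<host>\S+)$"
)


class FtpLogin(NamedTuple):
    when: datetime
    user: str
    host: str


def parse_log(text):
    """Parse log text; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(FtpLogin(when, m["user"], m["host"]))
    return records


def summarize_account(records, account):
    """Per ISO day: (number of logins, sorted distinct source hosts)."""
    hosts_by_day = defaultdict(list)
    for r in records:
        if r.user == account:
            hosts_by_day[r.when.strftime("%Y-%m-%d")].append(r.host)
    return {day: (len(hosts), sorted(set(hosts)))
            for day, hosts in sorted(hosts_by_day.items())}


def distinct_sources(records, account):
    """Every internal host that ever logged in to the account."""
    return sorted({r.host for r in records if r.user == account})


def flag_burst_days(summary, baseline_per_day, factor=2.0):
    """Days whose login count reaches `factor` times the ordinary rate."""
    threshold = baseline_per_day * factor
    return [day for day, (count, _) in summary.items() if count >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize_account(recs, "ben")
    for day, (count, hosts) in summary.items():
        print(f"{day}: {count} logins from {len(hosts)} hosts ({', '.join(hosts)})")
    print("distinct sources:", distinct_sources(recs, "ben"))
    print("burst days at 2x a 4/day baseline:", flag_burst_days(summary, 4.0))
```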
Employee 11, a Brand Lead Engineer, in the Software Engineering Division, FarState, for a new unpublished Brand project, has a computer running the HP Unix operating system. On January 18, 1994, he installed a "wrapper" on this computer and changed all of the users' passwords. Michael Houser explained that a wrapper is a program that keeps anyone out of a computer who is not an authorized user trying to connect from a computer that has been specifically designated as having permission to connect. Employee11 then checked his computer's logs and found an intruder trying to access this computer from a computer on the Brand network at the Brand facility, San Jose, California. The computer at the facility in San Jose is a 3Com computer terminal server connecting the inbound modem for telephone numbers (408) 999-1111 & (408) 999-1112. This 3Com terminal server (computer) is designed to allow remote connection to Brand's internal corporate network via modem by calling these telephone numbers. The Modem connects the caller to the network via the 3Com terminal server. Brand Security has determined that there have been in excess of 140 logins through this telephone number using the fraudulent account of Richard Hoover that had been established in San Jose. The intruder used this account and telephone number approximately 4-5 times on January 19, 1994 and left a message that read as follows:
"I know you idiots are watching, goodbye
asshole."
On one of these occasions on January 19, 1994, the intruder using (408) 999-1111 as a connecting point e-mailed all of Brand's technical publications to a user on the Colorado Supernet.
Employee3 said the intruder had gained root access at the beginning of the intrusions. Root access gives the intruder system administrator status which would allow the intruder to change passwords and to create methods to gain entry back into the system at some later time even after the intrusion has been stopped. Michael Houser said that the intruder has obtained root access at least 50 times. The intruder has put a hacked program on the root directory on at least 6 computers on the Brand network. Five (5) of these computers are at the Drive facility in San Jose, California. The hacked program is a modified version of a legitimate Sun program called Newgrp. This program at the root level allows the intruder to move into other computers and make changes.
Based on training and experience, it is your affiant's opinion that this series of intrusions throughout the Brand Network has all been perpetrated by the same individual or individuals, based on similarity of methods used, times, interest in Brand source code and the use of Brand employee names.
Your affiant is informed and believes based on the
representations of Jim Capili, an Investigator for Pacific
Bell, that
the items requested in this application are the type of
records
obtained, kept, and maintained by Pacific Bell when they
perform a "trap
and trace". On January 19, 1994 your affiant notified
Jim Capili that
he would be making this application to the Court.
Affiant is requesting a further Order authorizing Pacific Bell, AT&T and any other provider of electronic or wire communication service to the numbers (408) 999-1111 and 1112 to install an appropriate "trap and trace" device in switches connecting to the aforesaid numbers in order that the origin of these calls can be established.
Therefore, your affiant further requests that such an
order be
made.
Your affiant is informed and believes that telephone
companies,
including Pacific Bell and AT&T, are required to
advise subscribers of
telephone service who are identified pursuant to searches
such as here
requested, unless the court ordering the installation of a
"trap and
trace" device makes a specific order to the contrary.
Your affiant
believes that any such disclosure might alert suspects as
to the nature,
scope, and direction of this investigation before it is
completed, and
could therefore impede the investigation and interfere
with the
enforcement of the law. Therefore, your affiant would
request that the
Court issue the following order as part of its Order:
Pacific Bell, AT&T and their agents and employees,
and any other provider of wire or electronic
communication service subject to this Order and its
agents and employees shall not disclose to the
subscriber(s) of the telephone service described
herein, or those subscribers identified as calling
the above mentioned number(s), the existence of
this Order or of this investigation, unless
otherwise ordered by this Court.
That based upon the above facts, your affiant prays that
an order
be issued as requested above.
___________________________
JOHN C. SMITH
Subscribed and sworn to before me
this day of January, 1994.
___________________________
JUDGE OF THE SUPERIOR COURT
Exhibit A - Report by Employee3
Exhibit B - Delyle Johnson's Money activity logs
Exhibit C - Colorado Supernet activity logs
This affidavit was used to trap and trace telephone
numbers calling into
a business. This affidavit would not authorize the
telephone company to
release the subscriber information (name and address),
this would
require another affidavit and order.
GEORGE W. KENNEDY, DISTRICT ATTORNEY
FRANK DUDLEY BERRY, JR., Deputy District Attorney
High Technology Unit
Attorneys for the People
SUPERIOR COURT OF THE STATE OF CALIFORNIA
IN AND FOR THE COUNTY OF SANTA CLARA
In re Order authorizing "trap and trace" device and a "number/call search".
NO.
APPLICATION FOR ORDER AUTHORIZING "TRAP AND TRACE" DEVICE, AND "NUMBER/CALL SEARCH", [18 USC §3123]
Personally appeared before me this 28 day of June 1994, Investigator John C. Smith who requests an order authorizing the installation of a "trap and trace" device, number/call search, and release of subscriber information and on oath, deposes and says that there is just, probable, and reasonable cause to believe, and that he does believe, that the telephone number(s) from which incoming calls are to be trapped/number searched and identified are being used in connection with criminal activity and that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.
Your affiant is requesting that this Court authorize a
"trap and
trace" by the American Telegraph and Telephone
Company, Pacific Bell
Telephone Company, and any other provider of electronic or
wire
communication service for the telephone number specified
below.
Affiant is seeking to determine the origin of all telephone calls made to Computer Co. Inc. Computer Corporation telephone numbers (415) 222-0000 to and including 222-9999 and (415) 333-0000 to and including 333-9999, as well as records showing the date, time, and length of call, together with the area code, telephone number, subscriber identification information (including name and address), and location of the calling telephone device.
STATEMENT OF PROBABLE CAUSE
Your affiant declares that the facts in support of
issuance of this
court order are as follows:
Your affiant, John C. Smith, is a Senior Criminal
Investigator
(Peace Officer) employed by the Santa Clara County
District Attorney's
Office in Santa Clara County, California. Your affiant has
been
assigned to the High Technology / Computer Crime Unit of
that office
since December 1989. He has been a California Peace
Officer since June
1965. He is a member and past President of the High
Technology Crime
Investigators Association (HTCIA), and the Santa Clara
Valley Industrial
Security Managers Association. He has been a Macintosh
computer user
since about 1986 and an IBM PC user since 1990 and owns
both types of
computers. He is a regular user of the Internet and has
had classes on
the Unix/Workstation operating environment. He has over
274 hours of
training in the High Technology field. He has worked at
least eight (8)
prior network/intrusion type cases and given several talks
to computer
professionals on investigating intrusions. He has
conversed with experts
in federal law enforcement corporate network security who
have
specialized in these cases, and who have considerable
experience in
investigating and interacting with persons who have
illegally accessed
computers.
Your affiant was contacted by the Police Department on
6-16-94 and
asked to investigate this matter. Designated by the Police
Department
as case # 92-7354.
Your affiant started his investigation case #94-0-0888, on
6-16-94
by interviewing Patrick Jones, Manager of Network
Security, and Manager
of Information Resources Advanced Networking Group,
Computer Co.
Computer Corporation. Computer Co.'s Network Security unit
is
responsible for Computer Co. Network security, policy,
workstation and
system security audits, and intrusions into Computer Co.
computer
systems and networks.
Jones gave your affiant the following information: He has
worked
for Computer Co. for 9 years. He has been the Manager of
Security
(networks) for the last 9 months. He has worked in the
communication
industry for 19 years with the last 15 years being in data
and voice
type network systems. Working in this field required him
to become
knowledgeable about security issues.
Jones advised that it is his opinion that an unknown person has been attempting to penetrate Computer Co.'s corporate computer system by gaining access through telephone analog lines. Computer Co. has 10,000 telephone numbers dedicated to their corporation. These numbers are designated through two prefixes, (415) 222-0000 through 222-9999 or (415) 333-0000 through 333-9999. Jones said that an unauthorized intruder has been using some type of an automatic dialer program that can check a telephone line for a connection about every six (6) seconds. The intruder has narrowed down the attempts to connect to only analog telephone lines that have a tone which are used to connect to computers and fax machines.
On 6-20-94, affiant was furnished with the report from Helen Phillips, Computer Co. Network Support Specialist, dated 6-16-94, and attached as Exhibit A. In this report Phillips explains that Computer Co. has experienced an increase in telephone calls at the Town Computer Co. facility from an average of approximately 11,000 per day to a peak of 44,000 calls per day on 6-3-94.
On 6-23-94, your affiant went to the Computer Co. facility
in Other
Town and met with Computer Co. employees, Patrick Jones,
Helen Phillips
and Roger Green, Network Security Consultant.
Helen A. Phillips is a Network Support Specialist in the Network Administration Department. She has worked for Computer Co. for about 5 years. Prior to working for Computer Co., she was a telephone communications technician for Pacific Bell and American Telephone for about 9 years. She was trained by Pacific Bell. Phillips's job is collecting and billing "Call Detail Recording". This data shows the telephone usage by Computer Co. employees on the telephone PBX.
Phillips watches for unusual activity and follows up by notifying management of that activity. Phillips gave affiant the following information: Computer Co. leases their telephone system from Communication Company. As detailed in her report of 6-16-94, she observed an alarming jump in total number of call records at certain locations. She watches five locations. She researched the calls coming in and found that the majority of calls were going to numbers not in service. (At the present time, only about 1,000 of the 5,000 numbers are active.) Phillips observed that the duration of the calls was 6 seconds or less.
Phillips observed that when the calls started on 5-24-94, all of Computer Co.'s telephone numbers were being called. Thereafter the calls were focused on numbers that have a tone signifying a connection to either a fax machine or computer modem. As Phillips examined the logs of the numbers called, she also observed repeated calls to the same number. She believes that the intruder did not know what telephone numbers to call in the beginning, but then learned which telephone numbers were for analog lines to fax machines and computers. Some telephone numbers have been hit as many as 300 times per day and others 60 times per day. This is not a normal level of Computer Co. business activity. She found that one line with a tone (telephone number) was hit 27 times in one minute.
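As an added example (not the affidavit's, Computer Co.'s or Pacific Bell's own tooling), the following Python applies the indicators Phillips describes to constructed Call Detail Records: a jump in daily volume over the ordinary level, calls of 6 seconds or less, calls to numbers not in service, concentration on tone lines, and repeated hits on one number within a single minute. The record format, the directory of numbers and every call are invented for the example.

```python
"""Screen Call Detail Records for the dialer pattern described above.

Added example for this section, not part of the affidavit and not
Computer Co.'s or Pacific Bell's tooling.  The CDR line format, the
directory of numbers and every call below are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed directory of in-service numbers and what answers them.
# A number missing from it is treated as "not in service".
DIRECTORY = {
    "4152220451": "modem",
    "4152220452": "fax",
    "4152220100": "voice",
}
TONE_LINES = {"modem", "fax"}  # lines answering with a carrier or fax tone
SHORT_CALL_SECONDS = 6         # observed probe duration: 6 seconds or less

# Constructed CDR lines: <YYYY-MM-DD HH:MM:SS>,<called number>,<seconds>
SAMPLE_CDR = """\
1994-06-02 10:00:00,4152220100,95
1994-06-02 16:05:10,4152220452,41
1994-06-03 08:00:01,4152220451,4
1994-06-03 08:00:07,4152220451,5
1994-06-03 08:00:13,4152220451,6
1994-06-03 08:00:19,4152220451,4
1994-06-03 08:00:25,4152220452,5
1994-06-03 08:00:31,4152220453,3
1994-06-03 08:00:37,4152220454,2
1994-06-03 08:00:43,4152220451,6
1994-06-03 08:01:11,4152220451,5
1994-06-03 08:15:00,4152220100,184
"""


class CallRecord(NamedTuple):
    when: datetime
    called: str
    duration: int


def parse_cdr(text):
    """Parse CSV call records; blank or malformed rows are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        when = datetime.strptime(row[0].strip(), "%Y-%m-%d %H:%M:%S")
        records.append(CallRecord(when, row[1].strip(), int(row[2])))
    return records


def daily_profile(records, directory):
    """Per day: total calls, probe-length calls, calls to numbers not in
    service, and calls to tone lines (modem or fax)."""
    profile = defaultdict(lambda: {"calls": 0, "short": 0,
                                   "not_in_service": 0, "tone_line": 0})
    for r in records:
        stats = profile[r.when.strftime("%Y-%m-%d")]
        stats["calls"] += 1
        if r.duration <= SHORT_CALL_SECONDS:
            stats["short"] += 1
        kind = directory.get(r.called)
        if kind is None:
            stats["not_in_service"] += 1
        elif kind in TONE_LINES:
            stats["tone_line"] += 1
    return dict(profile)


def repeat_hits(records, day):
    """For each number called on `day`: (hits that day, most hits in any
    single minute), the repeat pattern Phillips saw on one tone line."""
    minutes_by_number = defaultdict(Counter)
    for r in records:
        if r.when.strftime("%Y-%m-%d") == day:
            minutes_by_number[r.called][r.when.strftime("%H:%M")] += 1
    return {number: (sum(c.values()), max(c.values()))
            for number, c in minutes_by_number.items()}


def war_dial_days(profile, baseline_calls, factor=2.0, short_share=0.5):
    """Days at or above `factor` times the ordinary daily count where at
    least `short_share` of the calls are probe-length."""
    flagged = []
    for day, stats in sorted(profile.items()):
        surge = stats["calls"] >= factor * baseline_calls
        mostly_short = stats["short"] / stats["calls"] >= short_share
        if surge and mostly_short:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    prof = daily_profile(recs, DIRECTORY)
    for day in war_dial_days(prof, baseline_calls=2):
        print(day, prof[day], repeat_hits(recs, day))
```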
Roger Green is a Network Security Consultant in the Network Security Department. Green gave affiant the following information: He has worked at Computer Co. Inc. for 3 years. Prior to joining Computer Co., Green worked at Large company from 1986-1989. He has a Bachelor of Science Degree from University. Green writes security policies, does intrusion investigations, and evaluates software for enhancing Computer Co. internal security.
Green explained how modems and computers attach to the
Computer Co.
telephone system. He explained that someone can dial a
telephone number
that is connected to a modem and workstation and, if that
person has the
correct password or can determine the correct password,
they have access
to Computer Co.'s corporate world wide computer network
that connects
their facilities in many countries and Computer Co.'s
6,456 employees.
Computer Co. policy requirements call for every computer with a modem to have it configured with software that sets up a call back procedure. Your affiant knows from training and experience that a callback procedure requires someone calling a telephone number to obtain a connection to a computer to give a password. The computer being called has been programmed not to allow a connection, but to telephone back to a preprogrammed telephone number. When the computer telephones back to the prearranged number, the person requesting the connection has to enter a second password. If there is no call back procedure in place, an intruder with the right type of software can call a number and once a tone is received, the computer/software generates a number emulating a password. If the password is incorrect, the calling computer hangs up and dials the number again, this time generating another number attempting to match the password of the computer being called. These password dialer programs are designed to be left running indefinitely, recording any telephone numbers and correct passwords that are successfully determined.
However, Green knows some people have not complied with this policy. Green is concerned that the intruder will hit a modem number that is not set up according to Computer Co. policy with a call back number. Green also said there are a fair number of modems that have been distributed to people through the Computer Co. corporation and these modems are not set up through Computer Co. modem pools but hooked directly to a desktop computer and individual telephone. He knows of about 50 modems in the corporate headquarters building in Palo Alto and estimates that there may be as many as 200 modems through the Computer Co. facilities in Santa Clara County. The Computer Co. modem pools are all configured with call back software.
When affiant asked Green and Jones what they thought the
motive
would be for an Intruder to gain access to the Computer
Co. computer
network, they gave several reasons. They said that
Computer Co.
operating system (OS) source code is valuable, costing in
the range of
xxx per copy, and can be downloaded from the Computer Co.
network.
Also, if an intruder can learn how to break into Computer
Co., such
knowledge would help the intruder learn how to break into
other sites.
Affiant examined the list of Computer Co. telephone
numbers called
by the intruder and noticed that certain numbers were
being called
multiple times. Affiant is aware of at least one other
instance where
even after an intruder was successful in obtaining a
password for
telephone number, the program continued to try other
numbers to obtain
the password for each number. Intruders continue to look
for other
passwords for specific telephone numbers in the event they
are
discovered and closed out of a telephone number they have
learned.
Your affiant is informed and believes based on the
representations
of Darrell Santos, an Investigator for Pacific Bell, that
the items
requested in this application are the type of records
obtained, kept,
and maintained by Pacific Bell when they perform a
"trap and trace" and
"number/call" search. On June 16, 1994, affiant
notified Darrell Santos
that affiant would be making this application to the
Court.
Affiant is requesting a further Order authorizing AT&T, Pacific Bell, and any other provider of electronic or wire communication service to install a "trap and trace" and "number/call search" device.
Therefore, your affiant further requests that such an
order be
made.
Your affiant is informed and believes that telephone
companies,
including AT&T and Pacific Bell, are required to
advise subscribers of
telephone service who are identified pursuant to searches
such as here
requested, unless the court ordering the installation of a
"trap and
trace" device makes a specific order to the contrary.
Your affiant
believes that any such disclosure might alert suspects as
to the nature,
scope, and direction of this investigation before it is
completed, and
could therefore impede the investigation and interfere
with the
enforcement of the law. Therefore, your affiant would
request that the
Court issue the following order as part of its Order:
AT&T, Pacific Bell, and their agents and employees,
and any other provider of wire or electronic
communication service subject to this Order and its
agents and employees shall not disclose to the
subscriber(s) of the telephone service described
herein, or those subscribers identified as calling
the above mentioned number(s), the existence of
this Order or of this investigation, unless
otherwise ordered by this Court.
That based upon the above facts, your affiant prays that
an order
be issued as requested above.
___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County
Subscribed and sworn to before me
this 28 day of June, 1994.
___________________________
JUDGE OF THE SUPERIOR COURT
EXHIBIT A - Report of 6-16-94 by Helen Phillips.
This is new language for seizing computer equipment.
for the following property:
1. Any and all documents, including documents stored in
computer
readable form, that contain the (NAME OF ITEM) or any
portion
thereof.
2. Any and all documents, including documents stored in
computer
readable form, that contain the words (NAME OF ITEM)
Confidential,
3. Any and all documents, including documents stored in
computer
readable form and computer files, relating to (NAME OF
ITEM)'s
4. Any and all computers, including any peripheral devices
connected thereto, as well as any and all hard disks,
floppy
disks, computer tapes, CD-ROM's, and other computer
storage
devices.
5. Any and all computer manuals and instructions for the
use of
any computers and associated peripheral devices found at
the
premises.
6. Any and all documents showing the identity of persons
occupying and/or in possession of the premises to be
searched
including, but not limited to, utility company bills,
telephone bills, mail and personal papers.
Seizure of computer systems:
Your affiant knows from his training and experience that
computer systems commonly consist of a central processing
unit
(CPU), connected to peripheral devices such as hard disk
drives,
floppy disk drives, tape drives, CD-ROM's, display
screens,
keyboards, printers, and modems (used to communicate with
other
computers). In order to examine a computer system it is
sometimes
necessary to have all original peripheral devices
connected to the
CPU in order for the system to work properly.
Computer users also maintain floppy disks and other forms
of
computer readable media which can store computer data and
can be
moved from one computer system to another. Floppy disks
typically
store up to 1.4 megabytes of data. (A megabyte is one
million
bytes of data. One byte of storage is needed for each text
character stored.) The computer systems currently in use
today
typically come configured with internal hard disk drives
with a
storage capacity of 200 megabytes or more. Hard disk
drives on the
market today can have storage capacities as high as one
gigabyte,
which is one-thousand megabytes of storage. In searching
computer
systems it is not unusual to find a large number of floppy
disks along
with the computer system. It would not be unusual to find
hundreds
of floppy disks associated with a computer system.
Your affiant requests permission to seize all computer
systems
and computer readable media found at the scene without
first
conducting an examination of each and every hard and
floppy disk to
determine if such systems and media contain the items
requested in
this affidavit. Computer users frequently collect a great
deal of
software on disks or other computer readable media.
Searching that
media at the search scene within a reasonable amount of
time to
determine which material is relevant to this investigation
is not
usually possible. It can take up to one hour to search
just one
(1) megabyte of computer storage. Given the storage
capabilities
of modern computers and floppy disks it could easily take
upwards
of 200 hours just to search one computer system and its
associated
floppy disks.
Finally, the computer and magnetic media is the best
available. Magnetic media is easily erased or destroyed.
Leaving
magnetic media behind may result in the loss of that
magnetic media
as . Your affiant believes that it is better to seize the
original
than to rely solely on copies which have not been
authenticated in
the presence of counsel for persons who could face
criminal charges
based on material found pursuant to this warrant.
Your affiant also seeks to seize documentation associated
with
the computer(s) found at the scene. Your affiant may need
that
documentation to search the computer. Moreover, that
documentation
may well contain information identifying the owner and/or
user of
that computer.