
 INVESTIGATING AND PROSECUTING NETWORK INTRUSIONS

 

JOHN C. SMITH, SENIOR INVESTIGATOR

HI TECH / COMPUTER CRIME UNIT

SANTA CLARA COUNTY DISTRICT ATTORNEY'S OFFICE

70 WEST HEDDING STREET

SAN JOSE, CALIFORNIA 95110

408/299-8411 email jsmith@netcom.com

 

 

The Santa Clara County District Attorney's Office Hi Tech /

Computer Crime Team has had years of experience investigating and

prosecuting trade secret thefts, network intrusions, chip thefts, and

other types of high technology thefts in Silicon Valley. The Unit is

composed of two Deputy District Attorneys and one Investigator.

Some of the cases we have handled include:

Theft of source code to manufacture computer chips.

Theft of manufacturing processes to make computer chips.

Theft of password files from computers (hacking).

Sending harassing e-mail over networks (Internet).

Theft of software by rewriting into another computer language.

Shutting down computers via telephone access.

Theft of source code to develop a competing software program.

Intrusion into computer systems using random number dialers.

Theft of source code via modems and cellular phone.

Intrusion into systems via the Internet using bugs such as rdist.

Illegal intrusion into networks to destroy data.

Theft of hardware and computer chips.

THIS PRESENTATION WILL COVER

Network intrusions.

Theft of proprietary material.

How to conduct your investigation and gather evidence.

How to gather and safeguard the evidence necessary for prosecution.

How to get the appropriate law enforcement support.

How to work with law enforcement so they understand the problem.

What is required for a search warrant.

How a Search Warrant Raid is conducted (You may be asked to go.).

What is required for a telephone trap.

What is required for an arrest.

What to expect from the court process.

How to prepare to testify in court if necessary.

How to recover damages civilly or from probation.

Impact of the Electronic Communications Privacy Act.

Examples of Search Warrants and Telephone Traps are attached.

Actual cases will be discussed and used as examples. The search warrant affidavits and telephone traps attached to this outline are exactly as I took them to court, with the exception of the name changes. By thoroughly reading the affidavits, the reader will have the opportunity to see what probable cause is required to obtain a search warrant.

HAS A CRIME BEEN COMMITTED

Under most circumstances, for federal or local law enforcement to assist you, there has to be a violation of the law.

United States Code, Title 18, Section 1030, "Fraud and related

Activity in Connection with Computers", is the section relied upon

by the FBI. (A COPY OF THIS SECTION IS ATTACHED.) The FBI will

also attempt to use sections dealing with theft by wire and

interstate theft.

Each state has its own laws. These laws vary widely, and most states have not yet enacted appropriate laws for dealing with computer or network intrusion.

California Penal Code Section 502, "Unauthorized Access to

Computers, Computer Systems, and Computer Data." (A COPY IS

ATTACHED.) Some of the subsections are felonies. A person

who is convicted of this section is subject to having their

computer forfeited under Penal Code Section 502.01.

California Penal Code Section 499c, "Trade Secrets" covers the

theft of trade secrets. This has to be scientific or

technical information, computer programs, or information

stored in a computer.

If local law enforcement decides that they do not have sufficient information to file a crime report, conduct a search warrant, or issue an arrest warrant, they may be able to phone or contact your suspect and warn them to stop. This does sometimes work.

WHEN A CRIME HAS BEEN COMMITTED

DO NOT CONFRONT OR TALK WITH THE SUSPECT.

This gives them the opportunity to hide or destroy evidence.

Law enforcement probably will not help you if this occurs because

of the slim chance of making a case.

If necessary call law enforcement and ask what the law is.

Many times executives of victim companies are hesitant to file a crime report until they know and understand what law enforcement will do. Can you discuss what your options are with the appropriate law enforcement agency without having to make an official report?

You should be able to discuss your options without having to file

an official crime report. Under most circumstances our office will

not file a criminal case for theft of data or proprietary

information (Industrial Espionage) unless the company/victim wants

to file a criminal charge. These cases are complex and require the

willing cooperation of the victim. We make sure they understand

what will be required of them before we will start an

investigation.

Many times both the FBI and local law enforcement will have jurisdiction

over a network intrusion or theft. You may want to talk to both about

how long their investigation will take and what they expect from you.

Will their reports be available for your review and use in civil

actions?

Law Enforcement does not like a company "shopping" for the best

deal so be careful how you deal with agencies. Remember the

agencies talk and work with each other.

Local law enforcement may have trouble conducting the investigation

outside of their jurisdiction. Police Departments and Sheriff's

Offices will work with their local prosecutors.

Will the FBI conduct an investigation? They have to work with

the U. S. Attorney's Office to obtain a search warrant or

investigate a case.

SHOULD YOU REQUEST LAW ENFORCEMENT ASSISTANCE

This can be DAMAGE CONTROL, the only way you may ever know the extent of

your loss or network penetration is from the evidence collected from a

search warrant.

DO NOT WAIT TOO LONG TO CALL. It is best to notify law enforcement right away. In one case we worked, the backup tapes from a system an intruder was using were kept only a short time and then reused.

In a civil action, you will demand discovery to obtain evidence and learn what documents or data the defendant may have, but it is up to the person being sued to turn over the documents you are accusing them of stealing or using to penetrate your network.

Working with law enforcement is a time consuming and demanding task.

For us to assist you with an investigation we require your assistance

and cooperation. We need:

A commitment of your time and resources. You will have to work

with law enforcement at almost every step of the process.

Interviews to prepare crime reports and the affidavit for a

search warrant.

Engineers or computer operators to accompany law enforcement on the

search warrant to assist with operation of computer system and

identification of data or property.

Assistance from the victim company to identify and describe documents, source code, and other evidence found.

A company expert may need to be available for explanations and

assistance during a trial.

Documents may need to be provided to the defendant's attorneys for

discovery. They may ask for more than you want to provide. Your

attorney will have to argue against broad ranging discovery.

Defendants are entitled to seek evidence they need for their defense.

You and other company employees will be subpoenaed to testify. This is time-consuming in that witnesses may have to wait their turn in court.

Very few cases actually go to trial! Approximately 5% go to trial in Superior Court in Santa Clara County, California.

There will generally be plea bargaining and negotiations so that an

agreed upon sentence can be reached. Both prosecutors and defense

attorneys know what sentences can be expected from certain cases.

White collar crimes are not usually prison crimes.

You should be able to access law enforcement's reports. This will help

you understand your situation. You can then use those reports for civil

proceedings.

If you are going to initiate civil litigation, it is a good idea to wait

until you decide whether you are going to make a report to law

enforcement. You do not want to alert the suspect to criminal action in

the event a search warrant is issued.

Law enforcement does not (or should not) care if civil actions are

filed. In most of our cases there have been parallel civil actions

and they have not affected our cases.

In some cases the victim's attorneys have used our Search Warrant

Affidavit to apply to the court for a TRO (temporary restraining

order) to prohibit a suspect from using materials or data they have

taken.

HOW TO GET LAW ENFORCEMENT'S ASSISTANCE

CORPORATE SECURITY - If your company has corporate security or a

corporate investigator, talk with them. They may know the capability of

law enforcement in your area. They may have contacts with law

enforcement. They may know the best way to get assistance.

The High Technology Crime Investigation Association (HTCIA) is a group

of local and federal law enforcement officers, corporate investigators

and private investigators who have an interest in or work in the area of

computer or high technology crime. HTCIA provides training to its

members. I can put you in touch with someone from each chapter.

HTCIA has chapters in:

Silicon Valley (San Jose), California

Southern California

Northern (Sacramento), California

Austin, Texas

Portland, Oregon

Chicago, Illinois

New York, NY

New Mexico

Chapters have begun forming in the Netherlands and in Arizona.

(I try to keep up with current contacts and phone numbers.)

 

If you call local law enforcement, I recommend calling the

investigations or detective bureau directly.

If you call 911 or a regular police department reporting number, they will send a uniformed officer and log the call on a public log. It is the uniformed officer's job to write a report, which will go through a review process, be logged in by records, and then be sent to investigations for assignment to the appropriate investigator. This can sometimes take a week.

Try to get the direct assistance of an investigator. You will

usually get a more experienced officer and faster assistance.

Call your local prosecutor's office. Most District Attorney's Offices have investigators. Ask if there is a computer or hi tech unit. Ask if they know who would be best to assist you.

Training for law enforcement is becoming better and easier to get.

Don't be surprised if there is a highly trained law enforcement officer

in your local area. You just have to find them and cultivate their

friendship. Interested law enforcement officers would probably be

interested in talking with you or touring your facilities.

If your company will allow (many will not), consider volunteering

to provide advice and assistance to local law enforcement. I have

started a volunteer program of computer knowledgeable individuals

who help me on search warrants and help retrieve data from

computers. If you work for someone you should get permission

first. Many corporations see this type of volunteer work as being

a conflict of interest. If this is the case, see if they will let

you provide advice or training to law enforcement. This will pay

dividends because it gives you direct access to law enforcement for

advice if and when you need it.

The FBI has a highly trained computer crime team stationed in Washington

D.C. They can be reached at (202)324-9168.

WORKING WITH LAW ENFORCEMENT

Remember there is a very good chance the law enforcement officer is not going to understand the technical aspects of what you are talking about. Most cannot work PCs, much less understand a network problem.

You should have been making notes of your activities as you track an intruder. Put this in some type of report or memo format. This report can be given to the officer. It can also be used as part of the report or as an attachment for a search warrant. You can then use this report to help you recall what you did if the case goes to trial many months later.

As you write your report remember WHO, WHAT, WHEN, WHERE, WHY, and

HOW. If you and law enforcement can show this you can make a case.

Diagrams are very helpful in understanding systems. A diagram can be

attached to the report to help others who have to read and understand

the report. Diagrams are frequently used in court.

EVIDENCE

In these types of cases evidence may consist of such things as backup tapes, printouts of computer programs, suspects' accounts and their contents, and computer disks.

In one case we used an article found online that had been written

by our suspect regarding activities he had been involved in. We

attached this to our affidavit requesting a search warrant.

In an intrusion case, you will be looking for evidence that will show who committed the violation and that can be used to obtain a search warrant to seize the suspect's personal computers at his home or business.

A suspect would have a good defense if you only found evidence in

an online account. The defense will claim that someone else put

the evidence there. We would not charge a person with a crime on

the basis of evidence found in an online account.

We investigated and obtained a conviction on a suspect who used someone else's account (after they broke the password) to shut down a computer. I later found the broken password on the original suspect's home computer. (I CAN EMAIL YOU THE JUDGE'S RULING FROM THE APPEAL WHERE HE DISCUSSES THIS.)

You would use the evidence in the online account to seize the suspect's computers. Law enforcement will then search the suspect's personal computers for evidence. You often find printed material at a suspect's home that can be used as evidence.

Evidence must be gathered by law enforcement officers in accordance with court guidelines governing search and seizure or it will be excluded. This is referred to as the Exclusionary Rule. It does not apply to ordinary citizens such as you. You do have to remember that if you do something illegally you could be sued.

If you gather evidence at the request or suggestion of a law

enforcement officer and the gathering does not meet the legal

requirement, that evidence will be excluded.

Remember the provisions of the Electronic Communications Privacy Act,

Chapters 2500 & 2700 of Title 18 of the United States Code.

CHAIN OF POSSESSION - This means that for evidence to be admitted in court, the prosecution has to be able to show who obtained it, who secured it, and anyone who has had control of it. It will probably be necessary to have anyone in this category testify. This applies to anything you may secure, such as a disk or backup tape.

Evidence should be properly marked by placing your initials on items

like tapes, printouts, documents, or equipment. Items can be sealed in

envelopes or bags which should be signed, dated, and sealed.

Evidence should be stored and locked, so that you can testify that no

one other than yourself or those people that you can name have had

access to it.

The defense may maintain that an item has been tampered with or

changed.

Read the attached Search Warrant Affidavits for ideas on what can be

evidence. These are actual warrants I have written and served, but with

name changes.

The affidavit on page 27 is a good illustration of what can be evidence.

OBTAINING AND SERVING SEARCH WARRANTS

The search warrant should be done as quickly as possible before the

intruder can do further damage. It has been my experience that this

type of person does not destroy data unless they are threatened.

It is important that you keep information about the investigation

limited to as few people as possible. This limits the possibility

of the investigation being leaked.

When I go to a victim company to conduct my investigation, I

usually do not identify myself as law enforcement to company

receptionists and others not involved in an investigation.

You should ask law enforcement to merely request to speak with

you when they come to your office to start the investigation.

Probable cause is the criterion required for the issuance of a search warrant. You have to establish that a crime has been committed and show why there is cause to enter someone's home or business. The law enforcement officer, probably a local prosecutor, and a judge all have to believe that there is probable cause. For a conviction you have to prove that someone is guilty beyond a reasonable doubt, a much stronger standard than probable cause.

If you have property or data stolen and probable cause can be

established, a search warrant can be issued for both building and

computer systems. Comparisons of data recovered can be made with data

allegedly stolen.

You may be asked to accompany law enforcement on the search warrant as

a technical assistant or to identify property.

If it is necessary for you to carry documents in on a search warrant, consider copying them onto colored paper. This will prevent the defense from inferring that what might have been found was left by you.

Once law enforcement has served the search warrant and examined the

seized computers and disks, you will start to be aware of the extent of

your problem. You will probably be asked to help evaluate and identify

programs found on computers.

This will probably lead to other victims.

Any evidence gathered during the search warrant, even though maintained

by law enforcement, is legally under the control of the court. Even

though a seized item may have your name on a document, it will not be

returned to you unless the suspect signs a release or after a hearing by

the court.

Many victims just want to get their property back after a search

warrant has been completed. They may not want to go to trial for

fear of disclosing information and think that if they drop charges

they will get their property returned to them.

TELEPHONE TRAPS

(SEE ATTACHED EXAMPLES)

This requires the equivalent of a search warrant. You will have to file

a crime report with law enforcement. The prosecutor or U.S. Attorney's

office will have to approve the request before it is taken to a judge

for signature.

The form will be different from state to state, but it almost always takes probable cause.

Once you have information regarding where calls are coming from, this

will be the probable cause needed to obtain a search warrant for that

location.

Modifying and illegally using cellular phones has become big business. It is impossible to track and locate a suspect who has used someone else's ID or cellular phone number. In one case the suspect social engineered a modem access number and then used a cellular phone to illegally access a company's network.

If you belong to any type of an association, invite a local telephone

company representative to meet and talk with your group.

Most of the telephone companies are charging for these types of

services. You will be required to pay the costs.

DISCOVERY AND PROTECTIVE ORDERS

Discovery is where the prosecution (not the defense) provides all

reports, information on evidence, list of potential witnesses, any

criminal history of witnesses, and any information except how the

prosecution is going to present the case in court.

Any property or data recovered by law enforcement will be subject to discovery if a person is charged with a crime. However, a protective order can limit who has access, who can copy, and the disposition of the documents.

A protective order allows you to protect proprietary or trade secret

documents related to the case.

California Evidence Code Sections 1061, 1062, and 1063 deal with protecting proprietary information, how to obtain protective orders, and how to close courtrooms during discussion of proprietary information. They also limit who the defense can hire to use as an expert witness.

If your State does not have such a law, you and members of your

association should work to have one passed.

(AN ARTICLE ON THIS SECTION IS ATTACHED)

CRIMINAL TRIALS AND TESTIFYING IN COURT

Once a person is arrested they will be arraigned, during which time the

court will make sure the suspect has an attorney. For a felony a grand

jury hearing or preliminary hearing will be scheduled. States do differ

somewhat in this process.

In a grand jury hearing neither the defendant nor their attorney can be present. A grand jury hearing is considerably faster.

In a preliminary hearing the prosecution must show that a crime has

been committed and there is probable cause to believe that the

defendant committed the crime.

If the defendant is held to answer in a preliminary hearing or the grand

jury returns an indictment, a trial will be scheduled.

If the case goes to trial, interviews with witnesses will be necessary.

You may have to assign someone to work with law enforcement as a

liaison. Key employees will have to spend time away from work at the

court as the prosecution is required to have another witness ready as

soon as the current witness is excused.

If you are called as a witness, you should be given instructions prior

to trial by the prosecutor about the type of questions to expect and how

you will be allowed to answer questions. Remember the prosecutor does

not know what the defense attorney will ask. The prosecution is

required to furnish the defense with copies of all reports, evidence,

and witnesses names prior to the trial.

Listen to the question carefully to get the full meaning and determine that it is not a multiple-part question or contradictory. Most defense attorneys are going to want you to answer only yes or no. However, if you cannot answer with a yes or no, let the court know that it is necessary to answer with an explanation.

Do not answer immediately and make sure you understand the

question. This pause will give the prosecutor time to object to

defense questions that are inappropriate, confusing, or vague.

If you do not totally understand the question, ask for an

explanation or start your answer by stating: "I understand your

question to be... (give an explanation) and thus my answer would be

this....."

You cannot give hearsay answers, only information that you have seen or done. This means that you can generally not testify as to what someone has told you.

Engineers are generally poor witnesses. They tend to see things in

absolutes. Often times it is necessary to explain or request

clarification so that a witness is not always answering no.

In one case we called a woman engineer as a witness. On the first day she answered no so often everyone thought she was committing perjury. That evening I explained that she should begin explaining rather than just saying no. This worked for her.

EXPERT WITNESS - Based on your education, training, and experience, you

may qualify to testify as an expert witness. This will allow you to

give explanations about how computer systems or networks function. In

order to give an opinion you have to be qualified as an expert witness.

I have testified as an expert on fingerprints, drugs, alcohol, and

prostitutes. It has taken up to an hour to go through this process

as the defense can also challenge your expertise.

RECOVERY OF DAMAGES

To recover the cost of damages, such as reconstructing data,

re-installing an uncontaminated system, or repairing a system, you can

file a civil lawsuit against a person.

You can hire an attorney or you could consider filing a claim in small claims court. In California, neither you nor the person you are suing can take an attorney into court. Small claims is heard only by a judge. In California the maximum that you can sue for in Small Claims is $5,000.00. Check with your local court to learn the small claims maximum.

 

THINGS TO REMEMBER DURING AN INVESTIGATION

To remember this think of Smith's Splendid / Silly / Superfluous System

SPEED

STEALTH

SYSTEM SECURITY

SECURE EVIDENCE

SUSPICIOUS / SCREWY EMPLOYEES

SHOW & EXPLAIN - REPORTING

SEARCH WARRANT - PREPARE AND SERVE

SPEED

Obtain a copy of any unauthorized program or data quickly before it is moved or erased. This copy could be valuable evidence. Notify law enforcement and try to get a search warrant to find any additional data or seize any personal computers associated with the crime. There is likely to be additional information in the computers that may tell you about other intrusions into your systems as well as other companies.

In one case I found 10 /etc/passwd files, most with cracked passwords. In recent cases I have found a backdoor login program and a trojan horse. I was able to show these programs to the systems operator so they could more effectively check their systems.

If you have a theft of a trade secret, you should talk with your law enforcement representative to find out what they can and will do to help. Can the secret be stopped before it is removed from the United States, and what can be done if it is removed? We are presently prosecuting a company based in Taiwan.

STEALTH

Don't alert the intruder that law enforcement is involved. In several cases it has taken several weeks to complete the investigation and obtain a search warrant. Very few people in the victim company knew who I was; they merely viewed me as another consultant. As a result we recovered computers and other data from the victims.

SYSTEM SECURITY

This will most likely be your major concern, but law enforcement's role is to catch the bad guys. Explain to law enforcement what the intruder can do with any data they may have taken or from just gaining access. Remember the law enforcement officer may not understand the potential damage to your system or the overall ramifications of "merely having an unauthorized person connecting to your system."

Explain what an intruder can do if they can get root access and

what it will take for you to correct the problem.

Even under the ECPA you can take steps to protect your system, if you do

tell law enforcement what you found without a proper search warrant.

If you think you need to examine someone's account to protect your

system, you should document the reasons that you took the action.

SECURE EVIDENCE

Remember the Chain of Evidence. This is critical as we can not

introduce evidence in court unless we can prove the chain of possession.

Make or obtain tapes of data when possible.
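The chain of possession described under EVIDENCE above, and the reminder here to make tapes of data, are easier to prove for digital copies when each copy is fingerprinted at acquisition and every handover is logged. The following is an added example, not part of the original outline: it hashes an evidence copy with SHA-256, appends each custodian's handover to a custody log, and re-verifies the copy later so a claim that the item was changed can be answered. The item id, file name and custodian names are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Added example, not part of the original outline. Item ids, file names and
# custodian names below are constructed for illustration.


def sha256_file(path):
    """Hash a file in 1 MiB chunks so a large backup image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody(log_path, item_id, path, custodian, action):
    """Append one entry (who, what, when, hash) to an append-only JSON-lines log."""
    entry = {
        "item": item_id,
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "custodian": custodian,
        "action": action,
        "time": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log_path, item_id, path):
    """Re-hash the item and compare it against every hash recorded for it.

    Returns the custodians in order (the people who may have to testify) and
    whether the current copy still matches what was recorded at every step.
    """
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    history = [e for e in entries if e["item"] == item_id]
    if not history:
        return {"intact": False, "custodians": [], "entries": 0}
    first_hash = history[0]["sha256"]
    consistent = all(e["sha256"] == first_hash for e in history)
    matches_now = sha256_file(path) == first_hash
    custodians = []
    for e in history:
        if e["custodian"] not in custodians:
            custodians.append(e["custodian"])
    return {
        "intact": consistent and matches_now,
        "custodians": custodians,
        "entries": len(history),
    }


def demo():
    """Walk a constructed tape copy through two handovers, then simulate a change."""
    workdir = tempfile.mkdtemp(prefix="custody_")
    evidence = os.path.join(workdir, "backup_tape_copy.img")  # constructed sample item
    log_path = os.path.join(workdir, "custody.log")
    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence bytes\n" * 64)

    log_custody(log_path, "ITEM-001", evidence, "sysadmin (victim company)", "copied from tape")
    log_custody(log_path, "ITEM-001", evidence, "investigator", "received and sealed")
    before = verify_custody(log_path, "ITEM-001", evidence)

    # Any change to the copy after sealing must make verification fail.
    with open(evidence, "ab") as f:
        f.write(b"extra line\n")
    after = verify_custody(log_path, "ITEM-001", evidence)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```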

Try to determine the motive of the intruder. This will help with the prosecution.

In cases of theft, a showing of probable cause will have to be made that the product being sought in the search warrant is the same as the victim company's. I have made comparisons of the victim's printed manual with the manual or manual pages from a suspect's software program. A victim company engineer's statement that the functionality is the same is not sufficient; this statement must be corroborated with evidence like the manual pages.

SUSPICIOUS EMPLOYEES

If an employee with system knowledge leaves your company, consider changing passwords. We investigated a case where a manufacturing database was erased twice. The first time was with the use of a current employee's password that the suspect learned while employed with the victim.

Most of the Santa Clara County District Attorney's Office's cases of trade secret theft have involved employee embezzlement. Several examples include:

WBS - a disgruntled engineer who carried out thousands of pages of

proprietary information and tried to use them to get another job after

he was terminated.

M Goldberg - a young man from France who was sent to the United States to work in American software companies rather than serve his French military draft obligations. When his two-year obligation expired he was stopped from getting on an airplane with enough proprietary information to duplicate the software program he had been working on. He said he wanted to get a job when he returned to France.

CVD - The manager of a computer support group who had his employees rewrite his company's major database program from an IBM mainframe language to C for Sun workstations. He then sold it for several million dollars. He was also trying to do business with other countries. A Sun employee was also convicted of commercial bribery for helping CVD sell the stolen software to Sun. He was also trying to sell computer programs in other countries.

Raj - an Indian engineer who went to work as a security guard at a

computer company's R&D building while at the same time he was working

for other companies doing the same type of development.

Foreign companies - One tactic is to hire one employee from a company so

that person can help determine who else to hire.

SHOW & EXPLAIN FOR LAW ENFORCEMENT

When you think you have a problem you should ask your local law enforcement whether they are required to take a report if you talk to them about a problem. If you decide you are going to file a report, designate someone to work with law enforcement.

Remember a report and diagrams are helpful.

On a case of software theft, I worked with a customer support software

engineer who was very good at explaining the company product.

Law enforcement will have to talk directly with development engineers, financial officers, and other company officials. You cannot just have your attorney relate the information. We require a commitment from a high ranking company official that they will support a criminal trial before we will start a search warrant.

 

SEARCH WARRANT

A search warrant to check a suspect's home and computers is the only way to know the extent of an intrusion into your computer system or to learn if any programs were modified or programs left in your system.

A search warrant is also often the only way to recover stolen

proprietary information.

A phone trap also requires a search warrant.

FEDERAL AGENCIES

FBI - has a computer crime team in Washington DC and some trained agents in various field offices.

Secret Service - has experts in areas around the USA.

Customs - tracks money exchanges.

U. S. Commerce Department - can keep companies who have stolen products from doing business in the USA, such as in the case of the Taiwanese company charged with theft of trade secrets.

IRS - sometimes, even if you cannot prove a crime, the IRS can tax people who have stolen products, made money, and not paid taxes.

ECPA - TITLE 18 U S CODE 2500/2700

The Electronic Communications Privacy Act, Title 18 US Code Chapters 2500 & 2700, as it relates to keystroke monitoring or system administrators looking in other people's accounts: if you do not have a banner or the account holder has not been properly notified, the system administrator can be guilty of a crime and liable for civil penalties from a lawsuit for keystroke monitoring or looking in someone's account.

 

 

 

ATTACHMENTS

SEARCH WARRANT EXAMPLES:

Page 16 - For a Commercial E-Mail account

Page 20 - Illegally accessing a company network and destroying data

Page 27 - Broken University account

Page 38 - Number Search & Trap and Trace for long distance connections

Page 45 - Trap & Trace for attempted contact to system

Page 50 - Example of new language for describing computer data and

computer equipment to be seized with a search warrant.

 

Page 52 - Section 1030 Title 18 U.S. Code

Page 55 - Section 499c California Penal Code

Page 56 - Section 502 California Penal Code

Page 61 - Article on 1061 California Evidence Code

The following three (3) Search Warrant Affidavits on file with the Superior Court were used to obtain a conviction in a case where the defendant was charged with the theft of passwords and for shutting down a computer:

Page 65 - For account information from a commercial provider, conforms to ECPA.

Page 81 - For computers and other records to show network intrusion.

Page 89 - For computers after a computer was shut down.


This affidavit deals with obtaining a copy of a suspect's electronic mail account at a commercial account provider for the Internet.

SUPERIOR COURT OF CALIFORNIA

SANTA CLARA COUNTY JUDICIAL DISTRICT


STATE OF CALIFORNIA - COUNTY OF SANTA CLARA

AFFIDAVIT IN SUPPORT OF SEARCH WARRANT

JOHN C. SMITH being sworn, says that on the basis of the

information contained within this Affidavit and any attachments thereto,

he has probable cause to believe and does believe that the property

described below is lawfully seizable pursuant to Penal Code Section

1524, as indicated below, in that it:

( ) was stolen or embezzled;

(X) was used as the means of committing a felony;

( ) is possessed by a person with the intent to use same as a means of

committing a public offense, or in the possession of another to

whom he/she may have delivered same for the purpose of concealing

or preventing its discovery;

(X) constitutes evidence tending to show that a felony has been

committed or that a particular person has committed a felony;

and that he has probable cause to believe and does believe that the

described property is now located at, and will be found at, the

location(s) set forth below and thus requests a warrant to search

THE FOLLOWING LOCATION(S):

The premises at Blvd, Suite City of Town, County of Santa Clara,

State of California, further described as Commercial Communications a

commercial on-line computer service communication company that provides

access to the Internet for subscribers. The Internet is a world wide

network coordinated by National Science Foundation.

The premises to be searched also include any and all electronic

mailboxes, directories, or accounts on Commercial Communications's

computer system, registered to or containing data placed in that

directory by Brendan Gomez.

DESCRIPTION OF PROPERTY TO BE SEIZED

1. Any and all documents and records, whether on paper or stored on

magnetic media (including information stored within a computer),

within the account of Brendan Gomez, which show the unauthorized

entry or attempted entry or connection to other computer systems

that connect to the Internet or were done

2. Any and all programs or computer instructions that reside in the

account of Brendan Gomez at Commercial Communications that would be

used for the unauthorized connections to other accounts on the

Internet and would be used for the automatic transfer of

information or programs in any other account or systems on the

Internet (hacking).

3. Documents and/or magnetic media showing the identity of users,

owners, or lessees of the computer account managed by Commercial

Communications and registered to Brendan Gomez.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this

search warrant are as follows:

Your affiant, John C. Smith, is a Senior Criminal Investigator

(Peace Officer) employed by the Santa Clara County District Attorney's

Office in Santa Clara County, California. Your affiant has been

assigned to the High Technology / Computer Crime Unit of that office

since December 1989. He has been a California Peace Officer since June

1965. He is a member and past President of the High Technology Crime

Investigators Association (HTCIA), and the Santa Clara Valley Industrial

Security Managers Association. He has been a Macintosh computer user

since about 1986 and an IBM PC user since 1990 and owns both types of

computers. He is a regular user of the Internet and has had classes on

the Unix/Workstation operating environment. He has over 274 hours of

training in the High Technology field. He has worked at least eight (8)

prior network/intrusion type cases and given several talks to computer

professionals on investigating intrusions. He has conversed with experts

in federal law enforcement and corporate network security who have

specialized in these cases, and who have considerable experience in

investigating and interacting with persons who have illegally accessed

computers.

Your affiant was contacted by President of Commercial

Communications Company, Blvd., Suite 200, Town, California, on Friday,

June 17, 1994. President told affiant that Commercial had received a

communication from the Computer Emergency Response Team (CERT) that

detailed a break-in of a computer system at OutOfState University from

an account at Commercial. (CERT is the federally funded agency

responsible for monitoring security issues on the Internet). This

communication is attached as Exhibit A. (NOTE FOR SUN USER GROUP - This

attachment listed the dates, times, and computer systems that were

illegally accessed. I attached it as part of the affidavit so I would

not have to type the same information.)

Your affiant started his investigation by interviewing John Little,

President of Commercial Communications and opening Santa Clara County

District Attorney's Office Case #94-O-0889. Little gave your affiant

the following information: He started Commercial Communication,

(hereafter referred to as Commercial) in 1986. Commercial is an on-line

communications service, set up to provide customers with access to the

Internet. Commercial has two T-1 leased lines, one to BARRNET and the

other to CIX, Commercial Internet Exchange, in Santa Clara.

President explained that the message from CERT detailed a break-in

to an account and a computer system at OutOfState University on June 9,

1994. In this intrusion the intruder achieved root access and then broke

into five (5) OutOfState computers. (Root or superuser status is the

privileged or upper level used by the systems administrator. At the root

level a user is allowed to do anything on the system such as to look,

use or change any regular account and to create files under other

names that may run programs not normally allowed on a system.) President

said that Commercial did not know which customer account was being used

to reach OutOfState and Commercial was concerned that Commercial's

computer systems may have been or be compromised. Commercial employees

Brian Brown and Rich Black began checking the Commercial system to make

sure Commercial's system had not been compromised. They traced the activity

from OutOfState back to Brendan Gomez's account. They opened the account

to see if Commercial's system was being compromised and saw tools for

breaking into computer systems.

Your affiant interviewed BRIAN T. Brown, Commercial Technical

Support staff member. Brown gave affiant the following information: He

has worked at Commercial for 3 years and has been working with UNIX for

about 6 years. Brown explained that after Commercial received the

message from CERT, Exhibit A, he and Black matched IP (Internet)

addresses from OutOfState with outgoing logs generated automatically by

Commercial's computers. Commercial has a logging program that captures

outgoing ftp (file transfer process) and telnet connections, i.e.,

connections to computers at other locations. At about the same time

the connections were made to the computer accessed at OutOfState, Brown

saw three connections to OutOfState from a Commercial account labeled

"brendan". Brown said there were no other connections made to

OutOfState during this time period. Brown and Black opened this account

to ensure that Commercial's system was not being compromised and in the

account they observed a Sniffer program. The "sniffer" program was not

operating at that time. A "sniffer" is a program that captures the data

sent from a user to other users as the data is transmitted over a

network. Login and password information can be pulled from the data and

used to illegally access other accounts.

Brown believes Brendan is 21 yrs old and a 1991 graduate of High

School in Santa Clara. Brown has met Gomez through a friend and has

talked with Gomez on network chat lines.

Gomez has only paid $40.00 towards the monthly costs of his

"brendan" account while he should have paid $240. Gomez opened the

account in 1993. Gomez's account was automatically suspended, probably

in Aug 93, because of non payment. Gomez somehow got around the

suspension closure and into his account. On Friday 6-17-94, Brown

closed the security hole for billing suspensions.

Your affiant would note that neither Black nor Brown actually

intercepted communications made by the person using the "brendan" account

and that the copy of the "brendan" directory made by Brown consisted

of data that was not stored temporarily as an incident of an electronic

transmission. Your affiant specifically does not seek authority to

intercept wire communications made by "brendan" in the future.

Affiant contacted Robin Huxley, an employee of OutOfState

University. Huxley is responsible for security on the computer system

that was compromised from Commercial Communications. Huxley verified

the information in the report he sent to CERT and copied to Commercial

Communications, attached as Exhibit A.

Based on these facts, your affiant is of the opinion that it is

probable that Brendan Gomez has committed violations of Penal Code

Sections 484 and 502c(2), which violations are punishable by terms of

imprisonment of longer than one year, and that evidence thereof exists

on the data tape of the Brendan Gomez directory made by Commercial

communications.

WHEREFORE your affiant prays that a search warrant be issued with

respect to the above locations for the seizure of said property at any

time of the day and that the same be held under Penal Code section 1536

and disposed of according to law.

___________________________

JOHN C. SMITH, Investigator

District Attorney's Office

Santa Clara County

Subscribed and sworn to before me

this 28 day of June 1994.


___________________________

Judge of the Superior Court

EXHIBITS:

A - Three page electronic Message From: huxley-robin@CS.OutOfState.EDU, Date: 17 Jun 1994, TO: cert@cert.org.

B - Three page report prepared by Brian Brown dated 94/06/22 containing

portions of outgoing message logs from Commercial Communications.
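The correlation Brown and Black performed in the affidavit above (matching the victim addresses and times in the incident report against the provider's own outgoing ftp/telnet connection logs), as an added example that is not part of the original presentation or the affidavit; the log line format, the incident-report structure, the 30-minute window and all sample values are constructed assumptions:

```python
"""Correlate an incident report against outgoing connection logs.

Added example, not part of the original presentation or affidavit. The log
format, the report structure and every value below are constructed.
"""
from datetime import datetime, timedelta

# Constructed outgoing ftp/telnet log: "<date> <time> <account> <proto> <dest_ip>"
SAMPLE_LOG = """\
1994-06-09 22:41:07 alice telnet 10.1.1.5
1994-06-09 23:02:13 brendan telnet 192.0.2.17
1994-06-09 23:05:48 brendan ftp 192.0.2.17
1994-06-09 23:11:20 carol ftp 10.1.1.9
1994-06-09 23:40:02 brendan telnet 192.0.2.23
1994-06-10 01:15:33 dave telnet 192.0.2.17
"""

# Constructed incident report, as a victim site's security contact might send
# it: (victim address, time of the first suspicious activity seen there).
INCIDENT_REPORT = [
    ("192.0.2.17", "1994-06-09 23:00:00"),
    ("192.0.2.23", "1994-06-09 23:38:00"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse log lines into dicts; skip blank or malformed lines instead of failing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, clock, account, proto, dest = parts
        try:
            ts = datetime.strptime(f"{date} {clock}", TS_FMT)
        except ValueError:
            continue
        records.append({"ts": ts, "account": account, "proto": proto, "dest": dest})
    return records


def correlate(records, report, window_minutes=30):
    """Map account -> outgoing connections to a reported victim address made
    within +/- window_minutes of the time the report gives for that address."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for victim_ip, when in report:
        t0 = datetime.strptime(when, TS_FMT)
        for r in records:
            if r["dest"] == victim_ip and abs(r["ts"] - t0) <= window:
                hits.setdefault(r["account"], []).append(r)
    return hits


def summarize(text, report, window_minutes=30):
    """(account, number of matching connections), most connections first."""
    hits = correlate(parse_log(text), report, window_minutes)
    return sorted(((acct, len(rs)) for acct, rs in hits.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # With the constructed data only "brendan" connects to the reported hosts
    # inside the window; "dave" reaches the same host hours later and is excluded.
    for acct, n in summarize(SAMPLE_LOG, INCIDENT_REPORT):
        print(f"{acct}: {n} connection(s) to reported hosts within the window")
```

This works on connection metadata the provider already logs and never reads message content, which is the distinction the affidavit draws when it notes that no communications were intercepted.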

This search warrant was used to search the residence and computers of a former employee suspected of illegally accessing and then erasing a company's database.

SUPERIOR COURT OF CALIFORNIA

SANTA CLARA COUNTY JUDICIAL DISTRICT


STATE OF CALIFORNIA - COUNTY OF SANTA CLARA

AFFIDAVIT IN SUPPORT OF SEARCH WARRANT

JOHN C. SMITH being sworn, says that on the basis of the

information contained within this Affidavit and any attachments thereto,

he has probable cause to believe and does believe that the property

described below is lawfully seizable pursuant to Penal Code Section

1524, as indicated below, in that it:

( ) was stolen or embezzled;

(X) was used as the means of committing a felony;

( ) is possessed by a person with the intent to use same as a means of

committing a public offense, or in the possession of another to

whom he/she may have delivered same for the purpose of concealing

or preventing its discovery;

(X) constitutes evidence tending to show that a felony has been

committed or that a particular person has committed a felony;

and that he has probable cause to believe and does believe that the

described property is now located at, and will be found at, the

location(s) set forth below and thus requests a warrant to search

THE FOLLOWING LOCATION(S):

The residence of Joe Suspect described as the premises at 18

Street, City of , County of Santa Clara, State of California, further

described as being a two (2) story structure, a tan color with gray

trim, with the numbers 18 on a lone mailbox across the street from the

residence; including any and all yards, outbuildings, storage areas,

garages, carports, sheds, or mailboxes assigned to the described

premises, including but not limited to those listed above.

FOR THE FOLLOWING PROPERTY:

1. Any and all documents and records, whether on paper or stored on

magnetic media (including information stored within a computer),

which show the unauthorized entry or attempted entry or connection

to the computer systems at MfgCompany Inc, including but not

limited to passwords, password files, security holes, backdoor

logins, telephone numbers for modem connections, and Software that

creates ZY Computer terminal emulation in a personal computer.

2. Any and all programs or computer instructions that would be used

for the unauthorized connections to the computer system at

MfgCompany Inc and would be used for the unauthorized transfer of

information or programs.

3. Any and all documents and records, whether on paper or stored on

magnetic media, that contain any portion of files from the computer

systems of MfgCompany Navigation.

4. Computer hardware, software, and data including, but not limited to

central processing units (CPUs), hard disks, hard disk drives,

floppy disk drives, tape drives, CD-ROM drives, display screens,

keyboards, printers, modems, magnetic tapes, cassette tapes, and

floppy disks, found together or separately from one another.

5. Written documentation, whether typed or handwritten, including, but

not limited to, computer manuals and instructions for the use of

any computers and their accessories found at the premises.

6. Evidence of occupancy and control of said premises and work areas,

including but not limited to, utility company bills, cancelled mail

envelopes, and personal papers.

STATEMENT OF PROBABLE CAUSE

I declare that the facts in support of issuance of this search

warrant are as follows:

I, John C. Smith, am a Senior Criminal Investigator (Peace Officer)

employed by the Santa Clara County District Attorney's Office in Santa

Clara County, California. I have been assigned to the High Technology

/ Computer Crime Unit of that office since December 1989. I have been

a California Peace officer since June 1965. I am a member and past

President of the High Technology Crime Investigators Association

(HTCIA), and the Santa Clara Valley Industrial Security Managers

Association. I have been a Macintosh computer user since about 1986

and an IBM PC user since 1990 and own both types of computers. I am a

regular user of the Internet and have had classes on the Unix/Workstation

operating environment. I have over 274 hours of training in the High

Technology field. I have worked at least nine (9) prior

network/intrusion type cases and given several talks to computer

professionals on investigating intrusions. I have conversed with

experts in federal law enforcement and corporate network security who

have specialized in these cases, and who have considerable experience in

investigating and interacting with persons who have illegally accessed

computers. I am a member of the Santa Clara County Network Security

Working Group responsible for developing and overseeing the security of

the County's wide area network.

I began case #94-0-1102 on Monday, July 18, 1994, by interviewing

Alan Albert, Director of Information Systems, MfgCompany Inc, Community,

California, and, Jonathon A., a private investigator hired by

MfgCompany. I again met with Albert and A. on August 5, 1994 and with

Albert on August 8, 1994. Albert told me that someone illegally gained

access to MfgCompany's corporate computer network on June 12, 1994 and

again on July 26, 1994. On these occasions the intruder erased the

files from MfgCompany's manufacturing database, modified key files that

allow data to be moved between computers for company use and caused the

password file on a ZY Computer 4 computer (named Pacific) to become

void so that the 400 to 500 users of that system could not log on.

Albert stated that these intrusions have cost MfgCompany over

$100,000 to repair the damage and hundreds of hours in lost time

repairing the system so that the manufacturing database will function

properly. MfgCompany has had to hire a full time consultant to check

the integrity of the system and ascertain if there are back door login

programs or other programs hidden in the system that would allow an

intruder to access MfgCompany's system without MfgCompany's knowledge.

Albert explained that MfgCompany has offices around the world and

uses its electronic network to connect operations and offices.

MfgCompany has employees in 30 countries. MfgCompany's information

systems and core business systems are headquartered in Bldg x, Ave.,

Community, California. MfgCompany has its manufacturing database set up

on three ZY Computer 4 Mini Computers, named Atlantic, Pacific, &

Baltic, on MfgCompany's ethernet (network connection). There are

approximately 500 computers, both Unix and personal computers, on

MfgCompany's network. MfgCompany's manufacturing database is an

inventory system called "MIP" for Manufacturing & Inventory Planning.

The ZY Computer 4 operating system is in a language called MPE and the

database application/program is called "Enhanced Software", produced by

SoftwareCo Computer Systems of Santa Clara County.

Albert believes that the unauthorized intrusion and damage to the

system was done by a former MfgCompany employee, Ray Suspect, who was

the Manager of the Operations Group in the Information Systems

Department. Albert said that Suspect was only one of two people who had

all of the information and skills necessary to locate and change the

files that were changed. Albert explained that MfgCompany has not cross

trained Information Systems employees so that in some cases only one

person will know a job or function. In most cases there will only be

two people who may have the same skills. Suspect was released by

MfgCompany.

Albert told me the following: Suspect was hired because he had

worked for (ZY Computer) and was very knowledgeable about the ZY

Computer 4 Computer. Suspect set up the "Enhanced Software"

communications software that allows communication and file exchange

between the ZY Computer 4 computers, Pacific & Baltic, at MfgCompany.

Ray connected to MfgCompany's computer network system from his home as

part of his job on a daily or regular basis via a modem into the ZY

Computer 4 and into a modem bank on an X.25 network (worldwide network)

that is connected to the ethernet (local). He was also aware of the

modem connections for Unix computers and personal computers on the

ethernet based network.

An internal investigation preceded Suspect's termination, so that

he was working at the company while the termination was discussed. He

has the knowledge to place hidden programs (backdoor logins) on the

system that would allow him access to the system.

On June 12, 1994, MfgCompany experienced an unauthorized 3 minute

logon to one of the ZY Computer 4 Mini Computers, called Pacific.

Pacific contains MfgCompany's manufacturing database. During this

unauthorized intrusion the intruder performed four (4) actions that have

caused MfgCompany to have to spend many hours and extra cost to repair

their computer system.

In the first action the intruder erased MfgCompany's data files in

the manufacturing database but not the executable database program.

In the second action, two Configuration files were removed from

Pacific's Enhanced Software application which tell Enhanced Software how

to obtain data from the other 2 ZY Computer 4s on the system.

Enhanced Software resided on both Baltic and Pacific, but with

different sets of data. The data is divided between Pacific and Baltic

based on demand and location. For MfgCompany to achieve maximum

utilization of the Enhanced Software database and its computers, all

three ZY Computer 4's have to be able to communicate and pass data. The

2 configuration files which were removed are separate from the Enhanced

Software executable code and do not reside in the same group

(directory). The intruder had to have expert knowledge of the ZY

Computer 4 system and the SoftwareCo Enhanced Software application to

know which files from approx 20,000 files in the application and

manufacturing database files would stop the computers from

communicating. Once MfgCompany had purchased and installed Enhanced

Software, it added a feature called "Enhanced Software" to the main

program. The two configuration files that were deleted were

part of this added feature. Albert stated less than (Small) percent of

SoftwareCo's customers use this feature. He learned this from dealing

with SoftwareCo.

In the third action, the intruder moved to the "ftp" (file transfer

protocol) file in the ZY Computer 4 Operating System of the computer

Pacific. In this "ftp" file the intruder changed a small "i" to a

capital "I" in a directory name in a path in the script which caused the

path to become invalid and not function properly. This change of case on

the "i" in "mis" was made globally in this script and thus modified

approximately 30 paths. This in turn affected 30 files which prohibited

data from being sent to Unix computers on the network. MfgCompany had

purchased this "ftp" feature separately and Ray Suspect had installed

it. The "ftp" feature is used by the ZY Computer 4's to automatically

transfer certain files that are listed in a script, to Unix computers on

MfgCompany's ethernet network. This transfer is completed by the

computer referring to a path (the hierarchy of files/directories that

lead to a given file) in the script of directions and then copying the

specified file to the location designated in the path. Since Unix

computers are sensitive to capital and lower case letters, every letter

in the path has to be of the same case as it is listed in the root (main)

directory of the Unix computer where it is located. If any one letter

is of a different case the computer will not make the transfer of the

copy. MfgCompany employees then use the data on the Unix computers for

business. This failure signaled the corporation that there has been a

failure in the Information Systems. Ray Suspect created this ftp script

for MfgCompany when it was set up and then maintained it.

In the fourth action, the intruder voided passwords on the ZY

Computer 4 computer named Pacific by causing the password expiration

program to expire several hours later on Monday May 13, 1994, at 0001

hours. Thus when MfgCompany employees tried to logon on Monday morning

they could not use the computer system as all of the passwords had

become invalid.

The intrusion was made through the account of Employee4. Network

system logs indicated that Employee4's password was used to make the

connection. The passwords for the network were not changed after

Suspect left MfgCompany. While at MfgCompany, Suspect had authorization

to review and copy the password file as he was one of three system

administrators with "root" privileges.

Only two people in the company, Employee2 and Joe Suspect, had the

total level of knowledge to complete the above actions. Employee2 is

the senior applications engineer in Information Systems. Albert said

that Employee2 and Suspect did not work together and were only speaking

acquaintances. Employee2 was on a canoeing trip on June 12, 1994, and

it was Albert's belief that this trip was out of State.

On July 26, 1994, MfgCompany discovered that its computer network

had again been illegally accessed and files erased. This came to

MfgCompany's attention because production schedules stopped working on

the ZY Computer 4 as a result of database files having been erased. No

other modifications were made. This intrusion took 8 minutes. On this occasion

both Pacific and Baltic ZY Computer 4s had files erased. This

intrusion was possible as security for the whole system went down on July

26, 1994, as a result of a hardware upgrade.

On Friday, 8-12-94, I spoke with Jonathon A. and Robert Burns,

Private Investigators. Burns told me that he works for A. and was

checking the trash of Suspect. Burns said that on 8-12-94, at about

12:30 a.m., he checked the trash of Joe Suspect, 1111 Rd. The trash

was located in a trash can next to the street for collection. There are

no sidewalks or curbs in this area. In the trash he found a piece of

yellow lined paper approximately 3 x 5 inches. The paper had the

following numbers written on it:

123-1111

1112

1113

1114

444-5555

During a conference call between Alan Albert, A., and myself, as A.

read the numbers, Albert told us the 123 numbers connect to a modem pool

in the computer room of the Information Service's office in Community

where the ZY Computer 4 computers are maintained. This modem pool

allows a connection to MfgCompany's ethernet/local network in Community.

Information services uses this modem pool as a connection to

MfgCompany's network when they need to check the system. Albert went on

to say that the 444-5555 telephone number is a San Jose telephone number

that serves as a connection point to MfgCompany's world wide X.25

network. A. faxed me a copy of the paper with numbers.

Your affiant seeks permission to bring MfgCompany employee Alan

Albert and Jonathon A., private investigator under contract to

MfgCompany, along on the search to assist with the identification of the

files. Albert will be under the direct supervision and control of your

affiant or another peace officer assisting your affiant in the service

of this warrant.

Your affiant is aware that such a procedure was approved in People

v. Superior Court (Moore) (1980) 104 Cal. App. 3d 1001. Albert will be

closely supervised by members of the District Attorney's office staff or

other law enforcement officers.

Computers:

Your affiant requests permission to search and seize any computer

systems and magnetic media found at the scene.

Your affiant knows from his training and experience that computer

systems commonly consist of central processing units (CPUs), hard disks,

hard disk drives, floppy disk drives, tape drives, display screens,

keyboards, printers, modems (used to communicate with other computers),

electronic cables, cassette tapes, floppy disks, and other forms of

magnetic media containing computer information.

Your affiant knows from his training and experience that computer

users will commonly keep computer hardware and software in their homes,

garages, carports, outbuildings, storage areas and sheds assigned to

their premises.

Your affiant requests permission to seize computer systems and

magnetic media found at the scene without first conducting an

examination of each and every hard and floppy disk to determine if such

systems and media contain the items requested by this affidavit.

Computer users frequently collect a great deal of software on disks or

other magnetic media. Searching that media within a reasonable amount

of time to determine which material is relevant to this investigation

would be difficult and could risk destruction of the evidence.

Your affiant may also need to examine at another location any

computer(s) found at the scene because most hard disks contain so much

data that an on-site inspection is impractical. The examination

required to determine whether the hard disk contains the items requested

by this affidavit could take days or weeks. Furthermore there may be

too many tapes and or disks to allow a thorough search of such disks

within a reasonable period.

Finally, the computer and magnetic media is the best evidence

available. Magnetic media is easily erased or destroyed. Leaving

magnetic media behind may result in the loss of that magnetic media as

evidence. Your affiant believes that it is better to seize the original

evidence than to rely solely on copies which have not been authenticated

in the presence of counsel for persons who could face criminal charges

based on material found pursuant to this warrant.

Your affiant also seeks to seize documentation associated with the

computer(s) found at the scene. Your affiant may need that

documentation to search the computer. Moreover, that documentation may

well contain information identifying the owner and/or user of that

computer.

Occupancy:

Based on your affiant's training and experience, your affiant knows

that occupants of dwellings usually receive correspondence addressed to

the occupants at that particular dwelling. Such correspondence usually

includes, but is not limited to, phone bills, utility bills, rental

agreements, rent receipts, identification papers, canceled mail

envelopes, and personal letters. Additionally, your affiant knows that

other evidence of ownership and control of said dwellings can usually be

found on the occupants of said dwellings and may include, but is not

limited to, keys, rent receipts and photographic identification

documents, with names and addresses on them. Your affiant seeks

permission to seize those items.

Based on these facts, your affiant is of the opinion that it is

probable that Suspect has committed violations of Penal Code Section

502c(2), the violation of which is punishable by terms of imprisonment

of longer than one year.

WHEREFORE your affiant prays that a search warrant be issued with

respect to the above locations for the seizure of said property at any

time of the day and that the same be held under Penal Code section 1536

and disposed of according to law.

___________________________

JOHN C. SMITH, Investigator

District Attorney's Office

Santa Clara County

Subscribed and sworn to before me

this 16th day of August 1994.

___________________________

Judge of the Superior Court
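A check for the case-only path sabotage described under the third action in the affidavit above (a transfer script whose destination paths stop resolving on a case-sensitive Unix host after one letter's case is changed), as an added example that is not part of the original presentation or the affidavit; the script format, the path names and the target tree are constructed assumptions:

```python
"""Audit a transfer script's destination paths against a case-sensitive target.

Added example, not part of the original presentation or affidavit. The script
format, the paths and the target tree are constructed.
"""

# Constructed target tree: the paths that actually exist on the Unix host.
TARGET_PATHS = {
    "/usr/mis/data/inventory.dat",
    "/usr/mis/data/orders.dat",
    "/usr/mis/reports/daily.txt",
}

# Constructed transfer script, one "put <source> <destination>" per line.
SCRIPT_OK = """\
put INVENT.DAT /usr/mis/data/inventory.dat
put ORDERS.DAT /usr/mis/data/orders.dat
put DAILY.RPT /usr/mis/reports/daily.txt
"""

# The affidavit's edit: the case of one letter in "mis" changed globally.
SCRIPT_TAMPERED = SCRIPT_OK.replace("mis", "mIs")


def destinations(script):
    """Destination paths of every 'put' line; blank or malformed lines are ignored."""
    out = []
    for line in script.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "put":
            out.append(parts[2])
    return out


def classify(path, existing):
    """OK if the exact path exists; CASE_MISMATCH if it exists only under a
    different case (the sabotage pattern); MISSING if nothing matches at all."""
    if path in existing:
        return "OK"
    folded = {p.lower() for p in existing}
    return "CASE_MISMATCH" if path.lower() in folded else "MISSING"


def audit(script, existing=TARGET_PATHS):
    """[(destination, status, real path or None)] for each 'put' line."""
    folded = {p.lower(): p for p in existing}
    return [(d, classify(d, existing), folded.get(d.lower()))
            for d in destinations(script)]


def is_clean(script, existing=TARGET_PATHS):
    """True only when every destination resolves exactly on the target."""
    return all(status == "OK" for _, status, _ in audit(script, existing))


def case_only_changes(baseline, current):
    """Lines that differ from the known-good baseline only in letter case: an
    edit that is invisible at a glance but fatal on a case-sensitive host."""
    pairs = zip(baseline.splitlines(), current.splitlines())
    return [(b, c) for b, c in pairs if b != c and b.lower() == c.lower()]


if __name__ == "__main__":
    for dest, status, real in audit(SCRIPT_TAMPERED):
        print(f"{status:14} {dest}" + (f"  (exists as {real})" if real else ""))
    print("case-only edits vs baseline:", len(case_only_changes(SCRIPT_OK, SCRIPT_TAMPERED)))
```

Run against a known-good baseline before each scheduled transfer, the case-only diff flags exactly the class of edit that invalidated the affidavit's 30 paths, and the audit tells the operator which paths still exist under their original spelling.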

This affidavit was used to get into the residence and personal computers of a part-time university employee who broke into another employee's account and used that account.

SUPERIOR COURT OF CALIFORNIA

SANTA CLARA COUNTY JUDICIAL DISTRICT

STATE OF CALIFORNIA - COUNTY OF SANTA CLARA

AFFIDAVIT IN SUPPORT OF SEARCH WARRANT


JOHN C. SMITH, Sr. Criminal Investigator, Santa Clara County

District Attorney's Office being sworn, says that on the basis of the

information contained within this Affidavit and any attachments thereto,

he has probable cause to believe and does believe that the property

described below is lawfully seizable pursuant to Penal Code Section

1524, as indicated below, in that it:

( ) was stolen or embezzled;

(X) was used as the means of committing a felony;

( ) is possessed by a person with the intent to use same as a means of

committing a public offense, or in the possession of another to

whom he/she may have delivered same for the purpose of concealing

or preventing its discovery;

(X) constitutes evidence tending to show that a felony has been

committed or that a particular person has committed a felony;

and that he has probable cause to believe and does believe that the

described property is now located at, and will be found at, the

location(s) set forth below and thus requests a warrant to search

THE FOLLOWING FOUR (4) LOCATION(S):

LOCATION A:

1. The three (3) electronic mail accounts, including the information

from these accounts on the system backup tapes, belonging to Joe

Suspect: #1 suspect@rome.univ.ede (Unix System);

#2 suspect@univvm1.univuniv.edu (IBM system); and

#3 guard@univvm1.univ.edu (IBM system). These accounts are on

computers maintained and housed in the Information Systems and

Communications Department, University, Information Systems and

Communications ("ISC") Department, California.

AND

2. The desk and work space of Joe Suspect at the Computer Information

Center, Information Systems & Computing Department,

FOR THE FOLLOWING PROPERTY:

1. Any and all documents and records, whether on paper or stored on

magnetic media (including information stored within a computer)

that contain any of the network electronic mail addresses,

hertz@Rome.Univ.Edu, jeanc@college-ca.edu (Jean Clinton), or

carol@college-ca.edu.

2. Any and all documents and records, whether on paper or stored on

magnetic media which contain the code or computer instructions that

are used for the automatic transfer of information or email from

one account to another and directing the transfer of email to or

from supect2nd@rome, hertz@rome, jeanc@college-ca, or

carol@college-ca

3. Any and all programs or computer instructions that would be used

for the cracking, matching, or discovering encrypted passwords for

computer accounts.

4. Any and all documents and records, whether on paper or stored on

magnetic media which contain the code or computer instructions that

create or operate a computer program commonly known as a "TROJAN

HORSE", a shell or program that purports to have a valid purpose,

but contains hidden in its code instructions that start another job

such as automatically capturing a user's log-on identification and

password and sends it to another location.

LOCATION B:

SUSPECT'S Apartment B, Drive, in the City of _________. This

residence is a duplex type residence, that is painted gray and has a

detached open carport. The residence is on the south side of Drive

between Streets. There are two street address number plaques attached

to the front of the house. The plaque with 732B is nearest the corner

of the west side, where there is a door that appears to be the front

door for Apartment B. The premises to be searched also include any and

all yards, outbuildings, storage areas, garages, carports, sheds, or

mailboxes assigned to the described premises, including but not limited

to those listed above.

LOCATION C:

The person of Joe Suspect and any personal effects such as but not

limited to books, binders, backpacks, or briefcases where papers or

computer disks may be carried.

LOCATION D:

A gray, Ford, bearing California license ________ registered to Joe

Suspect, City of __________, wherever it may be located in the County of

Santa Clara.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this

search warrant and court order are as follows:

Your affiant, John C. Smith, is a Senior Criminal Investigator

(Peace Officer) employed by the Santa Clara County District Attorney's

Office in Santa Clara County, California. Your affiant has been

assigned to the High Technology Unit of that office since December 1989.

He has been a California Peace Officer since June 1965. He is a member

and past President of the High Technology Crime Prevention Association

(HTCIA), and a member of the Santa Clara Valley Industrial Security

Managers Association. He has been a Macintosh computer user since

about 1986 and an IBM PC user since 1990 and owns both types of

computers. He is a regular user of the Internet and has had classes on

the Unix/Workstation operating environment. He has over 274 hours of

training in the High Technology field. He has been involved in at least

five (5) prior intrusion type cases and given several talks to computer

professionals on investigating intrusions. He has conversed and worked

with experts in federal law enforcement who have specialized in these

cases, and who have considerable experience in investigating and

interacting with persons who have illegally accessed computers.

Your affiant is currently investigating violations of Penal Code

Section 502 (Unlawful Access to Computer Systems).

Your affiant knows from training and experience that individuals

who "hack" or access computers without authorization often do so from

their own computer systems and maintain cracking or password matching

programs which may include dictionary or word lists.

Your affiant knows that persons who hack computer services by

fraudulent means maintain notes and ledgers which document the accesses

that are valid, passwords which have been used or tried, and their

written notes on how to bypass systems security measures installed.

They also make notes of what systems are accessed, what files were

downloaded or uploaded and who else they have been in contact with regarding

the access codes being used.

Your affiant knows from training and experience that persons who

have passwords on their computer system usually maintain a record of

that password on a piece of paper, card, book, etc. so that it may be

retrieved in case the person fails to recall a password. Your affiant

knows the above information may be in the form of hard copy printouts,

paper notes, notes in a ledger, or files maintained on a computer system

itself in the form of electronic media.

Your affiant knows from training and experience that a computer

system used to communicate with other systems via modem and the

telephone lines will be attached to a modem and a phone line that is

installed in the residence.

On May 10, 1994, your affiant was contacted by Detective

_______, University Police Department, and provided with police reports

for case number 94- alleging a violation of California Penal Code

Section 502, Computer Crime. Affiant opened SSCCDA case #94-0-0661.

Your affiant interviewed Dept Head, Associate Vice President, in charge

of the Information Systems and Computing (ISC) Department at AnyCity

State University (Univ); Bill Sysop, Staff Systems Software Specialist,

ISC, ; and Timothy J. Sysadmin, Network Systems Programmer, ISC. To the

best of your affiant's knowledge, these three individuals are reliable

and trustworthy citizens without involvement in criminal activity.

The following chronology of events was prepared by your affiant, after

reading the police reports and interviewing the three individuals named

above, for convenient review:

CHRONOLOGY OF EVENTS:

3-21-94 to 4-1-94 - Joe Suspect and Jason Student workers are suspended

from their jobs at the Computer Information Center (CIC), ISC, Univ and

are told not to use their network accounts for two weeks for verbally

fighting and arguing via their electronic mail accounts on Univ's system

and on America Online, a commercial system.

3-21-94 - A message is sent from "Patricia Hertz" to ten people, "From:

Suspect!", stating that he had been suspended and to send any email to

hertz@.univ.edu.

4-12-94 - The email message to "Hello John", attached as Exhibit #1,

accusing systems operators Sam Sysadmin and another employee of

maintaining pornographic GIFs (graphic or photographic computer files)

on the university system was sent to the mailing list on another system

maintained by Univ.

4-14-94 - Univ President Ferris receives an email message from

jeanc@college-ca.edu (St Mary's College) regarding Univ computer

administrators holding pornographic pictures on the Univ system,

attached as Exhibit #2.

4-15-94 - Dept Head assigns Bill Sysop to investigate this matter.

4-15-94 - Bill Sysop learns that there is no issued account to "Patricia

Hertz", but he knows a Professor Hertz and contacts him. Professor

Hertz states he was issued the account but does not use it.

- Bill Sysop checks logs on the IBM computer network and finds that

(a) the message, Exhibit #2, sent to Univ President Evens was received

from jeanc@college-ca.edu on 4/14/94, at 17:49:14 hrs and that (b)

suspect@univvm1.univ.edu sent a message to jeanc@college-ca.edu at

4/14/94 17:39:02 hrs, Exhibit #9.

4-27-94 - Univ Police report 94-117-0705 was taken by Officer Laws. The

suspect named was Joe Suspect.

- Sysadmin examines data in the broken "hertz account" obtained

from the backup tapes of April 11, 1994, and observes a ".forward" file

used by the Unix mail system to forward mail to another computer. The

forwarding address listed was supect2nd@.univ.edu, Exhibit #11.

5-4-94 Front page article appears in Univ newspaper written by

regarding pornography on the Univ computer system.

*

On 5-11-94 your affiant began his investigation by talking with

Dept Head at his office at Univ. Dept Head related the following

information:

In March 1994, Suspect and another student, Jason Student, were

verbally fighting and arguing. This disagreement spilled into

electronic mail. America Online sent a message to Supervisor and Bill

in the Computing Information Center, the supervisor of Suspect and

Student, asking if something could be done to stop the bickering.

Suspect and Student were then suspended from their jobs for two weeks

by the Director of Information Services (a division of the ISC) after he

investigated and concluded that they had behaved inappropriately.

Supervisor also told Suspect and Student not to use their computer

network accounts during their suspension.

The suspension was from March 21, 1994 to April 1, 1994.

Sometime during this two weeks, Dept Head suspects that Joe Suspect

hacked into the "hertz account". The "hertz account" belongs to Univ

Professor Hertz who was assigned the account 2 yrs ago and has never

used it. The Identifier that is printed when electronic mail is sent

from the hertz account was changed from Professor to Patricia.

On 5-11-94 and 5-12-94, your affiant interviewed Bill Sysop, Staff

Systems Software Specialist, Technical Services, Information System &

Computing Department, Univ, at the ISC. Sysop provided affiant with the

following information:

The Information Systems and Computing Department (ISC) is assigned

the task of providing general academic and computing services and

Administrative services to the University. Administrative services

include student scheduling, records, grades, and other student

information as well as purchasing, and assorted administrative

functions. The campus has an IP (Internet Protocol) type network that

has both Unix and IBM computers attached to it. The Unix system was

installed three years ago. ISC has an Internet connection.

Sysop was assigned to investigate this matter by Dept Head after

Ferris, the President of Univ, received an email message from a Jean

Clinton, St Mary's College, dated 14 Apr 94, 17:49:13 PDT, stating in

relevant part, "your university computer administrators are using the

system as a holding area for pornographic pictures." A copy of the

messages is attached as Exhibit #2.

Sysop began his investigation by trying to find "Patricia Hertz".

He asked the CIC (Computer Information Center) and learned there was no

record of "Patricia Hertz". Sysop had worked with Professor Hertz,

Univ, on prior occasions. Thinking it might be Patrick rather than

Professor, Sysop phoned Professor Hertz, on April 15, 1994. Professor

Hertz told Sysop that he did have a Unix account but, that he did not

use it. Professor Hertz told Sysop that he recalled being told that he

needed a UNIX account to receive email and so about 2 years ago he

signed up with Univ and was given a Unix account that was named hertz.

He did not use the Unix account because he found he could use email

facilities directly through the Unix Workstation he has on his desk.

On Friday April 15, 1994, Bill Sysop examined the SMTP (Mail

Transfer) log for April 14, 94, on the Univ IBM computer system,

attached as Exhibit #9. He did this because Ferris's email account is

on the IBM system. Sysop checked the log for the time that Ferris had

received Exhibit #2 Jean Clinton. Sysop then looked through the log and

found that on 4/14/94, 17:39:02 hours, ten minutes before Exhibit #2 was

sent, Suspect had been connected to jeanc@college-ca.edu. Your affiant

has obtained a list of log-ins to the jeanc@college-ca account and

verified this information. One of the log-ins was from 17:55 to 18:06

hours. The message to President Ferris from jeanc@college-ca was

received at Univ at 18:05 hours.

Sysop knows Joe Suspect to be a paid Student Assistant at CIC,

Computing Information Center, a division of ISC. CIC is assigned the

task of providing computer support to the academic computing

community at Univ and to provide assistance to administrative computer

users. Suspect's supervisor is -------- who reports to __Director of

CIC. Sysop believes Suspect has worked there for about 2 years.

On May 12, 1994, your affiant interviewed Bill J. Sysadmin, Network

Systems Programmer, ISC, at the computer center. Sysadmin maintains the

Unix network. Sysadmin related the following information to your

affiant:

The hertz account resides on a computer server called "" which is

the primary Unix server at Univ. Sysadmin made the printout labeled

"Apr 17 23:27 1994 hertz.last Page 1.", attached as Exhibit #10. This

printout, Exhibit #10, is a list of connections to the hertz account and

shows that someone was connecting to the hertz account on from a

terminal server that houses the public modem pool. The entry, "isc-ts1.Univ.EDU",

on the log indicates that the connection to hertz was

most likely made through a dial-in telephone modem hooked to the

terminal server.

The original message "Hello John" was sent to 1.BITNET, which

distributed the message to a number of systems users. This message is

attached as Exhibit #1. At that time there were 30 faculty members and

students from the Univ campus on the mailing list to receive messages

sent to the UnivSER account on UnivSER on the IBM system. This account

serves as a general computer information source for asking questions and

disseminating information regarding the computer system.

After seeing the message to President Ferris (Exhibit #2),

Sysadmin opined that the hertz account had been broken into. His

opinion was based on a number of factors. He recognized that the hertz

account had a low user id number (meaning that it was an older account)

and the wording of the message in Exhibit #1 caused him to infer that the

sender was a new user; also, the sender described him or herself as a

student. Finally, faculty and staff are in one file system and students

in another. The hertz account was a faculty account.

Sysadmin made a "last" print out that shows where the user logged

in from and the date & time. A "last log" shows the account where the

connection was made, the name of the computer or device where the

connection came from, the date, the time, and the duration of the

connection. On this "last log" printout, Exhibit #10, the log shows log-ins

from College and a log-in from the Univ CIC, which is in the

form of a network numerical address, IP address 130.65.55.26. This

number shows up on the log since the computer at that location has not

been given a name.

Sysadmin went to the backup tapes from April 11, 1994, for the

server on the Unix system and recovered the home directory from the

hertz account onto his (Sysadmin's) workstation. Sysadmin printed the

stored mail messages recovered from the backup tape in the hertz account

and gave your affiant the 56 pages that he printed. What appears to be

the first message from the hertz account is attached as Exhibit #3.

That message reads as follows:

Date: Mon, 21 Mar 1994 15:11:36

From: Patricia Hertz <hertz@.Univ.EDU>

Subject: From Suspect!

To: people <bart@>, (list of his friends' email addresses)

"Hello everybody,

I'm sure you're wondering why I'm not using my account to mail this

to all of you, well the reason is I got suspended for two weeks

from work. Actually it was me and Jason "May I sniff your

buttcheeks?" Student that got suspended. It's a very long story,

but suffice to say I got screwed royally on this one and as such,

it is only right that I screw back. Student is toast.

I'm not too sure how much mail is going to pile up on my system in

14 days, but let's do the simple math: I get about 45 pieces of

mail a day on EACH of my accounts, and I have three, count 'em

three, accounts. Let's see 45 times 14 times 3. Shit. 1890

pieces of mail. I think I'll forward all of it to Jason "I'm, the

Weenie Genie" Student. Anyway, if for any reason you need to get

a hold of me via e-mail, please use hertz@.univ.edu.

I'll send you all the gory details later.

-Suspect"

Another message that Sysadmin found in the hertz account deals with

Trojan Horses, attached as Exhibit #4. This message is addressed as

follows:

Date: Tue, 22 Mar 1994 15:29:44 PST

From: fly <cartert@.com>

To: hertz@.univ.edu

Subject: The Trojan Horse (For Suspect)

In this message, a "Trojan Horse Program" is discussed. Dfly

states, "Here's what the code *might*(sic) look like", and describes

what the code would be. Also in this message is a description of a

Trojan Horse, which is a fake shell. That paragraph is as follows:

When a user attempts to login on the Trojan Horse their login name

and password are mailed to a specific user (defined in the code).

The process then terminates and the user is left with the *REAL*

login prompt. You now have a password and login for a specific

user, in other words you have full access to their account.

How this happens is defined here:

When Sysadmin looked at the data in the broken hertz account, which he

obtained from the backup tapes of April 11, 1994, he observed a

".forward" file used by the Unix mail system to forward mail to another

computer. The forwarding address listed was supect2nd@.univ.edu. The

file listing shows that the .forward file was last modified on April 6.

On May 19, 1994, Sysadmin printed a copy of the .forward file from the

hertz April 11 backup and gave it to your affiant. As indicated this

printout is attached as Exhibit #11.
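A ".forward" file is ordinary Unix mail behaviour, and the same artefact the investigators recovered from the April 11 backup can be looked for on a live system before a user loses two weeks of mail. The Python script below is an added example written for this page, not code from the affidavit or from the university: it constructs a throwaway home-directory tree (the users alice, bob, carol and dave and the domains college-ca.edu and univ.edu are assumed), parses each user's .forward, classifies every entry as local, external, pipe or file, and reports the files whose mail leaves the site or runs a command, together with the file's modification time, the same detail (last modified April 6) that anchored the affidavit's timeline.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone


def parse_forward(content):
    """Split a .forward file into entries: comma- or newline-separated,
    '#' comments dropped, surrounding double quotes removed."""
    entries = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for part in line.split(","):
            part = part.strip().strip('"')
            if part:
                entries.append(part)
    return entries


def classify(entry, local_domains):
    """Label one .forward entry by where the mail ends up."""
    if entry.startswith("|"):
        return "pipe"        # delivery runs a command: review first
    if entry.startswith("/"):
        return "file"        # a copy is appended to a file
    if entry.startswith("\\"):
        return "local"       # \user: deliver here, no further forwarding
    if "@" in entry:
        domain = entry.rsplit("@", 1)[1].lower()
        if domain in local_domains or any(
                domain.endswith("." + d) for d in local_domains):
            return "local"
        return "external"    # mail leaves the site: the Exhibit #11 pattern
    return "local"           # bare user name on this host


def audit_forward_files(home_root, local_domains):
    """Walk <home_root>/<user>/.forward and report every file with an
    external, pipe or file entry, together with its last-modified time."""
    local_domains = {d.lower() for d in local_domains}
    findings = []
    for user in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, user, ".forward")
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            kinds = {e: classify(e, local_domains) for e in parse_forward(fh.read())}
        if any(k != "local" for k in kinds.values()):
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            findings.append({"user": user, "entries": kinds,
                             "mtime": mtime.strftime("%Y-%m-%d %H:%M:%SZ")})
    return findings


def build_sample_homes():
    """Constructed throwaway home tree (not real data): alice has no .forward,
    bob forwards within the assumed local domain college-ca.edu, carol's mail
    is diverted to an account at another site, dave pipes mail to a command."""
    root = tempfile.mkdtemp(prefix="homes-")
    samples = {
        "alice": None,
        "bob": "bob@college-ca.edu\n",
        "carol": '# constructed sample entry\n"hertz@univ.edu", \\carol\n',
        "dave": "|/usr/local/bin/procmail\n",
    }
    for user, content in samples.items():
        os.makedirs(os.path.join(root, user))
        if content is not None:
            with open(os.path.join(root, user, ".forward"), "w") as fh:
                fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_homes()
    try:
        for f in audit_forward_files(root, {"college-ca.edu"}):
            print(f"{f['user']}: {f['entries']} (modified {f['mtime']})")
    finally:
        shutil.rmtree(root)
```

Run against a real home partition, the modification time is the first thing to compare with the owner's recollection: a .forward the owner did not write, dated inside a window when the account was supposed to be idle, is exactly what the backup tape showed here.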

Sysadmin told your affiant that he called the network system

administrator at College, College Sysadmin, and advised College

Sysadmin that someone seemed to have broken into (the name of the

primary Unix server for the .univ.edu system) from College's Network.

Subsequently, College Sysadmin told Sysadmin that the "jeanc" and

"carol" accounts had been broken into. College Sysadmin sent Sysadmin

a list of log-ins to the computer "galileo" at St Mary's where the jeanc

and carol accounts are located, (Exhibit #6). Roy College Sysadmin in

his message of April 26, 1994, (Exhibit #6) states:

"The owner of the carol account found that someone has tampered

with her account. The user hertz@.univ.edu re-routed her e-mail

using a .forward file. This has gone on about 2 weeks. She is

understandably very upset and has lost some very important

messages."

On May 15, 1994, your affiant attempted to contact College Sysadmin

and learned that he was out of town for several days. Affiant spoke on

the telephone with College's 2nd Sysop, Ph.D., Computer Science,

College, California, who also serves as a systems administrator with

College Sysadmin. Dr. College's 2nd Sysop said he was familiar with the

situation with Univ. Dr. College's 2nd Sysop told affiant that Carol is

a teacher at College. Mrs. Carol was using her child's name as a

password; the password thus would have been on a standard word list or

dictionary used by a cracker or password matching program.

Sysadmin made printouts from the "last" log for both accounts

"hertz" and "suspect" from the Unix workstation named "homerun", which

uses as a server. The printout for the supect2nd account is attached

as Exhibit #7 and the printout for hertz account is attached as Exhibit

#8. Sysadmin found log entries on March 17 between 16:34 hours and

18:15 hours which appear to indicate that someone logged out of the

supect2nd account and immediately into the hertz account. The following

are entries of log-in and log-out times from the "last" logs of the two

accounts:

supect2nd Mar 17 16:34 - 16:40

hertz Mar 17 16:40 - 16:52

supect2nd Mar 17 16:52 - 18:07

supect2nd Mar 17 18:07 - 18:09

hertz Mar 17 18:09 - 18:15
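The five "last" entries above, and the description of the "last" log earlier in the affidavit, are read as one person stepping out of supect2nd straight into hertz. As an added example, not part of the affidavit or its exhibits, the Python script below does that correlation mechanically over classic "last" output: it parses the user, tty, host and login/logout columns (the hosts isc-ts1.univ.edu and 130.65.55.26, the ttys and the year 1994 are assumed for the constructed sample), groups sessions by originating host, and flags every logout of one account followed within a minute by a login to a different account from the same host. It also lists the hosts each account was reached from, which is the check that surfaced the modem pool and the unnamed IP address in Exhibit #10.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of "last" output, newest entry first as last prints it.
# These lines are NOT the affidavit's Exhibits #7/#8; the tty and host
# columns (a dial-in terminal server and a bare IP) are assumed for the example.
SAMPLE_LAST = """\
hertz      ttyp4  130.65.55.26      Fri Mar 18 10:00   still logged in
supect2nd  ttyp1  isc-ts1.univ.edu  Thu Mar 17 18:07 - 18:09  (00:02)
hertz      ttyp1  isc-ts1.univ.edu  Thu Mar 17 18:09 - 18:15  (00:06)
supect2nd  ttyp1  isc-ts1.univ.edu  Thu Mar 17 16:52 - 18:07  (01:15)
hertz      ttyp1  isc-ts1.univ.edu  Thu Mar 17 16:40 - 16:52  (00:12)
supect2nd  ttyp1  isc-ts1.univ.edu  Thu Mar 17 16:34 - 16:40  (00:06)
hertz      ttyp3  130.65.55.26      Wed Mar 16 09:10 - 09:30  (00:20)
"""

# user tty host Dow Mon DD HH:MM - HH:MM (duration); lines that do not fit
# (reboots, "still logged in", console logins without a host) are skipped.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<login>\d{2}:\d{2})\s+-\s+(?P<logout>\d{2}:\d{2})"
)


def parse_last(text, year=1994):
    """Return (user, host, login, logout) tuples; last output carries no year,
    so the caller supplies it (1994 here, matching the affidavit's dates)."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day']} "
        login = datetime.strptime(stamp + m["login"], "%Y %b %d %H:%M")
        logout = datetime.strptime(stamp + m["logout"], "%Y %b %d %H:%M")
        if logout < login:          # session crossed midnight
            logout += timedelta(days=1)
        sessions.append((m["user"], m["host"], login, logout))
    return sessions


def find_handoffs(text, year=1994, max_gap=timedelta(minutes=1)):
    """Flag a logout from one account followed, from the same host, by a login
    to a different account within max_gap: the pattern the affidavit reads
    as one person moving between supect2nd and hertz."""
    by_host = defaultdict(list)
    for s in parse_last(text, year):
        by_host[s[1]].append(s)
    handoffs = []
    for host, sessions in by_host.items():
        sessions.sort(key=lambda s: s[2])          # oldest login first
        for prev, nxt in zip(sessions, sessions[1:]):
            gap = nxt[2] - prev[3]
            if prev[0] != nxt[0] and timedelta(0) <= gap <= max_gap:
                handoffs.append((prev[0], nxt[0], host,
                                 nxt[2].strftime("%b %d %H:%M")))
    return handoffs


def sources_by_user(text, year=1994):
    """Which hosts each account was reached from (the check that surfaced the
    modem pool and the unnamed 130.65.55.26 machine in the affidavit)."""
    out = defaultdict(set)
    for user, host, _, _ in parse_last(text, year):
        out[user].add(host)
    return dict(out)


if __name__ == "__main__":
    for frm, to, host, when in find_handoffs(SAMPLE_LAST):
        print(f"{when}: {frm} -> {to} via {host}")
    for user, hosts in sources_by_user(SAMPLE_LAST).items():
        print(f"{user}: {sorted(hosts)}")
```

Grouping by host matters: two accounts changing hands on the same dial-in line is evidence of one operator, while the same timing across unrelated hosts is coincidence. On a real system, feed it the wtmp-derived output of last for every account of interest and keep the raw printout, as Sysadmin did, since the script's summary is derived evidence rather than the record itself.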

On May 19, 1994, your affiant talked with Bill Sysop and Sam

Sysadmin at their office. They both informed affiant that it would be

highly unusual for Joe Suspect to have his supect2nd account broken into

without Suspect being aware of it and for cortes not to make a

report. Suspect's "vigil" account was set up to subscribe to various

mailing lists dealing specifically with network security. Suspect is

supposed to review any material that is received and distribute any

relevant material to CIC employees. Sysadmin has never received any

complaints from Suspect about problems with the cortes account being

compromised. Sysop told affiant that when he interviewed Suspect, he

asked Suspect if he was having any problems with his (Suspect) IBM

accounts. Suspect said he was not having any problems with his

accounts.

On April 19, 1994, Sysadmin said he copied the contents of the

supect2nd@ account from the backup tapes into his (Sysadmin's),

workstation. Sysadmin also said that he had not looked at or examined

the contents of that account until the legality of such examination can

be determined.

Your affiant seeks permission to bring Bill Sysop and Sam Sysadmin

along on the search to the four locations to assist with identifying the

computer programs described in this affidavit that are to be searched

and seized, and to have them operate the Univ computer system to search for

the items listed in the Search Warrant. Sysop and Sysadmin will be

acting under the direct supervision and control of your affiant or

another peace officer assisting your affiant in the service of this

warrant. Your affiant is aware that such a procedure was approved in

People v. Superior Court (Moore) (1980) 104 Cal. App. 3d 1001.

Residence Information:

Joe Suspect told Officer Laws of the AnyCity State University

Police Department that his home address is 732 E. Taylor Street,

AnyCity, California. Dept Head checked Payroll records and found that

Suspect's address is listed as 732 E. Taylor Street, Apartment 2,

AnyCity, California. Dept Head has also seen a business card for a

business maintained by Joe Suspect that listed an address of _______.

Your affiant checked the California Department of Motor Vehicle

records for the drivers license information on Joe Suspect based on the

date of birth, 11-18-66, and drivers license number, C1111111, on the

police report and found that Joe Suspect Jr has a valid California

Drivers License that expires on his birthday in 1987. This record

states that his residence address is ______

California DMV records checked by affiant also show that Joe

Suspect Jr., ___ the registered owner of a Ford, license number ___. Affiant

drove by the residence and saw a gray Ford, California license number

XXX, in the carport of ___

Computers:

Your affiant requests permission to search and seize any computer

systems and magnetic media found at the scene.

Your affiant knows from his training and experience that computer

systems commonly consist of central processing units (CPUs), hard disks,

hard disk drives, floppy disk drives, tape drives, display screens,

keyboards, printers, modems (used to communicate with other computers),

electronic cables, cassette tapes, floppy disks, and other forms of

magnetic media containing computer information.

Your affiant knows from his training and experience that such

computers and magnetic media are used to store information. Your

affiant believes that, based on the information related above, that

computers and magnetic media located at the place to be searched contain

telephone numbers, access codes and the software necessary to access

such computer codes.

Your affiant knows from his training and experience that computer

users will commonly keep computer hardware and software in their homes,

garages, cars, carports, outbuildings, storage areas and sheds assigned

to their premises.

Your affiant requests permission to seize computer systems and

magnetic media found at the scene without first conducting a detailed

examination of each and every hard and floppy disk to determine if such

systems and media contain the items requested by this affidavit.

Computer users frequently collect a great deal of software on disks or

other magnetic media. Searching that media within a reasonable amount

of time to determine which material is relevant to this investigation

would be difficult and could risk destruction of the evidence.

Your affiant may also need to examine at another location any

computer(s) found at the scene because most hard disks contain so much

data that an on-site inspection is impractical. The examination

required to determine whether the hard disk contains the items requested

by this affidavit could take days or weeks. Furthermore there may be

too many tapes and/or disks to allow a thorough search of such disks

within a reasonable time.

Finally, the computer and magnetic media are the best evidence

available. Magnetic media is easily erased or destroyed. Leaving

magnetic media behind may result in the loss of that magnetic media as

evidence. Your affiant believes that it is better to seize the original

evidence than to rely solely on copies which have not been authenticated

in the presence of counsel for persons who could face criminal charges

based on material found pursuant to this warrant.

Your affiant also seeks to seize documentation associated with the

computer(s) found at the scene. Your affiant may need that

documentation to search the computer. Moreover, that documentation may

well contain information identifying the owner and/or user of that

computer.

Occupancy:

Based on your affiant's training and experience, your affiant knows

that occupants of dwellings usually receive correspondence addressed to

the occupants at that particular dwelling. Such correspondence usually

includes, but is not limited to, phone bills, utility bills, rental

agreements, rent receipts, identification papers, canceled mail

envelopes, and personal letters. Additionally, your affiant knows that

other evidence of ownership and control of said dwellings can usually be

found on the occupants of said dwellings and may include, but is not

limited to, keys, rent receipts and photographic identification

documents, with names and addresses on them. Your affiant seeks

permission to seize those items.

Your affiant will not intercept electronic mail or examine

electronic mail that has not been read and stored. To the best

knowledge of your affiant, this Affidavit and Search Warrant complies

with the requirements of Section 2703, of Title 18 United States Code

dealing with the disclosure by a provider of electronic

communications services of the contents of an electronic communication

that is in electronic storage.

On the basis of the foregoing, your affiant believes that evidence

of the commission of felony violations of California Penal Code section

502 will be found upon the premises and in the records heretofore

described.

That based upon the above facts, your affiant prays that a search

warrant be issued with respect to the above location for the seizure of

said property, and that the same be held under Penal Code section 1536

and disposed of according to law.

___________________________

AFFIANT John C. Smith

Criminal Investigator

 

Subscribed and sworn to before me

this 23rd day of January 1994.

 

___________________________

JUDGE OF THE SUPERIOR COURT

Exhibits:

1. Message "Hello John", from Patricia Hertz, April 14, 94.

2. Message to ferris@univ from jeanc@college-ca, April 14, 94.

3. Message from Patricia Hertz, Subj: From Suspect, March 21, 94, with

Suspect explaining why he is using this account.

4. Message from fly <carter@.com>, to hertz@univ, Subj: THE TROJAN

HORSE (for Suspect). March 22, 94.

5. Dept Head's report/chronology of this event. April 20, 94.

6. Message from Systemop@college-ca.edu, To: Sysadmin@isc.univ, Subj:

last list. April 20, 94.

7. "last" log from supect2nd (Unix) account showing activity on 3-17-94.

8. "last" log from hertz (Unix) account showing activity on 3-17-94.

9. SMTP, mail log, from IBM network showing message to jeanc@college-ca on April 14, 94.

10. hertz@.univ "last" log showing connections and dates, this includes

modem connections.

11. Copy of the ".forward" file from the hertz@ account on the April

11 backup tape.

This is a request for tracing a long distance call

GEORGE W. KENNEDY

DISTRICT ATTORNEY

FRANK D. BERRY JR.

DEPUTY DISTRICT ATTORNEY

70 West Hedding Street

San Jose, California 95110

Attorneys for PEOPLE of the State of California

 

SUPERIOR COURT OF CALIFORNIA, COUNTY OF SANTA CLARA

 

 

In re Order authorizing "trap and trace" device.          NO.

APPLICATION FOR ORDER AUTHORIZING "TRAP AND TRACE" DEVICE AND NUMBER SEARCH [18 USC §3123]

Personally appeared before me this 20th day of January 1994,

Investigator John C. Smith who requests an order authorizing the

installation of a "trap and trace" device and number search and on oath,

deposes and says that there is just, probable, and reasonable cause to

believe, and that he does believe, that the telephone number(s) from

which incoming calls are to be trapped/number searched and identified

are being used in connection with criminal activity and that the

information likely to be obtained by such installation and use is

relevant to an ongoing criminal investigation.

Your affiant is requesting that this Court authorize a "trap and

trace" device by Pacific Bell, the American Telegraph and Telephone

Company, and any other provider of electronic or wire communication

service for the following telephone numbers: (408) 999-1111 and (408)

999-1112.

Affiant is seeking to determine the origin of all telephone calls

made to the aforesaid telephone numbers as well as records showing the

date, time, and length of call, together with the area code, telephone

number, subscriber identification information (including name and

address), and location of the calling telephone device.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this

court order are as follows:

Your affiant, John C. Smith, is a Criminal Investigator (Peace

Officer) employed by the Santa Clara County District Attorney's Office

in Santa Clara County, California. Your affiant has been assigned to

the High Technology Unit of that office since December 1989. He has

been a California Peace Officer since June 1965. He is a member and past

President of the High Technology Crime Prevention Association (HTCIA),

and the Santa Clara Valley Industrial Security Managers Association. He

has been a Macintosh computer user since about 1986 and an IBM PC user

since 1990 and owns both types of computers. He is a regular user of

the Internet and has had classes on the Unix/Workstation operating

environment. He has over 274 hours of training in the High Technology

field. He has worked at least five (5) prior intrusion type cases and

given several talks to computer professionals on investigating

intrusions. He has conversed with experts in federal law enforcement who

have specialized in these cases, and who have considerable experience in

investigating and interacting with persons who have illegally accessed

computers.

Your affiant was contacted by Frank L. Edwards, Brand

Incorporated, Security Services Department, Street, FarState, on

January 19, 1994. Your affiant knows Brand Systems to be a company which

creates and sells software which enables users to create and maintain

Mr. Edwards told affiant that the Brand corporate network had been

penetrated by an unauthorized intruder who had then gained superuser

status on numerous Brand computer systems, reviewed proprietary data and

transferred copies of proprietary data to a computer outside the Brand

network. Your affiant started his investigation case #94-0-0109, on

January 19, 1994 by interviewing Brand employees Frank Edwards; Davis

Investigator; Employee2, Investigative Technician; and Employee3,

Network Security Manager for Security Services. These interviews were

conducted by telephone.

Employee 3 has a Degree in Electrical from College. He has worked

in the computer industry since 1979. Employee3 has been working in

security at Brand for about 15 months. Employee2 started with Brand

about 1986. He became a Brand Engineer about 1989, and has held several

jobs of a technical nature. The last four years he has worked as an

Investigative Technician for Brand Security. Frank L. Edwards spent 7

years with the FBI, 2 1/2 years with FarState xxxx Department and four

years with Brand as Manager of Investigations.

The information in this affidavit was furnished to affiant by these

Brand investigators and Michael Houser, a Brand Manager. Your Affiant

has worked with Brand Security on previous occasions, and knows the

personnel to be experienced and reliable. A report in Memo form from

Scott Employee3 is attached as Exhibit A. To the best of your affiant's

knowledge, these Brand employees are reliable and trustworthy citizens

without involvement in criminal activity.

Brand's internal corporate network is designed to link Brand

facilities with electronic mail, transfers of data and source code, and

phone system messaging. Brand Security personnel describe it as one of

the largest in the world. The network links facilities such as the major

products research & development sites at Texas; FarState; San Jose, Ca.;

Ca.; sites in the United Kingdom, smaller development sites, (which do

not do major product development), and Brand sales offices. There are

over 40 connections on the network worldwide.

Your affiant was informed by these Brand Security investigators

that the problem with the network intruder first came to Brand's

attention on December 20, 1993, when an unknown individual called a

Brand employee posing as a Novel engineer named John Cash. The person

posing as Cash asked the Brand employee for his password to a Brand

computer file server, a 486 Personal Computer named "Money", located at

the Engineering Department in FarState. The computer file server named

Money contains source for Brand Software, has ever developed. The

engineer provided the person his password. This password enabled the

intruder to log into the file server, Money.

Employee4, one of the administrators for the file server named

Money, checked the internal logs of Money, and found that someone had

tried to log in as John Cash through the Brand network computer located

at the Brand facility at View, FarState. Further investigation indicated

that the intruder had telnetted into View, FarState from an unknown

location. (Your affiant knows telnetting to be the method where a user

connects to a remote computer via his own computer and directs the

remote computer to perform various functions.) Once the intrusion had

been verified, Brand started searching intrusion logs on the Money file

server to ascertain who had attempted to log onto the computer.

Security and administrators then called the employees whose names and

accounts had been used by the intruder in attempt to gain access to the

file server.

Some employees on that list contacted the administrators and

informed them that they had been contacted by a telephone caller who

attempted to persuade them to divulge their passwords. Security

contacted some of the employees who said that the caller identified

himself as `Doug Smith' from Brand. `Smith' told them he was working

on the Money file server and needed their password to make corrections.

Affiant knows this to be a method used by network intruders to

fraudulently obtain passwords. Security then warned employees not to

give out passwords on the telephone, but employee interviews revealed

that the intruder was still able to obtain more passwords.

Employee3, working with Michael Houser, Brand Development Systems

Manager and Employee6 Brand Sr. Service Engineer also found several

"Trojan Horses" on the entire Brand network. A Trojan Horse refers to

a program covertly placed in a computer system to perform a function not

authorized by the system administrator or owner. This Trojan Horse

system was designed to capture passwords and then allow retrieval by the

intruder. Numerous passwords were captured but only 2 could be used

without having to contact their owner. The owners of these two

passwords were using the same passwords on the Brand Unix system as well

as the Brand System, which runs on DOS systems. Money is on the system

and these two passwords allowed the intruder access to Money. Logs of

activity on Money, which were provided by one of three system

administrators, Jason Johnson, are attached as Exhibit B.

Using the passwords gained through contacting the employees and

from the trojan horses, the intruder was connecting to various computers

on the Brand corporate network, telnetting from machine to machine.

On or about December 28, 1993, a male individual telephoned

Employee8, the Program Manager in the Brand Software Engineering

Department, FarState, for Brand utility source code. The man identified

himself as a Brand employee named Richard Hoover and requested employee8

place a copy of Brand Source Code on the file server "Flower" into an

account called "Richard" with the password being "Richard1". Employee8

complied with the request.

On January 4, 1994, at 6:18 pm a male phoned Brand Information

Services Desk, San Jose, California, and left a message on voice mail,

for employee9, the system administrator, directing him to set up a modem

access account for Richard Hoover with the password "goose". This

caller had also previously talked to employee9. This account was

established on January 5, 1994. The modem access accounts from this

facility connect to the Brand Corporate Network, allowing a user to

connect to computers where the user has a password and user name.

On January 5, 1994, Employee8, the program manager for utility

source code, received a telephone call from a person identifying

himself as Richard Hoover. This person asked Employee8 to put all of

the Brand Version X Source Code on a file server called Flower.

Employee8 tried to load the software; however, it would not fit on this

file server. Employee8 phoned Brand employee Richard Hoover, at the

Brand facility in View, FarState and told Hoover that the entire set of

source code would not fit. The majority of the source code files were

however transferred to the computer before it became full.

Richard Hoover is a Brand Engineering Manager in the Unix Systems

Group at View, FarState, who has authorized access to this utility

source code. Richard Hoover informed Employee8 that he did not know

what Employee8 was talking about and denied he had made such a request.

Employee8 then asked Hoover if he had been the person who had requested

that version Y be placed on the file server "Flower" the week previously.

Hoover denied that he had ever made such a request. Richard Hoover

subsequently told Employee3 that he had never requested a modem access

account through Brand's San Jose Office. Employee8 said that an unknown

person had removed Version X Source Code from the computer. Brand

security suspects that was done to make room for version Y.

About January 5, 1994 Michael Houser installed a product called

LANalyzer, to trouble shoot network problems, on the network at the

Brand View, FarState facility. The LANalyzer was placed in that portion

of the Brand network where file server "Flower" resides so that it could

watch the traffic in and out of Flower. The LANalyzer captures network

data packets which contain destination and origin data. Houser reviewed

the data, which showed the intruder retrieving passwords from the Trojan

Horse and the transfer of Brand Ver X source code for LogAB and LogCD to

the Colorado Supernet account "Ben".

The captured data from LANalyzer shows commands being executed by

the intruder to put Brand source code into a computer account on the

Colorado Supernet in the name of `Ben'.

Name2 is the source code for

the Name 2 file that resides on the operating system in an installed

Brand networking system on a computer and allows a person to log into a

Brand system. The estimated value of Name2.exe is worth in excess of

$1.00.

Richard Hoover e-mailed a message regarding the transfer of the

data to the systems operator, Trent Hein, at the Colorado Supernet.

Colorado Supernet is a commercial service provider of accounts on the

Internet to members of the public. Hein told Hoover that the account

named "Ben" where the Brand data was being deposited had been

compromised and the intruder was not authorized to use it. The logging

system at Colorado Supernet showed FTP (File Transfer Protocol)

connections being made from 17 different Brand computer systems on the

Brand Network to the `Ben' account. The FTP command is used to copy

files to and from computer systems, although it can be used to look at

a computer directory. Logs from the Colorado Supernet system, for the

account Ben, from December 24, 1993, to January 7, 1994, were sent to

Brand and are attached to this affidavit as Exhibit C. From December

24, 1993 to January 7, 1994 connections from Brand were made with

Colorado Supernet approximately 4 times per day. On January 7, 1994, 10

connections from 4 different Brand computer systems were made to the

Colorado Supernet.

Employee11, a Brand Lead Engineer in the Software Engineering

Division, FarState, for a new unpublished Brand project, has a computer

running the HP Unix operating system. On January 18, 1994, he installed

a "wrapper" on this computer and changed all of the users passwords.

Michael Houser explained that a wrapper is a program that keeps anyone

out of a computer who is not an authorized user trying to connect from

a computer that has been specifically designated as having permission to

connect. Employee11 then checked his computer's logs and found an

intruder trying to access this computer from a computer on the Brand

network at the Brand facility, San Jose, California. The computer at

the facility in San Jose is a 3Com computer terminal server connecting

the inbound modem for telephone numbers (408) 999-1111 & (408)999-1112.

This 3Com terminal server (computer) is designed to allow remote

connection to Brand's internal corporate network via modem by calling

these telephone numbers. The Modem connects the caller to the network

via the 3Com terminal server. Brand Security has determined that there

have been in excess of 140 logins through this telephone number using

the fraudulent account of Richard Hoover that had been established in

San Jose. The intruder used this account and telephone number

approximately 4 -5 times on January 19, 1994 and left a message that

read as follows:

"I know you idiots are watching, goodbye asshole."

On one of these occasions on January 19, 1994, the intruder using

(408)999-1111 as a connecting point e-mailed all of Brand's technical

publications to a user on the Colorado Supernet.

Employee3 said the intruder had gained root access at the beginning

of the intrusions. Root access gives the intruder system administrator

status which would allow the intruder to change passwords and to create

methods to gain entry back into the system at some later time even after

the intrusion has been stopped. Michael Houser said that the intruder

has obtained root access at least 50 times. The intruder has put a

hacked program on the root directory on at least 6 computers on the

Brand network. Five (5) of these computers are at the Drive facility in

San Jose, California. The hacked program is a modified version of a

legitimate Sun program called Newgrp. This program at the root level

allows the intruder to move into other computers and make changes.

Based on training and experience, it is your affiant's opinion that

this series of intrusions throughout the Brand Network has all been

perpetrated by the same individual or individuals, based on similarity

of methods used, times, interest in Brand source code and the use of

Brand employee names.

Your affiant is informed and believes based on the

representations of Jim Capili, an Investigator for Pacific Bell, that

the items requested in this application are the type of records

obtained, kept, and maintained by Pacific Bell when they perform a "trap

and trace". On January 19, 1994 your affiant notified Jim Capili that

he would be making this application to the Court.

Affiant is requesting a further Order authorizing Pacific Bell,

AT&T and any other provider of electronic or wire communication service

to the numbers (408) 999-1111 and (408) 999-1112 to install an appropriate "trap and

trace" device in switches connecting to the aforesaid numbers in order

that the origin of these calls can be established.

Therefore, your affiant further requests that such an order be

made.

Your affiant is informed and believes that telephone companies,

including Pacific Bell and AT&T, are required to advise subscribers of

telephone service who are identified pursuant to searches such as here

requested, unless the court ordering the installation of a "trap and

trace" device makes a specific order to the contrary. Your affiant

believes that any such disclosure might alert suspects as to the nature,

scope, and direction of this investigation before it is completed, and

could therefore impede the investigation and interfere with the

enforcement of the law. Therefore, your affiant would request that the

Court issue the following order as part of its Order:

Pacific Bell, AT&T and their agents and employees,

and any other provider of wire or electronic

communication service subject to this Order and its

agents and employees shall not disclose to the

subscriber(s) of the telephone service described

herein, or those subscribers identified as calling

the above mentioned number(s), the existence of

this Order or of this investigation, unless

otherwise ordered by this Court.

That based upon the above facts, your affiant prays that an order

be issued as requested above.

 

___________________________

JOHN C. SMITH

Subscribed and sworn to before me

this day of January, 1994.

___________________________

JUDGE OF THE SUPERIOR COURT

 

Exhibit A - Report by Employee3

Exhibit B - Delyle Johnson's Money activity logs

Exhibit C - Colorado Supernet activity logs

This affidavit was used to trap and trace telephone numbers calling into

a business. This affidavit would not authorize the telephone company to

release the subscriber information (name and address), this would

require another affidavit and order.

GEORGE W. KENNEDY, DISTRICT ATTORNEY

FRANK DUDLEY BERRY, JR., Deputy District Attorney

High Technology Unit

Attorneys for the People

SUPERIOR COURT OF THE STATE OF CALIFORNIA

IN AND FOR THE COUNTY OF SANTA CLARA

 

 

In re Order authorizing "trap and trace" device and a "number/call

search".

NO.

APPLICATION FOR ORDER AUTHORIZING "TRAP AND TRACE" DEVICE, AND

"NUMBER/CALL SEARCH", [18 USC § 3123]

Personally appeared before me this 28 day of June 1994,

Investigator John C. Smith who requests an order authorizing the

installation of a "trap and trace" device, number/call search, and

release of subscriber information and on oath, deposes and says that

there is just, probable, and reasonable cause to believe, and that he

does believe, that the telephone number(s) from which incoming calls are

to be trapped/number searched and identified are being used in

connection with criminal activity and that the information likely to be

obtained by such installation and use is relevant to an ongoing criminal

investigation.

Your affiant is requesting that this Court authorize a "trap and

trace" by the American Telegraph and Telephone Company, Pacific Bell

Telephone Company, and any other provider of electronic or wire

communication service for the telephone number specified below.

Affiant is seeking to determine the origin of all telephone calls

made to Computer Co. Inc. Computer Corporation telephone numbers (415)

222-0000 to and including 222-9999 and (415) 333-0000 to and including

333-9999, as well as records showing the date, time, and length of

call, together with the area code, telephone number, subscriber

identification information (including name and address), and location of

the calling telephone device.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this

court order are as follows:

Your affiant, John C. Smith, is a Senior Criminal Investigator

(Peace Officer) employed by the Santa Clara County District Attorney's

Office in Santa Clara County, California. Your affiant has been

assigned to the High Technology / Computer Crime Unit of that office

since December 1989. He has been a California Peace Officer since June

1965. He is a member and past President of the High Technology Crime

Investigators Association (HTCIA), and the Santa Clara Valley Industrial

Security Managers Association. He has been a Macintosh computer user

since about 1986 and an IBM PC user since 1990 and owns both types of

computers. He is a regular user of the Internet and has had classes on

the Unix/Workstation operating environment. He has over 274 hours of

training in the High Technology field. He has worked at least eight (8)

prior network/intrusion type cases and given several talks to computer

professionals on investigating intrusions. He has conversed with experts

in federal law enforcement corporate network security who have

specialized in these cases, and who have considerable experience in

investigating and interacting with persons who have illegally accessed

computers.

Your affiant was contacted by the Police Department on 6-16-94 and

asked to investigate this matter, which was designated by the Police

Department as case # 92-7354.

Your affiant started his investigation case #94-0-0888, on 6-16-94

by interviewing Patrick Jones, Manager of Network Security, and Manager

of Information Resources Advanced Networking Group, Computer Co.

Computer Corporation. Computer Co.'s Network Security unit is

responsible for Computer Co. Network security, policy, workstation and

system security audits, and intrusions into Computer Co. computer

systems and networks.

Jones gave your affiant the following information: He has worked

for Computer Co. for 9 years. He has been the Manager of Security

(networks) for the last 9 months. He has worked in the communication

industry for 19 years with the last 15 years being in data and voice

type network systems. Working in this field required him to become

knowledgeable about security issues.

Jones advised that it is his opinion that an unknown person has

been attempting to penetrate Computer Co.'s corporate computer system by

gaining access through telephone analog lines. Computer Co. has 10,000

telephone numbers dedicated to their corporation. These numbers are

designated through two prefixes, (415) 222-0000 thru 222-9999 or (415)

333-0000 thru 333-9999. Jones said that an unauthorized intruder has

been using some type of an automatic dialer program that can check a

telephone line for a connection about every six (6) seconds. The

intruder has narrowed down the attempts to connect to only analog

telephone lines that have a tone which are used to connect to computers

and fax machines.

On 6-20-94, affiant was furnished with the report from Helen

Phillips, Computer Co. Network Support Specialist, dated 6-16-94, and

attached as Exhibit A. In this report Phillips explains that Computer

Co. has experienced an increase in telephone calls at the Town Computer

Co. facility from an average of approximately 11,000 per day to a peak of

44,000 calls per day on 6-3-94.

On 6-23-94, your affiant went to the Computer Co. facility in Other

Town and met with Computer Co. employees, Patrick Jones, Helen Phillips

and Roger Green, Network Security Consultant.

Helen A. Phillips, is a Network Support Specialist, in the Network

Administration Department. She has worked for Computer Co. for about 5

years. Prior to working for Computer Co., she was a telephone

communications technician for Pacific Bell and American Telephone for

about 9 years. She was trained by Pacific Bell. Phillips's job is

collecting and billing "Call Detail Recording". This data shows the

telephone usage by Computer Co. employees on the telephone PBX.

Phillips watches for unusual activity and follows up by notifying

management of that activity. Phillips gave affiant the following

information: Computer Co. leases their telephone system from

Communication Company. As detailed in her report of 6-16-94, she

observed an alarming jump in total number of call records at certain

locations. She watches five locations. She researched the calls

coming in and found that the majority of calls were going to numbers not

in service. (At the present time, only about 1,000 of the 5,000 numbers

are active.) Phillips observed that the duration of the calls were 6

seconds or less.

Phillips observed that when the calls started on 5-24-94, all of

Computer Co.'s telephone numbers were being called. Thereafter the

calls were focused on numbers that have a tone signifying a

connection to either a fax machine or computer modem. As Phillips

examined the logs of the numbers called, she also observed repeated

calls to the same number. She believes that the intruder did not know

what telephone numbers to call in the beginning, but then learned which

telephone numbers were for analog lines to fax machines and computers.

Some telephone numbers have been hit as many as 300 times per day and

others 60 times per day. This is not a normal level of Computer Co.

business activity. She found that one line with a tone (telephone

number) was hit 27 times in one minute.

Roger Green is a Network Security Consultant in the Network

Security Department. Green gave affiant the following information: He

has worked at Computer Co. Inc. for 3 years. Prior to joining Computer

Co., Green worked at Large company from 1986-1989. He has a Bachelor of

Science Degree from University. Green writes security policies, does

intrusion investigations, and evaluates software for enhancing Computer

Co. internal security.

Green explained how modems and computers attach to the Computer Co.

telephone system. He explained that someone can dial a telephone number

that is connected to a modem and workstation and, if that person has the

correct password or can determine the correct password, they have access

to Computer Co.'s corporate world wide computer network that connects

their facilities in many countries and Computer Co.'s 6,456 employees.

Computer Co. policy requires every computer with a

modem to have it configured with software that sets up a call back

procedure. Your affiant knows from training and experience that a

callback procedure requires someone calling a telephone number to obtain

a connection to a computer to give a password. The computer being

called has been programmed not to allow a connection, but to telephone

back to a preprogrammed telephone number. When the computer telephones

back to the prearranged number, the person requesting the connection has

to enter a second password. If there is no call back procedure in

place, an intruder with the right type of software can call a number and

once a tone is received, the computer/software generates a number

emulating a password. If the password is incorrect, the calling

computer hangs up and dials the number again, this time generating

another number attempting to match the password of the computer being

called. These password dialer programs are designed to be left running

indefinitely, recording any telephone numbers and correct passwords that

are successfully determined.

However, Green knows some people have not complied with this

policy. Green is concerned that the intruder will hit a modem number

that is not set up according to Computer Co. policy with a call back

number. Green also said there are a fair number of modems that have

been distributed to people thru the Computer Co. corporation and these

modems are not set up thru Computer Co. modem pools but hooked directly

to a desk top computer and individual telephone. He knows of about 50

modems in the corporate headquarters building in Palo Alto and estimates

that there may be as many as 200 modems through the Computer Co.

facilities in Santa Clara County. The Computer Co. modem pools are all

configured with call back software.

When affiant asked Green and Jones what they thought the motive

would be for an Intruder to gain access to the Computer Co. computer

network, they gave several reasons. They said that Computer Co.

operating system (OS) source code is valuable, costing in the range of

xxx per copy, and can be downloaded from the Computer Co. network.

Also, if an intruder can learn how to break into Computer Co., such

knowledge would help the intruder learn how to break into other sites.

Affiant examined the list of Computer Co. telephone numbers called

by the intruder and noticed that certain numbers were being called

multiple times. Affiant is aware of at least one other instance where

even after an intruder was successful in obtaining a password for

a telephone number, the program continued to try other numbers to obtain

the password for each number. Intruders continue to look for other

passwords for specific telephone numbers in the event they are

discovered and closed out of a telephone number they have learned.

Your affiant is informed and believes based on the representations

of Darrell Santos, an Investigator for Pacific Bell, that the items

requested in this application are the type of records obtained, kept,

and maintained by Pacific Bell when they perform a "trap and trace" and

"number/call" search. On June 16, 1994, affiant notified Darrell Santos

that affiant would be making this application to the Court.

Affiant is requesting a further Order authorizing AT&T, Pacific

Bell, and any other provider of electronic or wire communication service

to install a "trap and trace" and "number/call search" device.

Therefore, your affiant further requests that such an order be

made.

Your affiant is informed and believes that telephone companies,

including AT&T and Pacific Bell, are required to advise subscribers of

telephone service who are identified pursuant to searches such as here

requested, unless the court ordering the installation of a "trap and

trace" device makes a specific order to the contrary. Your affiant

believes that any such disclosure might alert suspects as to the nature,

scope, and direction of this investigation before it is completed, and

could therefore impede the investigation and interfere with the

enforcement of the law. Therefore, your affiant would request that the

Court issue the following order as part of its Order:

AT&T, Pacific Bell, and their agents and employees,

and any other provider of wire or electronic

communication service subject to this Order and its

agents and employees shall not disclose to the

subscriber(s) of the telephone service described

herein, or those subscribers identified as calling

the above mentioned number(s), the existence of

this Order or of this investigation, unless

otherwise ordered by this Court.

That based upon the above facts, your affiant prays that an order

be issued as requested above.

___________________________

JOHN C. SMITH, Investigator

District Attorney's Office

Santa Clara County

Subscribed and sworn to before me

this 28 day of June, 1994.

___________________________

JUDGE OF THE SUPERIOR COURT

EXHIBIT A - Report of 6-16-94 by Helen Phillips.
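The call-pattern signals Phillips and Green describe in the affidavit above (calls lasting six seconds or less, calls to numbers not in service, a sweep through the whole prefix that then narrows to lines answering with a tone, one line hit 27 times in a minute, and a daily volume jump from about 11,000 to 44,000) can be turned into a check that runs over a PBX Call Detail Recording export. The following is an added example for this page; it is not part of the affidavit and is not Computer Co.'s or Pacific Bell's own tooling. The CDR field layout (timestamp, called number, seconds), the set of in-service numbers, the baseline call volume, the thresholds and the sample records are all assumptions constructed for illustration. Calling numbers are deliberately left out of the records, because the affidavit's CDR did not identify the caller, which is what the trap and trace order was for.

```python
"""War-dialer detection over PBX Call Detail Records (CDR).

Added example for this page, not part of the affidavit and not
Computer Co.'s own tooling. The CDR layout, thresholds and sample
records are constructed assumptions; real PBX exports differ by vendor.
"""
from collections import Counter
from datetime import datetime

# Constructed inbound CDR export: timestamp, called number, call length in
# seconds. No calling number: the affidavit's CDR did not carry one, which
# is why a trap and trace was requested.
SAMPLE_CDR = """\
1994-06-03 02:14:00,4152220001,4
1994-06-03 02:14:06,4152220002,5
1994-06-03 02:14:12,4152220003,3
1994-06-03 02:14:18,4152220004,6
1994-06-03 02:14:24,4152220005,5
1994-06-03 02:14:30,4152220006,4
1994-06-03 02:15:00,4152221234,6
1994-06-03 02:15:02,4152221234,5
1994-06-03 02:15:04,4152221234,6
1994-06-03 02:15:06,4152221234,4
1994-06-03 09:30:00,4152221234,340
1994-06-03 10:05:00,4152224321,120
"""

ACTIVE_NUMBERS = {"4152221234", "4152224321"}  # in-service lines (assumption)
SHORT_CALL_SECS = 6                            # "6 seconds or less" per the report
BASELINE_CALLS_PER_DAY = 5                     # constructed baseline for the sample


def parse_cdr(text):
    """Parse constructed CDR lines into dicts with a datetime, called number and seconds."""
    records = []
    for line in text.strip().splitlines():
        ts, called, secs = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "called": called, "secs": int(secs)})
    return records


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive dialled numbers (a sweep through a prefix).
    `numbers` must be sorted ascending; an empty list scores 0."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best


def inbound_profile(records, active_numbers):
    """Signals from the affidavit: tone-probe-length calls, calls to dead numbers,
    sequential sweeps, and repeated hits on a single line per minute and per day."""
    total = len(records)
    short = sum(1 for r in records if r["secs"] <= SHORT_CALL_SECS)
    dead = sum(1 for r in records if r["called"] not in active_numbers)
    per_minute = Counter((r["called"], r["ts"].strftime("%Y-%m-%d %H:%M")) for r in records)
    per_day = Counter((r["called"], r["ts"].strftime("%Y-%m-%d")) for r in records)
    return {
        "total": total,
        "short_fraction": short / total if total else 0.0,
        "dead_fraction": dead / total if total else 0.0,
        "longest_sweep": longest_sequential_run(sorted({r["called"] for r in records})),
        "max_hits_per_minute": max(per_minute.values(), default=0),
        "max_hits_per_day": max(per_day.values(), default=0),
    }


def daily_volume_spikes(records, baseline_per_day, factor=2.0):
    """Days whose inbound call count is at least `factor` times the normal daily volume."""
    per_day = Counter(r["ts"].strftime("%Y-%m-%d") for r in records)
    return {day: n for day, n in per_day.items() if n >= factor * baseline_per_day}


def is_war_dialing(profile, min_calls=5):
    """Flag when most calls are probe-length and at least one sweep or hammer signal fires.
    Thresholds are assumptions; tune them to the site's normal call mix."""
    if profile["total"] < min_calls or profile["short_fraction"] < 0.8:
        return False
    return (profile["longest_sweep"] >= 5
            or profile["max_hits_per_minute"] >= 3
            or profile["dead_fraction"] >= 0.5)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    prof = inbound_profile(recs, ACTIVE_NUMBERS)
    for key, value in prof.items():
        print(f"{key:>20}: {value}")
    print("volume spikes:", daily_volume_spikes(recs, BASELINE_CALLS_PER_DAY))
    print("war dialing suspected:", is_war_dialing(prof))
```

In practice the export comes from the PBX's call accounting feed rather than the inline sample, and the in-service list comes from the telecom inventory; the thresholds should be set from the site's own history, since a busy fax line can legitimately show many short calls. Once trap-and-trace records arrive, adding the originating number as a field and grouping the same profile by caller separates the scanning source from ordinary short calls.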

 

This is new language for seizing computer equipment.

for the following property:

1. Any and all documents, including documents stored in computer

readable form, that contain the (NAME OF ITEM) or any portion

thereof.

2. Any and all documents, including documents stored in computer

readable form, that contain the words (NAME OF ITEM)

Confidential,

3. Any and all documents, including documents stored in computer

readable form and computer files, relating to (NAME OF ITEM)'s

4. Any and all computers, including any peripheral devices

connected thereto, as well as any and all hard disks, floppy

disks, computer tapes, CD-ROM's, and other computer storage

devices.

5. Any and all computer manuals and instructions for the use of

any computers and associated peripheral devices found at the

premises.

6. Any and all documents showing the identity of persons

occupying and/or in possession of the premises to be searched

including, but not limited to, utility company bills,

telephone bills, mail and personal papers.

Seizure of computer systems:

Your affiant knows from his training and experience that

computer systems commonly consist of a central processing unit

(CPU), connected to peripheral devices such as hard disk drives,

floppy disk drives, tape drives, CD-ROM's, display screens,

keyboards, printers, and modems (used to communicate with other

computers). In order to examine a computer system it is sometimes

necessary to have all original peripheral devices connected to the

CPU in order for the system to work properly.

Computer users also maintain floppy disks and other forms of

computer readable media which can store computer data and can be

moved from one computer system to another. Floppy disks typically

store up to 1.4 megabytes of data. (A megabyte is one million

bytes of data. One byte of storage is needed for each text

character stored.) The computer systems currently in use today

typically come configured with internal hard disk drives with a

storage capacity of 200 megabytes or more. Hard disk drives on the

market today can have storage capacities as high as one gigabyte,

which is one-thousand megabytes of storage. In searching computer

systems it is not unusual to find a large number of floppy disks along

with the computer system. It would not be unusual to find hundreds

of floppy disks associated with a computer system.

Your affiant requests permission to seize all computer systems

and computer readable media found at the scene without first

conducting an examination of each and every hard and floppy disk to

determine if such systems and media contain the items requested in

this affidavit. Computer users frequently collect a great deal of

software on disks or other computer readable media. Searching that

media at the search scene within a reasonable amount of time to

determine which material is relevant to this investigation is not

usually possible. It can take up to one hour to search just one

(1) megabyte of computer storage. Given the storage capabilities

of modern computers and floppy disks it could easily take upwards

of 200 hours just to search one computer system and its associated

floppy disks.

Finally, the computer and magnetic media is the best

available. Magnetic media is easily erased or destroyed. Leaving

magnetic media behind may result in the loss of that magnetic media

as . Your affiant believes that it is better to seize the original

than to rely solely on copies which have not been authenticated in

the presence of counsel for persons who could face criminal charges

based on material found pursuant to this warrant.

Your affiant also seeks to seize documentation associated with

the computer(s) found at the scene. Your affiant may need that

documentation to search the computer. Moreover, that documentation

may well contain information identifying the owner and/or user of

that computer.