[ISN] A Palmtop for the Prosecution

From: InfoSec News (isnat_private)
Date: Fri Oct 25 2002 - 01:43:48 PDT

    Forwarded from: William Knowles <wkat_private>

    October 24, 2002

    The Sony Clié was as good a smoking gun as investigators could get in
    a white-collar crime.

    When the police in San Jose, Calif., broke up an identity-theft crime
    ring two weeks ago, they used search warrants to seize and examine the
    hand-held organizers of the suspects, including that of the man the
    police said had been the ringleader, Julian Torres, 21.

    Stored on Mr. Torres's Clié, investigators said, were the names of
    more than 20 victims along with their Social Security, bank account
    and credit card numbers and other personal information. Mr. Torres's
    To-Do list included tasks like picking up materials at the local
    office supply store to make fake checks, the police said. E-mail
    messages contained confirmations of transfers from victims' bank
    accounts. He had even used the Clié's digital camera to take pictures
    of his partners in crime. It was hard for Mr. Torres to deny the Clié
    was his, the police said, given that he had entered his parents' phone
    numbers under "Dad" and "Mom."

    "This was the tool he used to perpetrate his crimes," said Alan Lee, a
    detective from the San Jose high-tech-crime unit who helped on the
    case. "Everything is there." Information on the Clié helped
    investigators find another two of Mr. Torres's accomplices, he said.
    Mr. Torres is being held in jail on $1 million bail.

    As hand-held organizers like the Clié and Palm have soared in
    popularity, it's not just law-abiding citizens who appreciate their
    usefulness in managing appointments, contacts and schedules.
    Criminals, too, are using them to coordinate their activities. And the
    rise of the organizer as a criminal tool has bred a new category of
    forensic scientist: the Palm reader.

    Drug dealers use contact lists to track buyers and suppliers,
    investigators say, while drug makers, like those who run clandestine
    methamphetamine laboratories, use memos to keep recipes and ingredient
    lists. Pimps use the devices to keep track of clients, revenues and
    expenses. Smugglers and money launderers track their transactions on
    spreadsheets. Stalkers have been known to store their fantasies and
    victims' schedules on their Palms.

    Even spies have used them. Corporate spies have downloaded sensitive
    documents to their hand-helds and quietly walked off with them. Robert
    P. Hanssen, the F.B.I. agent who was sentenced to life in prison in
    May for selling secrets to Moscow, used his Palm III to keep track of
    his schedule to pass information to his Russian contacts. (He also
    asked them for an upgrade to a Palm VII because of its wireless

    Police officials are beginning to seize and analyze personal digital
    devices in their investigations (a warrant allowing search of a
    suspect's electronic devices is usually required). What they often
    find is a trove of detailed, intimate, up-to-date information. That
    data has been used to prosecute criminals, penetrate their networks
    and better understand their methods.

    The data contained in a hand-held says a lot about its owner, whether
    that person is a corporate tycoon or a petty thief. "It's an alter
    ego," said Larry Leibrock, who teaches at the University of Texas at
    Austin and has been a consultant in many forensic cases involving
    hand-helds. "It represents their aspirations, who their contacts are,
    where they spend their time, their tasks and objectives, and how they
    completed those."

    Even sensitive information is rarely password protected, demonstrating
    a general naïveté that many people have about the security of their
    digital devices.

    Hand-held users often believe - wrongly, investigators say - that what
    is personal is also private. "People assume that only they can have
    access," Dr. Leibrock said.

    As the criminals are discovering, that isn't the case. The simplicity
    of a hand-held makes information easily retrievable - not only by the
    owner, but by whoever has physical access to the device.

    "The natural consequence of the information revolution is that our
    lives are centered around processes and equipment whose sole purpose
    is to collect data," said David Aucsmith, a security architect for
    Microsoft. "These devices are all trying to make your life easier."

    While hand-held forensics has mostly been focused on criminal
    investigations, the devices are popping up as evidence in civil cases
    as well - in intellectual property disputes between companies, for
    example, and divorces. A handful of companies, like Guidance Software,
    the Paraben Corporation and AtStake, have made a business of helping
    investigators preserve and analyze data.

    While organizers are used mostly in white-collar crimes, they have
    also been helpful in homicide investigations. When the police were
    investigating the murder of 7-year-old Danielle van Dam near San Diego
    last February, for example, they copied the contents of four computer
    hard drives and a Palm Pilot belonging to the man who was convicted in
    the case, David A. Westerfield.

    In a recent homicide case in Texas, the assailant turned out to be a
    person on the contact list in the victim's organizer. "It was a close
    personal friend who did it for financial gain," said Amber Schroader,
    who is director of forensics for Paraben, in Orem, Utah, and helped
    with the investigation.

    The police will often seize a suspect's organizers to establish a link
    with the victim, check on alibis or determine motivation. In an
    attempted homicide case that Dr. Leibrock recently worked on, the
    suspect planned his day around his victim's schedule, which he kept in
    his Palm. The man, whom Dr. Leibrock described as obsessive
    compulsive, also kept detailed notes of his fantasies about the woman
    on the device. "He was going to capture this woman, tie her up and
    have his way with her," Dr. Leibrock said.

    People are remarkably truthful on their personal digital devices -
    even when they are lying elsewhere. Federal investigators from the
    Department of Health and Human Services will use doctors' own
    organizer schedules to catch them for falsely billing for Medicaid and
    Medicare patients they have never seen. (Investigators don't need a
    warrant for these searches, since doctors agree to make records
    available as a term of their participation in the programs.)

    Organizers are rarely encrypted or password-protected - even when
    criminals take similar precautions in other electronic formats. "If
    you went to their desktop machine they would have a good 5 to 10
    passwords," Ms. Schroader said. "But when it came to their P.D.A. they
    felt it was so close to them that they didn't need it."

    In fact, investigators often find passwords for protected desktop or
    laptop computer files stored on suspects' hand-helds.

    Even when Palms are encrypted, they are remarkably easy to crack, said
    Joe Grand, the principal engineer at Grand Idea Studio, a product
    design firm in Boston, who has analyzed the security flaws in the Palm
    operating system.

    Organizers are easy to locate, because they are almost always found
    with individuals or in their cars. As a result, the devices themselves
    even help in identifying bodies. In a suicide case in Virginia in
    March, for example, a decomposing body was found on the Appalachian
    Trail with a hand-held but no wallet or other identification. When the
    device was cleaned off and powered up, it revealed the name of the
    55-year-old Maryland man who had shot himself.

    Previously the information now found in one place may have been
    scattered in various locations - wallets, desks, cars and even

    "It gets a little disgusting sometimes when you have to dig through
    their trash for their bank statements," said John Holzer, a special
    agent with the Commerce Department's Office of Export Enforcement,
    which is responsible for preventing certain goods from being exported
    to countries like Libya and Iran. In tracing suspicious American
    companies, the agents often search for account numbers to subpoena
    bank information to look for money transfers from foreign banks.

    But now, Agent Holzer and fellow investigators have begun to find
    account numbers stored neatly on the hand-helds of suspected export
    violators. "It saves us from the white spaceman suits and jumping into
    the big Dumpster," he said.

    As with computer hard drives, deleting something on a hand-held
    doesn't make it really gone.

    "Things people think are deleted are still retrievable," said Larry
    Gagnon, a detective with the Peel Regional Police in Ontario. "Whereas
    if you rip up a piece of paper and throw it out, it's gone for good."

    Investigators say that organizers have also been used to commit
    crimes. In a case in Texas, a government employee was caught using his
    Handspring Treo to transfer child pornography. "When we pulled the guy
    in to do an interview, what does he have on his pocket but the
    wireless device," said Jamey Tubbs, a federal law enforcement agent
    who worked on the case. "We seized it right then and there."

    In another case earlier this year, a Fortune 500 company in the
    Chicago area discovered that an employee was using his company-issued
    Palm to steal patent applications bit by bit. "It totally blew their
    mind," said Thomas Rude, a security consultant from Atlanta who was
    called in to investigate the case.

    Hand-held analysis may become even more fruitful over the next few
    years as the devices become more sophisticated and gain wireless
    capabilities. A person's movements can often become a critical issue
    in civil and criminal investigations.

    Michael Burnette, director of information technology at an Atlanta law
    firm, Rogers & Hardin, made an interesting discovery when he was asked
    to do forensic analysis on a BlackBerry, the popular wireless device.
    Because BlackBerries are always on to receive e-mail, they constantly
    communicate with the network around them and create an internal ledger
    of the nodes they have recently talked with. "It's moving around with
    you and telling a story about you," Mr. Burnette said. "But then
    again, it has to be intimately intertwined with who you are in order
    to be as useful as it is."

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org

    ISN is currently hosted by Attrition.org