Transcript of "Computer Searchs, Electronic Communication, Computer Trespass"

  1. Computer Crime and Digital Evidence Legal Issues
      Ivan Orton, Complex Prosecutions & Investigations Division, King County Prosecutor’s Office, 500 Fourth Ave., Rm. 840, Seattle, WA 98104, [email_address], 206 296-9082
  2. Legal Issues that Arise in Three Situations
      - Warrants for searching computers
      - Warrants for tracing electronic communications
      - What constitutes a computer trespass
  3. Fixing a Bad Warrant, Already Executed
  4. Legal Problems in Computer Searches
      - Warrant does not establish PC to search (or seize) computer
      - Getting a second warrant
      - Using general custom or habit information to establish PC
      - Taking computer offsite for searching
  5. Legal Problems in Computer Searches (cont)
      - Consent searches
      - Search incident to arrest
      - Out of State warrants
      - Time limits on execution of search
  6. Legal Problems in Computer Searches
      - Warrant does not establish PC to search (or seize) computer
  7. General Search Law for Containers
      - United States v. Ross (US Supreme - 1982)
        - “A lawful search of fixed premises generally extends to the entire area in which the object of the search may be found and is not limited by the possibility that separate acts of entry or opening may be required to complete the search”
      - United States v. Hunter (D. Vt. 1998)
        - “A finding of probable cause is not predicated on the government’s knowing precisely how certain records are stored.”
  8. It is axiomatic that when a search warrant properly describes the things to be searched and seized, it also authorizes law enforcement officers to search inside any container in which the items could reasonably be found.
      State v. Mazzaferro, Div I, 2007 UNPUBLISHED OPINION
  9. The Grow House
  10. The Card Reader
  11. The Unpublished Opinions
      - Mazzaferro
      - Dunn
  12. Issues
      - Other than naming computer, how can we make sure computer records are covered?
      - “Records” means those items in whatever form created or stored.
  13. Legal Problems in Computer Searches
      - Getting a second warrant
  14. Legal Problems in Computer Searches
      - Using general custom or habit information to establish PC
  15. Legal Problems in Computer Searches
      - Taking computer offsite for searching
  16. Content of the Affidavit: Issues
      - Can Police take a computer offsite for examination?
  17. Content of the Affidavit: Issues
      - What about if you request and receive permission in the warrant?
      - Some 9th Circuit law suggesting that must justify in each instance
  18. Legal Problems in Computer Searches
      - Consent searches
  19. Consent Exception
      - Crucial Requirement is Common Authority
      - Parent
      - Spouse
      - Co-User
      - Workplace
        - Private v. Public
  20. Password Protected Files …
      - US v. Trulock, 275 F.3d 391 (4th Cir., 2001)
      - Although housemate had general authority to consent to search of their shared computer, housemate lacked authority to consent to search of defendant’s private, password-protected files.
      - In other words, same as roommate, shared apartment/house rule - if door is locked or otherwise indications that space is not shared, roommate can’t consent
  21. Workplace Searches
  22. Facts
      - Employer contacts police
      - Police ask employer to retain copies of hard drive
      - Employer provides hard drive to police
  23. Evidence Suppressed?
  24. More Facts
      - Dispute as to whether police directed employees to seize hard drive
        - Employees said police did (and their actions were consistent with this belief)
        - Police said they only asked them to retain what they had copied
      - Trial court believed employee version
  25. Now Should Evidence be Suppressed?
  26. 4th Amendment Primer
      - Fourth Amendment applies:
        - Reasonable expectation of privacy
        - Government action
      - If 4th Amendment applies need a warrant unless . . .
        - Consent
  27. Difference between Public and Private Employer Searches
      - PRIVATE
        - Search by employer is not government action (unless)
        - Employer can consent to police search
        - Employees have reasonable expectation of privacy in their workspace
      - PUBLIC
        - Search by employer is always government action
        - Employer cannot consent to police search
        - Do public employees have a REP?
  28. Public Employer Searches
      - O’Connor v. Ortega (1987)
        - There is a reasonable expectation of privacy (unless actual office practices and procedures or legitimate regulation permit the supervisor or co-workers or the public to enter the employee’s workspace.)
        - Even with reasonable expectation of privacy, employer can search for work related reasons or to investigate work related misconduct.
  29. Public Employer Searches
      - O’Connor v. Ortega (1987)
        - There is a reasonable expectation of privacy (unless actual office practices and procedures or legitimate regulation permit the supervisor or co-workers or the public to enter the employee’s workspace.)
        - Even with reasonable expectation of privacy, employer can search for work related reasons or to investigate work related misconduct.
  30. Back to the Scenario: What are the Issues
      - Is there a REP?
        - Tech people had complete access to computers
        - Firewall monitored all activity
        - Firewall Logs reviewed frequently
        - Employees were advised of above
        - Employees were told computers were company property, to be used for company purposes only
  31. Back to the Scenario: What are the Issues
      - Was there government action?
      - Was there valid consent?
  32. Ziegler 1
      - Court ruled that policies and procedures means there was no reasonable expectation of privacy
      - Therefore did not need to discuss other issues
  33. Remember O’Connor
      - O’Connor v. Ortega (1987)
        - There is a reasonable expectation of privacy (unless actual office practices and procedures or legitimate regulation permit the supervisor or co-workers or the public to enter the employee’s workspace.)
  34. Was Ziegler Correctly Decided?
      - Difference Between Expectation of Privacy from Employer Search as opposed to From Police Search
        - O’Connor (and other cases relied on in Ziegler) were public employer searches
        - As such there is no difference between an employer and the police
        - In private context there is a difference
  35. Ziegler 2
      - Court ruled that no expectation of privacy from employer searches did not mean no expectation of privacy from police search
      - Employees were agents of government in obtaining hard drive
      - Employer had common authority over computer and could consent to police search
  36. Where Does that Leave Us?
      - PRIVATE
        - Search by employer is not government action (unless)
        - Employer can consent to police search if . . .
        - REP:
          - Almost always have a REP against police action
          - May (or may not) have REP against employer search*
          - If no REP against employer search, employer can consent
      - PUBLIC
        - Search by employer is always government action
        - Employer cannot consent to police search
        - REP
          - Have a REP unless policies or practices suggest otherwise
          - Even with REP employer can search
            - for work related reasons or
            - to investigate suspected employee malfeasance
  37. Refinement of Public Search Law
      - Warrantless Search
      - Search must be work-related
        - Presence or involvement of law enforcement officers will not invalidate the search so long as the employer or his agent participates for legitimate work-related reasons
        - Fact that work-related malfeasance being investigated is also a crime will not make search invalid
      - Search must be justified at its inception and permissible in its scope
  38. Legal Problems in Computer Searches
      - Search incident to arrest
  39. Legal Problems in Computer Searches (cont)
      - Out of State warrants
  40. Out of State Providers - A New Law
      - Requires compulsory process recipient to produce records within 20 days
      - Applies to any person or corporation who has conducted business or engaged in transactions occurring at least in part in Washington
      - Effective June 12 2008
  41. Legal Problems in Computer Searches (cont)
      - Time limits on execution of search
  42. Time to Conduct Search
      - Computer is properly seized for offsite search
      - Computer is turned over to crime lab
      - Crime lab searches computer three weeks later
      - Ok?
  43. Time to Conduct Search
      - Same Scenario - search done 3 weeks later
      - Warrant requires service within five days
      - Court rule requires service within ten days
      - Three Weeks Ok?
  44. Time to Conduct Search
      - How long do you have to examine the computer?
        - Constitutional Standard: Probable Cause not Stale
        - Magistrate deadlines
        - Court Rule or Statutory Deadlines
  45. Time to Conduct Search
      - How about a preliminary search within deadline and a more detailed search later
      - Ok?
  46. Time to Conduct Search
      - How about lab analysis of drugs seized under warrant?
      - How about DNA analysis seized under warrant?
  47. Time to Conduct Search
      Washington Court Rule CrR 2.3(c): [The warrant] shall command the officer to search, within a specified period of time not to exceed 10 days, the person, place, or thing named for the property or person specified.
  48. Time to Conduct Search: State v. Kern 81 Wn.App. 308
      - Police obtain warrant for bank records
      - Serve warrant on bank within ten days of issuance
      - Bank delivers records to police 17 days later
      - Defendant objects saying untimely under court rule and bank, not police, executed search
  49. Time to Conduct Search: State v. Kern 81 Wn.App. 308
      - Court says warrant was executed when served
      - Even if not, completing a search shortly after deadline when PC still exists is ok
      - Under circumstances, delegation to bank officials was OK. No danger of scope being exceeded. Less privacy invasion.
  50. Time to Conduct Search: State v. Grenning COA No. 32426-1-II (Jan. 8, 2008)
      A forensic examination of information stored on copies of a hard drive may extend beyond the 10-day deadline specified in CrR 2.3(c), provided the computer is seized within the 10-day period. A delay in analyzing the information stored on a hard drive will only result in the suppression of evidence if: (1) the delay caused a lapse in probable cause; (2) it created unfair prejudice to the defendant; or (3) officers acted in bad faith.
  51. Tracing Electronic Communications
      - Never forget the goal of tracing email, etc.
      - The goose and the gander
  52. Fourth Amendment, US Constitution
      - No Expectation of Privacy in Records Held by Third Parties
      - U.S. v. Miller (1976)
  53. WA Constitution Article One, Section 7
      - No person shall be disturbed in his private affairs or his home invaded without authority of law
      - Broader than 4th Amendment
      - U.S. v. Miller may not be law in Washington is not the
  54. Electronic Communications Privacy Act (ECPA), Privacy Protection Act (PPA) and Washington’s Privacy Act
      - ECPA governs access to stored communications (including customer information)
  55. Electronic Communications Privacy Act
      - Extremely Complex Statute
      - Governs Holders of Third Party Records Relating to Electronic Communications
      - Sets up an elaborate scheme for what process (warrant, court order, subpoena) can obtain what records
      - Can get everything except real-time information with search warrant
  56. Privacy Protection Act
      - Can’t Use Warrant to obtain records from a publisher - must use subpoena
      - Applies to computer publishers
      - Doesn’t apply when publisher is suspect
      - Complex statute - ask me
  57. Washington Privacy Act RCW 9.73
      - Prohibits Recording or Interception of Real Time Private Communications without Consent of All Parties to Communication
      - Privacy Act covers Electronic Communications like Email and Instant Messaging
      - No exception for parental monitoring
  58. Search Warrant Law
      - Records Stored on Victim or Suspect’s Computer not Covered by ECPA or Privacy Act
      - Governed by Traditional Search and Seizure Law
  59. E-Mail Spoofing
      - Spoofing - a simple definition
      - Changing e-mail so that it looks like it came from someone else
  60. E-Mail Spoofing
      - Simple (and easy to detect) spoofing
      - Changing the name in the FROM line of the message
  61. (Example message headers)

          Network Solutions Registration Services
          E-mail: hostmaster@internic net
          >From postmaster@isomedia.com Wed Dec 31 19:00:00 1969
          >Received: from rs.internic.net (bipmxo.lb.internic.net [192.168.120.13])
          by opsmail.internic.net (8.9.3/8.9.1) with SMTP id QAAO17O1
          for <hostmaster~internic.net>; Fri, 16 Jul 1999 16:19:46 -0400 (EDT)
          >Received: (qmail 18559 invoked from network); 16 Jul 1999 20:15:16 -0000
          >Received: from smtp6.jps.net (209.63.224.103)
          > by 192.168.119.13 with SMTP; 16 Jul 1999 20:15:16 -0000
          >Received: from [209.63.189.117] (209-63-189-117.sea.jps.net [209.63.189.117]) by smtp6.jps.net (8.9.0/8.8.5) with ESMTP id NAA17047;
          Fri, 16 Jul 1999 13:19:43 -0700 (PDT)
          >X-Sender: (Unverified)
          >Message-Id: <v04003a00b3b475e9299ee[209.63.189.841>
          >Mime-Version: 1.0
          >Content-Type: text/plain; charset=~us-ascii
          >Date: Fri, 16 Jul 1999 13:22:14 -0700
          >To: hostmaster@internic net
          >From: Steve Milton <postmaster~isomedia.com>
          >Subject: [NIC-990716.l2fcd] MODIFY DOMAIN

  62. E-Mail Spoofing
      - Most e-mail programs allow you to specify what name will be shown on the FROM line
      - Easy to detect because it doesn’t change the header information which shows where the message really came from
  63. E-Mail Spoofing - A More Sophisticated Method
      - Where did this message originate
  64. (Message headers)

          Return-Path: <mickey@mouse.com>
          Received: from Mail ([12.228.157.210]) by sccrmhc01.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
          id <20020917013945.NHXQ26988.sccrmhc01.attbi.com@Mail>;
          Tue, 17 Sep 2002 01:39:45 +0000
          Received: from blv-smtpout-01.boeing.com ([192.161.36.5])
          by Mail ([12.228.157.210])
          (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
          id <20020916220917.PGLL21115.rwcrgwc53.attbi.com@blv-smtpout-01.boeing.com>;
          Mon, 16 Sep 2002 22:09:17 +0000
          Received: from stl-av-02.boeing.com ([192.76.190.7])
          by blv-smtpout-01.boeing.com (8.9.2/8.8.5-M2) with ESMTP id PAA03869;
          Mon, 16 Sep 2002 15:09:15 -0700 (PDT)
          Received: from blv-hub-01.boeing.com (localhost [127.0.0.1])
          by stl-av-02.boeing.com (8.9.3/8.9.2/MBS-AV-02) with ESMTP id RAA17781;
          Mon, 16 Sep 2002 17:09:14 -0500 (CDT)
          Received: from xch-nwbh-02.nw.nos.boeing.com (xch-nwbh-02.nw.nos.boeing.com [192.54.12.28])
          by blv-hub-01.boeing.com (8.11.3/8.11.3/MBS-LDAP-01) with ESMTP id g8GM9D511228;
          Mon, 16 Sep 2002 15:09:13 -0700 (PDT)
          Received: by xch-nwbh-02.nw.nos.boeing.com with Internet Mail Service (5.5.2650.21)
          id <TBQGHFX5>; Mon, 16 Sep 2002 15:07:58 -0700
          Message-ID: <86DC430079D8024898A5EE2FF390B16DE91F04@xch-nw-12.nw.nos.boeing.com>
          From: "Heyamoto, Craig R" <craig.r.heyamoto@boeing.com>
          To: My Victim
          Date: Tue, 17 Sep 2002 01:39:45 +0000
          I am the Viper!

  65. SpoofMail 1.17
  66. SpoofMail 1.17

          Return-Path: <craig.r.heyamoto@boeing.com>
          Received: from blv-smtpout-01.boeing.com ([192.161.36.5])
          by rwcrgwc53.attbi.com
          (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
          id <20020916220917.PGLL21115.rwcrgwc53.attbi.com@blv-smtpout-01.boeing.com>;
          Mon, 16 Sep 2002 22:09:17 +0000
          Received: from stl-av-02.boeing.com ([192.76.190.7])
          by blv-smtpout-01.boeing.com (8.9.2/8.8.5-M2) with ESMTP id PAA03869;
          Mon, 16 Sep 2002 15:09:15 -0700 (PDT)
          Received: from blv-hub-01.boeing.com (localhost [127.0.0.1])
          by stl-av-02.boeing.com (8.9.3/8.9.2/MBS-AV-02) with ESMTP id RAA17781;
          Mon, 16 Sep 2002 17:09:14 -0500 (CDT)
          Received: from xch-nwbh-02.nw.nos.boeing.com (xch-nwbh-02.nw.nos.boeing.com [192.54.12.28])
          by blv-hub-01.boeing.com (8.11.3/8.11.3/MBS-LDAP-01) with ESMTP id g8GM9D511228;
          Mon, 16 Sep 2002 15:09:13 -0700 (PDT)
          Received: by xch-nwbh-02.nw.nos.boeing.com with Internet Mail Service (5.5.2650.21)
          id <TBQGHFX5>; Mon, 16 Sep 2002 15:07:58 -0700
          Message-ID: <86DC430079D8024898A5EE2FF390B16DE91F04@xch-nw-12.nw.nos.boeing.com>

  67. SpoofMail 1.17
  68. (Message headers; slide legend: Headers I Inserted / Headers Servers Inserted)

          Return-Path: <mickey@mouse.com>
          Received: from fMail ([12.228.157.210]) by sccrmhc01.attbi.com
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
          id <20020917013945.NHXQ26988.sccrmhc01.attbi.com@SpoofMail>;
          Tue, 17 Sep 2002 01:39:45 +0000
          Return-Path: <craig.r.heyamoto@boeing.com>
          Received: from blv-smtpout-01.boeing.com ([192.161.36.5])
          by fMail ([12.228.157.210])
          (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
          id <20020916220917.PGLL21115.rwcrgwc53.attbi.com@blv-smtpout-01.boeing.com>;
          Mon, 16 Sep 2002 22:09:17 +0000
          Received: from stl-av-02.boeing.com ([192.76.190.7])
          by blv-smtpout-01.boeing.com (8.9.2/8.8.5-M2) with ESMTP id PAA03869;
          Mon, 16 Sep 2002 15:09:15 -0700 (PDT)
          Received: from blv-hub-01.boeing.com (localhost [127.0.0.1])
          by stl-av-02.boeing.com (8.9.3/8.9.2/MBS-AV-02) with ESMTP id RAA17781;
          Mon, 16 Sep 2002 17:09:14 -0500 (CDT)
          Received: from xch-nwbh-02.nw.nos.boeing.com (xch-nwbh-02.nw.nos.boeing.com [192.54.12.28])
          by blv-hub-01.boeing.com (8.11.3/8.11.3/MBS-LDAP-01) with ESMTP id g8GM9D511228;
          Mon, 16 Sep 2002 15:09:13 -0700 (PDT)
          Received: by xch-nwbh-02.nw.nos.boeing.com with Internet Mail Service (5.5.2650.21)
          id <TBQGHFX5>; Mon, 16 Sep 2002 15:07:58 -0700
          Message-ID: <86DC430079D8024898A5EE2FF390B16DE91F04@xch-nw-12.nw.nos.boeing.com>
          From: "Heyamoto, Craig R" <craig.r.heyamoto@boeing.com>
          To: My Victim
          Date: Tue, 17 Sep 2002 01:39:45 +0000
          I am the Viper!

  69. E-Mail Spoofing - Other Sophisticated Methods
      - Using an anonymous remailer
      - Using an open e-mail server
      - Use of Sniffers and Intercepts
  70. Problems in Electronic Communications Cases
      - Defendant produces email from victim in which she admits she made it all up
  71. Computer Trespass
      - A person is guilty of computer trespass . . . if the person, without authorization, intentionally gains access to a computer system or electronic database of another
      - What constitutes accessing a computer system or electronic database “without authorization”
  72. Ivan Orton, Complex Prosecutions & Investigations Division, King County Prosecutor’s Office, 500 Fourth Ave., Rm. 840, Seattle, WA 98104, [email_address], 206 296-9082
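
Added example, not part of the original slides: the spoofing slides (62 to 68) distinguish headers the sender inserted from headers servers inserted, and the Python below applies that distinction to the slide 64 headers (abridged) by trusting only Received lines stamped by a server the examiner names and checking the rest against the message's own Date. The function names, the `trusted_by` set and the two time thresholds are assumptions made for this illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block abridged from the spoofed message on slide 64 of this transcript.
SAMPLE = """\
Return-Path: <mickey@mouse.com>
Received: from Mail ([12.228.157.210]) by sccrmhc01.attbi.com
 (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP
 id <20020917013945.NHXQ26988.sccrmhc01.attbi.com@Mail>;
 Tue, 17 Sep 2002 01:39:45 +0000
Received: from blv-smtpout-01.boeing.com ([192.161.36.5])
 by Mail ([12.228.157.210])
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
 id <20020916220917.PGLL21115.rwcrgwc53.attbi.com@blv-smtpout-01.boeing.com>;
 Mon, 16 Sep 2002 22:09:17 +0000
Received: from stl-av-02.boeing.com ([192.76.190.7])
 by blv-smtpout-01.boeing.com (8.9.2/8.8.5-M2) with ESMTP id PAA03869;
 Mon, 16 Sep 2002 15:09:15 -0700 (PDT)
From: "Heyamoto, Craig R" <craig.r.heyamoto@boeing.com>
To: My Victim
Date: Tue, 17 Sep 2002 01:39:45 +0000

I am the Viper!
"""


def parse_hop(raw):
    """Split one Received header into from-host, from-IP, by-host and timestamp."""
    text = " ".join(raw.split())              # unfold continuation lines
    info, _, stamp = text.rpartition(";")     # the timestamp follows the last ';'
    stamp = re.sub(r"\([^)]*\)", "", stamp)   # drop comments such as (PDT)
    frm = re.search(r"\bfrom\s+(\S+)", info)
    by = re.search(r"\bby\s+(\S+)", info)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info.split(" by ")[0])
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None                           # unparseable stamp: skip time checks
    return {"from": frm.group(1) if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None,
            "time": when}


def analyze(raw, trusted_by, skew=timedelta(minutes=5), max_gap=timedelta(minutes=30)):
    """Report the last verifiable hop and timing conflicts in the hops below it.

    trusted_by: lowercase names of receiving servers whose logs the examiner can
    obtain (an assumption the examiner supplies). The message must carry a Date.
    """
    msg = message_from_string(raw)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]   # newest first
    sent = parsedate_to_datetime(msg["Date"])

    # Walk down from the top while each hop was stamped by a trusted server.
    boundary = -1
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_by:
            break
        boundary = i

    report = {"origin_ip": None, "origin_helo": None, "unverified": [], "anomalies": []}
    if boundary >= 0:
        report["origin_ip"] = hops[boundary]["ip"]       # peer the trusted server saw
        report["origin_helo"] = hops[boundary]["from"]   # name that peer claimed

    below = hops[boundary + 1:]              # supplied by the sender, not verified
    report["unverified"] = [h["from"] for h in below]
    for h in below:
        # A relay cannot have handled the message before its Date header.
        if h["time"] and h["time"] + skew < sent:
            report["anomalies"].append(("predates_date", h["from"]))
    if boundary >= 0 and below and below[0]["time"] and hops[boundary]["time"]:
        gap = hops[boundary]["time"] - below[0]["time"]
        if gap > max_gap:                    # long silence at the trust boundary
            report["anomalies"].append(("gap", str(gap)))
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE, {"sccrmhc01.attbi.com"}))
```
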
