Understanding Your Role as a Cyber Crime Investigator

Corporate investigators are afforded a number of powers, many of which supersede those of law enforcement. Eavesdropping, recording network traffic and reading e-mails are just a few of the powers corporations can wield over their employees, whereas law enforcement requires a court order to engage in many of these types of activities. As a corporate investigator, you must understand how and when to invoke these powers and know how to avoid the pitfalls of using them. In doing so, you can keep from trampling on someone’s rights and avoid the possibility of becoming liable, or even worse, arrested.

Understanding Employees’ Rights: Employee Monitoring
A survey conducted by the American Management Association (AMA) found that almost 75 percent of companies monitor their employees’ activities (American Management Association, 2001). Additionally, it reported that such monitoring had doubled since 1997. Among the items monitored were e-mails, computer files, and telephone calls. The reasons for monitoring an employee’s communications vary: some employers do so to protect their trade secrets, others to identify and monitor misconduct. The list is long and varied. Although the Electronic Communications Privacy Act (ECPA) routinely prohibits the intentional interception of communications, it is rarely applied to corporations. The courts have routinely upheld a company’s right to protect its interests over its employees’ individual right to privacy. In Smyth v. The Pillsbury Company, Pillsbury had assured its employees that their e-mails would remain confidential and privileged. The company further assured them that no e-mail would be intercepted or used as grounds for termination or reprimands.

Nevertheless, Pillsbury later fired Smyth for sending out inappropriate e-mails. Smyth sued on the grounds that Pillsbury violated its “public policy, which precludes an employer from terminating an employee in violation of the employee’s right to privacy as embodied in Pennsylvania common law” (Smyth v. The Pillsbury Company, 1996). In its decision, the court stated there was no reasonable expectation of privacy for Smyth’s e-mail even though Pillsbury had given assurances that e-mails would not be intercepted by management. Moreover, once Smyth sent his message over the e-mail system used by the entire company, all reasonable expectation of privacy was lost. Although the Smyth case has effectively granted companies the unlimited right to monitor their employees, as an investigator you should be aware that employees still maintain their constitutional protections, and so you must exercise care when monitoring e-mails or computer files. According to Jean A. Musiker, an attorney practicing labor and employment law, employers face constraints when it comes to an employee’s right to privacy. She refers to Bratt v. International Business Machines Corp., 392 Mass. 508 (1984), where the Massachusetts Supreme Judicial Court found that the state’s privacy statute (Mass. G.L. c. 214, §1B) did apply to the workplace and does offer protection regarding an employee’s right to privacy (Musiker, 1998). She also points out that whether an employer has violated the privacy statute is decided by a balancing test. Musiker quotes the court in O’Connor v. Police Commissioner of Boston [408 Mass. 324, 330 (1990)], which ruled that to violate the statute the “interference with privacy must be both unreasonable and substantial or serious” (Musiker, 1998).

(Note: When investigating crimes for your corporation, be aware that ultimately you can be charged with a crime, regardless of corporate counsel’s advice, if you engage in illegal activities.)

Musiker further quotes Cort v. Bristol Meyers [385 Mass. 300, 307 (1982)], which found that employees were protected from companies that monitored their workers purely for personal reasons. Musiker also points out that an employee’s position within a company may be a factor when applying the balancing test. She refers to the Massachusetts case of Webster v. Motorola, Inc. [418 Mass. 425 (1994)] when making this point. In this case, the court suggested that employees in upper-level management positions had a lesser expectation of privacy than those in lower positions within the company.

The point to remember here is that IT investigators must use caution when dealing with the privacy of employees. IT security personnel should not automatically assume they have the right to violate the privacy of employees. Furthermore, companies should be aware that the fact that their IT investigator acted on behalf of the company will not fully remove them from civil and criminal liability. In a Scottsdale, Arizona, case, a police officer was awarded $300,000 after the police department fired him from the force for sending an inappropriate e-mail to a co-worker (Spykerman, 2007). The co-worker, who was a close friend of the officer, found the e-mail amusing. Nevertheless, the police department fired him, and later lost the case. The bottom line is that if you determine a crime is being committed, get law enforcement involved. They may be able to remove the risk of injury to yourself or your company by pursuing appropriate legal action.

Failing to Report Criminal Activity
It is important to recognize that professionals working in the area of cyber investigations may uncover evidence of criminal activity throughout the course of their efforts. Investigators must report evidence of criminal activity to the proper authorities; in fact, the United States criminal code requires us to do so. Let’s review the statutes applicable to our responsibility when uncovering criminal evidence:

18 USC Section 4: Misprision of a felony

This statute reads as follows:

“Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both (Legal Information Institute).”

Furthermore, professionals working in private investigations must be wary of their inclination to be overly helpful to their clients. Should you learn that your client is the subject of a federal investigation, preservation of data is crucial in order to remain on the right side of the law.

Title 18 of the U.S. Code, section 1519 (originally enacted as part of the Sarbanes-Oxley Act of 2002), prohibits one from knowingly altering or manipulating records or documents related to a federal investigation. The statute reads as follows:

“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both (Legal Information Institute).”

Khairullozhon Matanov, an associate of the Boston Marathon bombers, Dzhokhar and Tamerlan Tsarnaev, was indicted under this statute after deleting digital evidence related to his relationship with the bombers. According to prosecutors on the case, Matanov was informed that he might be questioned by federal authorities in connection with the attack. Following this notification, Matanov deleted hundreds of videos and documents from his computer, while misleading police about his relationship with the suspects (Ly, 2015).

Considerations for Private Investigators
Many cyber investigators are hired to perform casework in multiple states. It would be wise of a PI to seek out and obtain a private investigator’s license, as they are required in most states across the U.S. Qualifications, as well as fees and regulations, may vary by state; therefore, it is the responsibility of each investigator to verify each state’s regulation with respect to licensing. Failure to satisfy this requirement may not only subject a PI to potential statutory law violations, but may cause harm to future career prospects, or go so far as to cause embarrassment to the investigator’s employer or client.

The Electronic Communications Privacy Act
The Electronic Communications Privacy Act was passed in 1986 and governs how and when electronic communications can be intercepted. It also provides definitions as to what electronic communication is, and describes penalties for violating the Act’s provisions. Although very little in this statute applies to corporations, it behooves you to read it to obtain a better understanding of the law.

Understanding Law Enforcement Concerns
For law enforcement officers, one of the biggest fears when contacting a company regarding a cyber-crime investigation is that the systems administrator or IT personnel are the persons committing the crime, which often has been the case. Statistics show that most crimes that occur within a corporation are committed by its employees (Secret Service et al., 2002). As such, be leery of company employees before ruling them out as potential suspects. What the corporate IT staff needs to know is that law enforcement officers have a duty to investigate the crimes. They cannot tip their hat to the potential perpetrator. As a result, IT personnel, as well as other company employees, will usually experience the following until the law enforcement official rules them out as a possible suspect:

  1. Law enforcement will provide you with the smallest amount of information possible.
  2. Sometimes officers will allow you to believe they are investigating a different crime than the one you suspect.

On occasion, law enforcement may ask IT personnel for unnecessary documents in order to throw them off track about the nature of the investigation. In light of the preceding circumstances, IT personnel should not take this personally. They are only doing their job. Once an officer has gained confidence in IT personnel and ruled them out as a suspect, he will usually provide a little more detail. However, do not expect him to go over every aspect of the case. There are two reasons for not doing this. One, he does not want a potential witness to be coached on the case since it would appear to a judge or jury that the two of you conspired to frame the suspect. Second, by law, he cannot instruct IT personnel on what to do since it may make them an “agent of the government.”

Agent of the Government
IT personnel are routinely contacted by law enforcement. This contact can range from providing subscriber information to allowing officers to forensically image a computer system. Many times the IT investigator plays an integral part in the investigation. A relationship between the police officer and the investigator is established, and together they help to solve the crime. Although the IT investigator may want to continue assisting the law enforcement official in the investigation once it has been turned over, often his role will automatically become reduced. This reduction in the investigative role is not because the officer dislikes or distrusts the IT investigator (he has already been vetted as a suspect), but because the police officer must ensure that the company’s personnel do not become an agent of the government.

In theory, a person acts as an agent of the police when his or her actions are directed at the behest of a law enforcement official. The courts have held that in order for a private citizen to be an agent of the government, two conditions must exist (11th Cir. 2003). First, the person must have acted with the intent to help law enforcement. Second, the government must have known about the person’s activities and either acquiesced in or encouraged them. Routinely, defendants argue that their rights have been violated when it comes to searches and seizures that are conducted by civilians at the request of a law enforcement agency. Instances in which a defendant can prove that a law enforcement agency used a civilian to investigate someone will usually result in the dismissal of the criminal case.

A case that addressed this very issue was United States v. Jarrett. In Jarrett, law enforcement officers utilized information from a Turkish hacker who on two occasions obtained information on child molesters (Fourth Cir. 2003). The hacker, referred to by the district court as the Unknown User, used a Trojan horse program to gain access to the unsuspecting child molesters’ computer systems. William Adderson Jarrett was arrested after the Unknown User recovered images of child pornography from Jarrett’s computer and reported him to the police. During his trial, Jarrett asked the court to suppress the evidence obtained by the Unknown User from being used against him, since it violated his constitutional rights. The district court denied his motion and allowed the evidence into the proceedings. Jarrett later entered a plea of guilty, and during his sentencing hearing moved again for the district court to suppress the evidence, based on new e-mail evidence that had not been disclosed during the trial. The e-mail communications were between the Unknown User and an FBI agent. During the e-mail conversations, which occurred after Jarrett’s arrest, the agent engaged in what the district court deemed to be a “proverbial wink and a nod.”

The e-mail contained the following message:
I cannot ask you to search out cases such as the ones you have sent to us. That would make you an agent of the federal government and make how you obtain your information illegal and we could not use it against the men in the pictures you send. But if you should happen across such pictures as the ones you have sent to us and wish us to look into the matter, please feel free to send them to us. We may have lots of questions and have to e-mail you with the questions. But as long as you are not ‘hacking’ at our request, we can take the pictures and identify the men and take them to court. We also have no desire to charge you with hacking. You are not a U.S. citizen and are not bound by our laws. (United States v. Jarrett, Fourth Cir).

The district court further stated that the relationship between the agent and the hacker was a pen-pal-like relationship, and that the agent never instructed the hacker to stop his illegal activity in obtaining the evidence. Additionally, the district court felt that the government and the Unknown User had “expressed their consent to an agency relationship.” Although the district court reversed the plea of guilty, the United States Court of Appeals later reversed the district court’s decision. Ironically, the appellate court cited United States v. Steiger, which was the first case that involved the Unknown User, in reversing the district court’s decision. This decision to reverse was based partly on the fact that the e-mails occurred after Jarrett’s arrest, and because the government failed to meet the two conditional requirements of agency. The outcome may have been different had such e-mails been exchanged before Jarrett’s arrest.

(Note: A Trojan horse in the computer sense refers to a software program containing malicious computer code. The name Trojan horse comes from the Trojan War military tactic in which Greeks hid soldiers in a wooden horse and then offered it to the city of Troy as a gift, thus secretly gaining entrance to the city and eventually laying siege to it.)

Providing the Foundation

One of the most important things an IT security investigator can provide in any case is information. No one understands your network setup better than you. Also, you know the technology in your organization. Many times law enforcement officers will not have experience with many of the devices or systems they will come upon. It is here that IT investigators play their second-biggest role after detection. Imparting your knowledge of the system setup and how it works will help the law enforcement officer better understand how the crime was committed. Point out what types of security and monitoring devices you may have at your locations. Take the time to explain where all the log files are, and what they show. Become the technical teacher and help bridge the gap between technology and law enforcement. You will find this very satisfying.

The Role of Law Enforcement Officers
Cyber-crime police officers should be cognizant of the concerns of corporations. Often, a lack of such understanding leads to tension and standoffs between the two.

Understanding Corporate Concerns
I remember sending a subpoena to a company and receiving a phone call several days later.

The owner of this small ISP asked me how important the information I was seeking was, since it would take some work to sift through all of his logs. My immediate response was, “It was important enough for me to write a subpoena for it.” He then proceeded to ask me for information about the type of case I was investigating. We established earlier in this chapter that I don’t trust until I vet a possible suspect, so I told him I could not disclose the type of case I was working on. The owner then responded by saying that if he was not informed about the type of case I was working on, he would just respond to my subpoena by saying he did not have any log files. I then informed him that he had just admitted to me that he did, in fact, have log files and that I was directing him to preserve them while I applied for a search warrant. Furthermore, I told him that if any files were deleted I would seek to have him arrested for tampering with evidence. Prior to hanging up the phone, I told him that the search warrant would include all computers, routers, switches, and so on where I believed evidence would be found. A short time later, as I was on the phone with the District Attorney, he called me back. At that point, we both agreed the conversation had spun out of control and we worked together to minimize the information I needed. After our initial head-butting, I discovered he was a one-man operation, and that he was unsure how to retrieve the logs. I wish he had told me that up front, since I would have worked with him to get the logs I needed.

Shutting Down and Seizing Systems
I remember getting a call to respond to a company whose server was being illegally accessed remotely. The owner of this company stated that numerous files had been deleted and that he believed the computer had a remote-access Trojan. I immediately invoked my forensics best practices and proceeded to shut down the server. At that point, I was literally tackled by the owner, who stated that the server was a production server and could not be taken down. I needed an alternate plan. I didn’t want to victimize the victim by shutting down his company. So I called the District Attorney and informed him of the facts. Based on my conversation with the DA, I was able to generate a list of items I’d need to prove the case and proceeded to image only the things I required. If you’re wondering why I didn’t just mount the drive and image it with a network tool, it was because the server was 300 terabytes in size. In the end, I was able to understand the company’s needs and avoid causing additional harm to them. We will discuss the issue of network forensics further in the next chapter.
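The targeted collection described above (copy only the items on the DA-derived list, leave the production server running) and the preservation duty under 18 U.S.C. § 1519 both come down to one practical habit: record what you took, from where, and its hash, so the collection can be verified later. The following Python script is an added illustration written for this chapter; it is not code from the author or from any tool named here. It assumes a constructed directory tree standing in for the server, a hypothetical collector name, and a SHA-256 manifest format of my own choosing; the chapter itself describes selective imaging but no particular hashing or manifest scheme.

```python
"""Targeted evidence preservation: copy only the named items, hash each one,
and record a manifest so the collection can be verified later (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample files standing in for the handful of items an investigator
# actually needs from a large production server (paths and contents are made up).
SAMPLE_FILES = {
    "logs/access.log": b'10.0.0.5 - - [12/Mar/2015:08:01:02] "GET /admin HTTP/1.1" 200\n',
    "logs/auth.log": b"Mar 12 08:01:05 srv sshd[412]: Accepted password for svc from 10.0.0.5\n",
    "www/index.html": b"<html><body>production site</body></html>\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_items(source_root: Path, relative_paths, dest_root: Path, collector: str) -> dict:
    """Copy the listed files under dest_root/evidence, hash source and copy,
    and write dest_root/manifest.json. Raises if a copy does not match its source."""
    evidence_dir = dest_root / "evidence"
    items = []
    for rel in relative_paths:
        src = source_root / rel
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        before = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 keeps the source timestamps on the copy
        after = sha256_file(dst)
        if before != after:
            raise RuntimeError(f"copy of {rel} does not match its source")
        stat = src.stat()
        items.append({
            "path": rel,
            "size": stat.st_size,
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": before,
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source_root": str(source_root),
        "items": items,
    }
    (dest_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_collection(dest_root: Path) -> bool:
    """Re-hash every preserved copy and compare it with the manifest."""
    manifest = json.loads((dest_root / "manifest.json").read_text())
    evidence_dir = dest_root / "evidence"
    return all(sha256_file(evidence_dir / item["path"]) == item["sha256"]
               for item in manifest["items"])


def run_demo() -> dict:
    """Build the constructed server tree in a temp dir, preserve only the log files,
    verify the collection, then alter one copy to show that verification fails."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"
        for rel, data in SAMPLE_FILES.items():
            p = server / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        out = Path(tmp) / "collection"
        out.mkdir()
        wanted = ["logs/access.log", "logs/auth.log"]  # the DA-derived list; www/ is left alone
        manifest = preserve_items(server, wanted, out, collector="Investigator A (hypothetical)")
        ok_before = verify_collection(out)
        (out / "evidence" / "logs" / "auth.log").write_bytes(b"edited\n")
        ok_after = verify_collection(out)
        return {"manifest": manifest, "verified": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script to see the manifest and the two verification results. The hash taken before the copy and re-checked after it is what lets you later show that what you handed to the prosecutor is what was on the server, and the manifest's fixed list of paths is the record that you took only what the DA's list called for and nothing else.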

Providing the Foundation
As a cyber-crime officer, your job should be to lay the foundation of how the crime was committed, and how the computer aided in the commission of this crime. You should also attempt to explain the techniques, methodologies, and technologies to prosecutors, judges, and juries in simple terms. This will help you remove the veil of mystery behind the technology and aid in building the case against the suspect.

The Role of the Prosecuting Attorney
Understanding the role of a prosecutor will better serve the overall legal process when it comes time for prosecution.

Providing Guidance
The prosecuting attorney’s goal should always be that of a legal advisor and not of an investigator. Oftentimes, prosecutors become personally involved with a case and jeopardize the process, as well as their immunity. Additionally, the prosecutor should act as a bridge across the information gap between technology and the judge or jury. It will be the prosecutor’s job to remove the mask behind the technology presented in the case and ease the fears of the technophobes.

Avoiding Loss of Immunity
Prosecutors are afforded special privileges when acting on behalf of the court. One of the most important privileges they possess is that of immunity. This immunity shields them from both criminal and civil liability when acting in their official capacity and performing related duties. However, when prosecutors engage in conduct that is beyond the scope of their responsibilities, they may place themselves in harm’s way. Many attorneys become emotionally involved in a case and dance close to the line of trouble. Although it is extremely rare and difficult to prove a prosecutor has lost his or her immunity, it is not impossible.

Prosecutors are afforded absolute immunity from liability for their actions when their prosecutorial activities are directly associated with their judicial responsibilities during the criminal process. This entitles them to absolute immunity from any action for damages. Prosecutors are afforded the privilege of qualified immunity from liability for damages due to their actions when performing official discretionary functions, as long as their conduct does not violate any clearly defined statutory or constitutional rights of which a reasonable person would have known.

In Richards v. NYC, Samantha Richards was accused of killing her live-in boyfriend Gersham O’Connor. The police, along with the District Attorneys, conducted the investigation. The investigators interviewed Richards’ two daughters, ages four and five, who implicated their mother as the killer. Based on the interviews, Ms. Richards was subsequently arrested. During Richards’ trial, it was discovered that her daughters had never witnessed the shooting and that their statements were based on the interview tactics of the police and prosecutors. Richards brought suit against the District Attorneys involved and alleged that they “supervised, assisted, and gave advice to the police [throughout] the course of their investigation; acted and conspired with them in that investigation; decided whether there was probable cause to arrest the plaintiff; and/or knew or should have known that the police conducted the investigation in disregard” of her civil and constitutional rights (Southern District of New York, 1998). The court found that the District Attorneys were not fully immune to civil penalties, citing Barbera v. Smith and Burns v. Reed.

The court wrote the following statement in its opinion:

Absolute immunity is not available . . . when a prosecutor undertakes conduct that is beyond the scope of his litigation-related duties. (Barbera v. Smith, 836 F.2d 96, 100 [2d Cir. 1987]) Thus, when a prosecutor supervises, conducts, or assists in the investigation of a crime, or gives advice as to the existence of probable cause to make a warrantless arrest—that is, when he performs functions normally associated with a police investigation—he loses his absolute protection from liability. (Burns v. Reed, 500 U.S. 478, 493, 114 L.Ed.2d 547, 111 S.Ct. 1934 [1991]) We do not believe it… that advising the police in the investigative phase of a criminal case is so intimately associated with the judicial phase of the criminal process… that it qualifies for absolute immunity. (Southern District of New York, 1998)

As you can see, performing tasks outside of your prescribed role may put you at risk of liability.

Providing the Foundation

As in the other roles described previously, the prosecutor’s job, in addition to prosecuting the case, should be to explain the offense to judges and juries in order to aid them in understanding how computers and technology can be used to commit crimes. The prosecuting attorney’s duty is to also provide guidance as it relates to the prosecution and not the total investigation.

U.S. Code Used by Federal Law Enforcement in Cyber-Related Crimes

I. Federal Laws to Prosecute Cyber Crime

  • 18 U.S.C. Section 1956, “Laundering of monetary instruments”; 18 U.S.C. Section 1957, “Engaging in monetary transactions in property derived from specified unlawful activity”;
  • 18 U.S.C., Chapter 96, the Racketeer Influenced and Corrupt Organizations (RICO) provisions;
  • 18 U.S.C. Section 2314, “Transportation of stolen goods, securities, money, fraudulent State tax stamps, or articles used in counterfeiting”; and
  • 18 U.S.C. Section 2315, “Sale or receipt of stolen goods, securities, money, or fraudulent State tax stamps.”

II. Federal Criminal Code Related to Computer Crimes

  • 18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices;
  • 18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers;
  • 18 U.S.C. § 1362. Communication Lines, Stations, or Systems

III. Federal Computer Crime Laws

  • computer trespassing in a government computer, 18 U.S.C. 1030(a)(3);
  • computer trespassing resulting in exposure to certain governmental, credit, financial, or computer-housed information, 18 U.S.C. 1030(a)(2);
  • damaging a government computer, a bank computer, or a computer used in, or affecting, interstate or foreign commerce, 18 U.S.C. 1030(a)(5);
  • committing fraud an integral part of which involves unauthorized access to a government computer, a bank computer, or a computer used in, or affecting, interstate or foreign commerce, 18 U.S.C. 1030(a)(4);
  • threatening to damage a government computer, a bank computer, or a computer used in, or affecting, interstate or foreign commerce, 18 U.S.C. 1030(a)(7);
  • trafficking in passwords for a government computer, or when the trafficking affects interstate or foreign commerce, 18 U.S.C. 1030(a)(6);
  • and accessing a computer to commit espionage, 18 U.S.C. 1030(a)(1).

IV. Searching and Seizing of Computers

  • 18 U.S.C. § 2510. Definitions
  • 18 U.S.C. § 2511. Interception and disclosure of wire, oral, or electronic communications prohibited
  • 18 U.S.C. § 2701. Unlawful Access to Stored Communications
  • 18 U.S.C. § 2702. Disclosure of Contents
  • 18 U.S.C. § 2705. Delayed notice
  • 18 U.S.C. § 2711. Definitions

V. Civil Litigation

  • RICO Statutes
  • Civil Suits
  • Legislation partnerships
  • VERO Notices / Take Downs
  • Copyright Infringement
  • Civil Suits on Landlords

The preceding examples are just some of the issues that can be encountered when investigating cyber-crime. Again, the roles of each type of investigator should always remain defined, and lines should never be crossed. Also, each sector should come to understand the concerns of the other to avoid confusion and misunderstandings. We should work together to find solutions rather than isolate ourselves from other sectors because of a lack of understanding. Try joining a group that provides an exchange of ideas between all sectors. One such organization is The High Technology Crime Investigation Association (www.HTCIA.org), which is designed to encourage, promote, and aid in the voluntary exchange of data, information, experience, ideas, and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies.

Solutions Fast Track
Understanding Your Role as a Cyber-Crime Investigator

  1. It is possible to violate the law when conducting cyber-crime investigations.
  2. Cyber-crime investigators should be aware that their actions, on behalf of their company, may not absolve them of criminal or civil liability if their actions are illegal.
  3. Corporations should involve law enforcement at the beginning of a criminal investigation.
  4. Corporate counsel should consult a prosecutor prior to taking actions in a criminal matter.
  5. Corporate investigators should always be cognizant of employees’ rights when conducting investigations.

As a corporate investigator, you may not be privy to much of the information when visited by a law enforcement officer. Be cognizant that your actions can be construed as acting as an agent of law enforcement.

The Role of Law Enforcement Officers

  1. Understand that companies may have privileged and confidential information on the computers you are seizing.
  2. It is a wise practice to avoid victimizing your victim further by parading your case before the media.
  3. It is important to understand the data retention policies and the subpoena process of a company prior to requesting their assistance.

The Role of the Prosecuting Attorney

  1. One of the primary functions of a prosecutor is to provide guidance and direction as it relates to the law during an investigation.
  2. Prosecutors should avoid directing law enforcement when investigating a case since it may result in the loss of immunity.
  3. As a prosecutor, you explain to the judge and jury how technology was used to commit a crime.
