INVESTIGATING AND PROSECUTING NETWORK INTRUSIONS

JOHN C. SMITH, SENIOR INVESTIGATOR
HI TECH / COMPUTER CRIME UNIT
SANTA CLARA COUNTY DISTRICT ATTORNEY'S OFFICE
70 WEST HEDDING STREET
SAN JOSE, CALIFORNIA 95110
408/299-8411
email jsmith@netcom.com

The Santa Clara County District Attorney's Office Hi Tech / Computer Crime Team has had years of experience investigating and prosecuting trade secret thefts, network intrusions, chip thefts, and other types of high technology thefts in Silicon Valley. The Unit is composed of two Deputy District Attorneys and one Investigator.

Some of the cases we have handled include:

Theft of source code to manufacture computer chips.
Theft of manufacturing processes to make computer chips.
Theft of password files from computers (hacking).
Sending harassing e-mail over networks (Internet).
Theft of software by rewriting it into another computer language.
Shutting down computers via telephone access.
Theft of source code to develop a competing software program.
Intrusion into computer systems using random number dialers.
Theft of source code via modems and cellular phone.
Intrusion into systems via the Internet using bugs such as rdist.
Illegal intrusion into networks to destroy data.
Theft of hardware and computer chips.

THIS PRESENTATION WILL COVER

Network intrusions.
Theft of proprietary material.
How to conduct your investigation and gather evidence.
How to gather and safeguard the evidence necessary for prosecution.
How to get the appropriate law enforcement support.
How to work with law enforcement so they understand the problem.
What is required for a search warrant.
How a Search Warrant Raid is conducted (You may be asked to go.).
What is required for a telephone trap.
What is required for an arrest.
What to expect from the court process.
How to prepare to testify in court if necessary.
How to recover damages civilly or from probation.
Impact of the Electronic Communications Privacy Act.
Examples of Search Warrants and Telephone Traps are attached. Actual cases will be discussed and used as examples. The search warrant affidavits and telephone traps attached to this outline are exactly as I took them to court, with the exception of the name changes. By thoroughly reading the affidavits, the reader will have the opportunity to see what constitutes probable cause to obtain a search warrant.

HAS A CRIME BEEN COMMITTED

Under most circumstances, for Federal or local law enforcement to assist you there has to be a violation of the law.

United States Code, Title 18, Section 1030, "Fraud and related Activity in Connection with Computers", is the section relied upon by the FBI. (A COPY OF THIS SECTION IS ATTACHED.) The FBI will also attempt to use sections dealing with theft by wire and interstate theft.

Each State has its own laws. These laws vary widely and most states have not yet enacted appropriate laws for dealing with computer or network intrusion.

California Penal Code Section 502, "Unauthorized Access to Computers, Computer Systems, and Computer Data." (A COPY IS ATTACHED.) Some of the subsections are felonies. A person who is convicted under this section is subject to having their computer forfeited under Penal Code Section 502.01.

California Penal Code Section 499c, "Trade Secrets", covers the theft of trade secrets. This has to be scientific or technical information, computer programs, or information stored in a computer.

If local law enforcement decides that they do not have sufficient information to file a crime report, conduct a search warrant, or issue an arrest warrant, they may be able to phone or contact your suspect and warn them to stop. This does sometimes work.

WHEN A CRIME HAS BEEN COMMITTED

DO NOT CONFRONT OR TALK WITH THE SUSPECT. This gives them the opportunity to hide or destroy evidence. Law enforcement probably will not help you if this occurs because of the slim chance of making a case.
If necessary call law enforcement and ask what the law is. Many times executives of victim companies are hesitant to file a crime report until they know and understand what law enforcement will do. Can you discuss what your options are with the appropriate law enforcement agency without having to make an official report? You should be able to discuss your options without having to file an official crime report.

Under most circumstances our office will not file a criminal case for theft of data or proprietary information (Industrial Espionage) unless the company/victim wants to file a criminal charge. These cases are complex and require the willing cooperation of the victim. We make sure they understand what will be required of them before we will start an investigation.

Many times both the FBI and local law enforcement will have jurisdiction over a network intrusion or theft. You may want to talk to both about how long their investigation will take and what they expect from you. Will their reports be available for your review and use in civil actions? Law enforcement does not like a company "shopping" for the best deal, so be careful how you deal with agencies. Remember the agencies talk and work with each other.

Local law enforcement may have trouble conducting the investigation outside of their jurisdiction. Police Departments and Sheriff's Offices will work with their local prosecutors.

Will the FBI conduct an investigation? They have to work with the U. S. Attorney's Office to obtain a search warrant or investigate a case.

SHOULD YOU REQUEST LAW ENFORCEMENT ASSISTANCE

This can be DAMAGE CONTROL: the only way you may ever know the extent of your loss or network penetration is from the evidence collected from a search warrant.

DO NOT WAIT TOO LONG TO CALL. It is best to notify law enforcement right away. In one case we worked, the backup tapes from a system an intruder was using were kept only a short time and then reused.
In a civil action, you will demand discovery to obtain evidence and learn what documents or data the defendant may have, but it is up to the person being sued to turn over the documents you are accusing them of stealing or using to penetrate your network.

Working with law enforcement is a time consuming and demanding task. For us to assist you with an investigation we require your assistance and cooperation. We need:

A commitment of your time and resources. You will have to work with law enforcement at almost every step of the process.
Interviews to prepare crime reports and the affidavit for a search warrant.
Engineers or computer operators to accompany law enforcement on the search warrant to assist with operation of the computer system and identification of data or property.
Assistance from the victim company to identify and describe documents, source code, and other evidence found.
A company expert may need to be available for explanations and assistance during a trial.
Documents may need to be provided to the defendant's attorneys for discovery. They may ask for more than you want to provide. Your attorney will have to argue against broad ranging discovery. Defendants are entitled to seek evidence they need for their defense.
You and other company employees will be subpoenaed to testify. This is time-consuming in that witnesses may have to wait their turn in court.

Very few cases actually go to trial! Approximately 5% go to trial in Superior Court in Santa Clara County, California. There will generally be plea bargaining and negotiations so that an agreed upon sentence can be reached. Both prosecutors and defense attorneys know what sentences can be expected from certain cases. White collar crimes are not usually prison crimes.

You should be able to access law enforcement's reports. This will help you understand your situation. You can then use those reports for civil proceedings.
If you are going to initiate civil litigation, it is a good idea to wait until you decide whether you are going to make a report to law enforcement. You do not want to alert the suspect to criminal action in the event a search warrant is issued. Law enforcement does not (or should not) care if civil actions are filed. In most of our cases there have been parallel civil actions and they have not affected our cases. In some cases the victim's attorneys have used our Search Warrant Affidavit to apply to the court for a TRO (temporary restraining order) to prohibit a suspect from using materials or data they have taken.

HOW TO GET LAW ENFORCEMENT'S ASSISTANCE

CORPORATE SECURITY - If your company has corporate security or a corporate investigator, talk with them. They may know the capability of law enforcement in your area. They may have contacts with law enforcement. They may know the best way to get assistance.

The High Technology Crime Investigation Association (HTCIA) is a group of local and federal law enforcement officers, corporate investigators and private investigators who have an interest in or work in the area of computer or high technology crime. HTCIA provides training to its members. I can put you in touch with someone from each chapter. HTCIA has chapters in:

Silicon Valley (San Jose), California
Southern California
Northern (Sacramento), California
Austin, Texas
Portland, Oregon
Chicago, Illinois
New York, NY
New Mexico

Chapters have begun forming in the Netherlands and in Arizona. (I try to keep up with current contacts and phone numbers.)

If you call local law enforcement, I recommend calling the investigations or detective bureau directly. If you call 911 or a regular police department reporting number, they will send a uniformed officer and log the call on a public log. It is the uniformed officer's job to write a report which will go through a review process, be logged in by records, and then sent to investigations for assignment to the appropriate investigator. This can sometimes take a week. Try to get the direct assistance of an investigator. You will usually get a more experienced officer and faster assistance.

Call your local prosecutor's office. Most District Attorney's Offices have investigators. Ask if there is a computer or hi tech unit. Ask if they know who would be best to assist you.

Training for law enforcement is becoming better and easier to get. Don't be surprised if there is a highly trained law enforcement officer in your local area. You just have to find them and cultivate their friendship. Interested law enforcement officers would probably be interested in talking with you or touring your facilities.

If your company will allow (many will not), consider volunteering to provide advice and assistance to local law enforcement. I have started a volunteer program of computer knowledgeable individuals who help me on search warrants and help retrieve data from computers. If you work for someone you should get permission first. Many corporations see this type of volunteer work as being a conflict of interest. If this is the case, see if they will let you provide advice or training to law enforcement. This will pay dividends because it gives you direct access to law enforcement for advice if and when you need it.

The FBI has a highly trained computer crime team stationed in Washington D.C. They can be reached at (202)324-9168.

WORKING WITH LAW ENFORCEMENT

Remember there is a very good chance the law enforcement officer is not going to understand the technical aspects of what you are talking about. Most cannot work PCs, much less understand a network problem.

You should have been making notes of your activities as you track an intruder. Put this in some type of report or memo format. This report can be given to the officer. It can also be used as part of the report or as an attachment for a search warrant. You can then use this report to help you recall what you did if the case goes to trial many months later. As you write your report remember WHO, WHAT, WHEN, WHERE, WHY, and HOW. If you and law enforcement can show this you can make a case.

Diagrams are very helpful in understanding systems. A diagram can be attached to the report to help others who have to read and understand the report. Diagrams are frequently used in court.

EVIDENCE

In these types of cases evidence may consist of such things as backup tapes, printouts of computer programs, the suspect's accounts and their contents, and computer disks. In one case we used an article found online that had been written by our suspect regarding activities he had been involved in. We attached this to our affidavit requesting a search warrant.

In an intrusion case, you will be looking for evidence that will show who committed the violation and that can be used to obtain a search warrant to seize the suspect's personal computers at his home or business. A suspect would have a good defense if you only found evidence in an online account. The defense will claim that someone else put the evidence there. We would not charge a person with a crime on the basis of evidence found in an online account.

We investigated and obtained a conviction on a suspect that used someone else's account (after they broke the password) to shut down a computer. I later found the broken password in the original suspect's home computer. (I CAN EMAIL YOU THE JUDGE'S RULING FROM THE APPEAL WHERE HE DISCUSSES THIS.)

You would use the evidence in the online account to seize the suspect's computers. Law enforcement will then search the suspect's personal computers for evidence. You often find printed material at the suspect's home that can be used as evidence.
Evidence must be gathered by law enforcement officers in accordance with court guidelines governing search and seizure or it will be excluded. This is referred to as the Exclusionary Rule. It does not apply to ordinary citizens such as you. You do have to remember that if you do something illegally you could be sued. If you gather evidence at the request or suggestion of a law enforcement officer and the gathering does not meet the legal requirement, that evidence will be excluded. Remember the provisions of the Electronic Communications Privacy Act, Chapters 2500 & 2700 of Title 18 of the United States Code.

CHAIN OF POSSESSION - This means that for evidence to be admitted in court, the prosecution has to be able to show who obtained it, who secured it, and anyone who has had control of it. It will probably be necessary to have anyone in this category testify. This applies to anything you may secure, such as a disk or backup tape. Evidence should be properly marked by placing your initials on items like tapes, printouts, documents, or equipment. Items can be sealed in envelopes or bags which should be signed, dated, and sealed. Evidence should be stored and locked, so that you can testify that no one other than yourself or those people that you can name have had access to it. The defense may maintain that an item has been tampered with or changed.

Read the attached Search Warrant Affidavits for ideas on what can be evidence. These are actual warrants I have written and served, but with name changes. The affidavit on page 27 is a good illustration of what can be evidence.

OBTAINING AND SERVING SEARCH WARRANTS

The search warrant should be done as quickly as possible before the intruder can do further damage. It has been my experience that this type of person does not destroy data unless they are threatened.

It is important that you keep information about the investigation limited to as few people as possible. This limits the possibility of the investigation being leaked.
When I go to a victim company to conduct my investigation, I usually do not identify myself as law enforcement to company receptionists and others not involved in the investigation. You should ask law enforcement to merely request to speak with you when they come to your office to start the investigation.

Probable cause is the criteria required for the issuance of a Search Warrant. You have to establish that a crime has been committed and show why there is cause to enter someone's home or business. The law enforcement officer, probably a local prosecutor, and a judge all have to believe that there is probable cause. For a conviction you have to prove that someone is guilty beyond a reasonable doubt, a much stronger standard than probable cause.

If you have property or data stolen and probable cause can be established, a search warrant can be issued for both buildings and computer systems. Comparisons of data recovered can be made with data allegedly stolen.

You may be asked to accompany law enforcement on the search warrant as a technical assistant or to identify property. If it is necessary for you to carry documents in on a search warrant, consider copying them onto colored paper. This will prevent the defense from inferring that what might have been found was left by you.

Once law enforcement has served the search warrant and examined the seized computers and disks, you will start to be aware of the extent of your problem. You will probably be asked to help evaluate and identify programs found on computers. This will probably lead to other victims.

Any evidence gathered during the search warrant, even though maintained by law enforcement, is legally under the control of the court. Even though a seized item may have your name on a document, it will not be returned to you unless the suspect signs a release or after a hearing by the court. Many victims just want to get their property back after a search warrant has been completed. They may not want to go to trial for fear of disclosing information and think that if they drop charges they will get their property returned to them.

TELEPHONE TRAPS (SEE ATTACHED EXAMPLES)

This requires the equivalent of a search warrant. You will have to file a crime report with law enforcement. The prosecutor or U.S. Attorney's office will have to approve the request before it is taken to a judge for signature. The form will be different from State to State, but it almost always requires probable cause. Once you have information regarding where calls are coming from, this will be the probable cause needed to obtain a search warrant for that location.

Modifying and illegally using cellular phones has become big business. It is impossible to track and locate a suspect who has used someone else's id or cellular phone number. In one case the suspect social engineered a modem access number and then used a cellular phone to illegally access a company's network.

If you belong to any type of an association, invite a local telephone company representative to meet and talk with your group. Most of the telephone companies are charging for these types of services. You will be required to pay the costs.

DISCOVERY AND PROTECTIVE ORDERS

Discovery is where the prosecution (not the defense) provides all reports, information on evidence, lists of potential witnesses, any criminal history of witnesses, and any information except how the prosecution is going to present the case in court. Any property or data recovered by law enforcement will be subject to discovery if a person is charged with a crime. However, a protective order can limit who has access, who can copy, and the disposition of the documents. A protective order allows you to protect proprietary or trade secret documents related to the case.
California Evidence Code Sections 1061, 1062, & 1063 deal with protecting proprietary information, how to obtain protective orders, and how to close courtrooms during discussion of proprietary information. It also limits who the defense can hire to use as an expert witness. If your State does not have such a law, you and members of your association should work to have one passed. (AN ARTICLE ON THIS SECTION IS ATTACHED)

CRIMINAL TRIALS AND TESTIFYING IN COURT

Once a person is arrested they will be arraigned, during which time the court will make sure the suspect has an attorney. For a felony a grand jury hearing or preliminary hearing will be scheduled. States do differ somewhat in this process. In a grand jury hearing neither the defendant nor their attorney can be present. A grand jury hearing is considerably faster. In a preliminary hearing the prosecution must show that a crime has been committed and there is probable cause to believe that the defendant committed the crime. If the defendant is held to answer in a preliminary hearing or the grand jury returns an indictment, a trial will be scheduled.

If the case goes to trial, interviews with witnesses will be necessary. You may have to assign someone to work with law enforcement as a liaison. Key employees will have to spend time away from work at the court, as the prosecution is required to have another witness ready as soon as the current witness is excused.

If you are called as a witness, you should be given instructions prior to trial by the prosecutor about the type of questions to expect and how you will be allowed to answer questions. Remember the prosecutor does not know what the defense attorney will ask. The prosecution is required to furnish the defense with copies of all reports, evidence, and witnesses' names prior to the trial.

Listen to the question carefully to get the full meaning and determine that it is not a multiple part question or contradictory. Most defense attorneys are going to want you to answer only yes or no. However, if you cannot answer with a yes or no, let the court know that it is necessary to answer with an explanation. Do not answer immediately, and make sure you understand the question. This pause will give the prosecutor time to object to defense questions that are inappropriate, confusing, or vague. If you do not totally understand the question, ask for an explanation or start your answer by stating: "I understand your question to be... (give an explanation) and thus my answer would be this....."

You cannot give hearsay answers, only information that you have seen or done. This means that you can generally not testify as to what someone has told you.

Engineers are generally poor witnesses. They tend to see things in absolutes. Often it is necessary to explain or request clarification so that a witness is not always answering no. In one case we called a woman engineer as a witness. On the first day she answered no so often everyone thought she was committing perjury. That evening I explained that she should begin explaining rather than just saying no. This worked for her.

EXPERT WITNESS - Based on your education, training, and experience, you may qualify to testify as an expert witness. This will allow you to give explanations about how computer systems or networks function. In order to give an opinion you have to be qualified as an expert witness. I have testified as an expert on fingerprints, drugs, alcohol, and prostitutes. It has taken up to an hour to go through this process, as the defense can also challenge your expertise.

RECOVERY OF DAMAGES

To recover the cost of damages, such as reconstructing data, re-installing an uncontaminated system, or repairing a system, you can file a civil lawsuit against a person. You can hire an attorney or you could consider filing a claim in small claims court. In California, neither you nor the person you are suing can take an attorney into court. Small claims is heard only by a Judge. In California the maximum that you can sue for in Small Claims is $5,000.00. Check with your local court to learn the small claims maximum.

THINGS TO REMEMBER DURING AN INVESTIGATION

To remember this, think of Smith's Splendid / Silly / Superfluous System:

SPEED
STEALTH
SYSTEM SECURITY
SECURE EVIDENCE
SUSPICIOUS / SCREWY EMPLOYEES
SHOW & EXPLAIN - REPORTING
SEARCH WARRANT - PREPARE AND SERVE

SPEED

Obtain a copy of any unauthorized program or data quickly before it is moved or erased. This copy could be valuable evidence. Notify law enforcement and try to get a search warrant to find any additional data or seize any personal computers associated with the crime. There is likely to be additional information in the computers that may tell you about other intrusions into your systems as well as other companies. In one case I found 10 etc/passwd files, most with cracked passwords. In recent cases I have found a backdoor login program and a trojan horse. I was able to show these programs to the systems operator so they could more effectively check their systems.

If you have a theft of a trade secret, you should talk with your law enforcement representative to find out what they can and will do to help. Can the secret be stopped before it is removed from the United States, and what can be done if it is removed? We are presently prosecuting a company based in Taiwan.

STEALTH

Don't alert the intruder that law enforcement is involved. In several cases it has taken several weeks to complete the investigation and obtain a search warrant. Very few people in the victim company knew who I was; they merely viewed me as another consultant. As a result we recovered computers and other data from the victims.

SYSTEM SECURITY

This will most likely be your major concern, but law enforcement's role is to catch the bad guys. Explain to law enforcement what the intruder can do with any data they may have taken or from just gaining access.
Remember the law enforcement officer may not understand the potential damage to your system or the overall ramifications of "merely having an unauthorized person connecting to your system." Explain what an intruder can do if they can get root access and what it will take for you to correct the problem.

Even under the ECPA you can take steps to protect your system, if you do tell law enforcement what you found without a proper search warrant. If you think you need to examine someone's account to protect your system, you should document the reasons that you took the action.

SECURE EVIDENCE

Remember the Chain of Evidence. This is critical, as we cannot introduce evidence in court unless we can prove the chain of possession. Make or obtain tapes of data when possible. Try to determine the motive of the intruder. This will help with the prosecution.

In cases of theft, a showing of probable cause will have to be made that the product being sought in the search warrant is the same as the victim company's. I have made comparisons of the victim's printed manual with the manual or manual pages from a suspect's software program. A victim company engineer's statement that the functionality is the same is not sufficient; this statement must be corroborated with evidence like the manual pages.

SUSPICIOUS EMPLOYEES

If an employee with system knowledge leaves your company, consider changing passwords. We investigated a case where a manufacturing database was erased twice. The first time was with the use of a current employee's password that the suspect learned while employed with the victim.

Most of the Santa Clara County District Attorney's Office cases of trade secret theft have involved employee embezzlement. Several examples include:

WBS - a disgruntled engineer who carried out thousands of pages of proprietary information and tried to use them to get another job after he was terminated.

M Goldberg - a young man from France who was sent to the United States to work in American software companies rather than serve his French military draft obligations. When his 2 year obligation expired he was stopped from getting on an airplane with enough proprietary information to duplicate the software program he had been working on. He said he wanted to get a job when he returned to France.

CVD - The manager of a computer support group that had his employees rewrite his company's major database program from an IBM mainframe language to C for Sun workstations. He then sold it for several million dollars. He was also trying to do business with other countries. A Sun employee was also convicted for commercial bribery for helping CVD sell the stolen software to Sun. He was also trying to sell computer programs in other countries.

Raj - an Indian engineer who went to work as a security guard at a computer company's R&D building while at the same time he was working for other companies doing the same type of development.

Foreign companies - One tactic is to hire one employee from a company so that person can help determine who else to hire.

SHOW & EXPLAIN FOR LAW ENFORCEMENT

When you think you have a problem you should ask your local law enforcement whether they are required to take a report if you talk to them about a problem. If you decide you are going to file a report, designate someone to work with law enforcement. Remember a report and diagrams are helpful. On a case of software theft, I worked with a customer support software engineer who was very good at explaining the company product. Law enforcement will have to talk directly with development engineers, financial officers, and other company officials. You cannot just have your attorney relate the information. We require a commitment from a high ranking company official that they will support a criminal trial before we will start a search warrant.
SEARCH WARRANT

A search warrant to check a suspect's home and computers is the only way to know the extent of an intrusion into your computer system or to learn if any programs were modified or programs were left in your system. A search warrant is also often the only way to recover stolen proprietary information. A phone trap also requires a search warrant.

FEDERAL AGENCIES

FBI - has a computer crime team in Washington DC and some trained agents in various field offices.
Secret Service - has experts in areas around the USA.
Customs - tracks money exchanges.
U.S. Commerce Department - can keep companies who have stolen products from doing business in the USA, as in the case of the Taiwanese company charged with theft of trade secrets.
IRS - even if you cannot prove a crime, the IRS can tax people who have stolen products, made money, and not paid taxes.

ECPA - TITLE 18 U.S. CODE SECTIONS 2510 AND 2701 ET SEQ.

Electronic Communications Privacy Act, Title 18 U.S. Code, Sections 2510 et seq. (interception of wire and electronic communications) and 2701 et seq. (stored wire and electronic communications), as it relates to keystroke monitoring or system administrators looking in other people's accounts. If you do not have a banner or the account holder has not been properly notified, the system administrator can be guilty of a crime and liable for civil penalties from a lawsuit for keystroke monitoring or looking in someone's account.

ATTACHMENTS

SEARCH WARRANT EXAMPLES:
Page 16 - For a commercial e-mail account
Page 20 - Illegally accessing a company network and destroying data
Page 27 - Broken university account
Page 38 - Number search & trap and trace for long distance connections
Page 45 - Trap & trace for attempted contact to a system
Page 50 - Example of new language for describing computer data and computer equipment to be seized with a search warrant
Page 52 - Section 1030, Title 18 U.S. Code
Page 55 - Section 499c, California Penal Code
Page 56 - Section 502, California Penal Code
Page 61 - Article on Section 1061, California Evidence Code

The following three (3) Search Warrant Affidavits on file with the Superior Court were used to obtain a conviction in a case where the defendant was charged with the theft of passwords and for shutting down a computer:
Page 65 - For account information from a commercial provider; conforms to ECPA.
Page 81 - For computers and other records to show network intrusion.
Page 89 - For computers after a computer was shut down.

This affidavit deals with obtaining a copy of a suspect's electronic mail account at a commercial account provider for the Internet.

SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT

JOHN C. SMITH being sworn, says that on the basis of the information contained within this Affidavit and any attachments thereto, he has probable cause to believe and does believe that the property described below is lawfully seizable pursuant to Penal Code Section 1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same as a means of committing a public offense, or in the possession of another to whom he/she may have delivered same for the purpose of concealing or preventing its discovery;
(X) constitutes evidence tending to show that a felony has been committed or that a particular person has committed a felony;
and that he has probable cause to believe and does believe that the described property is now located at, and will be found at, the location(s) set forth below and thus requests a warrant to search THE FOLLOWING LOCATION(S):

The premises at Blvd, Suite , City of Town, County of Santa Clara, State of California, further described as Commercial Communications, a commercial on-line computer service communication company that provides access to the Internet for subscribers. The Internet is a worldwide network coordinated by the National Science Foundation. The premises to be searched also include any and all electronic mailboxes, directories, or accounts on Commercial Communications' computer system, registered to or containing data placed in that directory by Brendan Gomez.

DESCRIPTION OF PROPERTY TO BE SEIZED

1. Any and all documents and records, whether on paper or stored on magnetic media (including information stored within a computer), within the account of Brendan Gomez, which show the unauthorized entry or attempted entry or connection to other computer systems that connect to the Internet or were done
2. Any and all programs or computer instructions that reside in the account of Brendan Gomez at Commercial Communications that would be used for the unauthorized connections to other accounts on the Internet and would be used for the automatic transfer of information or programs in any other account or systems on the Internet (hacking).
3. Documents and/or magnetic media showing the identity of users, owners, or lessees of the computer account managed by Commercial Communications and registered to Brendan Gomez.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this search warrant are as follows:

Your affiant, John C. Smith, is a Senior Criminal Investigator (Peace Officer) employed by the Santa Clara County District Attorney's Office in Santa Clara County, California. Your affiant has been assigned to the High Technology / Computer Crime Unit of that office since December 1989. He has been a California Peace Officer since June 1965. He is a member and past President of the High Technology Crime Investigators Association (HTCIA), and the Santa Clara Valley Industrial Security Managers Association. He has been a Macintosh computer user since about 1986 and an IBM PC user since 1990 and owns both types of computers.
He is a regular user of the Internet and has had classes on the Unix/Workstation operating environment. He has over 274 hours of training in the High Technology field. He has worked at least eight (8) prior network/intrusion type cases and given several talks to computer professionals on investigating intrusions. He has conversed with experts in federal law enforcement and corporate network security who have specialized in these cases, and who have considerable experience in investigating and interacting with persons who have illegally accessed computers.

Your affiant was contacted by the President of Commercial Communications Company, Blvd., Suite 200, Town, California, on Friday, June 17, 1994. The President told affiant that Commercial had received a communication from the Computer Emergency Response Team (CERT) that detailed a break-in of a computer system at OutOfState University from an account at Commercial. (CERT is the federally funded agency responsible for monitoring security issues on the Internet.) This communication is attached as Exhibit A.

(NOTE FOR SUN USER GROUP - This attachment listed the dates, times, and computer systems that were illegally accessed. I attached it as part of the affidavit so I would not have to type the same information.)

Your affiant started his investigation by interviewing John Little, President of Commercial Communications, and opening Santa Clara County District Attorney's Office Case #94-O-0889. Little gave your affiant the following information: He started Commercial Communications (hereafter referred to as Commercial) in 1986. Commercial is an on-line communications service, set up to provide customers with access to the Internet. Commercial has two T-1 leased lines, one to BARRNET and the other to CIX, Commercial Internet Exchange, in Santa Clara. The President explained that the message from CERT detailed a break-in to an account and a computer system at OutOfState University on June 9, 1994.
In this intrusion the intruder achieved root access and then broke into five (5) OutOfState computers. (Root or superuser status is the privileged or upper level used by the system administrator. At the root level a user is allowed to do anything on the system, such as to look at, use or change any regular account and to create files under other names that may run programs not normally allowed on a system.)

The President said that Commercial did not know which customer account was being used to reach OutOfState, and Commercial was concerned that Commercial's computer systems may have been or be compromised. Commercial employees Brian Brown and Rich Black began checking the Commercial system to make sure Commercial's system had not been compromised. They traced the activity from OutOfState back to Brendan Gomez's account. They opened the account to see if Commercial's system was being compromised and saw tools for breaking into computer systems.

Your affiant interviewed BRIAN T. Brown, Commercial Technical Support staff member. Brown gave affiant the following information: He has worked at Commercial for 3 years and has been working with UNIX for about 6 years. Brown explained that after Commercial received the message from CERT, Exhibit A, he and Black matched IP (Internet) addresses from OutOfState with outgoing logs generated automatically by Commercial's computers. Commercial has a logging program that captures outgoing ftp (file transfer protocol) and telnet connections, i.e., connections to computers at other locations. At about the same time the connections were made to the computer accessed at OutOfState, Brown saw three connections to OutOfState from a Commercial account labeled "brendan". Brown said there were no other connections made to OutOfState during this time period. Brown and Black opened this account to ensure that Commercial's system was not being compromised, and in the account they observed a sniffer program.
The "sniffer" program was not operating at that time. A "sniffer" is a program that captures the data sent from a user to other users as the data is transmitted over a network. Login and password information can be pulled from the data and used to illegally access other accounts.

Brown believes Brendan is 21 years old and a 1991 graduate of High School in Santa Clara. Brown has met Gomez through a friend and has talked with Gomez on network chat lines. Gomez has only paid $40.00 towards the monthly costs of his "brendan" account while he should have paid $240. Gomez opened the account in 1993. Gomez's account was automatically suspended, probably in Aug 93, because of non-payment. Gomez somehow got around the suspension closure and into his account. On Friday, 6-17-94, Brown closed the security hole for billing suspensions.

Your affiant would note that neither Black nor Brown actually intercepted communications made by the person using the "brendan" account and that the copy of the "brendan" directory made by Brown consisted of data that was not stored temporarily as an incident of an electronic transmission. Your affiant specifically does not seek authority to intercept wire communications made by "brendan" in the future.

Affiant contacted Robin Huxley, an employee of OutOfState University. Huxley is responsible for security on the computer system that was compromised from Commercial Communications. Huxley verified the information in the report he sent to CERT and copied to Commercial Communications, attached as Exhibit A.

Based on these facts, your affiant is of the opinion that it is probable that Brendan Gomez has committed violations of Penal Code Sections 484 and 502c(2), which violations are punishable by terms of imprisonment of longer than one year, and that evidence thereof exists on the data tape of the Brendan Gomez directory made by Commercial Communications.
WHEREFORE your affiant prays that a search warrant be issued with respect to the above locations for the seizure of said property at any time of the day and that the same be held under Penal Code section 1536 and disposed of according to law.

___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County

Subscribed and sworn to before me this 28th day of June 1994.

___________________________
Judge of the Superior Court

EXHIBITS:
A - Three page electronic message. From: huxley-robin@CS.OutOfState.EDU, Date: 17 Jun 1994, To: cert@cert.org.
B - Three page report prepared by Brian Brown dated 94/06/22 containing portions of outgoing message logs from Commercial Communications.

This search warrant was used to search the residence and computers of a former employee suspected of illegally accessing and then erasing a company's database.

SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT

JOHN C. SMITH being sworn, says that on the basis of the information contained within this Affidavit and any attachments thereto, he has probable cause to believe and does believe that the property described below is lawfully seizable pursuant to Penal Code Section 1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same as a means of committing a public offense, or in the possession of another to whom he/she may have delivered same for the purpose of concealing or preventing its discovery;
(X) constitutes evidence tending to show that a felony has been committed or that a particular person has committed a felony;
and that he has probable cause to believe and does believe that the described property is now located at, and will be found at, the location(s) set forth below and thus requests a warrant to search THE FOLLOWING LOCATION(S):

The residence of Joe Suspect, described as the premises at 18 Street, City of , County of Santa Clara, State of California, further described as being a two (2) story structure, a tan color with gray trim, with the numbers 18 on a lone mailbox across the street from the residence; including any and all yards, outbuildings, storage areas, garages, carports, sheds, or mailboxes assigned to the described premises, including but not limited to those listed above.

FOR THE FOLLOWING PROPERTY:

1. Any and all documents and records, whether on paper or stored on magnetic media (including information stored within a computer), which show the unauthorized entry or attempted entry or connection to the computer systems at MfgCompany Inc, including but not limited to passwords, password files, security holes, backdoor logins, telephone numbers for modem connections, and software that creates ZY Computer terminal emulation in a personal computer.
2. Any and all programs or computer instructions that would be used for the unauthorized connections to the computer system at MfgCompany Inc and would be used for the unauthorized transfer of information or programs.
3. Any and all documents and records, whether on paper or stored on magnetic media, that contain any portion of files from the computer systems of MfgCompany Navigation.
4. Computer hardware, software, and data including, but not limited to, central processing units (CPUs), hard disks, hard disk drives, floppy disk drives, tape drives, CD-ROM drives, display screens, keyboards, printers, modems, magnetic tapes, cassette tapes, and floppy disks, found together or separately from one another.
5. Written documentation, whether typed or handwritten, including, but not limited to, computer manuals and instructions for the use of any computers and their accessories found at the premises.
6. Evidence of occupancy and control of said premises and work areas, including but not limited to, utility company bills, cancelled mail envelopes, and personal papers.

STATEMENT OF PROBABLE CAUSE

I declare that the facts in support of issuance of this search warrant are as follows:

I, John C. Smith, am a Senior Criminal Investigator (Peace Officer) employed by the Santa Clara County District Attorney's Office in Santa Clara County, California. I have been assigned to the High Technology / Computer Crime Unit of that office since December 1989. I have been a California Peace Officer since June 1965. I am a member and past President of the High Technology Crime Investigators Association (HTCIA), and the Santa Clara Valley Industrial Security Managers Association. I have been a Macintosh computer user since about 1986 and an IBM PC user since 1990 and own both types of computers. I am a regular user of the Internet and have had classes on the Unix/Workstation operating environment. I have over 274 hours of training in the High Technology field.
I have worked at least nine (9) prior network/intrusion type cases and given several talks to computer professionals on investigating intrusions. I have conversed with experts in federal law enforcement and corporate network security who have specialized in these cases, and who have considerable experience in investigating and interacting with persons who have illegally accessed computers. I am a member of the Santa Clara County Network Security Working Group responsible for developing and overseeing the security of the County's wide area network.

I began case #94-0-1102 on Monday, July 18, 1994, by interviewing Alan Albert, Director of Information Systems, MfgCompany Inc, Community, California, and Jonathon A., a private investigator hired by MfgCompany. I again met with Albert and A. on August 5, 1994 and with Albert on August 8, 1994.

Albert told me that someone illegally gained access to MfgCompany's corporate computer network on June 12, 1994 and again on July 26, 1994. On these occasions the intruder erased the files from MfgCompany's manufacturing database, modified key files that allow data to be moved between computers for company use, and caused the password file on a ZY Computer 4 computer (named Pacific) to become void so that the 400 to 500 users of that system could not log on. Albert stated that these intrusions have cost MfgCompany over $100,000 to repair the damage and hundreds of hours in lost time repairing the system so that the manufacturing database will function properly. MfgCompany has had to hire a full time consultant to check the integrity of the system and ascertain if there are back door login programs or other programs hidden in the system that would allow an intruder to access MfgCompany's system without MfgCompany's knowledge.

Albert explained that MfgCompany has offices around the world and uses its electronic network to connect operations and offices. MfgCompany has employees in 30 countries.
MfgCompany's information systems and core business systems are headquartered in Bldg x, Ave., Community, California. MfgCompany has its manufacturing database set up on three ZY Computer 4 minicomputers, named Atlantic, Pacific, & Baltic, on MfgCompany's ethernet (network connection). There are approximately 500 computers, both Unix and personal computers, on MfgCompany's network. MfgCompany's manufacturing database is an inventory system called "MIP" for Manufacturing & Inventory Planning. The ZY Computer 4 operating system is in a language called MPE and the database application/program is called "Enhanced Software", produced by SoftwareCo Computer Systems of Santa Clara County.

Albert believes that the unauthorized intrusion and damage to the system was done by a former MfgCompany employee, Ray Suspect, who was the Manager of the Operations Group in the Information Systems Department. Albert said that Suspect was only one of two people who had all of the information and skills necessary to locate and change the files that were changed. Albert explained that MfgCompany has not cross-trained Information Systems employees, so that in some cases only one person will know a job or function. In most cases there will only be two people who may have the same skills. Suspect was released by MfgCompany.

Albert told me the following: Suspect was hired because he had worked for (ZY Computer) and was very knowledgeable about the ZY Computer 4 computer. Suspect set up the "Enhanced Software" communications software that allows communication and file exchange between the ZY Computer 4 computers, Pacific & Baltic, at MfgCompany. Ray connected to MfgCompany's computer network system from his home as part of his job on a daily or regular basis via a modem into the ZY Computer 4 and into a modem bank on an X.25 network (worldwide network) that is connected to the ethernet (local).
He was also aware of the modem connections for Unix computers and personal computers on the ethernet based network. An internal investigation preceded Suspect's termination, so that he was working at the company while the termination was discussed. He has the knowledge to place hidden programs (backdoor logins) on the system that would allow him access to the system.

On June 12, 1994, MfgCompany experienced an unauthorized 3 minute logon to one of the ZY Computer 4 minicomputers, called Pacific. Pacific contains MfgCompany's manufacturing database. During this unauthorized intrusion the intruder performed four (4) actions that have caused MfgCompany to have to spend many hours and extra cost to repair their computer system.

In the first action the intruder erased MfgCompany's data files in the manufacturing database but not the executable database program.

In the second action, two configuration files were removed from Pacific's Enhanced Software application which tell Enhanced Software how to obtain data from the other 2 ZY Computer 4s on the system. Enhanced Software resided on both Baltic and Pacific, but with different sets of data. The data is divided between Pacific and Baltic based on demand and location. For MfgCompany to achieve maximum utilization of the Enhanced Software database and its computers, all three ZY Computer 4's have to be able to communicate and pass data. The 2 configuration files which were removed are separate from the Enhanced Software executable code and do not reside in the same group (directory). The intruder had to have expert knowledge of the ZY Computer 4 system and the SoftwareCo Enhanced Software application to know which files from approx 20,000 files in the application and manufacturing database files would stop the computers from communicating. Once MfgCompany had purchased and installed Enhanced Software, it added a feature called "Enhanced Software" to the main program.
The two configuration files that were deleted were part of this added feature. Albert stated less than (Small) percent of SoftwareCo's customers use this feature. He learned this from dealing with SoftwareCo.

In the third action, the intruder moved to the "ftp" (file transfer protocol) file in the ZY Computer 4 operating system of the computer Pacific. In this "ftp" file the intruder changed a small "i" to a capital "I" in a directory name in a path in the script, which caused the path to become invalid and not function properly. This change of case on the "i" in "mis" was made globally in this script and thus modified approximately 30 paths. This in turn affected 30 files, which prohibited data from being sent to Unix computers on the network. MfgCompany had purchased this "ftp" feature separately and Ray Suspect had installed it. The "ftp" feature is used by the ZY Computer 4's to automatically transfer certain files that are listed in a script to Unix computers on MfgCompany's ethernet network. This transfer is completed by the computer referring to a path (the hierarchy of files/directories that lead to a given file) in the script of directions and then copying the specified file to the location designated in the path. Since Unix computers are sensitive to capital and lower case letters, every letter in the path has to be of the same case as it is listed in the root (main) directory of the Unix computer where it is located. If any one letter is of a different case the computer will not make the transfer of the copy. MfgCompany employees then use the data on the Unix computers for business. This failure signaled the corporation that there had been a failure in the Information Systems. Ray Suspect created this ftp script for MfgCompany when it was set up and then maintained it.
In the fourth action, the intruder voided passwords on the ZY Computer 4 computer named Pacific by causing the password expiration program to expire several hours later on Monday, May 13, 1994, at 0001 hours. Thus when MfgCompany employees tried to log on on Monday morning they could not use the computer system, as all of the passwords had become invalid.

The intrusion was made through the account of Employee4. Network system logs indicated that Employee4's password was used to make the connection. The passwords for the network were not changed after Suspect left MfgCompany. While at MfgCompany, Suspect had authorization to review and copy the password file as he was one of three system administrators with "root" privileges.

Only two people in the company, Employee2 and Joe Suspect, had the total level of knowledge to complete the above actions. Employee2 is the senior applications engineer in Information Systems. Albert said that Employee2 and Suspect did not work together and were only speaking acquaintances. Employee2 was on a canoeing trip on June 12, 1994, and it was Albert's belief that this trip was out of State.

On July 26, 1994, MfgCompany discovered that its computer network had again been illegally accessed and files erased. This came to MfgCompany's attention because production schedules stopped working on the ZY Computer 4 as a result of database files having been erased. There were no other modifications. This intrusion took 8 minutes. On this occasion both the Pacific and Baltic ZY Computer 4s had files erased. This intrusion was possible as security for the whole system went down on July 26, 1994, as a result of a hardware upgrade.

On Friday, 8-12-94, I spoke with Jonathon A. and Robert Burns, Private Investigators. Burns told me that he works for A. and was checking the trash of Suspect. Burns said that on 8-12-94, at about 12:30 a.m., he checked the trash of Joe Suspect, 1111 Rd. The trash was located in a trash can next to the street for collection.
There are no sidewalks or curbs in this area. In the trash he found a piece of yellow lined paper approximately 3 x 5 inches. The paper had the following numbers written on it:
123-1111
1112
1113
1114
444-5555

During a conference call between Alan Albert, A., and myself, as A. read the numbers, Albert told us the 123 numbers connect to a modem pool in the computer room of the Information Services office in Community where the ZY Computer 4 computers are maintained. This modem pool allows a connection to MfgCompany's ethernet/local network in Community. Information Services uses this modem pool as a connection to MfgCompany's network when they need to check the system. Albert went on to say that the 444-5555 telephone number is a San Jose telephone number that serves as a connection point to MfgCompany's worldwide X.25 network. A. faxed me a copy of the paper with the numbers.

Your affiant seeks permission to bring MfgCompany employee Alan Albert and Jonathon A., private investigator under contract to MfgCompany, along on the search to assist with the identification of the files. Albert will be under the direct supervision and control of your affiant or another peace officer assisting your affiant in the service of this warrant. Your affiant is aware that such a procedure was approved in People v. Superior Court (Moore) (1980) 104 Cal. App. 3d 1001. Albert will be closely supervised by members of the District Attorney's office staff or other law enforcement officers.

Computers: Your affiant requests permission to search and seize any computer systems and magnetic media found at the scene.
Your affiant knows from his training and experience that computer systems commonly consist of central processing units (CPUs), hard disks, hard disk drives, floppy disk drives, tape drives, display screens, keyboards, printers, modems (used to communicate with other computers), electronic cables, cassette tapes, floppy disks, and other forms of magnetic media containing computer information. Your affiant knows from his training and experience that computer users will commonly keep computer hardware and software in their homes, garages, carports, outbuildings, storage areas and sheds assigned to their premises.

Your affiant requests permission to seize computer systems and magnetic media found at the scene without first conducting an examination of each and every hard and floppy disk to determine if such systems and media contain the items requested by this affidavit. Computer users frequently collect a great deal of software on disks or other magnetic media. Searching that media within a reasonable amount of time to determine which material is relevant to this investigation would be difficult and could risk destruction of the evidence. Your affiant may also need to examine at another location any computer(s) found at the scene because most hard disks contain so much data that an on-site inspection is impractical. The examination required to determine whether the hard disk contains the items requested by this affidavit could take days or weeks. Furthermore, there may be too many tapes and/or disks to allow a thorough search of such disks within a reasonable period. Finally, the computer and magnetic media is the best evidence available. Magnetic media is easily erased or destroyed. Leaving magnetic media behind may result in the loss of that magnetic media as evidence.
Your affiant believes that it is better to seize the original evidence than to rely solely on copies which have not been authenticated in the presence of counsel for persons who could face criminal charges based on material found pursuant to this warrant. Your affiant also seeks to seize documentation associated with the computer(s) found at the scene. Your affiant may need that documentation to search the computer. Moreover, that documentation may well contain information identifying the owner and/or user of that computer.

Occupancy: Based on your affiant's training and experience, your affiant knows that occupants of dwellings usually receive correspondence addressed to the occupants at that particular dwelling. Such correspondence usually includes, but is not limited to, phone bills, utility bills, rental agreements, rent receipts, identification papers, canceled mail envelopes, and personal letters. Additionally, your affiant knows that other evidence of ownership and control of said dwellings can usually be found on the occupants of said dwellings and may include, but is not limited to, keys, rent receipts and photographic identification documents with names and addresses on them. Your affiant seeks permission to seize those items.

Based on these facts, your affiant is of the opinion that it is probable that Suspect has committed violations of Penal Code Section 502c(2), the violation of which is punishable by terms of imprisonment of longer than one year.

WHEREFORE your affiant prays that a search warrant be issued with respect to the above locations for the seizure of said property at any time of the day and that the same be held under Penal Code section 1536 and disposed of according to law.

___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County

Subscribed and sworn to before me this 16th day of August 1994.
___________________________
Judge of the Superior Court

This affidavit was used to get into the residence and personal computers of a part-time university employee who broke into another employee's account and used that account.

SUPERIOR COURT OF CALIFORNIA
SANTA CLARA COUNTY JUDICIAL DISTRICT
STATE OF CALIFORNIA - COUNTY OF SANTA CLARA
AFFIDAVIT IN SUPPORT OF SEARCH WARRANT

JOHN C. SMITH, Sr. Criminal Investigator, Santa Clara County District Attorney's Office, being sworn, says that on the basis of the information contained within this Affidavit and any attachments thereto, he has probable cause to believe and does believe that the property described below is lawfully seizable pursuant to Penal Code Section 1524, as indicated below, in that it:
( ) was stolen or embezzled;
(X) was used as the means of committing a felony;
( ) is possessed by a person with the intent to use same as a means of committing a public offense, or in the possession of another to whom he/she may have delivered same for the purpose of concealing or preventing its discovery;
(X) constitutes evidence tending to show that a felony has been committed or that a particular person has committed a felony;
and that he has probable cause to believe and does believe that the described property is now located at, and will be found at, the location(s) set forth below and thus requests a warrant to search THE FOLLOWING FOUR (4) LOCATION(S):

LOCATION A:
1. The three (3) electronic mail accounts, including the information from these accounts on the system backup tapes, belonging to Joe Suspect: #1 suspect@rome.univ.ede (Unix system); #2 suspect@univvm1.univuniv.edu (IBM system); and #3 guard@univvm1.univ.edu (IBM system). These accounts are on computers maintained and housed in the Information Systems and Communications ("ISC") Department, University, California.
AND
2. The desk and work space of Joe Suspect at the Computer Information Center, Information Systems & Computing Department.

FOR THE FOLLOWING PROPERTY:

1. Any and all documents and records, whether on paper or stored on magnetic media (including information stored within a computer), that contain any of the network electronic mail addresses hertz@Rome.Univ.Edu, jeanc@college-ca.edu (Jean Clinton), or carol@college-ca.edu.
2. Any and all documents and records, whether on paper or stored on magnetic media, which contain the code or computer instructions that are used for the automatic transfer of information or email from one account to another and directing the transfer of email to or from supect2nd@rome, hertz@rome, jeanc@college-ca, or carol@college-ca.
3. Any and all programs or computer instructions that would be used for the cracking, matching, or discovering of encrypted passwords for computer accounts.
4. Any and all documents and records, whether on paper or stored on magnetic media, which contain the code or computer instructions that create or operate a computer program commonly known as a "TROJAN HORSE", a shell or program that purports to have a valid purpose but contains, hidden in its code, instructions that start another job such as automatically capturing a user's log-on identification and password and sending it to another location.

LOCATION B: Suspect's Apartment B, Drive, in the City of _________. This residence is a duplex-type residence, painted gray, with a detached open carport. The residence is on the south side of Drive between Streets. There are two street address number plaques attached to the front of the house. The plaque with 732B is nearest the corner of the west side, where there is a door that appears to be the front door for Apartment B.
The premises to be searched also include any and all yards, outbuildings, storage areas, garages, carports, sheds, or mailboxes assigned to the described premises, including but not limited to those listed above.

LOCATION C: The person of Joe Suspect and any personal effects such as, but not limited to, books, binders, backpacks, or briefcases where papers or computer disks may be carried.

LOCATION D: A gray Ford, bearing California license ________, registered to Joe Suspect, City of __________, wherever it may be located in the County of Santa Clara.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this search warrant and court order are as follows:

Your affiant, John C. Smith, is a Senior Criminal Investigator (Peace Officer) employed by the Santa Clara County District Attorney's Office in Santa Clara County, California. Your affiant has been assigned to the High Technology Unit of that office since December 1989. He has been a California Peace Officer since June 1965. He is a member and past President of the High Technology Crime Investigators Association (HTCIA), and a member of the Santa Clara Valley Industrial Security Managers Association. He has been a Macintosh computer user since about 1986 and an IBM PC user since 1990 and owns both types of computers. He is a regular user of the Internet and has had classes on the Unix/Workstation operating environment. He has over 274 hours of training in the High Technology field. He has been involved in at least five (5) prior intrusion type cases and given several talks to computer professionals on investigating intrusions. He has conversed and worked with experts in federal law enforcement who have specialized in these cases, and who have considerable experience in investigating and interacting with persons who have illegally accessed computers.

Your affiant is currently investigating violations of Penal Code Section 502 (Unlawful Access to Computer Systems).
Your affiant knows from training and experience that individuals who "hack" or access computers without authorization often do so from their own computer systems and maintain cracking or password matching programs which may include dictionary or word lists. Your affiant knows that persons who hack computer services by fraudulent means maintain notes and ledgers which document the accesses that are valid, passwords which have been used or tried, and their written notes on how to bypass the system security measures installed. They also make notes of what systems are accessed, what files were downloaded or uploaded, and who else they have been in contact with regarding the access codes being used. Your affiant knows from training and experience that persons who have passwords on their computer system usually maintain a record of that password on a piece of paper, card, book, etc. so that it may be retrieved in case the person fails to recall a password. Your affiant knows the above information may be in the form of hard copy printouts, paper notes, notes in a ledger, or files maintained on a computer system itself in the form of electronic media. Your affiant knows from training and experience that a computer system used to communicate with other systems via modem and the telephone lines will be attached to a modem and a phone line that is installed in the residence. On May 10, 1994, your affiant was contacted by Detective _______, University Police Department, and provided with police reports for case number 94- alleging a violation of California Penal Code Section 502, Computer Crime. Affiant opened SSCCDA case #94-0-0661. Your affiant interviewed Dept Head, Associate Vice President, in charge of the Information Systems and Computing (ISC) Department at AnyCity State University (Univ); Bill Sysop, Staff Systems Software Specialist, ISC; and Timothy J. Sysadmin, Network Systems Programmer, ISC. 
To the best of your affiant's knowledge, these three individuals are reliable and trustworthy citizens without involvement in criminal activity. The following chronology of events, prepared by your affiant after reading the police reports and interviewing the three individuals named above, was prepared for convenient review:
CHRONOLOGY OF EVENTS:
3-21-94 to 4-1-94 - Joe Suspect and Jason Student, student workers, are suspended from their jobs at the Computer Information Center (CIC), ISC, Univ and are told not to use their network accounts for two weeks for verbally fighting and arguing via their electronic mail accounts on Univ's system and on America Online, a commercial system.
3-21-94 - A message is sent from "Patricia Hertz" to ten people, "From: Suspect!", stating that he had been suspended and to send any email to hertz@.univ.edu.
4-12-94 - The email message to "Hello John", attached as Exhibit #1, accusing systems operators Sam Sysadmin and another employee of maintaining pornographic GIFs (graphic or photographic computer files) on the university system, was sent to the mailing list on another system maintained by Univ.
4-14-94 - Univ President Ferris receives an email message from jeanc@college-ca.edu (St Mary's College) regarding Univ computer administrators holding pornographic pictures on the Univ system, attached as Exhibit #2.
4-15-94 - Dept Head assigns Bill Sysop to investigate this matter.
4-15-94 - Bill Sysop learns that there is no issued account to "Patricia Hertz", but he knows a Professor Hertz and contacts him. Professor Hertz states he was issued the account but does not use it. - Bill Sysop checks logs on the IBM computer network and finds that (a) the message, Exhibit #2, sent to Univ President Evens was received from jeanc@college-ca.edu on 4/14/94, at 17:49:14 hrs and that (b) suspect@univvm1.univ.edu sent a message to jeanc@college-ca.edu at 4/14/94 17:39:02 hrs, Exhibit #9.
4-27-94 - Univ Police report 94-117-0705 was taken by Officer Laws. 
The suspect named was Joe Suspect. - Sysadmin examines data in the broken "hertz account" obtained from the backup tapes of April 11, 1994, and observes a ".forward" file used by the Unix mail system to forward mail to another computer. The forwarding address listed was supect2nd@.univ.edu, Exhibit #11.
5-4-94 - Front page article appears in Univ newspaper written by regarding pornography on the Univ computer system.
* On 5-11-94 your affiant began his investigation by talking with Dept Head at his office at Univ. Dept Head related the following information: In March 1994, Suspect and another student, Jason Student, were verbally fighting and arguing. This disagreement spilled into electronic mail. America Online sent a message to Supervisor and Bill in the Computing Information Center, the supervisors of Suspect and Student, asking if something could be done to stop the bickering. Suspect and Student were then suspended from their jobs for two weeks by the Director of Information Services (a division of the ISC) after he investigated and concluded that they had behaved inappropriately. Supervisor also told Suspect and Student not to use their computer network accounts during their suspension. The suspension was from March 21, 1994 to April 1, 1994. Sometime during these two weeks, Dept Head suspects that Joe Suspect hacked into the "hertz account". The "hertz account" belongs to Univ Professor Hertz, who was assigned the account 2 years ago and has never used it. The identifier that is printed when electronic mail is sent from the hertz account was changed from Professor to Patricia. On 5-11-94 and 5-12-94, your affiant interviewed Bill Sysop, Staff Systems Software Specialist, Technical Services, Information System & Computing Department, Univ, at the ISC. 
Sysop provided affiant with the following information: The Information Systems and Computing Department (ISC) is assigned the task of providing general academic and computing services and administrative services to the University. Administrative services include student scheduling, records, grades, and other student information as well as purchasing and assorted administrative functions. The campus has an IP (Internet Protocol) type network that has both Unix and IBM computers attached to it. The Unix system was installed three years ago. ISC has an Internet connection. Sysop was assigned to investigate this matter by Dept Head after Ferris, the President of Univ, received an email message from a Jean Clinton, St Mary's College, dated 14 Apr 94, 17:49:13 PDT, stating in relevant part, "your university computer administrators are using the system as a holding area for pornographic pictures." A copy of the message is attached as Exhibit #2. Sysop began his investigation by trying to find "Patricia Hertz". He asked the CIC (Computer Information Center) and learned there was no record of "Patricia Hertz". Sysop had worked with Professor Hertz, Univ, on prior occasions. Thinking it might be Patrick rather than Professor, Sysop phoned Professor Hertz on April 15, 1994. Professor Hertz told Sysop that he did have a Unix account but that he did not use it. Professor Hertz told Sysop that he recalled being told that he needed a UNIX account to receive email, and so about 2 years ago he signed up with Univ and was given a Unix account that was named hertz. He did not use the Unix account because he found he could use email facilities directly through the Unix workstation he has on his desk. On Friday April 15, 1994, Bill Sysop examined the SMTP (Mail Transfer) log for April 14, 94, on the Univ IBM computer system, attached as Exhibit #9. He did this because Ferris's email account is on the IBM system. 
Sysop checked the log for the time that Ferris had received Exhibit #2 from Jean Clinton. Sysop then looked through the log and found that on 4/14/94, 17:39:02 hours, ten minutes before Exhibit #2 was sent, Suspect had been connected to jeanc@college-ca.edu. Your affiant has obtained a list of log-ins to the jeanc@college-ca account and verified this information. One of the log-ins was from 17:55 to 18:06 hours. The message to President Ferris from jeanc@college-ca was received at Univ at 18:05 hours. Sysop knows Joe Suspect to be a paid Student Assistant at CIC, Computing Information Center, a division of ISC. CIC is assigned the task of providing computer support to the academic computing community at Univ and assistance to administrative computer users. Suspect's supervisor is -------- who reports to __, Director of CIC. Sysop believes Suspect has worked there for about 2 years. On May 12, 1994, your affiant interviewed Bill J. Sysadmin, Network Systems Programmer, ISC, at the computer center. Sysadmin maintains the Unix network. Sysadmin related the following information to your affiant: The hertz account resides on a computer server called "" which is the primary Unix server at Univ. Sysadmin made the printout labeled "Apr 17 23:27 1994 hertz.last Page 1.", attached as Exhibit #10. This printout, Exhibit #10, is a list of connections to the hertz account and shows that someone was connecting to the hertz account on from a terminal server that houses the public modem pool. The entry, "isc- ts1.Univ.EDU", on the log indicates that the connection to hertz was most likely made through a dial-in telephone modem hooked to the terminal server. The original message "Hello John" was sent to 1.BITNET, which distributed the message to a number of system users. This message is attached as Exhibit #1. 
At that time there were 30 faculty members and students from the Univ campus on the mailing list to receive messages sent to the UnivSER account on UnivSER on the IBM system. This account serves as a general computer information source for asking questions and disseminating information regarding the computer system. After seeing the message to President Ferris (Exhibit #2), Sysadmin opined that the hertz account had been broken into. His opinion was based on a number of factors. He recognized that the hertz account had a low user id number (meaning that it was an older account), while the wording of the message in Exhibit #1 caused him to infer the sender was a new user; also, the sender described himself or herself as a student. Finally, faculty and staff are in one file system and students in another. The hertz account was a faculty account. Sysadmin made a "last" printout that shows where the user logged in from and the date & time. A "last log" shows the account where the connection was made, the name of the computer or device where the connection came from, the date, the time, and the duration of the connection. On this "last log" printout, Exhibit #10, the log shows log-ins from College and a log-in from the Univ CIC, which is in the form of a network numerical address, IP address 130.65.55.26. This number shows up on the log since the computer at that location has not been given a name. Sysadmin went to the backup tapes from April 11, 1994, for the server on the Unix system and recovered the home directory from the hertz account onto his (Sysadmin's) workstation. Sysadmin printed the stored mail messages recovered from the backup tape in the hertz account and gave your affiant the 56 pages that he printed. What appears to be the first message from the hertz account is attached as Exhibit #3. That message reads as follows: Date: Mon, 21 Mar 1994 15:11:36 From: Patricia Hertz Subject: From Suspect! 
To: people , (list of his friends' email addresses) "Hello everybody, I'm sure you're wondering why I'm not using my account to mail this to all of you, well the reason is I got suspended for two weeks from work. Actually it was me and Jason "May I sniff your buttcheeks?" Student that got suspended. It's a very long story, but suffice to say I got screwed royally on this one and as such, it is only right that I screw back. Student is toast. I'm not too sure how much mail is going to pile up on my system in 14 days, but let's do the simple math: I get about 45 pieces of mail a day on EACH of my accounts, and I have three, count 'em three, accounts. Let's see 45 times 14 times 3. Shit. 1890 pieces of mail. I think I'll forward all of it to Jason "I'm the Weenie Genie" Student. Anyway, if for any reason you need to get a hold of me via e-mail, please use hertz@.univ.edu. I'll send you all the gory details later. -Suspect" Another message that Sysadmin found in the hertz account deals with Trojan Horses, attached as Exhibit #4. This message is addressed as follows: Date: Tue, 22 Mar 1994 15:29:44 PST From: fly To: hertz@.univ.edu Subject: The Trojan Horse (For Suspect) In this message, a "Trojan Horse Program" is discussed. Dfly states, "Here's what the code *might*(sic) look like", and describes what the code would be. Also in this message is a description of a Trojan Horse which is a fake shell. That paragraph is as follows: When a user attempts to login on the Trojan Horse their login name and password are mailed to a specific user (defined in the code). The process then terminates and the user is left with the *REAL* login prompt. You now have a password and login for a specific user, in other words you have full access to their account. 
How this happens is defined here: When Sysadmin looked at the data in the broken hertz account, which he obtained from the backup tapes of April 11, 1994, he observed a ".forward" file used by the Unix mail system to forward mail to another computer. The forwarding address listed was supect2nd@.univ.edu. The file listing shows that the .forward file was last modified on April 6. On May 19, 1994, Sysadmin printed a copy of the .forward file from the hertz April 11 backup and gave it to your affiant. As indicated, this printout is attached as Exhibit #11. Sysadmin told your affiant that he called the network system administrator at College, College Sysadmin, and advised College Sysadmin that someone seemed to have broken into (the name of the primary Unix server for the .univ.edu system) from College's network. Subsequently, College Sysadmin told Sysadmin that the "jeanc" and "carol" accounts had been broken into. College Sysadmin sent Sysadmin a list of log-ins to the computer "galileo" at St Mary's where the jeanc and carol accounts are located (Exhibit #6). Roy College Sysadmin in his message of April 26, 1994 (Exhibit #6) states: "The owner of the carol account found that someone has tampered with her account. The user hertz@.univ.edu re-routed her e-mail using a .forward file. This has gone on about 2 weeks. She is understandably very upset and has lost some very important messages." On May 15, 1994, your affiant attempted to contact College Sysadmin and learned that he was out of town for several days. Affiant spoke on the telephone with College's 2nd Sysop, Ph.D., Computer Science, College, California, who also serves as a systems administrator with College Sysadmin. Dr. College's 2nd Sysop said he was familiar with the situation with Univ. Dr. College's 2nd Sysop told affiant that Carol is a teacher at College. Mrs. 
Carol was using her child's name as a password; the password thus would have been on a standard word list or dictionary used by a cracker or password matching program. Sysadmin made printouts from the "last" log for both accounts "hertz" and "supect2nd" from the Unix workstation named "homerun", which uses as a server. The printout for the supect2nd account is attached as Exhibit #7 and the printout for the hertz account is attached as Exhibit #8. Sysadmin found log entries on March 17 between 16:34 hours and 18:15 hours which appear to indicate that someone logged out of the supect2nd account and immediately into the hertz account. The following are entries of log-in and log-out times from the "last" logs of the two accounts:
supect2nd Mar 17 16:34 - 16:40
hertz Mar 17 16:40 - 16:52
supect2nd Mar 17 16:52 - 18:07
supect2nd Mar 17 18:07 - 18:09
hertz Mar 17 18:09 - 18:15
On May 19, 1994, your affiant talked with Bill Sysop and Sam Sysadmin at their office. They both informed affiant that it would be highly unusual for Joe Suspect to have his supect2nd account broken into without Suspect being aware of it and without Suspect making a report. Suspect's "vigil" account was set up to subscribe to various mailing lists dealing specifically with network security. Suspect is supposed to review any material that is received and distribute any relevant material to CIC employees. Sysadmin has never received any complaints from Suspect about problems with his supect2nd account being compromised. Sysop told affiant that when he interviewed Suspect, he asked Suspect if he was having any problems with his (Suspect's) IBM accounts. Suspect said he was not having any problems with his accounts. On April 19, 1994, Sysadmin said he copied the contents of the supect2nd@ account from the backup tapes onto his (Sysadmin's) workstation. Sysadmin also said that he had not looked at or examined the contents of that account until the legality of such examination can be determined. 
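The two checks the affidavit describes being done by hand, reading a hijacked ".forward" file (the hertz and carol accounts) and lining up "last" entries from two accounts to see one person hopping between them (the supect2nd/hertz entries above), as an added example in Python. This is illustration code written for this page, not a tool from the affidavit or from the university. It assumes sendmail-style ".forward" syntax and BSD/Linux "last" output that includes a host column; the sample "last" lines reuse the 17 March times quoted above, but their tty and host columns, the sample ".forward" contents, and the domain names are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ForwardEntry:
    raw: str
    kind: str      # "local", "external", "command", "include" or "file"
    target: str


def parse_forward(text: str, local_domain: str) -> list[ForwardEntry]:
    """Parse a sendmail-style ~/.forward: entries split on commas/newlines;
    "|cmd" (optionally quoted) pipes to a command, ":include:/p" pulls in a
    list, "/p" appends to a file, "\\user" delivers locally, else an address.
    Addresses outside local_domain (or a subdomain of it) are "external"."""
    entries: list[ForwardEntry] = []
    for piece in re.split(r"[,\n]", text):
        entry = piece.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith(("|", '"|')):
            entries.append(ForwardEntry(entry, "command", entry.strip('"').lstrip("|").strip()))
        elif entry.startswith(":include:"):
            entries.append(ForwardEntry(entry, "include", entry[len(":include:"):]))
        elif entry.startswith("/"):
            entries.append(ForwardEntry(entry, "file", entry))
        else:
            addr = entry.lstrip("\\")
            domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else local_domain
            local = domain == local_domain or domain.endswith("." + local_domain)
            entries.append(ForwardEntry(entry, "local" if local else "external", addr))
    return entries


def suspicious_forwards(text: str, local_domain: str) -> list[ForwardEntry]:
    """Entries that ship mail off-system or run a command: the two shapes an
    intruder uses to read a victim's mail or plant a backdoor."""
    return [e for e in parse_forward(text, local_domain) if e.kind in ("external", "command")]


# user tty host Dow Mon DD HH:MM - HH:MM (dur); "last" prints no year.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<start>\d{2}:\d{2})\s+-\s+(?P<end>\d{2}:\d{2}|still logged in|down|crash)")


@dataclass
class Session:
    user: str
    tty: str
    host: str
    start: datetime
    end: Optional[datetime]   # None when no logout was recorded


def parse_last(text: str, year: int) -> list[Session]:
    """Parse BSD/Linux `last` output, supplying the year it omits."""
    sessions: list[Session] = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:   # blank lines, "wtmp begins ...", reboot records
            continue
        stamp = lambda hhmm: datetime.strptime(f"{year} {m['mon']} {m['day']} {hhmm}", "%Y %b %d %H:%M")
        start = stamp(m["start"])
        end = stamp(m["end"]) if re.fullmatch(r"\d{2}:\d{2}", m["end"]) else None
        if end is not None and end < start:
            end += timedelta(days=1)   # session crossed midnight
        sessions.append(Session(m["user"], m["tty"], m["host"], start, end))
    return sessions


def find_handoffs(sessions, from_user, to_user, max_gap=timedelta(minutes=1), same_host=True):
    """(ended, started) pairs where a from_user session ends and a to_user
    session starts within max_gap, by default from the same host: the pattern
    the affidavit reads as one person switching between the two accounts."""
    pairs = []
    for a in (s for s in sessions if s.user == from_user and s.end is not None):
        for b in (s for s in sessions if s.user == to_user):
            gap = b.start - a.end
            if timedelta(0) <= gap <= max_gap and (not same_host or a.host == b.host):
                pairs.append((a, b))
    return sorted(pairs, key=lambda p: p[0].end)


# Constructed sample: times from the affidavit, tty/host columns invented.
SAMPLE_LAST = """\
hertz     ttyp3  isc-ts1.Univ.EDU  Thu Mar 17 18:09 - 18:15  (00:06)
supect2nd ttyp2  isc-ts1.Univ.EDU  Thu Mar 17 18:07 - 18:09  (00:02)
supect2nd ttyp2  isc-ts1.Univ.EDU  Thu Mar 17 16:52 - 18:07  (01:15)
hertz     ttyp3  isc-ts1.Univ.EDU  Thu Mar 17 16:40 - 16:52  (00:12)
supect2nd ttyp2  isc-ts1.Univ.EDU  Thu Mar 17 16:34 - 16:40  (00:06)
hertz     ttyp1  130.65.55.26      Mon Mar 14 09:02 - 09:30  (00:28)

wtmp begins Mon Mar  7 00:00
"""
# Constructed .forward like the one in the carol account: local copy, a
# command, and a re-route to a foreign host.
SAMPLE_FORWARD = '\\carol, "|/usr/bin/vacation carol", hertz@univ.edu\n'

if __name__ == "__main__":
    for e in suspicious_forwards(SAMPLE_FORWARD, "college-ca.edu"):
        print(f"FORWARD {e.kind:8} {e.target}")
    for a, b in find_handoffs(parse_last(SAMPLE_LAST, 1994), "supect2nd", "hertz"):
        print(f"HANDOFF {a.user} out {a.end:%b %d %H:%M} -> {b.user} in {b.start:%H:%M} from {b.host}")
```

Run against the sample, the forward audit reports the vacation command and the hertz@univ.edu re-route, and the handoff search reports the 16:40 and 18:09 switches (the 18:07 logout is two minutes before the next hertz login and is left out at the one-minute default). The gap and same-host settings are the knobs to widen when, as in the affidavit, both accounts come in through a shared modem pool.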
Your affiant seeks permission to bring Bill Sysop and Sam Sysadmin along on the search to the four locations to assist with identifying the computer programs described in this affidavit that are to be searched and seized, and to have them operate the Univ computer system to search for the items listed in the Search Warrant. Sysop and Sysadmin will be acting under the direct supervision and control of your affiant or another peace officer assisting your affiant in the service of this warrant. Your affiant is aware that such a procedure was approved in People v. Superior Court (Moore) (1980) 104 Cal. App. 3d 1001. Residence Information: Joe Suspect told Officer Laws of the AnyCity State University Police Department that his home address is 732 E. Taylor Street, AnyCity, California. Dept Head checked payroll records and found that Suspect's address is listed as 732 E. Taylor Street, Apartment 2, AnyCity, California. Dept Head has also seen a business card for a business maintained by Joe Suspect that listed an address of _______. Your affiant checked the California Department of Motor Vehicles records for the driver's license information on Joe Suspect based on the date of birth, 11-18-66, and driver's license number, C1111111, on the police report and found that Joe Suspect Jr. has a valid California driver's license that expires on his birthday in 1987. This record states that his residence address is ______, California. DMV records checked by affiant also show that Joe Suspect Jr., ___, is the registered owner of a Ford, license number ___. Affiant drove by the residence and saw a gray Ford, California license number XXX, in the carport of ___. Computers: Your affiant requests permission to search and seize any computer systems and magnetic media found at the scene. 
Your affiant knows from his training and experience that computer systems commonly consist of central processing units (CPUs), hard disks, hard disk drives, floppy disk drives, tape drives, display screens, keyboards, printers, modems (used to communicate with other computers), electronic cables, cassette tapes, floppy disks, and other forms of magnetic media containing computer information. Your affiant knows from his training and experience that such computers and magnetic media are used to store information. Your affiant believes, based on the information related above, that computers and magnetic media located at the place to be searched contain telephone numbers, access codes and the software necessary to access such computer codes. Your affiant knows from his training and experience that computer users will commonly keep computer hardware and software in their homes, garages, cars, carports, outbuildings, storage areas and sheds assigned to their premises. Your affiant requests permission to seize computer systems and magnetic media found at the scene without first conducting a detailed examination of each and every hard and floppy disk to determine if such systems and media contain the items requested by this affidavit. Computer users frequently collect a great deal of software on disks or other magnetic media. Searching that media within a reasonable amount of time to determine which material is relevant to this investigation would be difficult and could risk destruction of the evidence. Your affiant may also need to examine at another location any computer(s) found at the scene because most hard disks contain so much data that an on-site inspection is impractical. The examination required to determine whether the hard disk contains the items requested by this affidavit could take days or weeks. Furthermore, there may be too many tapes and/or disks to allow a thorough search of such disks within a reasonable time. 
Finally, the computer and magnetic media are the best evidence available. Magnetic media is easily erased or destroyed. Leaving magnetic media behind may result in the loss of that magnetic media as evidence. Your affiant believes that it is better to seize the original evidence than to rely solely on copies which have not been authenticated in the presence of counsel for persons who could face criminal charges based on material found pursuant to this warrant. Your affiant also seeks to seize documentation associated with the computer(s) found at the scene. Your affiant may need that documentation to search the computer. Moreover, that documentation may well contain information identifying the owner and/or user of that computer. Occupancy: Based on your affiant's training and experience, your affiant knows that occupants of dwellings usually receive correspondence addressed to the occupants at that particular dwelling. Such correspondence usually includes, but is not limited to, phone bills, utility bills, rental agreements, rent receipts, identification papers, canceled mail envelopes, and personal letters. Additionally, your affiant knows that other evidence of ownership and control of said dwellings can usually be found on the occupants of said dwellings and may include, but is not limited to, keys, rent receipts and photographic identification documents with names and addresses on them. Your affiant seeks permission to seize those items. Your affiant will not intercept electronic mail or examine electronic mail that has not been read and stored. To the best knowledge of your affiant, this Affidavit and Search Warrant complies with the requirements of Section 2703 of Title 18, United States Code, dealing with the disclosure by a provider of electronic communications services of the contents of an electronic communication that is in electronic storage. 
On the basis of the foregoing, your affiant believes that evidence of the commission of felony violations of California Penal Code section 502 will be found upon the premises and in the records heretofore described. Based upon the above facts, your affiant prays that a search warrant be issued with respect to the above locations for the seizure of said property, and that the same be held under Penal Code section 1536 and disposed of according to law. ___________________________ AFFIANT John C. Smith Criminal Investigator Subscribed and sworn to before me this 23rd day of January 1994. ___________________________ JUDGE OF THE SUPERIOR COURT
Exhibits:
1. Message "Hello John", from Patricia Hertz, April 14, 94.
2. Message to ferris@univ from jeanc@college-ca, April 14, 94.
3. Message from Patricia Hertz, Subj: From Suspect, March 21, 94, with Suspect explaining why he is using this account.
4. Message from fly, to hertz@univ, Subj: THE TROJAN HORSE (for Suspect), March 22, 94.
5. Dept Head's report/chronology of this event, April 20, 94.
6. Message from Systemop@college-ca.edu, To: Sysadmin@isc.univ, Subj: last list, April 20, 94.
7. "last" log from supect2nd (Unix) account showing activity on 3-17-94.
8. "last" log from hertz (Unix) account showing activity on 3-17-94.
9. SMTP mail log from IBM network showing message to jeanc@college-ca on April 14, 94.
10. hertz@.univ "last" log showing connections and dates; this includes modem connections.
11. Copy of the ".forward" file from the hertz@ account on the April 11 backup tape.
This is a request for tracing a long distance call. GEORGE W. KENNEDY DISTRICT ATTORNEY FRANK D. BERRY JR. DEPUTY DISTRICT ATTORNEY 70 West Hedding Street San Jose, California 95110 Attorneys for PEOPLE of the State of California SUPERIOR COURT OF CALIFORNIA, COUNTY OF SANTA CLARA In re Order authorizing "trap and trace" device. NO. ________ 
APPLICATION FOR ORDER AUTHORIZING "TRAP AND TRACE" DEVICE AND NUMBER SEARCH [18 USC 3123] Personally appeared before me this 20th day of January 1994, Investigator John C. Smith, who requests an order authorizing the installation of a "trap and trace" device and number search and on oath deposes and says that there is just, probable, and reasonable cause to believe, and that he does believe, that the telephone number(s) from which incoming calls are to be trapped/number searched and identified are being used in connection with criminal activity and that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation. Your affiant is requesting that this Court authorize a "trap and trace" device by Pacific Bell, the American Telephone and Telegraph Company, and any other provider of electronic or wire communication service for the following telephone numbers: (408) 999-1111 and (408) 999-1112. Affiant is seeking to determine the origin of all telephone calls made to the aforesaid telephone numbers as well as records showing the date, time, and length of call, together with the area code, telephone number, subscriber identification information (including name and address), and location of the calling telephone device. STATEMENT OF PROBABLE CAUSE Your affiant declares that the facts in support of issuance of this court order are as follows: Your affiant, John C. Smith, is a Criminal Investigator (Peace Officer) employed by the Santa Clara County District Attorney's Office in Santa Clara County, California. Your affiant has been assigned to the High Technology Unit of that office since December 1989. He has been a California Peace Officer since June 1965. He is a member and past President of the High Technology Crime Prevention Association (HTCIA), and the Santa Clara Valley Industrial Security Managers Association. 
He has been a Macintosh computer user since about 1986 and an IBM PC user since 1990 and owns both types of computers. He is a regular user of the Internet and has had classes on the Unix/Workstation operating environment. He has over 274 hours of training in the High Technology field. He has worked at least five (5) prior intrusion type cases and given several talks to computer professionals on investigating intrusions. He has conversed with experts in federal law enforcement who have specialized in these cases, and who have considerable experience in investigating and interacting with persons who have illegally accessed computers. Your affiant was contacted by Frank L. Edwards, Brand Incorporated, Security Services Department, Street, FarState, on January 19, 1994. Your affiant knows Brand Systems to be a company which creates and sells software which enables users to create and maintain ________. Mr. Edwards told affiant that the Brand corporate network had been penetrated by an unauthorized intruder who had then gained superuser status on numerous Brand computer systems, reviewed proprietary data and transferred copies of proprietary data to a computer outside the Brand network. Your affiant started his investigation, case #94-0-0109, on January 19, 1994 by interviewing Brand employees Frank Edwards; Davis Investigator; Employee2, Investigative Technician; and Employee3, Network Security Manager for Security Services. These interviews were conducted by telephone. Employee3 has a degree in Electrical ________ from College. He has worked in the computer industry since 1979. Employee3 has been working in security at Brand for about 15 months. Employee2 started with Brand about 1986. He became a Brand Engineer about 1989, and has held several jobs of a technical nature. The last four years he has worked as an Investigative Technician for Brand Security. Frank L. 
Edwards spent 7 years with the FBI, 2 1/2 years with the FarState xxxx Department and four years with Brand as Manager of Investigations. The information in this affidavit was furnished to affiant by these Brand investigators and Michael Houser, a Brand Manager. Your affiant has worked with Brand Security on previous occasions, and knows the personnel to be experienced and reliable. A report in memo form from Scott Employee3 is attached as Exhibit A. To the best of your affiant's knowledge, these Brand employees are reliable and trustworthy citizens without involvement in criminal activity. Brand's internal corporate network is designed to link Brand facilities with electronic mail, transfers of data and source code, and phone system messaging. Brand Security personnel describe it as one of the largest in the world. The network links facilities such as the major product research & development sites at Texas; FarState; San Jose, Ca.; Ca.; sites in the United Kingdom; smaller development sites (which do not do major product development); and Brand sales offices. There are over 40 connections on the network worldwide. Your affiant was informed by these Brand Security investigators that the problem with the network intruder first came to Brand's attention on December 20, 1993, when an unknown individual called a Brand employee posing as a Brand engineer named John Cash. The person posing as Cash asked the Brand employee for his password to a Brand computer file server, a 486 Personal Computer named "Money", located at the Engineering Department in FarState. The computer file server named Money contains source for Brand software that has ever been developed. The engineer provided the person his password. This password enabled the intruder to log into the file server, Money. 
Employee 4, one of the administrators for the file server named Money, checked the internal logs of Money and found that someone had tried to log in as John Cash through the Brand network computer located at the Brand facility at View, FarState. Further investigation indicated that the intruder had telnetted into View, FarState from an unknown location. (Your affiant knows telnetting to be the method where a user connects to a remote computer via his own computer and directs the remote computer to perform various functions.) Once the intrusion had been verified, Brand started searching intrusion logs on the Money file server to ascertain who had attempted to log onto the computer. Security and administrators then called the employees whose names and accounts had been used by the intruder in attempts to gain access to the file server. Some employees on that list contacted the administrators and informed them that they had been contacted by a telephone caller who attempted to persuade them to divulge their passwords. Security contacted some of the employees, who said that the caller identified himself as `Doug Smith' from Brand. `Smith' told them he was working on the Money file server and needed their password to make corrections. Affiant knows this to be a method used by network intruders to fraudulently obtain passwords. Security then warned employees not to give out passwords on the telephone, but employee interviews revealed that the intruder was still able to obtain more passwords. Employee3, working with Michael Houser, Brand Development Systems Manager, and Employee6, Brand Sr. Service Engineer, also found several "Trojan Horses" on the entire Brand network. A Trojan Horse refers to a program covertly placed in a computer system to perform a function not authorized by the system administrator or owner. This Trojan Horse system was designed to capture passwords and then allow retrieval by the intruder. 
Numerous passwords were captured, but only 2 could be used without having to contact their owner. The owners of these two passwords were using the same passwords on the Brand Unix system as well as the Brand System, which runs on DOS systems. Money is on the system and these two passwords allowed the intruder access to Money. Logs of activity on Money, which were provided by one of three system administrators, Jason Johnson, are attached as Exhibit B. Using the passwords gained through contacting the employees and from the trojan horses, the intruder was connecting to various computers on the Brand corporate network, telnetting from machine to machine.

On or about December 28, 1993, a male individual telephoned Employee 8, the Program Manager in the Brand Software Engineering Department, FarState, for Brand utility source code. The man identified himself as a Brand employee named Richard Hoover and requested employee8 place a copy of Brand Source Code on the file server "Flower" into an account called "Richard" with the password being "Richard1". employee8 complied with the request.

On January 4, 1994, at 6:18 pm a male phoned the Brand Information Services Desk, San Jose, California, and left a message on voice mail for employee9, the system administrator, directing him to set up a modem access account for Richard Hoover with the password "goose". This caller had also previously talked to employee9. This account was established on January 5, 1994. The modem access accounts from this facility connect to the Brand Corporate Network, allowing a user to connect to computers where the user has a password and user name.

On January 5, 1994, employee8, the program manager for utility source code, received a telephone call from a person identifying himself as Richard Hoover. This person asked employee8 to put all of the Brand Version X Source Code on a file server called Flower. employee8 tried to load the software; however, it would not fit on this file server.
employee8 phoned Brand employee Richard Hoover, at the Brand facility in View, FarState, and told Hoover that the entire set of source code would not fit. The majority of the source code files were, however, transferred to the computer before it became full. Richard Hoover is a Brand Engineering Manager in the Unix Systems Group at View, FarState, who has authorized access to this utility source code. Richard Hoover informed employee8 that he did not know what employee8 was talking about and denied he had made such a request. employee8 then asked Hoover if he had been the person who had requested that version Y be placed on the file server "Flower" the week previously. Hoover denied that he had ever made such a request. Richard Hoover subsequently told Employee3 that he had never requested a modem access account through Brand's San Jose Office. employee8 said that an unknown person had removed Version X Source Code from the computer. Brand security suspects that was done to make room for version Y.

About January 5, 1994, Michael Houser installed a product called LANalyzer, to troubleshoot network problems, on the network at the Brand View, FarState facility. The LANalyzer was placed in that portion of the Brand network where file server "Flower" resides so that it could watch the traffic in and out of Flower. The LANalyzer captures network data packets, which contain destination and origin data. Houser reviewed the data, which showed the intruder retrieving passwords from the Trojan Horse and the transfer of Brand Ver X source code for LogAB and LogCD to the Colorado Supernet account "Ben". The captured data from LANalyzer shows commands being executed by the intruder to put Brand source code into a computer account on the Colorado Supernet in the name of `Ben'. ame2 is the source code for the Name 2 file that resides on the operating system in an installed Brand networking system on a computer and allows a person to log into a Brand system.
The estimated value of Name2.exe is worth in excess of $1.00. Richard Hoover e-mailed a message regarding the transfer of the data to the systems operator, Trent Hein, at the Colorado Supernet. Colorado Supernet is a commercial service provider of accounts on the Internet to members of the public. Hein told Hoover that the account named "Ben" where the Brand data was being deposited had been compromised and the intruder was not authorized to use it. The logging system at Colorado Supernet showed FTP (File Transfer Protocol) connections being made from 17 different Brand computer systems on the Brand Network to the `Ben' account. The FTP command is used to copy files to and from computer systems, although it can be used to look at a computer directory. Logs from the Colorado Supernet system, for the account Ben, from December 24, 1993, to January 7, 1994, were sent to Brand and are attached to this affidavit as Exhibit C. From December 24, 1993 to January 7, 1994, connections from Brand were made with Colorado Supernet approximately 4 times per day. On January 7, 1994, 10 connections from 4 different Brand computer systems were made to the Colorado Supernet.

Employee 11, a Brand Lead Engineer in the Software Engineering Division, FarState, for a new unpublished Brand project, has a computer running the HP Unix operating system. On January 18, 1994, he installed a "wrapper" on this computer and changed all of the users' passwords. Michael Houser explained that a wrapper is a program that keeps anyone out of a computer who is not an authorized user trying to connect from a computer that has been specifically designated as having permission to connect. Employee11 then checked his computer's logs and found an intruder trying to access this computer from a computer on the Brand network at the Brand facility, San Jose, California.
The computer at the facility in San Jose is a 3Com computer terminal server connecting the inbound modem for telephone numbers (408) 999-1111 & (408) 999-1112. This 3Com terminal server (computer) is designed to allow remote connection to Brand's internal corporate network via modem by calling these telephone numbers. The Modem connects the caller to the network via the 3Com terminal server. Brand Security has determined that there have been in excess of 140 logins through this telephone number using the fraudulent account of Richard Hoover that had been established in San Jose. The intruder used this account and telephone number approximately 4-5 times on January 19, 1994 and left a message that read as follows: "I know you idiots are watching, goodbye asshole." On one of these occasions on January 19, 1994, the intruder, using (408) 999-1111 as a connecting point, e-mailed all of Brand's technical publications to a user on the Colorado Supernet.

Employee3 said the intruder had gained root access at the beginning of the intrusions. Root access gives the intruder system administrator status, which would allow the intruder to change passwords and to create methods to gain entry back into the system at some later time even after the intrusion has been stopped. Michael Houser said that the intruder has obtained root access at least 50 times. The intruder has put a hacked program on the root directory on at least 6 computers on the Brand network. Five (5) of these computers are at the Drive facility in San Jose, California. The hacked program is a modified version of a legitimate Sun program called Newgrp. This program at the root level allows the intruder to move into other computers and make changes.
Based on training and experience, it is your affiant's opinion that this series of intrusions throughout the Brand Network has all been perpetrated by the same individual or individuals, based on similarity of methods used, times, interest in Brand source code and the use of Brand employee names.

Your affiant is informed and believes, based on the representations of Jim Capili, an Investigator for Pacific Bell, that the items requested in this application are the type of records obtained, kept, and maintained by Pacific Bell when they perform a "trap and trace". On January 19, 1994, your affiant notified Jim Capili that he would be making this application to the Court. Affiant is requesting a further Order authorizing Pacific Bell, AT&T and any other provider of electronic or wire communication service to the numbers (408) 999-1111 and 1112 to install an appropriate "trap and trace" device in switches connecting to the aforesaid numbers in order that the origin of these calls can be established. Therefore, your affiant further requests that such an order be made.

Your affiant is informed and believes that telephone companies, including Pacific Bell and AT&T, are required to advise subscribers of telephone service who are identified pursuant to searches such as here requested, unless the court ordering the installation of a "trap and trace" device makes a specific order to the contrary. Your affiant believes that any such disclosure might alert suspects as to the nature, scope, and direction of this investigation before it is completed, and could therefore impede the investigation and interfere with the enforcement of the law.
Therefore, your affiant would request that the Court issue the following order as part of its Order: Pacific Bell, AT&T and their agents and employees, and any other provider of wire or electronic communication service subject to this Order and its agents and employees shall not disclose to the subscriber(s) of the telephone service described herein, or those subscribers identified as calling the above mentioned number(s), the existence of this Order or of this investigation, unless otherwise ordered by this Court.

That based upon the above facts, your affiant prays that an order be issued as requested above.

___________________________
JOHN C. SMITH

Subscribed and sworn to before me this day of January, 1994.

___________________________
JUDGE OF THE SUPERIOR COURT

Exhibit A - Report by Employee3
Exhibit B - Delyle Johnson's Money activity logs
Exhibit C - Colorado Supernet activity logs

This affidavit was used to trap and trace telephone numbers calling into a business. This affidavit would not authorize the telephone company to release the subscriber information (name and address); this would require another affidavit and order.

GEORGE W. KENNEDY, DISTRICT ATTORNEY
FRANK DUDLEY BERRY, JR., Deputy District Attorney
High Technology Unit
Attorneys for the People

SUPERIOR COURT OF THE STATE OF CALIFORNIA
IN AND FOR THE COUNTY OF SANTA CLARA

In re Order authorizing "trap and trace" device and a "number/call search".

NO.

APPLICATION FOR ORDER AUTHORIZING "TRAP AND TRACE" DEVICE, AND "NUMBER/CALL SEARCH", [18 USC 3123]

Personally appeared before me this 28 day of June 1994, Investigator John C.
Smith, who requests an order authorizing the installation of a "trap and trace" device, number/call search, and release of subscriber information and on oath, deposes and says that there is just, probable, and reasonable cause to believe, and that he does believe, that the telephone number(s) from which incoming calls are to be trapped/number searched and identified are being used in connection with criminal activity and that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.

Your affiant is requesting that this Court authorize a "trap and trace" by the American Telegraph and Telephone Company, Pacific Bell Telephone Company, and any other provider of electronic or wire communication service for the telephone number specified below. Affiant is seeking to determine the origin of all telephone calls made to Computer Co. nc. Computer Corporation telephone numbers (415) 222-0000 to and including 222-9999 and (415) 333-0000 to and including 333-9999, as well as records showing the date, time, and length of call, together with the area code, telephone number, subscriber identification information (including name and address), and location of the calling telephone device.

STATEMENT OF PROBABLE CAUSE

Your affiant declares that the facts in support of issuance of this court order are as follows: Your affiant, John C. Smith, is a Senior Criminal Investigator (Peace Officer) employed by the Santa Clara County District Attorney's Office in Santa Clara County, California. Your affiant has been assigned to the High Technology / Computer Crime Unit of that office since December 1989. He has been a California Peace Officer since June 1965. He is a member and past President of the High Technology Crime Investigators Association (HTCIA), and the Santa Clara Valley Industrial Security Managers Association.
He has been a Macintosh computer user since about 1986 and an IBM PC user since 1990 and owns both types of computers. He is a regular user of the Internet and has had classes on the Unix/Workstation operating environment. He has over 274 hours of training in the High Technology field. He has worked at least eight (8) prior network/intrusion type cases and given several talks to computer professionals on investigating intrusions. He has conversed with experts in federal law enforcement and corporate network security who have specialized in these cases, and who have considerable experience in investigating and interacting with persons who have illegally accessed computers.

Your affiant was contacted by the Police Department on 6-16-94 and asked to investigate this matter, designated by the Police Department as case # 92-7354. Your affiant started his investigation, case #94-0-0888, on 6-16-94 by interviewing Patrick Jones, Manager of Network Security, and Manager of Information Resources Advanced Networking Group, Computer Co. Computer Corporation. Computer Co.'s Network Security unit is responsible for Computer Co. Network security, policy, workstation and system security audits, and intrusions into Computer Co. computer systems and networks.

Jones gave your affiant the following information: He has worked for Computer Co. for 9 years. He has been the Manager of Security (networks) for the last 9 months. He has worked in the communication industry for 19 years, with the last 15 years being in data and voice type network systems. Working in this field required him to become knowledgeable about security issues. Jones advised that it is his opinion that an unknown person has been attempting to penetrate Computer Co.'s corporate computer system by gaining access through telephone analog lines. Computer Co. has 10,000 telephone numbers dedicated to their corporation.
These numbers are designated through two prefixes, (415) 222-0000 thru 222-9999 or (415) 333-0000 thru 333-9999. Jones said that an unauthorized intruder has been using some type of an automatic dialer program that can check a telephone line for a connection about every six (6) seconds. The intruder has narrowed down the attempts to connect to only analog telephone lines that have a tone, which are used to connect to computers and fax machines.

On 6-20-94, affiant was furnished with the report from Helen Phillips, Computer Co. Network Support Specialist, dated 6-16-94, and attached as Exhibit A. In this report Phillips explains that Computer Co. has experienced an increase in telephone calls at the Town Computer Co. facility from an average of approximately 11,000 per day to a peak of 44,000 calls per day on 6-3-94.

On 6-23-94, your affiant went to the Computer Co. facility in Other Town and met with Computer Co. employees Patrick Jones, Helen Phillips and Roger Green, Network Security Consultant. Helen A. Phillips is a Network Support Specialist in the Network Administration Department. She has worked for Computer Co. for about 5 years. Prior to working for Computer Co., she was a telephone communications technician for Pacific Bell and American Telephone for about 9 years. She was trained by Pacific Bell. Phillips's job is collecting and billing "Call Detail Recording". This data shows the telephone usage by Computer Co. employees on the telephone PBX. Phillips watches for unusual activity and follows up by notifying management of that activity.

Phillips gave affiant the following information: Computer Co. leases their telephone system from Communication Company. As detailed in her report of 6-16-94, she observed an alarming jump in the total number of call records at certain locations. She watches five locations. She researched the calls coming in and found that the majority of calls were going to numbers not in service.
(At the present time, only about 1,000 of the 5,000 numbers are active.) Phillips observed that the duration of the calls was 6 seconds or less. Phillips observed that when the calls started on 5-24-94, all of Computer Co.'s telephone numbers were being called. Thereafter the calls were focused on numbers that have a tone signifying a connection to either a fax machine or computer modem. As Phillips examined the logs of the numbers called, she also observed repeated calls to the same number. She believes that the intruder did not know what telephone numbers to call in the beginning, but then learned which telephone numbers were for analog lines to fax machines and computers. Some telephone numbers have been hit as many as 300 times per day and others 60 times per day. This is not a normal level of Computer Co. business activity. She found that one line with a tone (telephone number) was hit 27 times in one minute.

Roger Green is a Network Security Consultant in the Network Security Department. Green gave affiant the following information: He has worked at Computer Co. nc. for 3 years. Prior to joining Computer Co., Green worked at Large company from 1986-1989. He has a Bachelor of Science Degree from University. Green writes security policies, does intrusion investigations, and evaluates software for enhancing Computer Co. internal security.

Green explained how modems and computers attach to the Computer Co. telephone system. He explained that someone can dial a telephone number that is connected to a modem and workstation and, if that person has the correct password or can determine the correct password, they have access to Computer Co.'s corporate world wide computer network that connects their facilities in many countries and Computer Co.'s 6,456 employees. Computer Co. policy requirements call for every computer with a modem to have it configured with software that sets up a call back procedure.
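The indicators Phillips pulled from the Call Detail Recording data (a jump in call volume, calls of 6 seconds or less, calls to numbers not in service, repeated hits on the same tone line, many hits on one line inside a minute) can be checked mechanically. The script below is an added example written for this outline, not Computer Co.'s tooling or anything from the affidavit; the CDR line format, the sample records, the in-service list and the tone-line list are all constructed for illustration.

```python
"""Flag sequential-dialer activity in constructed call detail records (CDR).

Added example for this outline. Mirrors the indicators described in the
affidavit: short calls, sweeps across numbers not in service, repeated
hits on modem/fax (tone) lines, and bursts of hits within one minute.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CDR lines: "timestamp,calling_number,called_number,duration_seconds"
SAMPLE_CDR = """\
1994-06-03 02:00:01,5105550100,4152220010,4
1994-06-03 02:00:07,5105550100,4152220011,5
1994-06-03 02:00:13,5105550100,4152220012,3
1994-06-03 02:00:19,5105550100,4152220013,6
1994-06-03 02:00:25,5105550100,4152220013,5
1994-06-03 02:00:31,5105550100,4152220013,4
1994-06-03 09:15:00,6505550123,4152221000,312
1994-06-03 09:20:00,6505550187,4152221001,95
"""

IN_SERVICE = {"4152220013", "4152221000", "4152221001"}  # constructed
TONE_LINES = {"4152220013"}  # constructed: lines answered by a modem or fax
SHORT_CALL_S = 6  # the affidavit reports scanner calls of 6 seconds or less


def parse_cdr(text):
    """Parse CDR lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # do not let one bad record abort the whole report
        ts, calling, called, duration = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "calling": calling,
            "called": called,
            "duration": int(duration),
        })
    return records


def daily_volume(records):
    """Calls per day, to spot the kind of jump Phillips reported (11,000 to 44,000)."""
    return Counter(r["ts"].strftime("%Y-%m-%d") for r in records)


def profile_callers(records, in_service, tone_lines, short_call_s=SHORT_CALL_S):
    """Per calling number: call count, short calls, dead-number hits,
    distinct targets, and hits on each tone line per minute."""
    per_caller = defaultdict(lambda: {
        "calls": 0, "short_calls": 0, "dead_numbers": 0,
        "distinct_called": set(), "tone_hits_per_minute": Counter(),
    })
    for r in records:
        p = per_caller[r["calling"]]
        p["calls"] += 1
        p["distinct_called"].add(r["called"])
        if r["duration"] <= short_call_s:
            p["short_calls"] += 1
        if r["called"] not in in_service:
            p["dead_numbers"] += 1
        if r["called"] in tone_lines:
            minute = r["ts"].strftime("%Y-%m-%d %H:%M")
            p["tone_hits_per_minute"][(r["called"], minute)] += 1
    return per_caller


def flag_war_dialers(per_caller, min_calls=5, short_ratio=0.8, burst=3):
    """Return callers whose pattern matches an automatic dialer: mostly very
    short calls, plus either a sweep over numbers not in service or repeated
    hits on one tone line within a single minute."""
    flagged = {}
    for caller, p in per_caller.items():
        if p["calls"] < min_calls or p["short_calls"] / p["calls"] < short_ratio:
            continue
        max_burst = max(p["tone_hits_per_minute"].values(), default=0)
        if p["dead_numbers"] > 0 or max_burst >= burst:
            flagged[caller] = {
                "calls": p["calls"],
                "short_calls": p["short_calls"],
                "dead_numbers": p["dead_numbers"],
                "distinct_called": len(p["distinct_called"]),
                "max_tone_hits_in_one_minute": max_burst,
            }
    return flagged


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("calls per day:", dict(daily_volume(recs)))
    for caller, stats in flag_war_dialers(
            profile_callers(recs, IN_SERVICE, TONE_LINES)).items():
        print("suspect dialer:", caller, stats)
```

On the constructed records only 5105550100 is flagged: six calls of 6 seconds or less, three to numbers not in service, and three hits on the one tone line inside the same minute. The two long business calls from other numbers fall below the call-count threshold.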
Your affiant knows from training and experience that a callback procedure requires someone calling a telephone number to obtain a connection to a computer to give a password. The computer being called has been programmed not to allow a connection, but to telephone back to a preprogrammed telephone number. When the computer telephones back to the prearranged number, the person requesting the connection has to enter a second password. If there is no call back procedure in place, an intruder with the right type of software can call a number and, once a tone is received, the computer/software generates a number emulating a password. If the password is incorrect, the calling computer hangs up and dials the number again, this time generating another number attempting to match the password of the computer being called. These password dialer programs are designed to be left running indefinitely, recording any telephone numbers and correct passwords that are successfully determined.

However, Green knows some people have not complied with this policy. Green is concerned that the intruder will hit a modem number that is not set up according to Computer Co. policy with a call back number. Green also said there are a fair number of modems that have been distributed to people through the Computer Co. corporation, and these modems are not set up through Computer Co. modem pools but hooked directly to a desktop computer and individual telephone. He knows of about 50 modems in the corporate headquarters building in Palo Alto and estimates that there may be as many as 200 modems through the Computer Co. facilities in Santa Clara County. The Computer Co. modem pools are all configured with call back software.

When affiant asked Green and Jones what they thought the motive would be for an Intruder to gain access to the Computer Co. computer network, they gave several reasons. They said that Computer Co.
operating system (OS) source code is valuable, costing in the range of xxx per copy, and can be downloaded from the Computer Co. network. Also, if an intruder can learn how to break into Computer Co., such knowledge would help the intruder learn how to break into other sites.

Affiant examined the list of Computer Co. telephone numbers called by the intruder and noticed that certain numbers were being called multiple times. Affiant is aware of at least one other instance where, even after an intruder was successful in obtaining a password for a telephone number, the program continued to try other numbers to obtain the password for each number. Intruders continue to look for other passwords for specific telephone numbers in the event they are discovered and closed out of a telephone number they have learned.

Your affiant is informed and believes, based on the representations of Darrell Santos, an Investigator for Pacific Bell, that the items requested in this application are the type of records obtained, kept, and maintained by Pacific Bell when they perform a "trap and trace" and "number/call" search. On June 16, 1994, affiant notified Darrell Santos that affiant would be making this application to the Court. Affiant is requesting a further Order authorizing AT&T, Pacific Bell, and any other provider of electronic or wire communication service to install a "trap and trace" and "number/call search" device. Therefore, your affiant further requests that such an order be made.

Your affiant is informed and believes that telephone companies, including AT&T and Pacific Bell, are required to advise subscribers of telephone service who are identified pursuant to searches such as here requested, unless the court ordering the installation of a "trap and trace" device makes a specific order to the contrary.
Your affiant believes that any such disclosure might alert suspects as to the nature, scope, and direction of this investigation before it is completed, and could therefore impede the investigation and interfere with the enforcement of the law. Therefore, your affiant would request that the Court issue the following order as part of its Order: AT&T, Pacific Bell, and its agents and employees, and any other provider of wire or electronic communication service subject to this Order and its agents and employees shall not disclose to the subscriber(s) of the telephone service described herein, or those subscribers identified as calling the above mentioned number(s), the existence of this Order or of this investigation, unless otherwise ordered by this Court.

That based upon the above facts, your affiant prays that an order be issued as requested above.

___________________________
JOHN C. SMITH, Investigator
District Attorney's Office
Santa Clara County

Subscribed and sworn to before me this 28 day of June, 1994.

___________________________
JUDGE OF THE SUPERIOR COURT

EXHIBIT A - Report of 6-16-94 by Helen Phillips.

This is new language for seizing computer equipment.

for the following property:

1. Any and all documents, including documents stored in computer readable form, that contain the (NAME OF ITEM) or any portion thereof.

2. Any and all documents, including documents stored in computer readable form, that contain the words (NAME OF ITEM) Confidential,

3. Any and all documents, including documents stored in computer readable form and computer files, relating to (NAME OF ITEM)'s

4. Any and all computers, including any peripheral devices connected thereto, as well as any and all hard disks, floppy disks, computer tapes, CD-ROM's, and other computer storage devices.

5. Any and all computer manuals and instructions for the use of any computers and associated peripheral devices found at the premises.

6.
Any and all documents showing the identity of persons occupying and/or in possession of the premises to be searched including, but not limited to, utility company bills, telephone bills, mail and personal papers.

Seizure of computer systems:

Your affiant knows from his training and experience that computer systems commonly consist of a central processing unit (CPU), connected to peripheral devices such as hard disk drives, floppy disk drives, tape drives, CD-ROM's, display screens, keyboards, printers, and modems (used to communicate with other computers). In order to examine a computer system it is sometimes necessary to have all original peripheral devices connected to the CPU in order for the system to work properly. Computer users also maintain floppy disks and other forms of computer readable media which can store computer data and can be moved from one computer system to another. Floppy disks typically store up to 1.4 megabytes of data. (A megabyte is one million bytes of data. One byte of storage is needed for each text character stored.) The computer systems currently in use today typically come configured with internal hard disk drives with a storage capacity of 200 megabytes or more. Hard disk drives on the market today can have storage capacities as high as one gigabyte, which is one-thousand megabytes of storage. In searching computer systems it is not unusual to find a large number of floppy disks along with the computer system. It would not be unusual to find hundreds of floppy disks associated with a computer system.

Your affiant requests permission to seize all computer systems and computer readable media found at the scene without first conducting an examination of each and every hard and floppy disk to determine if such systems and media contain the items requested in this affidavit. Computer users frequently collect a great deal of software on disks or other computer readable media.
Searching that media at the search scene within a reasonable amount of time to determine which material is relevant to this investigation is not usually possible. It can take up to one hour to search just one (1) megabyte of computer storage. Given the storage capabilities of modern computers and floppy disks it could easily take upwards of 200 hours just to search one computer system and its associated floppy disks. Finally, the computer and magnetic media is the best available. Magnetic media is easily erased or destroyed. Leaving magnetic media behind may result in the loss of that magnetic media as . Your affiant believes that it is better to seize the original than to rely solely on copies which have not been authenticated in the presence of counsel for persons who could face criminal charges based on material found pursuant to this warrant. Your affiant also seeks to seize documentation associated with the computer(s) found at the scene. Your affiant may need that documentation to search the computer. Moreover, that documentation may well contain information identifying the owner and/or user of that computer.