Ethical Hacker Community Forums

Ethical Hacking Discussions and Related Certifications => Forensics => Topic started by: Raccoon on July 20, 2007, 12:10:12 AM



Title: Dodging Search Warrants
Post by: Raccoon on July 20, 2007, 12:10:12 AM
It occurs to me that, in order for a computer that's used in a crime to be used as evidence, it must first be seized for evidence.  Yet, there are all too many ways to dodge a search warrant.

Typically, whenever there's a computer crime, it is tracked back to the physical location of the broadband or telephone subscriber.  Then a search warrant is secretly processed and a home invasion thus proceeds.  But what happens when the computer containing forensics evidence isn't present at that location?

I can envision a dozen methods to dodge a search warrant, buying me time to have "my buddies" bury the evidence, by simply routing traffic through internet or intranet proxies.  Assuming one doesn't cover their tracks online, and their physical location is discovered, what's to prevent them from housing their forensics laden machine(s) at the neighbor's house, or their data on an off-site server (over the internet)?

Let me give you an example:

Say I'm into massive pirating of music/movies or even KP.  My apartment neighbor is into it too.  I own the internet connection, and he has the 4 Terabyte file server, and we're both connected wirelessly (or even via wire through the wall).  I'm smart enough to make sure that the only thing installed on my desktop/laptop is Windows XP, Solitaire, and Putty.

So when the door is bashed in, there I am pulling up Solitaire while closing Putty, and my neighbor who sees all the black vans out front quickly trashes his server (or sneaks it away after the feds leave).

So what if they discover that my neighbor is linked wirelessly or via wire?  They still need a search warrant before they can enter.  But it's too late, there's no evidence left to collect.


Without extensive research into a hacker's personal life or relationship with their neighbors, how is something like this normally prevented?


Title: Re: Dodging Search Warrants
Post by: What90 on July 20, 2007, 08:17:53 AM
First off I'm not a lawyer or in enforcement so this is from reading and watching bad tv  ;)

If they've traced you to your home and grabbed your computer I'd say you're stuffed and off to county lock up for a spell of making mail bags and avoiding Bubba.

1) The link is yours. If a bad guy is using your link, it can still be your problem
http://www.networkworld.com/news/2007/010807-unprotected-wifi-security-laws.html

2) They grab your router, examine the flow of traffic and logs. I guess the amount of connections to the neighbor's system from your machine wouldn't be a good thing for you to play the innocent party.

3) They grab your laptop and do a full forensics exam, plus examine the flow of traffic. I guess the amount of putty connections to the neighbor's system from your machine wouldn't be a good thing for you to play the innocent party (strike 2)
http://windowsir.blogspot.com/ - the stuff that this guy can pull from your system is scary!

4) From listening to some of the podcasts at cyberspeak http://cyberspeak.libsyn.com/ law enforcement are getting wiser to anti-forensics steps. If they get to your house and see/detect the wireless kit, they may be able to get another warrant to trace down the neighbour's system before stepping through the door (if they take you as a major threat)
They have multiple warrants and serve both at the same time.

This might be an ideal world.

You may have an exploding router, Tesla coils to zap the kit, or be much smarter than the guy serving the warrant on the day and get away with it.

I'd still think this would put you on a watch list and they'd be gunning for you in the future..

:)


Title: Re: Dodging Search Warrants
Post by: Raccoon on July 21, 2007, 03:55:32 PM
Hmm.  Well, I appreciate that you're not a lawyer.  But are you even familiar with hacking?

Home networks do not maintain "traffic logs", nor do laptops or putty.  In fact, my scenario specifically stated that the only thing on the laptop was a plain Windows install including Solitaire and Putty.  There is nothing between these two applications that can implicate someone in a crime.

Naturally, presence of the illicit material they deal in would be enough to implicate them, but this guy is quite aware of what he's doing, and him and his neighbor thought it through quite well, so he only uses his laptop to remotely monitor his server via putty.  Doesn't even keep a desktop machine in his own apartment.

True, a wireless connection _may_ set up a red flag, so let's focus on the ethernet connection he has running through the vent/outlet plate to his neighbor.  This can only be discovered upon entry on the first warrant, and nothing can be done about it until a second warrant is issued.

Or does our criminal law permit searches based on probable cause, much like a search of one's vehicle after being pulled over for speeding... or a search of an area that results in a foot pursuit where evidence is believed to have been stashed?


Title: Re: Dodging Search Warrants
Post by: What90 on July 21, 2007, 07:14:41 PM
My disclaimer was best world case for law enforcement and that they might not be able to prove you up to no good - this time  :)


Any of the Cisco and many of the high end home routers do have the option of logging traffic. You mentioned shifting high bandwidth constantly, so a cheap Best Buy router wouldn't give you the performance 24/7 you'd want, hence a higher end router.

The Arp and netstat commands on the pc would show that you made a connection to the other machine, plus its details (ip, mac and ports connected) and reg keys would display how many times you used putty, which puts you in the "he's up to something" box.

Examining putty's details would also give up the ip address and that you use ssh/telnet to this other local box. Local by the fact it's on the same LAN.

You're good with reasonable doubt, unless they get their hands on next door's file server and check that. An ARP dump gives them your MAC, the server remote connection logs (telnet and ssh both keep logs) and it's time to visit with Paris Hilton.

A smart bad guy can do lots of things to hide his trails, but if you do throw in the ethernet cable, I'd guess they would request another warrant at the scene once they work out where it goes. Since Ethernet is only 100m, a good old line detector will get them in the right direction.

Wireless would be a better option for you as the cable would directly implicate you of having knowledge and granting permission to the guy next door to use your system. It's your problem if he's doing bad things with your connection.

Again, I'm not a lawyer, nor have any ambition to be one  ;)

Listening to the Cyberspeak podcast, they report on bad guys getting caught by making silly mistakes and now being able to get detailed records from ISPs without the hassle. I'd drop them a line and see what they make of this.
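
What the PuTTY registry artifacts mentioned in this post look like to an examiner, as an added example that is not part of the original thread. It parses a constructed regedit text export of PuTTY's key under HKEY_CURRENT_USER and lists every host the client has a record of, flagging RFC 1918 addresses; the sample data and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

PUTTY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: regedit text export of the PuTTY key (not from a real case).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\fileserver]
"HostName"="192.168.1.50"
"Protocol"="ssh"
"PortNumber"=dword:00000016

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Default%20Settings]
"HostName"=""
"Protocol"="ssh"
"PortNumber"=dword:00000016

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:192.168.1.50"="0x23,0xc0ffee"
"rsa2@22:shell.example.org"="0x23,0xdecade"
'''


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a regedit text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1), {})
            continue
        value = re.fullmatch(r'"([^"]*)"=(.*)', line)
        if value is None or current is None:
            continue
        name, raw = value.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[len("dword:"):], 16)
        else:
            current[name] = raw.strip('"')
    return keys


def in_rfc1918(host):
    """True when host is an IP literal in a private (LAN) range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        return False
    return any(addr in net for net in RFC1918)


def putty_targets(keys):
    """List (source, host, port, private_ip) for each host PuTTY has recorded."""
    findings = []
    for path, values in keys.items():
        if path.startswith(PUTTY + "\\Sessions\\"):
            host = values.get("HostName", "")
            if host:  # "Default Settings" normally has no host
                name = unquote(path.rsplit("\\", 1)[1])
                findings.append(("saved session '%s'" % name, host,
                                 values.get("PortNumber"), in_rfc1918(host)))
        elif path == PUTTY + "\\SshHostKeys":
            # Value names have the form <keytype>@<port>:<host>
            for name in values:
                m = re.fullmatch(r"([^@]+)@(\d+):(.+)", name)
                if m:
                    findings.append(("cached host key (%s)" % m.group(1),
                                     m.group(3), int(m.group(2)),
                                     in_rfc1918(m.group(3))))
    return findings


def lan_hosts(findings):
    """Distinct private-range hosts, the ones worth tracing on the local wire."""
    return sorted({host for _, host, _, private in findings if private})


if __name__ == "__main__":
    for row in putty_targets(parse_reg(SAMPLE_REG)):
        print(row)
    print("LAN hosts:", lan_hosts(putty_targets(parse_reg(SAMPLE_REG))))
```

A cached host key shows that a key for that host and port was accepted at least once; it carries no timestamp of its own, so timing has to come from other evidence.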


Title: Re: Dodging Search Warrants
Post by: Kev on July 21, 2007, 08:53:03 PM
The scenario you laid out is typical of the amateur hacker-cracker and might seem fine in theory but will more than likely get you busted in real life.  First of all if you were engaged in an activity worthy of the FBI's attention, they are going to not just rush in to your apartment. They will have been observing you for some time in order to build evidence. This has been my experience when working with law enforcement.

Your neighbor is not going to be looking out the window for black vans 24/7. What do you do if they kick down your door the one time your friend ran down to the corner store and left his box on because he had a huge download going on and didn't want to interrupt it.  It's also not difficult for me to locate a wireless network and see how many boxes are part of the network. Same is true of an ethernet connection.  Unless you really have incredible security, I will see exactly what your network consists of.  If the law enforcement arrested your friend, they might cut him a deal to implicate you. I hope he is really a good friend. I can go on and on, the problem is you can't think of everything.  The point is a real high level hacker-cracker doesn't get caught in the first place and spends a lot of time making sure he is invisible.


Title: Re: Dodging Search Warrants
Post by: jimbob on July 22, 2007, 03:33:32 AM
The success of a search warrant can depend hugely on the wording i.e. the scope of said warrant. It's unlikely that a well planned and executed search would be restricted to a single dwelling unless there was a reasonable expectation of finding significant evidence.

Exploding routers and tesla coils are pretty much a work of fiction. The more common techniques of trying to evade digital investigation often, if poorly implemented, point a big flashing arrow at where the investigators need to look to find the evidence they're after.

As for destruction of evidence by a 3rd party, opting to perform an erase operation on a large disk array could be time consuming and allow the investigators time to follow up on leads to discover the illicit cache. Better that the bad guy take a sledge hammer to the disks.

Jim


Title: Re: Dodging Search Warrants
Post by: Raccoon on July 22, 2007, 05:22:20 AM
Ah well, you guys shot up that scenario.  I thought it might make a novel script where FBI agents or RIAA goons obtain a warrant to search a home, only to find that it's the neighbors who are utilizing the internet connection for illicit ends.  So all they could do is stand around and frown at the door until an emergency warrant comes in, by which time there's nothing left to search.

It would certainly be more practical if a wireless internet connection were used, but right away it would be obvious where the packets are coming from.  I consider an ethernet connection to another dwelling more secure and something an investigator wouldn't expect to find, thus limiting the scope of the warrant to a single residence.  It would add an "oh sht" factor when the wire is discovered.

Certainly high profile criminals wouldn't be taken so lightly, but then again, they probably wouldn't be doing it out of their own home.

Thanks for all the comments!


Title: Re: Dodging Search Warrants
Post by: bailenforcer on November 19, 2007, 03:19:13 PM
Quote from: Raccoon
Hmm.  Well, I appreciate that you're not a lawyer.  But are you even familiar with hacking?

Home networks do not maintain "traffic logs", nor do laptops or putty.  In fact, my scenario specifically stated that the only thing on the laptop was a plain Windows install including Solitaire and Putty.  There is nothing between these two applications that can implicate someone in a crime.

Naturally, presence of the illicit material they deal in would be enough to implicate them, but this guy is quite aware of what he's doing, and him and his neighbor thought it through quite well, so he only uses his laptop to remotely monitor his server via putty.  Doesn't even keep a desktop machine in his own apartment.

True, a wireless connection _may_ set up a red flag, so let's focus on the ethernet connection he has running through the vent/outlet plate to his neighbor.  This can only be discovered upon entry on the first warrant, and nothing can be done about it until a second warrant is issued.

Or does our criminal law permit searches based on probable cause, much like a search of one's vehicle after being pulled over for speeding... or a search of an area that results in a foot pursuit where evidence is believed to have been stashed?

Congress appropriated $500 Million Dollars for the Internet providers to keep a 2 year log of all your activity. So despite you escaping a raid and having no hardware to help convict you, I would venture to guess you are going to be hanged anyways. The traffic logs not being kept by the likes of AT&T, Charter, Comcast and all the other ISP providers will be more than enough to not only convict you, but imagine a smart prosecutor telling the judge that yes we have logs and know he downloaded all this, but hid the machines on us during the raid. My guess is the judge or jury will call you unrepentant and give you a much harder sentence than someone who is deemed sorry for his actions. But what do I know, over 20 years as an investigator, I have a tiny bit of experience in court. Unless you have a slick lawyer who understands IT and can argue and convince a judge or jury you were the victim of a prolonged network invasion and had no knowledge of networks enough to let you off the hook so to speak. But you would have to be able to really play the dumb pathetic victim role darn good.

Just my opinion...


Title: Re: Dodging Search Warrants
Post by: ChrisG on November 19, 2007, 04:21:13 PM
isn't that what the wifi at starbucks is for?...hacking.


Title: Re: Dodging Search Warrants
Post by: jimbob on November 20, 2007, 01:30:11 AM
Quote from: ChrisG
isn't that what the wifi at starbucks is for?...hacking.

Unless you can find a free Starbucks hotspot wifi access is more expensive than the coffee. That's a pricey way to hack.


Title: Re: Dodging Search Warrants
Post by: Kev on November 20, 2007, 02:12:05 AM
LOL, any hacker worth a damn is getting into that free. If you don't know how, buy me a cup of coffee at the next Defcon and I will show you!


Title: Re: Dodging Search Warrants
Post by: slimjim100 on November 20, 2007, 05:36:43 AM
Hey I think I might have written a paper on how to get free WiFi http://www.ethicalhacker.net/content/view/131/24/ sorry Kev he owes me the coffee I beat you to it.

Brian


Title: Re: Dodging Search Warrants
Post by: pseud0 on November 20, 2007, 06:41:16 AM
I've served my share of warrants, and I think there are some problems with your scenario:
1) Assume that everything is just the way you've laid it out.  You are still in trouble.  If you've done something on the level that would cause me to come kick in your door, that means I've probably been monitoring your traffic for awhile.  When the traffic goes dead the second I come through your door, we tend to call that a “clue”.  Even if your server isn't right there with you, it will take 15 minutes to call the judge and get an expanded warrant.  In the mean time I'll be reminding you that destroying evidence is a felony, your buddy is probably going to screw up the wipe, I'll pull everything off with EnCase, but by then I'll be tired and pissed off.
2) To be a bit more realistic, your above scenario isn't going to happen.  If I'm interested enough in you to kick in your door that means I'll be monitoring you, not just your traffic.  If you are working with someone else then you are probably going to meet with them at some point, which means I start watching them.  Trust me, it won't take more than a couple of days to figure out that when you, him, or both of you are at home then the naughty traffic is occurring.  That means I get two search warrants, and when your door is being kicked down, so is his.
3) To be even more realistic, the above scenario is also a bit unlikely.  If I think there is a chance that you'll destroy the evidence, why am I going to give you a chance?  There is this place called “outside” that people go to in order to get food/alcohol/smokes/paychecks/transvestite hookers/etc.  It is usually a lot easier and a lot more fun to wait for you to go get a slurpee, arrest you in the parking lot, and then watch you piss your pants when I tell you that we just served a search warrant on your place 15 minutes ago.  I'll probably even drink your slurpee for you.
4) If you've really done something bad then the above scenario isn't going to happen either.  Almost every agency that would be doing this kind of investigation is going to have access to their own keyloggers, trojans, backdoors, etc.  (Read up on the FBI's Magic Lantern)  Again, if you are doing something that is going to get your door kicked in then you are probably worth having someone install one of these little toys on your system.  That means I've captured all of the keystrokes for your putty sessions which negates your “but it's a remote system and you can't see me” argument.
5) Unless you are doing this hacking just for shits and giggles, at some point you probably expect to make a profit off of it.  Most hackers get busted by investigators following their money trail rather than their network trail.
6) Once all of this goes to trial then your remote setup is going to work against you.  It just goes to show the judge and jury that you were very aware that you were involved in something illegal.  It will probably add an extra year or so onto your sentence in Federal Pound-Me-In-The-Ass prison where your only joy will be reading my smart ass forum submissions.


Title: Re: Dodging Search Warrants
Post by: ChrisG on November 20, 2007, 07:50:48 AM
so what happens, in a realistic scenario, when i "can't remember" the pgp key that will unencrypt parts of my hard drive?


Title: Re: Dodging Search Warrants
Post by: pseud0 on November 20, 2007, 08:52:13 AM
That will always be a catch for investigators, but it is offset a bit if those parts of your hard drive are still mounted when the system is taken into custody.  If you can secure the suspect before they unmount those areas or power off the system, then the encryption is worthless.  If they do manage to get it locked you can often make your case based on the network traffic you've been monitoring and the bits and pieces left over in the host OS that will indicate what they've been doing.  Remember, if the feds are kicking down your door they've probably already got a pretty good load of evidence against you. If you get a court order allowing you to rootkit their system before you take them into custody, you'll probably already have the password plus a log of the activities.  That naughty traffic also has to go somewhere and do something, which they probably already have observed and recorded.  Unless you are just hacking stuff for fun you are going to have to do something with the data you've collected. (use the credit card numbers, sell the data, control your bots, etc)  All of that activity leaves evidence scattered all over other networks, not just your home systems. If all else fails, I've seen situations where the suspect is subpoenaed and ordered to produce the password.  If they don't, they are held in contempt until they do.  That puts some heat on them to comply since they can sit in jail as long as the judge can allow.


Title: Re: Dodging Search Warrants
Post by: ChrisG on November 20, 2007, 09:07:23 AM
cool that helps thanks


Title: Re: Dodging Search Warrants
Post by: dean on November 20, 2007, 01:38:13 PM
In the scenario that Raccoon originally posed if the FBI, etc are ready to serve you with a warrant then there is enough evidence already to obtain the warrant but one thing to be noted is that the majority of cases (nearly all) do not convict on the forensic or digital evidence found. It's often only corroborating evidence. This is why in the case of online predators, investigators attempt to get the individual to actually visit a location. The FBI need evidence of extortion, attempted fraud, etc... The digital evidence is there to back that up and reinforce an existing case in most instances and not to create a case. I have done my share of forensic work and each time the legal powers that be just wanted to "seal the deal" not build a case. This is only my experience though.

I agree with pseud0's "smart ass" :) submissions in that if they are knocking on your door there is a damn good reason why.

But let's assume a scenario where nobody knows what you're up to.

1. Why would you use your own computer for starters? There are enough open systems around to store your files/data on. Compromised machines or devices like printers (Nice little self contained OSes) are a great place to store data. Highly doubtful they will be discovered in daily operations.

2. Accessing your data can be done in a number of ways too. Why even mount a drive. Install helix (does not mount swap space). Use a computer at a coffee shop/internet cafe.

3. Route traffic through proxies, etc... Tunnel traffic over different protocols and use encryption. Bots can be used for more than just spamming or DDoS. I could have Bot A upload my set of commands and Bot B downloads and executes them at a predetermined time. Sure, it could be traced...but with enough countries, laws, etc... in the way it's highly doubtful.

4. Don't store anything on the usb key. Keep it on your person at all times. Try and rootkit that.

5. If someone actually walks in on you (assuming that you're at home and not a cafe, etc...) maintain a "dead-man switch" accessible from all rooms in your home, step on it and kill all power or run your degausser if you store data on your drive at home (you can build one that will actually melt the platters on a drive let alone destroy the data).

6. Have encrypted volumes within encrypted volumes on your remote drive. You can always make the case that someone else also compromised that drive. Give up the key to one and deny even knowing about the other. (then again if you're at this point, the FBI has other evidence on you).

5. Google "anti forensics". Encase really does not stand a chance. BTW, the FBI uses encase and more recently FTK.

6. Network forensics is your next option for capturing enough data to reinforce your case but you need to prove that the data originated from a device the person was at during that time. Not so easy to do if that person is careful.

The reality is that most people get caught through their interactions with others, online or in person. The seized data is just icing on the cake at that point.

Are there flaws in the above? Sure, but it proves the point that it's not so easy to detect and then gather enough evidence to convict.

dean


Title: Re: Dodging Search Warrants
Post by: don on November 20, 2007, 02:23:24 PM
Just had to let all of you know that I am enjoying the hell out of this thread especially that smart ass (meant as a compliment) pseud0. Had me lol several times.  ;D

Keep it going,
Don


Title: Re: Dodging Search Warrants
Post by: pseud0 on November 20, 2007, 02:48:14 PM
Dean, good addition to the discussion.  Just to throw more fuel on the fire:

- Any live distro CD is going to be a good solution for your local system since any data is not going to be persistent.  You turn the computer off and it all goes "poof".  Well, except for all of the network traffic that brought the feds to your house in the first place.  The problem is that sometimes you are going to need to store some data for long term use.  Working with a gig size file in an OS that runs only in memory is going to cause some problems.  (hint: load BT2 live CD, mount local hard drives, turn them all into TrueCrypt volumes, throw all your crap in the secondary hidden volume)  Major problem with this solution is that the user is still at risk of getting picked up before they can kill the system.  At that point everything is still available.  Most of the time you wouldn't want to turn everything off if you went outside because you're going to lose a lot of data (the whole live CD thing).
- Even using remote systems, proxies, bot nets, IRC, P2P, malformed packets, encrypted tunnels, smoke signals, isn't going to be perfect.  It is a great first step (as dean pointed out), but at some point you have to interact with those systems in order to do your work.  If that can ever be physically traced back to you, you're in trouble.  That means don't let it be physically traceable to you as per dean's "use coffee shop" comment.  You are still vulnerable to physical observation, though.  If I see you at the same couple of coffee shops every time we are tracking naughty data, well, as was already pointed out, actually catching you with the data is only part of the case.
- I'm not l33t enough to rootkit a thumbdrive, but I can drop some fun stuff on the system you'll be plugging into.  That might get me what I need.  Now, if your live distro was stored on the USB key and you were booting off of it...
- I have rarely even heard of deadman switches that work as advertised.  If you wire them correctly and are actually in the right spot to use them then you might get away with it.  But that's a lot of assuming things work correctly.  (Note: the coolest one I ever saw was a guy who stored all of his CD's and DVD's inside microwaves.  He had all of them turned on, but plugged into a power strip that was turned off.  All he had to do was turn on the power strip button to nuke everything he had.  Too bad for him that he got arrested at his mom's house.)
- Antiforensics are a bitch, but not if you are only using the data on the system to support a case not make it.  If you stomp my time stamps I could still use other data (physical observations, network logs, my rugged handsomeness) to convince a jury that it was probably you that pulled down that picture from boysinsprinknlers.com.  That being said, it does start to introduce a lot of reasonable doubt.
- Dean's last point is dead on.  Most people get caught by being stupid, cocky, and lazy. If they used all of the recommendations that he brought up they'd probably be in good shape.  Most of them won't.


Title: Re: Dodging Search Warrants
Post by: dean on November 20, 2007, 03:06:57 PM
I think the point of finding a person based on network traffic is an interesting one. The whole topic of "downstream" liability aside I still think enough reasonable doubt can be introduced into the validity of the network traffic's origin to be inadmissible.

For example: I set up a wireless router. I visit my neighbor, bob, and crack his WEP/WPA key and install dd-wrt, open-wrt, etc... on the AP. I bridge his AP with mine. If the traffic is actually traced to my home then after their analysis of my router they find a bridge to Bob and visit him. Reasonable doubt.

Still, I would not be using my home for this anyway. My computer at home would probably have a "broken" virus or trojan and spyware installed to substantiate my claims of being computer illiterate. Oh look! I was owned!

dean


Title: Re: Dodging Search Warrants
Post by: pseud0 on November 20, 2007, 03:22:53 PM
dean busts out the SODDI defense... FTW!
http://cyb3rcrim3.blogspot.com/2006/06/trojan-horse-defense.html


Title: Re: Dodging Search Warrants
Post by: dean on November 20, 2007, 03:37:30 PM
"Some Other Dude Did It!" That's my story and I'm sticking to it.

Quote
As opposed to instances in which a defendant raises a SODDI defense in a real-world criminal case, the prosecution cannot rely on the jury's ability to use their common sense to assess the merits of and then reject the defense as implausible because the defense is grounded in what is still, for many, a distinctly "uncommon" context: the virtual environment of computers, hard drives and cyberspace. Some jurors may know nothing about technology, which really gives them no conceptual framework to use in judging the merits of a THD. This, I think, makes them something of a wild card; their decision to go with the prosecution or the defense may be made arbitrarily, a juror's equivalent of flipping a coin.

That quote quite nicely and effectively sums up my point. The defendant needs to be convicted by a jury of his "peers". Not bad odds at this point cause I can guarantee that one of them had a virus or something and is still dealing with the fact their identity was stolen and so will sympathize with the defendant.

dean


Title: Re: Dodging Search Warrants
Post by: pseud0 on November 20, 2007, 04:11:58 PM
That cuts both ways.  I'd sit on the witness stand and suggest that you are probably one of the guys who wrote the virus, stole their identity, and charged all of those 900 calls to their credit card.  Still, coin flip, but becoming less so every year as the public becomes more and more computer literate.


Title: Re: Dodging Search Warrants
Post by: ChrisG on November 20, 2007, 07:55:31 PM
Quote from: dean
"Some Other Dude Did It!" That's my story and I'm sticking to it.

Quote
As opposed to instances in which a defendant raises a SODDI defense in a real-world criminal case, the prosecution cannot rely on the jury's ability to use their common sense to assess the merits of and then reject the defense as implausible because the defense is grounded in what is still, for many, a distinctly "uncommon" context: the virtual environment of computers, hard drives and cyberspace. Some jurors may know nothing about technology, which really gives them no conceptual framework to use in judging the merits of a THD. This, I think, makes them something of a wild card; their decision to go with the prosecution or the defense may be made arbitrarily, a juror's equivalent of flipping a coin.

That quote quite nicely and effectively sums up my point. The defendant needs to be convicted by a jury of his "peers". Not bad odds at this point cause I can guarantee that one of them had a virus or something and is still dealing with the fact their identity was stolen and so will sympathize with the defendant.

dean


i think that would definitely depend on what he was in court for...unauthorized access, maybe... 

stealing bank info from some dumb aol user and buying stuff, maybe not...



Title: Re: Dodging Search Warrants
Post by: EmanoN on November 21, 2007, 07:36:14 PM
Christ, isn't it time to give this thread a rest!  The initial scenario given by Raccoon was answered by What90, Kev and Jimbob.  Everyone else has just repeated what they said with minor variations.  The reality is no decent hacker would hack from their home IP PERIOD!  Thinking you are safe because you hide your downloads or whatever is noob thinking at its worst. Even in cases with the RIAA they didn’t have to actually seize the computer in order to launch their lawsuits.


Title: Re: Dodging Search Warrants
Post by: ChrisG on November 21, 2007, 10:29:40 PM
no


Title: Re: Dodging Search Warrants
Post by: dean on November 22, 2007, 08:50:12 AM
EmanoN, you might want to take the time to read the entire thread before answering next time. It evolved from Raccoon's original scenario into a discussion about ways to hide and what an agency like the FBI's response would be.

Additionally, do you really think that it is only 'hackers' that commit crimes and use digital means to cover it up??

With regards to the RIAA, I see these on a weekly basis through one of my clients. They send a cease and desist type of letter based on the IP address. It's a John Doe type document sent to the organization that owns the IP. It is the organization's responsibility to prove the user shared the songs or videos. Often this requires similar techniques as discussed previously. Most often network traffic (netflow, etc...) is used to prove or disprove and after that it needs to be proven that it was the person's workstation in use and not someone else's. Can you prove the person's IP was used by someone else? Can you match the MAC address to the computer, etc...

So it seems that while this thread might have been dead you just did a good job of reviving it.

dean
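
The attribution step described in this post (IP address from a notice, to flow records, to a MAC address, to a specific workstation), as an added example that is not part of the original thread. The lease history, inventory and flow summaries are constructed, and the record layouts and function names are assumptions rather than any product's export format.

```python
from datetime import datetime


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed DHCP lease history: (ip, mac, lease start, lease end).
LEASES = [
    ("10.20.0.15", "00:11:22:aa:bb:01", ts("2007-11-19 08:00:00"), ts("2007-11-19 16:00:00")),
    ("10.20.0.15", "00:11:22:aa:bb:02", ts("2007-11-19 16:05:00"), ts("2007-11-20 00:05:00")),
    ("10.20.0.16", "00:11:22:aa:bb:03", ts("2007-11-19 09:00:00"), ts("2007-11-19 17:00:00")),
]

# Constructed asset inventory: MAC -> workstation name.
INVENTORY = {
    "00:11:22:aa:bb:01": "WS-ACCT-07",
    "00:11:22:aa:bb:03": "WS-HR-02",
}

# Constructed flow summaries for the IP named in a notice:
# (flow start, internal source ip, bytes sent out).
FLOWS = [
    (ts("2007-11-19 10:30:00"), "10.20.0.15", 734003200),
    (ts("2007-11-19 16:02:00"), "10.20.0.15", 1200),
    (ts("2007-11-19 21:15:00"), "10.20.0.15", 52428800),
]


def attribute(ip, when, leases=LEASES, inventory=INVENTORY):
    """Say which device, if any, the logs tie to `ip` at time `when`."""
    holders = sorted({mac for lease_ip, mac, start, end in leases
                      if lease_ip == ip and start <= when < end})
    if not holders:
        # Static address, spoofed source, or a gap in the DHCP log.
        return {"verdict": "unattributed", "mac": None, "asset": None}
    if len(holders) > 1:
        # Overlapping leases: the log cannot single out one device.
        return {"verdict": "ambiguous", "mac": holders, "asset": None}
    mac = holders[0]
    asset = inventory.get(mac)
    if asset is None:
        # The MAC held the lease but is not a known machine.
        return {"verdict": "unknown-device", "mac": mac, "asset": None}
    return {"verdict": "attributed", "mac": mac, "asset": asset}


def review(flows=FLOWS):
    """Attribute every flow; the same IP can resolve differently over time."""
    rows = []
    for when, ip, nbytes in flows:
        result = attribute(ip, when)
        rows.append((when.strftime("%H:%M"), ip, nbytes,
                     result["verdict"], result["asset"]))
    return rows


if __name__ == "__main__":
    for row in review():
        print(row)
```

Only the first flow resolves to a named workstation; the other two show why the IP address alone does not settle whose machine was in use.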


Title: Re: Dodging Search Warrants
Post by: EmanoN on November 22, 2007, 09:31:53 AM
Nice. Just another hijacked thread. If you are so committed to this topic, perhaps you should start a new one. As I said already, the original poster was answered early on and then what followed was a lot of silly rambling.


Title: Re: Dodging Search Warrants
Post by: JobMatchNow on May 12, 2008, 03:01:02 PM
So you can dodge any search warrants this way?


Title: Re: Dodging Search Warrants
Post by: g00d_4sh on May 13, 2008, 02:57:11 PM
Well, it was an interesting read.  Reminds me of a setup I saw once for a switch in a desktop that lit up magnesium that would fall down onto the harddrive platters.  Basically burn right through the harddrive and computer.  Way too much work really, but entertaining.