.

Dodging Search Warrants

<<

Raccoon

Newbie
Newbie

Posts: 3

Joined: Thu Jul 19, 2007 11:41 pm

Post Fri Jul 20, 2007 12:10 am

Dodging Search Warrants

It occurs to me that, in order for a computer thats used in a crime to be used as evidence, it must first be seized for evidence.  Yet, there are all too many ways to dodge a search warrant.

Typically, whenever there's a computer crime, it is tracked back to the physical location of the broadband or telephone subscriber.  Then a search warrant is secretly processed and a home invasion thus proceeds.  But what happens when the computer containing forensics evidence isn't present at that location?

I can envision a dozen methods to dodge a search warrant, buying me time to have "my buddies" bury the evidence, by simply routing traffic through internet or intranet proxies.  Assuming one doesn't cover their tracks online, and their physical location is discovered, what's to prevent them from housing their forensics laden machine(s) at the neighbor's house, or their data on an off-site server (over the internet)?

Let me give you an example:

Say I'm into massive pirating of music/movies or even KP.  My apartment neighbor is into it too.  I own the internet connection, and he has the 4 Terabyte file server, and we're both connected wirelessly (or even via wire through the wall).  I'm smart enough to make sure that the only thing installed on my desktop/laptop is Windows XP, Solitaire, and Putty.

So when the door is bashed in, there I am pulling up Solitaire while closing Putty, and my neighbor who sees all the black vans out front quickly trashes his server (or sneaks it away after the feds leave).

So what if they discover that my neighbor is linked wirelessly or via wire?  They still need a search warrant before they can enter.  But it's too late, there's no evidence left to collect.


Without extensive research into a hacker's personal life or relationship with their neighbors, how is something like this normally prevented?
Last edited by Raccoon on Fri Jul 20, 2007 12:23 am, edited 1 time in total.
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Fri Jul 20, 2007 8:17 am

Re: Dodging Search Warrants

First off I'm not a lawyer or in enforcement so this is from reading and watching bad tv  ;)

If they've traced you to your home and grabbed your computer I'd said you're stuffed and off to county lock up for a spell of making mail bags and avoiding Bubba.

1) The link is yours. If a bad guy is using your link, it can be still your problem
http://www.networkworld.com/news/2007/0 ... -laws.html

2) They grab your router, examine the flow of traffic and logs. I guess the amount of connections to the neighbor's system from your machine wouldn't be good thing for you to play to innocent party.

3) They grab your laptop and do a full forensics exam, plus examine the flow of traffic. I guess the amount of putty connections to the neighbor's system from your machine wouldn't be good thing for you to play to innocent party (strike 2)
http://windowsir.blogspot.com/ - the stuff that this guy can pull from your system is scary!

4) From listening to some of the podcasts at cyberspeak http://cyberspeak.libsyn.com/ law enforcement are getting wiser to anti-forensics steps. If they get to your house and see/detect the wireless kit, they may be able to get another warrent to trace down the neighbour's system before stepping through the door (if they take you as a major threat)
They have multiple warrens and serve both at the same time.

This might be an ideal world.

You may have an exploding router, Tesla coils to zap the kit, or be much smarter than the guy serving the warrent on the day and get away with it.

I'd still think this would put you on a watch list and they be gunning for you in the future..

:)
<<

Raccoon

Newbie
Newbie

Posts: 3

Joined: Thu Jul 19, 2007 11:41 pm

Post Sat Jul 21, 2007 3:55 pm

Re: Dodging Search Warrants

Hmm.  Well, I appreciate that you're not a lawyer.  But are you even familiar with hacking?

Home networks do not maintain "traffic logs", nor do laptops or putty.  In fact, my scenario specifically stated that the only thing on the laptop was a plain Windows install including Solitaire and Putty.  There is nothing between these two applications that can implicate someone in a crime.

Naturally, presence of the illicit material they deal in would be enough to implicate them, but this guy is quite aware of what he's doing, and him and his neighbor thought it through quite well, so he only uses his laptop to remotely monitor his server via putty.  Doesn't even keep a desktop machine in his own apartment.

True, a wireless connection _may_ set up a red flag, so lets focus on the ethernet connection he has running through the vent/outlet plate to his neighbor.  This can only be discovered upon entry on the first warrant, and nothing can be done about it until a second warrant is issued.

Or does our criminal law permit searches based on probable cause, much like a search of one's vehicle after being pulled over for speeding... or a search of an area that results in a foot pursuit where evidence is believed to have been stashed?
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Sat Jul 21, 2007 7:14 pm

Re: Dodging Search Warrants

My disclaimer was best world case for law enforcement and that they might not be able to prove you up to no good - this time  :)


Any of the Cisco and many of the high end home router do have the option of logging traffic. You mentioned shift high bandwidth constantly, so  cheap best buy router wouldn't give you the performance 24/7 you'd want, hence a higher end router.

The Arp and netstat commands on the pc would show that you made  connection to the other machine, plus it's details (ip, mac and ports connected) and reg keys would display how many times you used putty, which puts you in the "he's up to something" box.

Examining putty's details would also give up the ip address and that you use ssh/telnet to this other local box. Local by the fact it's on the same LAN.

Your good with reasonable doubt, unless they get their hands next door's file server and check that. An ARP dump give them your MAC, the server remote connection logs (telnet and ssh both keep logs) and it's time to visit with Paris Hilton.

A smart bad guy can do lots of things to hid his trails, but it you do thrown in the ethernet cable, I'd guess they would request another warrant at the scene once they work out the where it goes. Since it's Ethernet is only 100m, and a good old line detector will get them in the right direction.

Wireless would be a better option for you as the cable would directly implicate you of having knowledge and granting permission to the guy next door to use your system. It's your problem if he's doing bad things with your connection.

Again, I'm not a lawyer, nor have any ambition to be one  ;)

Listening to the Cyberspeak podcast, they report on bad guys getting caught by making silly mistakes and now being able to get detailed records from ISP's without the hassle. I'd drop them a line and see what they make of this.
<<

Kev

Post Sat Jul 21, 2007 8:53 pm

Re: Dodging Search Warrants

The scenario you laid is typical of the amateur hacker-cracker and might seem fine in theory but will more than likely get you busted in real life.  First of all if you were engaged in an activity worthy of the FBIs attention,they are going to not just rush in to your apartment. They will have been observing you for some time in order to build evidence. This has been my experience when working with law enforcement.

Your neighbor is not going to be looking out the window for black vans 24/7. What do you do if they kick down your door the one time your friend ran down to the corner store and left his box on because he had a huge download going on and didnt want to interrupt it..  Its also not difficult for me to locate a wireless network and see how many boxes are part of the network. Same is true of an ethernet connection.  Unless you really have incredible security, I will see  exactly what your network consists of.  If the law enforcement arrested your friend, they might cut him a deal to implicate you. I hope he is really a good friend. I can go on and on, the problem is you cant think of everything.  The point is a real high level hacker-cracker doesn't get caught in the first place and spends a lot of time making sure he is invisible.
Last edited by Kev on Sat Jul 21, 2007 9:12 pm, edited 1 time in total.
<<

jimbob

Post Sun Jul 22, 2007 3:33 am

Re: Dodging Search Warrants

The success of a search warrant can depend hugely on the wording i.e. the scope of said warrant. It's unlikely that a well planned and executed search would be restricted to a single dwelling unless there was a reasonable expectation of finding significant evidence.

Exploding routers and tesla coils are pretty much a work of fiction. The more common techniques of tying to evade digital investigation often, if poorly implemented, point a big flashing arrow at where the investigators need look to find the evidence they're after.

As for destruction of evidence by a 3rd party, opting to perform an erase operation on a large disk array could be time consuming and allow the investigators time to follow up on leads to discover the illicit cache. Better that the bad guy take a sledge hammer to the disks.

Jim
<<

Raccoon

Newbie
Newbie

Posts: 3

Joined: Thu Jul 19, 2007 11:41 pm

Post Sun Jul 22, 2007 5:22 am

Re: Dodging Search Warrants

Ah well, you guys shot up that scenario.  I thought it might make a novel script where FBI agents or RIAA goons obtain a warrant to search a home, only to find that it's the neighbors who are utilizing the internet connection for illicit ends.  So all they could do is stand around and frown at the door until an emergency warrant comes in, by which time there's nothing left to search.

It would certainly be more practical if a wireless internet connection were used, but right away it would be obvious where the packets are coming from.  I consider an ethernet connection to another dwelling more secure and something an investigator wouldn't expect to find, thus limiting the scope of the warrant to a single residence.  It would add an "oh sht" factor when the wire is discovered.

Certainly high profile criminals wouldn't be taken so lightly, but then again, they probably wouldn't be doing it out of their own home.

Thanks for all the comments!
<<

bailenforcer

Newbie
Newbie

Posts: 2

Joined: Mon Nov 19, 2007 3:30 pm

Post Mon Nov 19, 2007 4:19 pm

Re: Dodging Search Warrants

Raccoon wrote:Hmm.  Well, I appreciate that you're not a lawyer.  But are you even familiar with hacking?

Home networks do not maintain "traffic logs", nor do laptops or putty.  In fact, my scenario specifically stated that the only thing on the laptop was a plain Windows install including Solitaire and Putty.  There is nothing between these two applications that can implicate someone in a crime.

Naturally, presence of the illicit material they deal in would be enough to implicate them, but this guy is quite aware of what he's doing, and him and his neighbor thought it through quite well, so he only uses his laptop to remotely monitor his server via putty.  Doesn't even keep a desktop machine in his own apartment.

True, a wireless connection _may_ set up a red flag, so lets focus on the ethernet connection he has running through the vent/outlet plate to his neighbor.  This can only be discovered upon entry on the first warrant, and nothing can be done about it until a second warrant is issued.

Or does our criminal law permit searches based on probable cause, much like a search of one's vehicle after being pulled over for speeding... or a search of an area that results in a foot pursuit where evidence is believed to have been stashed?


Congress appropriated $500 Million Dollars for the Internet providers to keep a 2 year log of all your activity. So despite you escaping a raid and having no hardware to help convict you, I would venture to guess your are going to be hanged anyways. The traffic logs not being kept by the likes of AT&T, Charter, Comcast and all the other ISP providers will be more than enough to not only convict you, but imagine a smart prosecutor telling the judge that yes we have logs and know he downloaded all this, but hid the machines on us during the raid. My guess is the judge or jury will call you unrepentant and give you a much harder sentence than someone who is deemed sorry for his actions. But what do I know, over 20 years as an investigator, I have a tiny bit of experience is court. Unless you have a slick lawyer who understands IT and can argue and convince a judge or jury your were the victim of a prolonged network invasion and had no knowledge of networks enough to let you off the hook so to speak. But you would have to be able to really play the dumb pathetic victim role darn good.

Just my opinion...
<<

LSOChris

Post Mon Nov 19, 2007 5:21 pm

Re: Dodging Search Warrants

isnt that what the wifi at starbucks is for?...hacking.
<<

jimbob

Post Tue Nov 20, 2007 2:30 am

Re: Dodging Search Warrants

ChrisG wrote:isnt that what the wifi at starbucks is for?...hacking.

Unless you can find a free Starbucks hotspot wifi access is more expensive than the coffee. That's a pricey way to hack.
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Nov 20, 2007 3:12 am

Re: Dodging Search Warrants

LOL, any hacker worth a damn is getting into that free. If you don't know how, by me a cup of coffee at the next Defcon and I will show you!
Last edited by Kev on Tue Nov 20, 2007 3:13 am, edited 1 time in total.
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Tue Nov 20, 2007 6:36 am

Re: Dodging Search Warrants

Hey I think I might of wrote a paper on how to get free WiFi http://www.ethicalhacker.net/content/view/131/24/ sorry Kev he owes me the coffee I beat you to it.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Tue Nov 20, 2007 7:41 am

Re: Dodging Search Warrants

I've served my share of warrants, and I think there are some problems with your scenario:
1)Assume that everything is just the way you've laid it out.  You are still in trouble.  If you've done something on the level that would cause me to come kick in your door, that means I've probably been monitoring your traffic for awhile.  When then traffic goes dead the second I come through your door, we tend to cal that a “clue”.  Even if your server isn't right there with you, it will take 15 minutes to call the judge and get an expanded warrant.  In the mean time I'll be reminding you that destroying evidence is a felony, you're buddy is probably going to screw up the whipe, I'll pull everything off with EnCase, but by then I'll be tired and pissed off.
2)To be a bit more realistic, your above scenario isn't going to happen.  If I'm interested enough in you to kick in your door that means I'll be monitoring you, not just your traffic.  If you are working with someone else then you are probably going to meet with them at some point, which means I start watching them.  Trust me, it won't take more than a couple of days to figure out that when you, him, or both of you are at home then the naughty traffic is occurring.  That means I get two search warrants, and when your door is being kicked down, so is his.
3)To be even more realistic, the above scenario is also a bit unlikely.  If I think there is a chance that you'll destroy the evidence, why am I going to give you a chance?  There is this place called “outside” that people go to in order to get food/alcohol/smokes/paychecks/transvestite hookers/etc.  It is usually a lot easier and a lot more fun to wait for you to go get a slurpee, arrest you in the parking lot, and then watch you piss your pants when I tell you that we just served a search warrant on your place 15 minutes ago.  I'll probably even drink your slurpee for you.
4)If you've really done something bad then the above scenario isn't going to happen either.  Almost every agency that would be doing this kind of investigation is going to have access to their own keyloggers, trojans, backdoors, etc.  (Read up on the FBI's Magic Lantern)  Again, if you are doing something that is going to get your door kicked in then you are probably worth having someone install one of these little toys on your system.  That means I've captures all of the keystrokes for your putty sessions which negates your “but its a remote system and you can't see me” argument.
5) Unless you are doing this hacking just for shits and giggles, at some point you probably expect to make a profit off of it.  Most hackers get busted by investigators following their money trail rather than their network trail. 
6) Once all of this goes to trial then your remote setup is going to work against you.  It just goes to show the judge and jury that you were very aware that you were involved in something illegal.  It will probably add an extra year or so onto your sentence in Federal Pound-Me-In-The-Ass prison where your only joy will be reading my smart ass forum submissions.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

LSOChris

Post Tue Nov 20, 2007 8:50 am

Re: Dodging Search Warrants

so what happens, in a realistic scenario, when i "cant remember" the pgp key that will unencrypt parts of my hard drive?
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Tue Nov 20, 2007 9:52 am

Re: Dodging Search Warrants

That will always be a catch for investigators, but it is offset a bit if those parts of your hard drive are still mounted when the system is taken into custody.  If you can secure the suspect before they unmount those areas or power off the system, then the encryption is worthless.  If they do manage to get it locked you can often make your case based on the network traffic you've been monitoring and the bits and pieces left over in the host OS that will indicate what they've been doing.  Remember, if the feds are kicking down your door they've probably already got a pretty good load of evidence against you. If you get a court order allowing you to rootkit their system before you take them into custody, you'll probably already have the password plus a log of the activities.  That naughty traffic also has to go somewhere and do something, which they probably already have observed and recorded.  Unless you are just hacking stuff for fun you are going to have to do something with the data you've collected. (use the credit card numbers, sell the data, control your bots, etc)  All of that activity leaves evidence scattered all over other networks, not just your home systems. If all else fails, I've seen situations where the suspect is subpoenaed and order to produce the password.  If they don't, they are held in contempt until they do.  That puts some heat on them to comply since they can sit in jail as long as the judge can allow.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
Next

Return to Forensics

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software