Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
FBI - New Haven field office - Tracking a Computer Intruder
Transcript of FBI - New Haven field office - Tracking a Computer Intruder
FBI gets technical
FBI Laboratory is established
CART's mission is to "provide digital forensics and technical capabilities, services, and support to the FBI, intelligence organizations, and other law enforcement agencies."
Connecticut Computer Crimes Task Force (CCCTF)
Back to the Case...
is a small business in Connecticut that specialized in online sales of marine products.
Tracking a Computer Intruder
CT e-commerce company was hacked
Customer order information stolen
Hacker sent emails to customers
Emails appeared to be legitimate
Occurred after recent online purchases
Emails: "We need more information"
Customers -> Company: "Are these from you?"
Company suspected fraud, and contacted the
Included credit card numbers
Evolution of the FBI
34 employees (including 12 accountants)
Investigate violations of national laws in...
Protect the US from...
foreign intelligence operations & espionage
The FBI has many more priorities but, in the context of this case study, we merely want to emphasize how FBI's priorities have changed with societal changes, and how this paradigm shift led the FBI to play such a key role.
Computer Analysis & Response Team
Created to retrieve evidence from computers
Became fully operational in 1991
Became its own FBI division in 1942
-- Kenneth J. Morrison, "The Impact of Digital Forensics on FBI Criminal Investigations," 2004.
Nearly 500 personnel
Special Agents or Computer Specialists
Located across the country
56 FBI field offices
Regional Computer Forensics Laboratories
CART Field Examiners
One field office located in New Haven, CT...
FBI - New Haven Office
U.S. Postal Inspection Service
Connecticut State Police
Connecticut Chief State Attorney's Office
Defense Criminal Investigative Service
Criminal Investigation Division of Internal Revenue Service
U.S. Secret Service
Detectives from area police departments
Types of crimes
Intellectual property theft
Online crimes against children
Created to investigate Internet crimes in Connecticut
Multi-agency task force (it's a party)
* BoatingCT.com is not the real name of the company.
It was changed for the Casebook to protect its identity
Shortly after ordering online products through the company's website, several customers received email messages which appeared to come from the company. This began on
April 24, 2001.
The Emails requested the customers' credit card verification numbers and/or bank account information, and since the emails were already "confirming" the online order number, the last four digits of the credit card numbers, and the expiration dates, the emails seemed valid.
The company contacted the FBI New Haven field office for investigative assistance.
At the FBI's request, the company provided copy of several emails received by customers, along with web server logs
This is where the FBI analysis begins.
Dear Mr. or Mrs. D,
We apologize for any inconvenience this may cause you, but our system has flagged your order most likely due to an unauthorized credit card transaction.
In order for your items to be shipped we first need some verification. For our safety and security,
BoatingCT requires that you respond back with your card's verification number
, if one is available. The verification number is a 3-digit number printed on the back of your card. It appears after and to the right of your card number.
The second method is bank account verification in case fraudulent credit card information was provided.
We require the routing number, which is located at the bottom of your check in between the |; and |; symbols, as well as the account number which comes before the ||' symbols.
Exact location and number of digits varies between banks.
All information is private and confidential. Again, we apologize for any inconvenience and hope you continue to shop with us in the future.
Actual text from an email received by a customer
Received: from ntmail1n.interaccess.com ([220.127.116.111]) by
gas-fs1.interaccess.com with SMTP (Microsoft Exchange Internet Mail Service
id JAYAG6ZX; Tue, 24 Apr 2001 03:04:45 -0500
Received: from janus.hosting4u.net ([18.104.22.168])
by ntmail1n.interaccess.com (Post.Office MTA v3.5.3 release 223
ID# 0-52801U100L2S100V35) with SMTP id com for
Tue, 24 Apr 2001 03:16:06 -0500
Received: (qmail 8371 invoked from network); 24 Apr 2001 08:00:26 -0000
Received: from scorpius.hosting4u.net (22.214.171.124)
with SMTP; 24 Apr 2001 08:00:26 -0000
Subject: Order Verification
Email address (From) <> Email Address (Reply-To)
Whoever sent the email confirmations to the customers was using a Hotmail account to obtain additional financial data from them.
hosting4u.net in the 'Received' headers
This indicated that the email had passed through a Web hosting site.
CART field examiner used the ARIN site to determine that the owner of the IP addresses for hosting4u.net was CommuniTechnet, and the system administrator of CommuniTechnet was interviewed...
American Registry of Internet Numbers (ARIN)
The different email addresses show that the people sending the email confirmations to the customers were using a Hotmail account to obtain additional financial data from the customers
What does this mean?
Also, the presence of
in the 'Received' headers indicated that the email passed through a Web hosting site.
examiner used American Registry for Internet Numbers (ARIN) to determine that the owner of the IP addresses for hosting4u.net was
hosted a site called
, an email spoofing site
used to hide the identity of the person sending email.
Court order issued to Hotmail.com
preserve subscriber information, billing information, logs, and email related to
email address had been registered to an individual named Jason Smith from Los Angeles, CA, using IP address
The CART field examiner plugged 126.96.36.199 into ARIN, and saw that it was associated with APNIC, the
Asia-Pacific Network Information Centre
, the CART examiner found that the owner of this IP address was
, an Internet leased-line service located in Seoul, South Korea...
Hotmail's records showed that the
address had been set up from a computer in Seoul, and that the account also had been checked from a computer in Seoul...or, at least, it seemed so...
The FBI New Haven field office contacted the Legat (FBI foreign liaison office) in Seoul, South Korea, to obtain BORANet's Web logs.
Meanwhile, the CART field examiner began to search
's web logs for entries referring to BORANet or its IP address, when he came upon a suspicious entry...
FBI informed BoatingCT of the vulnerability in the shopping cart software
BoatingCT quickly upgraded to the latest version of WebStore (version 2.0)
New version immune to this particular vulnerability.
Patch had been available since October, 2000
Six months before suspicious emails were reported to BoatingCT
Oh, what could have been!!!
Further analysis of Hotmail logs included two IP addresses which, after using the ARIN site, were found to be associated with the University of Akron, OH, and a free public proxy server in California. The proxy server in California had an IP address of
Logs were requested from the Computing Center at the University of Akron, but none were available
Student entered guilty plea to 1 count of "Fraud and related activity in connection with computers."
Also admitted to preparing and sending fraudulent email messages to the company's customers to obtain additional financial information, and to using some of the credit card and financial information for his own personal gain.
The court stipulated a loss figure $335,000 based on the number of credit cards he stole (670) times the minimum implied loss per credit card ($500), as well as $20,000 in restitution.
The investigation continues...
The FBI contacted the System Administrator of the proxy server in California, and were told that the server had little security.
The Sys Admin offered to search their Web logs for the strings
CART field examiner found several entries in the Hotmail and BoatingCT.com logs in which the WebStore vulnerability had been exploited from an originating IP address of
Note multiple appearances of the originating IP
. This will be relevant later in the investigation.
Do you see the suspicious entry??
The IP address,
, which appeared in dozens of log entries from the California proxy server, also appeared several times in BoatingCT.com's Web logs as exploiting the shopping cart vulnerability.
The CART field examiner used the ARIN web site to determine that this IP address was registered to Road Runner (i.e. Time Warner Cable) in Herndon, Virginia.
A further analysis of BoatingCT.com's Web logs showed that IP address
also exploited the same vulnerability. This IP address was also found to be registered to Road Runner in Herndon, VA.
FBI issued a court order to the owner of Road Runner, requiring them to preserve subscriber information, billing information, logs, and email related to IP addresses
The information provided by Time Warner Cable indicated that the subscriber to the Road Runner IP addresses was a student at the University of Akron
The FBI prepared a search warrant in Connecticut and forwarded it to the FBI CCTF in Akron, OH.
FBI agents in Akron executed the search warrant at the student's home.
Student initially denied any wrongdoing to FBI
Student finally admitted to hacking into BoatingCT.com's website, and taking customer order information, including credit card numbers.
He also admitted using proxy servers in other countries to cover his tracks.
When the search team seized the student's computer system, they noticed that many of the cables were disconnected.
The student said he was cleaning his computer, then confessed that when he heard the agents outside, he knew why they were there.
Student deleted credit card info and tried to destroy master drive, which he hid in the ceiling
Computer system sent to FBI New Haven office for forensic analysis
Data Recovery unsuccessfully attempted on master drive.
CART imaged slave (2nd) drive and used ILook to analyze contents
Search was conducted on the free space and slack space of the imaged hard drive for keywords "boatingct" and "boatingct.com"
Data were recovered from the free space, including customer order records and evidence that he attempted to sell the card information
This is the day before customers began to contact company about strange emails.
He was sentenced to 12 months in prison, but was released after 6 months.
The case was officially closed on Feb 23, 2004