Computer Crime & Intellectual Property Section
24/7 High Tech Crime Network
Albert Rees
Computer Crime & Intellectual Property Section
Criminal Division, U.S. Department of Justice
OAS Regional Cyber Crime Workshop, April 2007

24/7 Network
• “The G-8 24/7 Network for Data Preservation”
• Points of contact in participating countries that require urgent assistance with investigations involving electronic evidence
• About 48 participating countries, including: Brazil, Canada, Chile, Jamaica, Mexico, Peru

Electronic Evidence
• E-mail
• Chat logs and instant messenger info
• Web-based email
• Web pages
• Data stored in computers
• Customer records
• And more…
THIS EVIDENCE CAN DISAPPEAR QUICKLY

Internet Service Providers (ISP)
• Essential link to the Internet
• Accessing the Internet through an ISP creates important records and other information
  – Customer records
  – Connection information
  – Stored data
THE ISP OFTEN HAS CRITICAL EVIDENCE

The ISP and Investigations
• Locating the ISP
  – An ISP’s servers may be anywhere in the world
  – Often in the United States
• Working with the ISP
  – Law enforcement point of contact
  – Requests from outside the country
• Data retention practices differ
  – ISP policy
  – A country’s laws
• Data preservation is a key step in investigation

US Approach to Data Preservation
• Law enforcement contacts ISP & requests that any existing data be retained
• Contact can be by mail, e-mail, fax
• Contact can be 24/7
• Appropriate legal process to obtain data
  – Subpoena, court order, search warrant
  – Exception for emergencies

Why a 24/7 Network?
• Importance of timely response to cybercrimes
• Need to find and preserve electronic evidence
  – Data stored on computers and storage devices
  – Data and records kept by ISP
• Need to identify points of contact
  – Law enforcement organization with cyber expertise
  – Knowledge of local laws and procedures

24/7 Operations in the US
• Computer Crime & Intellectual Property Section (CCIPS), Department of Justice is the point of contact
• Each day one prosecutor takes 24/7 calls
• Duty mobile phone for calls after office hours

24/7 Process
• CCIPS receives call
• Requestor identifies assistance sought
  – Preserve records
  – Report online criminal activity in US affecting requesting nation
  – Shut down web site
    • Child pornography
    • Phishing

24/7 Process
• CCIPS determines if request indicates a violation of US law
• If US law is violated, CCIPS contacts appropriate US law enforcement
  – US law enforcement works with requesting law enforcement to obtain needed evidence
  – Evidence obtained & shared informally between law enforcement agencies

24/7 Process
• If no US law is violated
  – CCIPS can contact ISP to request record preservation
  – CCIPS informs requesting country of results of preservation request
THE 24/7 PROCESS IS AN IMPORTANT STEP, BUT IS NOT A SUBSTITUTE FOR FORMAL PROCEDURES

Providing Electronic Evidence Through Diplomatic Channels
• Convention on Cybercrime
• MLAT
• Letters Rogatory
• US obtains requested info by subpoena, court order or warrant & provides to requesting agency

CCIPS Ways to Expedite Preservation
• Identification of major ISPs in US
• Identification of legal points of contact at ISPs
• Many US ISPs have developed procedures on timely processing of law enforcement requests

24/7 Network Membership
• Contact point available 24/7
• English speaking
• Technical knowledge
• Knowledge about domestic laws and policies

24/7 Network Membership
• Capability
  – Knowledge of ISPs in country
  – Knowledge of legal points of contact at ISPs
  – Knowledge of cyber law enforcement agencies in country
    • Prosecutor
    • Police

24/7 Network Membership
• Capability
  – Knowledge of law enforcement authority to compel ISPs to
    • Preserve records
    • Provide records
  – Knowledge of procedures to provide information in accordance with international law
LARGE OFFICE NOT REQUIRED!

Joining the 24/7 Network
• Informal process
• Registration form

International Cooperation Is Necessary for Success
• Online criminals operate internationally
  – Electronic evidence can be anywhere
  – ISPs operate internationally
• Countries must work together to meet this challenge
  – Improved formal and informal mechanisms
  – Better person-to-person contacts

FOR MORE INFORMATION
Albert Rees
+1 (202) 514-1026