Information Security News mailing list archives

A Palmtop for the Prosecution


From: InfoSec News <isn () c4i org>
Date: Fri, 25 Oct 2002 03:43:48 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.nytimes.com/2002/10/24/technology/circuits/24palm.html

By JENNIFER LEE
October 24, 2002  

The Sony Clié was as good a smoking gun as investigators could get in
a white-collar crime.

When the police in San Jose, Calif., broke up an identity-theft crime
ring two weeks ago, they used search warrants to seize and examine the
hand-held organizers of the suspects, including that of the man the
police said had been the ringleader, Julian Torres, 21.

Stored on Mr. Torres's Clié, investigators said, were the names of
more than 20 victims along with their Social Security, bank account
and credit card numbers and other personal information. Mr. Torres's
To-Do list included tasks like picking up materials at the local
office supply store to make fake checks, the police said. E-mail
messages contained confirmations of transfers from victims' bank
accounts. He had even used the Clié's digital camera to take pictures
of his partners in crime. It was hard for Mr. Torres to deny the Clié
was his, the police said, given that he had entered his parents' phone
numbers under "Dad" and "Mom."

"This was the tool he used to perpetrate his crimes," said Alan Lee, a
detective from the San Jose high-tech-crime unit who helped on the
case. "Everything is there." Information on the Clié helped
investigators find another two of Mr. Torres's accomplices, he said.  
Mr. Torres is being held in jail on $1 million bail.

As hand-held organizers like the Clié and Palm have soared in
popularity, it's not just law-abiding citizens who appreciate their
usefulness in managing appointments, contacts and schedules.  
Criminals, too, are using them to coordinate their activities. And the
rise of the organizer as a criminal tool has bred a new category of
forensic scientist: the Palm reader.

Drug dealers use contact lists to track buyers and suppliers,
investigators say, while drug makers, like those who run clandestine
methamphetamine laboratories, use memos to keep recipes and ingredient
lists. Pimps use the devices to keep track of clients, revenues and
expenses. Smugglers and money launderers track their transactions on
spreadsheets. Stalkers have been known to store their fantasies and
victims' schedules on their Palms.

Even spies have used them. Corporate spies have downloaded sensitive
documents to their hand-helds and quietly walked off with them. Robert
P. Hanssen, the F.B.I. agent who was sentenced to life in prison in
May for selling secrets to Moscow, used his Palm III to keep track of
his schedule to pass information to his Russian contacts. (He also
asked them for an upgrade to a Palm VII because of its wireless
capabilities.)

Police officials are beginning to seize and analyze personal digital
devices in their investigations (a warrant allowing search of a
suspect's electronic devices is usually required). What they often
find is a trove of detailed, intimate, up-to-date information. That
data has been used to prosecute criminals, penetrate their networks
and better understand their methods.

The data contained in a hand-held says a lot about its owner, whether
that person is a corporate tycoon or a petty thief. "It's an alter
ego," said Larry Leibrock, who teaches at the University of Texas at
Austin and has been a consultant in many forensic cases involving
hand-helds. "It represents their aspirations, who their contacts are,
where they spend their time, their tasks and objectives, and how they
completed those."

Even sensitive information is rarely password protected, demonstrating
a general naïveté that many people have about the security of their
digital devices.

Hand-held users often believe - wrongly, investigators say - that what
is personal is also private. "People assume that only they can have
access," Dr. Leibrock said.

As the criminals are discovering, that isn't the case. The simplicity
of a hand-held makes information easily retrievable - not only by the
owner, but by whoever has physical access to the device.

"The natural consequence of the information revolution is that our
lives are centered around processes and equipment whose sole purpose
is to collect data," said David Aucsmith, a security architect for
Microsoft. "These devices are all trying to make your life easier."

While hand-held forensics has mostly been focused on criminal
investigations, the devices are popping up as evidence in civil cases
as well - in intellectual property disputes between companies, for
example, and divorces. A handful of companies, like Guidance Software,
the Paraben Corporation and AtStake, have made a business of helping
investigators preserve and analyze data.

While organizers are used mostly in white-collar crimes, they have
also been helpful in homicide investigations. When the police were
investigating the murder of 7-year-old Danielle van Dam near San Diego
last February, for example, they copied the contents of four computer
hard drives and a Palm Pilot belonging to the man who was convicted in
the case, David A. Westerfield.

In a recent homicide case in Texas, the assailant turned out to be a
person on the contact list in the victim's organizer. "It was a close
personal friend who did it for financial gain," said Amber Schroader,
who is director of forensics for Paraben, in Orem, Utah, and helped
with the investigation.

The police will often seize a suspect's organizers to establish a link
with the victim, check on alibis or determine motivation. In an
attempted homicide case that Dr. Leibrock recently worked on, the
suspect planned his day around his victim's schedule, which he kept in
his Palm. The man, whom Dr. Leibrock described as obsessive
compulsive, also kept detailed notes of his fantasies about the woman
on the device. "He was going to capture this woman, tie her up and
have his way with her," Dr. Leibrock said.

People are remarkably truthful on their personal digital devices -
even when they are lying elsewhere. Federal investigators from the
Department of Health and Human Services will use doctors' own
organizer schedules to catch them for falsely billing for Medicaid and
Medicare patients they have never seen. (Investigators don't need a
warrant for these searches, since doctors agree to make records
available as a term of their participation in the programs.)

Organizers are rarely encrypted or password-protected - even when
criminals take similar precautions in other electronic formats. "If
you went to their desktop machine they would have a good 5 to 10
passwords," Ms. Schroader said. "But when it came to their P.D.A. they
felt it was so close to them that they didn't need it."

In fact, investigators often find passwords for protected desktop or
laptop computer files stored on suspects' hand-helds.

Even when Palms are encrypted, they are remarkably easy to crack, said
Joe Grand, the principal engineer at Grand Idea Studio, a product
design firm in Boston, who has analyzed the security flaws in the Palm
operating system.

Organizers are easy to locate, because they are almost always found
with individuals or in their cars. As a result, the devices themselves
even help in identifying bodies. In a suicide case in Virginia in
March, for example, a decomposing body was found on the Appalachian
Trail with a hand-held but no wallet or other identification. When the
device was cleaned off and powered up, it revealed the name of the
55-year-old Maryland man who had shot himself.

Previously the information now found in one place may have been
scattered in various locations - wallets, desks, cars and even
dumpsters.

"It gets a little disgusting sometimes when you have to dig through
their trash for their bank statements," said John Holzer, a special
agent with the Commerce Department's Office of Export Enforcement,
which is responsible for preventing certain goods from being exported
to countries like Libya and Iran. In tracing suspicious American
companies, the agents often search for account numbers to subpoena
bank information to look for money transfers from foreign banks.

But now, Agent Holzer and fellow investigators have begun to find
account numbers stored neatly on the hand-helds of suspected export
violators. "It saves us from the white spaceman suits and jumping into
the big Dumpster," he said.

As with computer hard drives, deleting something on a hand-held
doesn't make it really gone.

"Things people think are deleted are still retrievable," said Larry
Gagnon, a detective with the Peel Regional Police in Ontario. "Whereas
if you rip up a piece of paper and throw it out, it's gone for good."

Investigators say that organizers have also been used to commit
crimes. In a case in Texas, a government employee was caught using his
Handspring Treo to transfer child pornography. "When we pulled the guy
in to do an interview, what does he have on his pocket but the
wireless device," said Jamey Tubbs, a federal law enforcement agent
who worked on the case. "We seized it right then and there."

In another case earlier this year, a Fortune 500 company in the
Chicago area discovered that an employee was using his company-issued
Palm to steal patent applications bit by bit. "It totally blew their
mind," said Thomas Rude, a security consultant from Atlanta who was
called in to investigate the case.

Hand-held analysis may become even more fruitful over the next few
years as the devices become more sophisticated and gain wireless
capabilities. A person's movements can often become a critical issue
in civil and criminal investigations.

Michael Burnette, director of information technology at an Atlanta law
firm, Rogers & Hardin, made an interesting discovery when he was asked
to do forensic analysis on a BlackBerry, the popular wireless device.  
Because BlackBerries are always on to receive e-mail, they constantly
communicate with the network around them and create an internal ledger
of the nodes they have recently talked with. "It's moving around with
you and telling a story about you," Mr. Burnette said. "But then
again, it has to be intimately intertwined with who you are in order
to be as useful as it is."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence 
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


