The DEA's challenges when it comes to nabbing tech-savvy criminals
February 23, 2011
We've all heard the phrase 'It ain't easy being a cop', and it probably isn't. Today, modern technology presents additional challenges to criminal investigators and DEA (Drug Enforcement Administration) agents working to put drug traffickers and other criminals behind bars. Law enforcement agencies, however, are getting their own training in modern technology and are improving as well, if only to keep pace with the criminals. So there is hope in the near term nevertheless.
When agents at the DEA learned that a suspect was using PGP (Pretty Good Privacy) technology to encrypt some illegal documents, they persuaded a judge to let them sneak into an office complex and install a keystroke logger that recorded the passphrase as it was typed in.
In 2001, when that search warrant was granted, such a procedure was very much a rarity. Today, federal law enforcement agents in the U.S. encounter well-designed encryption products more and more frequently, forcing them to invent, and then re-invent, ways to bypass or circumvent the technology. They have few other options.
"In the United States, every new federal agent who goes to the Secret Service academy goes through a week of training in computer forensics, including how to deal with encrypted files and hard drives," U.S. Secret Service agent Stuart Van Buren said at the RSA computer security conference held Feb. 15 to 17 last week.
One way to circumvent encryption: use court orders to force Internet-based service providers to hand over the passwords the criminal suspect uses every day, and see if any of them match. "Sometimes if we can go in and find one of those passwords, or two or three, I can start to figure out that in every password, you use the No. 3," Van Buren said. "There are a lot of things we can find, and it keeps getting better almost every time."
FBI general counsel Valerie Caproni told a congressional committee last week that encryption and lack of the ability to conduct wiretaps was becoming a serious problem, not just for the FBI but for the DEA, the SEC and other federal law enforcement agencies.
"On a regular basis, the U.S. government is unable to obtain critical communications and related data," she said. The FBI did not, however, request mandatory backdoors for police.
Also becoming more readily available, if not exactly in common use, is well-designed encryption built into operating systems, including Apple's FileVault and Microsoft's BitLocker. PGP announced whole disk encryption for Windows in 2005. More than six years later, built-in whole disk encryption is available in Windows 7 Ultimate (not even the Professional edition has it) and in OS X.
Last week's public appearance caps a gradual but nevertheless dramatic change from just ten years ago, when the U.S. Department of Justice spent many months arguing, in a case involving an alleged New Jersey mobster, that key loggers were "classified information" and could not be discussed in court.
But today, after keystroke-logging spyware has become commonplace, even being marketed to parents as a way to monitor kids' activities, there's less reason for secrecy. "There are many times when the government tries to use keystroke loggers," Van Buren acknowledged.
In 2009, the U.S. Justice Department sought to compel a criminal defendant suspected of having child porn on his laptop to turn over the passphrase. A border guard said he opened the defendant's laptop, accessed the files without a password or passphrase and discovered "thousands of images of adult pornography and animation depicting adult and child pornography." This is one of the many federal crimes that today's investigators and prosecutors pursue, and modern technology is actually helping them.
Another option is to ask software and hardware makers for help, especially when searching someone's house or office and encryption is suspected. "PC manufacturers may provide us with some assistance," Van Buren said. "We've got to make all of those arrangements in advance." In a 2008 presentation, he reportedly alluded to the Turkish government beating a passphrase out of one of the primary ringleaders in the T.J. Maxx credit card theft investigation.
At times, Van Buren said, there's no substitute for what's known as a brute force attack, meaning configuring a program to crack the passphrase by testing all possible combinations. If the phrase is short enough, he said, "there's a reasonable chance that if I do lower, upper and numbers I might be able to figure it out. Then again, maybe not, at least not in a reasonable timeframe, but we're still getting better at this nonetheless."
Howard Cox, assistant deputy chief for the U.S. Justice Department's Computer Crime and Intellectual Property Section in Washington, said he didn't believe that a defendant could be legally forced--upon penalty of contempt charges, for instance--to turn over a passphrase.
"We believe we don't have the legal authority to force you to turn over your password unless we already know what the data is," said Cox, who also spoke at the RSA Security Conference last week. "It's a form of compulsory testimony that we can't do. Compelling people to turn over their passwords for the most part is a non-starter."
To illustrate the brute-force problem: finding a seven-character password took three days, but because there are 62 candidate characters for each position (26 uppercase letters, 26 lowercase letters, 10 digits), an eight-character password would take 62 times as long. "All of a sudden I'm looking at close to a year to do that," he said. "That's not feasible."
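As an added example (not part of the article), the following Python projects the brute-force estimate above onto other password lengths and character sets; it assumes, as the article's figures imply, that a seven-character password over 62 characters took three days at a constant guess rate.

```python
# Added example (not from the article): projecting the article's brute-force
# estimate onto other password lengths and character sets.
# Assumption taken from the text: a 7-character password over 62 characters
# (a-z, A-Z, 0-9) took 3 days, and the guess rate is constant, so worst-case
# time grows in proportion to the keyspace (alphabet_size ** length).
from math import log2

SECONDS_PER_DAY = 86400
BASELINE_ALPHABET = 62   # 26 lowercase + 26 uppercase + 10 digits
BASELINE_LENGTH = 7
BASELINE_DAYS = 3.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of a given length over a given alphabet."""
    return alphabet_size ** length


def guesses_per_second() -> float:
    """Guess rate implied by the article's figures (whole keyspace in 3 days)."""
    return keyspace(BASELINE_ALPHABET, BASELINE_LENGTH) / (BASELINE_DAYS * SECONDS_PER_DAY)


def estimated_days(alphabet_size: int, length: int) -> float:
    """Worst-case days to exhaust the keyspace at the implied guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second() / SECONDS_PER_DAY


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * log2(alphabet_size)


def projection(alphabet_size: int, lengths=range(6, 13)) -> dict:
    """Map password length -> estimated days, for comparing length policies."""
    return {n: estimated_days(alphabet_size, n) for n in lengths}


if __name__ == "__main__":
    print(f"implied rate: {guesses_per_second():,.0f} guesses/s")
    for label, size in (("lower+upper+digits", 62), ("printable ASCII", 95)):
        print(f"\n{label} ({size} chars):")
        for n, days in projection(size).items():
            print(f"  length {n:2d}: {entropy_bits(size, n):5.1f} bits, ~{days:,.1f} days")
```

Each extra character multiplies the worst-case time by the alphabet size, which is why length, more than symbol variety, is what pushes a search out of a practical timeframe.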
And to avoid brute-force attacks, the Secret Service has found that it's better to seize a computer that's still turned on with the encrypted volume mounted and the encryption key and passphrase still in memory. "Traditional forensics always said pull the plug," Van Buren said. "That's changing. Because of encryption. We need to make sure we do not power the system down before we know what's actually on it, since of course we would lose all the data that's in the RAM."
A team of researchers from Princeton University and MIT published a paper in February 2008 describing how to bypass encryption products by gaining access to the contents of a computer's random access memory--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys. The method works remarkably well.
For now, it seems clear that law enforcement is doing precisely that. "Our first step is grabbing the volatile memory," Van Buren said. He provided decryption help in the Albert "Segvec" Gonzalez prosecution, and the leaked HBGary email files show he "went through a Responder Pro class about a year ago." Responder Pro is a "memory acquisition software utility" that claims to display "passwords in clear text."
Cox, from the Justice Department's computer crime section, said "there are certain exploits you can use with peripheral devices that will allow you to get in." That seems to be a reference to techniques like the one Maximillian Dornseif demonstrated in 2004, which showed how to extract the contents of a computer's memory merely by plugging an iPod into the FireWire port.
A subsequent presentation by "Metlstorm" in 2006 expanded the FireWire attack to Windows-based systems, as well as to Mac OS X.
And how to make sure that the computer is booted up and turned on? Van Buren said that one technique was to make sure the suspect is logged on, perhaps through an Internet chat, and then send an agent dressed as a UPS driver to the door.
Then the hapless computer user is arrested on the spot and his devices are seized immediately. From that point on, the legal system kicks in and the criminal is prosecuted, said Cox.
Source: The U.S. Justice Dept.