Cybercop boot camp takes a byte out of computer crime
September 9, 1998
by Deborah Radcliff
(IDG) -- El Nino gave California a break overnight, pushing the mercury to a suffocating 99 degrees Fahrenheit and rousting a storm of fat, window-splattering insects along Route 50 to Sacramento. Here, at the headquarters of SEARCH Group, 17 shorts-clad officers of the law had traded their guns for PCs for two weeks in June. Some came a long way to do it: from Canada, Idaho — even two from the Chinese Ministry of Justice.
They came to learn the ways of Unix from the cybercriminal's perspective. They would be tutored in little things, such as how to determine a machine's configuration and file contents, and bigger things, such as how to take over a machine remotely, gain root access and search it.
By the end of the week, students would know how to exploit well-known services — such as Telnet, FTP, Web browsers, mail and search engines — so they could gain full control of suspect Unix machines remotely. They'd also learn how to read packet headers and trace them back to the IP addresses of criminals.
And then they'd learn how to do it all over again — this time on Windows machines.
Ross Mayfield, an adjunct MIS professor at Pepperdine University in Malibu, Calif., is today's instructor. He turns from his projection screen to address the officers, who parrot his commands on their own PCs.
The students regularly interrupt, query and chatter. "Is that command case-sensitive?" "That's a forward slash, not a back slash."
Mayfield shows them how to dump several commands into a public World Wide Web page form and crash the server. "This Web server is having a really bad day," he deadpans.
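The trick the instructor demonstrates here is command injection: form input pasted into a shell command so that the extra commands run on the server. The example below is added to this article and is not the instructor's or SEARCH's code. It assumes a CGI-style form that runs the Unix `finger` command on a submitted username; the form input is constructed, and the extra commands stand in for whatever crashed the class's web server. The hardened version beside it shows the fix a practitioner would want: an allowlist on the input and an argv list instead of a shell string.

```python
"""Dumping several commands into a web form: the command-injection bug the
instructor demonstrates above, beside a hardened version.

Added example, not the instructor's or SEARCH's code. It assumes a CGI-style
form that runs the Unix `finger` command on a submitted username; the form
input below is constructed, and the extra commands stand in for whatever
crashed the class's web server."""
import re
import subprocess

# Constructed form submission: a username followed by two more shell commands.
HOSTILE_INPUT = "alice; cat /etc/passwd && kill -9 -1"

# Only the shape of a Unix username is allowed through (assumed policy).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def vulnerable_command(user):
    """The bug: form input is pasted into a command string that goes to
    os.system()/`sh -c`, so the shell honours ';', '&&' and '|' in the input."""
    return "finger " + user


def shell_commands(cmd):
    """Split a command line where a POSIX shell would start a new command,
    to show what the vulnerable string actually runs."""
    return [c.strip() for c in re.split(r";|&&|\|\||\|", cmd) if c.strip()]


def hardened_argv(user):
    """The fix: validate against an allowlist and build an argv list so the
    program is exec'd directly and no shell parses the input. A leading '-'
    is rejected by the pattern, so the value cannot become an option either."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("rejected username: %r" % user)
    return ["finger", user]


def run_without_shell(text):
    """Pass hostile text as one argv element (to `echo`, which exists on any
    Unix) and return what the program saw: the literal string, metacharacters
    included, because no shell interpreted it."""
    return subprocess.run(["echo", text], capture_output=True, text=True,
                          check=True).stdout.rstrip("\n")


if __name__ == "__main__":
    print("shell would run:", shell_commands(vulnerable_command(HOSTILE_INPUT)))
    try:
        hardened_argv(HOSTILE_INPUT)
    except ValueError as err:
        print("hardened handler:", err)
    print("hardened handler:", hardened_argv("alice"))
    print("argv element seen by the program:", run_without_shell(HOSTILE_INPUT))
```

Run it and the first line shows the three separate commands the shell would execute for the vulnerable handler; the hardened handler rejects the same input outright, and the `echo` call shows that even without validation an argv list delivers the metacharacters to the program as inert text.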
Many of the students, such as officer Glenn Sylvester of the San Francisco Police Department and detective Lon Anderson of the Ada County Sheriff's Department in Boise, Idaho, are information technology junkies who have become their agencies' sole certified computer crime experts. They're familiar with Unix and Windows and have taken courses in cyberforensics and how to begin Internet investigations.
"The rise in computer-related crimes and the technology used in these crimes is hard to keep up with. These classes help us with the mechanics; they're like road maps on computer forensics," Anderson says.
The cops are the first to acknowledge they've got a lot to learn. In one exercise, they are attacked from outside (the attacks were preplanned by Mayfield). Systematically, the attacker crashes each PC. Just as systematically, the pupils reboot, not realizing there's a pattern here. Not until the end of the exercise, when all the systems shut down at once, does it occur to them they've been hit.
"They're always astonished, then enlightened by the exercise," says Mayfield, who uses several surprise attacks and exercises.
SEARCH Group, Inc. started out in 1968 as a technical support center to help the U.S. Department of Justice automate and upgrade its systems. Its name stands for System for Electronic Analysis and Retrieval of Criminal Histories. But in 1990, "The nature of the calls changed from, 'Help us automate our systems,' to, 'Help us deal with this seized computer we have,' " says Fred Cotton, the agency's director of training services.
Back then, Cotton and his staff taught themselves the technical methods of seizing and searching microcomputers and then client/server networked equipment. In 1996, Cotton added Internet crimes courses, followed last year by advanced Internet investigation courses. Subjects include Seizure and Examination of Microcomputers, Investigation of Computer Crime and Introduction to Internet Crime (a prerequisite to Mayfield's course).
As technology becomes an integral part of crime, Cotton says SEARCH's courses will continue to evolve.
Last year, SEARCH offered 27 on- and off-site high-tech investigation courses. This year, it's on track to complete 35. After teaching more than 700 trainees last year, SEARCH has worked with "well over 6,000 officers and agents" since the program's inception, Cotton says.
Investigators are hungry for training such as that offered at SEARCH. "We're behind," says Sylvester during a morning coffee break, referring to local police forces. Attendees trying to catch up say they're hampered by budget and regulatory constraints, a lack of support from old-guard management and staffing rotations.
Sylvester's superior, Lt. Lon Ramlan, joins the conversation. Now that he understands the need for IT skills, Ramlan says he's grappling with procedure. "Not only do our inspectors need to learn entire Unix systems in a matter of months, they also must develop and learn correct investigative protocol," he says.
Other cops agree that it's tough to develop investigative procedures while dealing with complex technical issues. "We're not talking about tried-and-tested techniques like those in, say, homicide cases. We must develop entirely new procedures," Anderson says.
Abigail Abraham, an assistant state's attorney for financial and computer crime in Cook County, Ill., who occasionally teaches courses on law at SEARCH, says officers may need to look at cybercrime investigations the way they look at other types of established investigative procedures. To make her point, she discusses homicide.
"The initial cop who takes the report goes to the scene and says, 'He looks dead.' Then they call in evidence technicians to do the blood scrapings, which go to lab technicians for analyzing," she says. "In computer forensics, it's not that different. You bring out someone who's good at preserving electronic evidence, someone else who's good at analyzing it in the lab and so on."
If there's no such person in a department, she adds, the cops should call another agency for help. That happens all the time in homicide cases.
Mayfield agrees. "Knowing who can solve the problem is often more important than knowing how to solve the problem," he says.
Sharing the wealth
Mayfield is all for spreading his knowledge around. He reasons that with more cops trained in IT, he might not be deputized so often or spend so much time on reserve, such as when he cracked madam-to-the-stars Heidi Fleiss' Windows-based little black book in 1993.
It was an easy case, he says. When the cops took the PC into evidence, they called Mayfield, and he simply opened the unencrypted Paradox database, which spilled out the names and phone numbers.
More difficult, he says, was a later case that involved more than 60 male prostitutes and 1,000 johns — many of them famous. That time, Mayfield used methods he declines to divulge to crack a hardware encryption device that plugged into the keyboard.
"I [ticked] off a lot of johns," he chuckles. "But what I really like is teaching these guys," he adds while gesturing toward the SEARCH laboratory.
Then he's back to business, showing his shiny-headed students (most have been on the police force long enough to lose their hair) creative ways to get around Linux boot-level security.
Take the initiative
"When you're hit with things in the field you've never seen, you must find the solutions in your own head," Mayfield says before installing a Network Intrusion Detector (NID) recently declassified by the Lawrence Livermore National Laboratory.
Available only to law enforcement, NID not only sniffs packet information as it passes over the wire, but it also analyzes that data for attack patterns, organizes it and shows investigators just the information they need. Other sniffers spit out gigabytes of data, most of it extraneous.
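What separates a tool like NID from a raw sniffer is the analysis step: grouping packets and matching them against attack patterns so the investigator reads a few alerts instead of gigabytes of packets. The example below is added here and is not NID's code (the article shows none). It runs over a constructed capture in which one source sweeps ports on a host and then sends the same hostile form submission to three machines in turn, the "one machine after another" pattern the students missed in the exercise earlier on this page. The signatures and thresholds are illustrative assumptions, not the tool's rule set.

```python
"""Reducing a packet capture to attack alerts, in the spirit of the NID
description above and the one-machine-after-another exercise earlier on
the page.

Added example; not NID's code (the article shows none). The packets below are
a constructed capture, and the signatures and thresholds are illustrative
assumptions, not settings from the tool."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since start of capture
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed capture. 10.0.0.99 sweeps fifteen ports on 10.0.0.5, then sends
# the same hostile form submission to three machines in turn; 10.0.0.7 is
# ordinary web traffic that should not raise an alert.
HOSTILE = b"GET /cgi-bin/form.cgi?user=alice;cat+/etc/passwd HTTP/1.0"
CAPTURE = (
    [Packet(0.1 * i, "10.0.0.99", "10.0.0.5", 21 + i) for i in range(15)]
    + [Packet(3.0 + i, "10.0.0.7", "10.0.0.5", 80, b"GET /index.html HTTP/1.0")
       for i in range(5)]
    + [Packet(10.0 * k, "10.0.0.99", dst, 80, HOSTILE)
       for k, dst in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.8"], start=1)]
)

# Illustrative payload signatures (assumed, not NID's rule set).
SIGNATURES = {
    b";cat+/etc/passwd": "shell command injected into CGI form",
    b"\x90" * 16: "NOP sled in payload",
}


def port_sweeps(packets, min_ports=10, window=5.0):
    """Flag a source that touches >= min_ports distinct ports on one host
    within `window` seconds. One alert per (src, dst) pair."""
    by_pair = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].append((p.ts, p.dport))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {port for t, port in hits[i:] if t <= t0 + window}
            if len(ports) >= min_ports:
                alerts.append({"type": "port sweep", "src": src, "dst": dst,
                               "ports": len(ports), "start": t0})
                break
    return alerts


def signature_hits(packets):
    """Match each packet's payload against the signature table."""
    return [{"type": name, "src": p.src, "dst": p.dst, "ts": p.ts}
            for p in packets for sig, name in SIGNATURES.items() if sig in p.payload]


def serial_targets(packets, min_hosts=3):
    """The pattern the students missed: one source delivering the same
    hostile payload to several hosts, one after another."""
    hosts = defaultdict(set)
    for p in packets:
        for sig in SIGNATURES:
            if sig in p.payload:
                hosts[(p.src, sig)].add(p.dst)
    return [{"type": "same attack against multiple hosts", "src": src,
             "attack": SIGNATURES[sig], "hosts": sorted(dsts)}
            for (src, sig), dsts in hosts.items() if len(dsts) >= min_hosts]


def analyze(packets):
    """What an investigator wants to read: a handful of alerts, not every packet."""
    return port_sweeps(packets) + signature_hits(packets) + serial_targets(packets)


if __name__ == "__main__":
    print(f"{len(CAPTURE)} packets captured")
    for alert in analyze(CAPTURE):
        print(alert)
```

The capture holds 23 packets; the analysis reduces them to five alerts, and the last of them is the cross-host correlation that a per-machine view (or a student rebooting one PC at a time) never sees.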
Students at SEARCH also learn how to find server daemons (the background Unix processes that provide network services), how to discover what services are running and how to drop the server to run level zero, which halts it: "the same as killing you with extreme prejudice," Mayfield jokes.
Their brains obviously saturated, the students beg for another break. "This course is very intense," Sylvester says.
Radcliff is a freelance writer in Northern California. Her Internet address is DeRad@aol.com.
© 2000 Cable News Network. All Rights Reserved.