A Sense of Justice

Page 25

by Jack Davis

These aspects of the case did not require technical acumen but were just as critical. When Morley heard that Kruzerski and Murray had grumbled about not being allowed to do the forensic, he pulled them into his office. He made clear to the duo what he had stressed the first day. “This is a priority investigation; speed is of the essence. Dividing it up amongst the squad is the fastest way to get through it.” Then, to make sure he wouldn’t hear anything else about the subject, he said, “Besides, I’m still waiting for the report on Anthony’s machine. Get that done and you can take the next computer exam.”

  All three knew the Marines hadn’t found the numbers, so the meaning was clear. There was no more grumbling.

  The situation with Swann and Greere was remarkably similar to that of their two antagonists. When Morley told them they needed to continue on the current investigation, he got what he called the “oral Gandhi.” The passive resistance came in the form of explaining that their other priority cases would be neglected and overdue for status reports. The two knew this argument wouldn’t fly, because their boss knew exactly what cases they were working on and the standing of each. When he brushed that aside with a comment about Greere never once before being concerned about reports being on time, and that Swann was currently taking all of his—and Posada’s—spare time setting up the office LAN to allow them to compete online in Call of Duty, they got to the real topic.

  As always, it came back to how the squad suffered by having Fred and Barney instead of true ECSAP agents. Since they really didn’t push the issue, Morley bought them off with, “You let me worry about the makeup of the squad; you just keep worrying about what it will cost to fly your wives to Zurich.”

  Once satisfied they had properly voiced their complaints, the two computer geniuses dove into the IT portion of the investigation. From the forensics to the tools that would be used to obtain evidence from the target’s machine, the two put in twelve-hour days trying to develop the case. The emails had provided a starting point, and when Miguel agreed to cooperate with the Service, they started to work on getting the probable cause necessary to get an online search warrant from the AUSA. Their biggest problem revolved around the fact that as far as they could prove, the machine they were trying to search was located in another country.

  To address the foreign aspect of the case, Morley had done two things the first day: called the Resident Agent In Charge of the Mexico City Office, Ed Loral, and notified AUSA Carpenter.

  Loral and Morley were friends from their time on the Counter Assault Team. The fact that prior to going to protection Loral had been one of the first and sharpest ECSAP agents was an added bonus. Morley explained almost all aspects of the case to Loral over a classified line, only leaving out how the case was initiated.

  “PJ, if this Alvaro is actually high up in the Kings, you’re gonna have difficulty getting a whole lotta cooperation from the locals down here.

  “You’d have a chance if it were a large drug case or capital murder, but none of the federales I can trust would be too excited about going after a high-ranking gang member for a case without any payoff.”

  “By payoff you mean?”

  Loral laughed. “Unfortunately exactly like it sounds. There has to be the strong possibility of a large seizure of money or goods they could use to pay their bosses. Or at least a large shipment of drugs or merchandise that they can skim off.”

  “Sad,” replied Morley.

  “I know, but that’s just how things get done around here. I’ll do some discreet digging to see what I can get, but don’t expect too much. Anything more than a cursory check will certainly be detected by a dirty cop with gang connections.”

  “That’s the last thing we want to happen, I’d rather you didn’t do anything than potentially jeopardize what we have,” said Morley.

  “On the positive side, I do have a guy in what would be the equivalent of the Mexico City DA’s Office who would provide your AUSA a quasi-official authorization for an online search warrant. It probably wouldn’t hold up in a US court, but it might be enough for your AUSA to give you what you want to keep things moving.”

  “Thanks brother, we’ve got a great relationship with the AUSA here. If he has anything that looks halfway official, he’ll let us keep going. If you could get us that document and see what you can find out about Alvaro Lopez without stirring up any dust, it’d be appreciated.”

  “No problem. Give me a day. I’ll send anything I get to you via SIPR. That’ll keep it from any prying eyes.”

  The next afternoon Morley received the email along with a short dossier on Alvaro Lopez. It too was not official.

  PJ,

  Sorry I don’t have more for you. I’m just afraid to dig any deeper for fear of the wrong person finding out and tipping off your suspect. If you have other options than using the Mexican authorities, exhaust all of them first. If not, call me and we can strategize on how to move forward. Good talking to you the other day. Stay safe.

  Ed

  The document on Alvaro didn’t say much other than the basics, and confirmed he was fairly high up within the Latin Kings; the legal document said less. It was from a local prosecutor and confirmed knowledge of an ongoing investigation involving computer and credit card fraud. It authorized agents of the Secret Service to conduct online surveillance of individuals in or around the Mexico City area, with a blank line for the ISP and another for the MAC address. Both spaces were left blank so they could be filled in by the US Attorney. Other than that, the document was purposefully vague.

  Even with the document from the Mexican district attorney, AUSA Carpenter was still not completely comfortable with the case and the probable cause. He told Morley he wanted more on the target. The two men agreed that if the Service could get some numbers from the target through the suspect email account, Carpenter would have enough to authorize an “online” search warrant. Considering all the holes in the case, Morley was more than satisfied.

  Even before they had the required paperwork, Swann and Greere were hard at work. When the first email from Miguel to his brother-in-law produced new credit card numbers, they got their warrant and set things in motion.

  While Miguel claimed that his brother-in-law wasn’t very technical, neither of the agents wanted to blow the case by underestimating their opponent. Miguel’s computer was set up in the office on an undercover line that resolved to his service provider. A set of homegrown programs that Swann had developed for this type of work were installed on the computer. The programs were almost impossible to detect and would provide the team as much information as if they had physical access to Alvaro’s machine. For the purposes of the search warrant—and as far as they would tell the AUSA—it was a modified key-logging program that recorded every keystroke. In reality, it was about as related to a key-logger as the Kitty Hawk was to a stealth fighter. When Alvaro opened the next email from Miguel, his machine was owned…again.

  In addition to working between the two teams of agents, Posada helped make sure Miguel’s responses to his brother-in-law didn’t seem too contrived or out of character for his level of education. Sending the responses via email had advantages over and above being able to infect the machine with Swann’s program. It also allowed Posada to craft Miguel’s responses.

  Morley monitored the case and kept Mak and Brown apprised. As the case had blossomed after the arrest of Miguel, Morley was able to openly focus more resources without raising eyebrows. Brown, still angry at Morley’s slight but stymied by the success of the operation, brooded and bided his time.

  In private, Morley pored over the data, hoping to find the senator’s information; it wasn’t included.

  The first day after being downloaded, Swann’s bug lay dormant collecting information. Most importantly, it reported the MAC address and that the host was not in an always-on state. The MAC address specifically identified the machine the emails were generated from, which was the next stage in attribution of the suspect. The fact the machine was not always-on meant the user only turned it on when he or she was going to use it, and then turned it off when done. This fact bounded the ability of the agents to use their program and search the machine. It also corroborated what Miguel had told them—Alvaro wasn’t a real computer criminal. Those individuals lived on their machines, upwards of eighteen hours on any given day. The computer being searched was only being used a couple times a day, normally for less than an hour. It was consistent with the patterns of most home users, a good sign.

  Next, Swann’s bug took an inventory of Alvaro’s machine and identified all its programs. When the machine was turned on again and connected to the internet, the program accessed a proxy and forwarded the information—in small packets so as not to be obvious if the user was watching outbound traffic—back to the Service.

  In New York, an undercover system received the data and compiled it. It listed all the programs and files on Alvaro’s computer and the times the machine was in use and connected to the internet since the bug had installed itself. To speed up the review process, Swann had developed a back-end program that the probe fed into. This program was designed to use the hash values of the programs being searched to segregate all the basic programs, like the operating system, and all the Microsoft products, etc. Those standard applications were put to the side, and the remaining programs were searched. A quick review of the nonstandard programs on the machine didn’t reveal anything unusual, which was telling. Lastly there were no tools indicating the machine was being used as a pass through or proxy. It was the true source of the emails sent to Miguel.

  Other than the lack of tools on the machine there didn’t seem to be any unusual programs. There were a few kids’ educational games, a learn-English-for-adults program, and the immensely popular MMORPG World of Warcraft.

  A quick review of the activity log led to a conversation between Swann and Greere as to when they should set the program to “phone home.” The general rule was to avoid having the computer do anything unusual when the target was using it. Based upon their conversations with Miguel and their knowledge of computer users in general, they assumed Alvaro was using the machine in the evening, not during the day. Since the program list showed several educational programs, and knowing that Alvaro had children, they made the assumption that the computer was being used by the whole family. With that, they assumed that the usage during the day was by the children. That was the time they programmed the bug to phone home and pass along its information. While they were making these calculations, the program itself was secretly going about its business and harvesting any usernames and passwords as they were typed. When it received the agents’ commands regarding when to respond, it acknowledged and sent the passwords and an updated listing of when the computer was in use, and a status of the applications on the machine.

  With the passwords and a basic knowledge of when the users were normally on, Swann set about looking at the accounts. This part of the investigation, while highly illegal, was generally very fruitful. It was an area that tinged Swann’s white hat grey. In this instance they were going after an individual who was not a computer criminal, just an individual who used the computer to facilitate his crimes. There were not a lot of passwords to harvest. Unlike most true computer hackers or even substantial users, Alvaro hardly used the machine. He didn’t pay his bills online or do his banking via the internet. While his wife did some shopping online, he didn’t do any. There was little information to be gleaned. The Favorites and Cookies search didn’t reveal anything out of the ordinary. The electronic footprint for the Lopez family was small. There were account numbers for a few programs and the online game, but not much else.

  Swann received the program’s next data dump the following day and found it much more interesting, partially because it showed how the machine was configured. Having done hundreds of these analyses in the past, he knew that ninety percent of the machines would be poorly configured and secured. Another eight or nine percent were well protected, obviously by a user who knew what he or she was doing. Then there was the remaining one or two percent that were extremely well configured. This was almost never done by the owner.

  These small percentages of machines were the ones that had been infected by a hacker, who didn’t want to have to fight off other hackers. Hackers would only go to this much trouble for machines that were of significant value to them. Unbeknownst to the user the hacker would lock the machine down tight, leaving open only the vulnerability they needed to allow continued access and/or control. Everything else on these machines was better secured than a computer at the NSA. Swann had expected to see a 90% box, so he was stunned the following day when he looked closely at the configuration and saw how thoroughly the security on the computer was implemented. It was only then that he really became interested in the case. He spent the next seven hours straight examining the configuration, looking for hacking tools or residuals. As it turned out, the NYFO received another piece of information that same day that forced Agent Swann to pull his first all-nighter on investigative work since joining the Service.

  The Pharmaceutical Hack Investigation

  While Swann was the lead on the “hack-back” portion of the investigation, Greere and Posada were responsible for reviewing the machines from the online pharmaceutical company that had been victimized to start the case. The company’s corporate HQ, along with the data center, was located in Wilmington, Delaware. That was the location of the evidence. To expedite the process, Morley contacted the Wilmington SAIC and asked that his ECSAP agent preserve the evidence discreetly, take a quick image, and send it up to NYC. Shortly after Greere looked at the machine, he realized there was a potential for a serious problem. Posada and Pencala confirmed his suspicion, but it wasn’t until they had verification from Swann that they started to worry a little…and become excited. They called Morley and told him they were on their way up to his office to have a conversation about a potential problem…and opportunity.

  “Okay, waddya got?” asked Morley as his four group leaders found seats.

  Swann answered, “Not sure, but we think it’s big, and more importantly, challenging.”

  Morley knew that the juxtaposition of the two adjectives in the sentence was not a mistake. For these agents, anything that had caught their interest would by its very nature be important. He decided to play with them a bit. “Did you find another nude midget Jell-O wrestling site?”

  “He said big, not huge,” replied Greere.

  “Hey, you assigned me the project,” Posada said defensively. “‘Look for any information you can find on a small fight involving the Bush daughters.’ How could I know one of the midgets’ names was ‘Little Bush’? I still wake up with cold sweats sometimes because of that.”

  Pencala closed her eyes and shook her head.

  “Listen, if you don’t wanna have a serious conversation, the four of us have a lot of good work to do.” Swann feigned getting up and heading toward the door.

  Morley ignored the gesture. “I’ll accept ‘a lot of work,’ but after looking over your paperwork, I’m not sure about the ‘good’ claim. Back to my original question, waddya have?”

  Greere started this time. “You had Jaime and me working on the images from the online pharmaceutical that got hacked. We started working on that as soon as we got the evidence from Delaware. We both expected to find something within the first couple hours. By seven that night we were no further along, other than we had eliminated ninety-five percent of the hacks and tools that we had ever seen before. We were stumped. When I saw Jaime starting to fade, I told him we should get some sleep and start fresh the next morning.”

  Greere gave Posada a sideways glance before he continued.

  “The next morning things were about the same; we’d gone over the system backwards and forwards, up one side and down the other, and had not found anything out of the ordinary. We were starting to wonder if the Delaware agent had somehow screwed up and imaged the wrong system.”

  Posada took over. “Then we,” he emphasized the word to make it clear to everyone in the room that it was his idea, “decided to look at the operating system BIOS. Sure enough, we found a program that wasn’t supposed to be there. Neither one of us are programmers, but from where it was hidden and what we could see, it was pretty sophisticated. Based on the programming aspect and the supposed tie-in between this hack and the machine in Mexico, we talked to Doc.”

  Posada turned to Swann, who picked up the thread. “You know that we didn’t find any of the tools we would normally expect on the box in Mexico. I also told you it was too well patched to believe it wasn’t under someone else’s control. When Jaime and Ron told me what they found on the Delaware system, I started lookin’ at the BIOS on the Mexico box. Bingo, I found something. I made a copy of the program and exported it to the machine back here in the lab. I took it off and made another copy to look at. It did exactly what ours would do—it erased itself.”

  Morley cut in. “You say that it erased itself when you tried to analyze it?”

  Swann continued, “Yeah, it’s a relatively standard process used by elite hackers. When you try to do a standard decompiling of the code, it recognizes what’s happening and starts to erase itself. That way it makes it difficult for anyone to associate the code with a particular programmer. It’s called DOA: dead on analysis. Pretty standard stuff at a certain level…a level that makes this very interesting. That was just about twenty-two hours in for me, so I decided to do what you are always tellin’ me to do…”

  “Your monthly activity report from January?” asked Morley.

  Swann smiled and continued, “No, I decided to delegate. Before I went home, I sent the code to a few of the cows I know who aren’t the author, and I can trust. I also sent it out as a challenge to a number of the prelates I can trust who have talent. I told ’em they’d get a thousand dollars if they could identify the author of the code, and five hundred if they could decompile it.”
