In lieu of an abstract, here is a brief excerpt of the content:

Chapter 5. Cyber CSI: The Evidentiary Challenges of Digital Crime Scenes

This chapter examines the challenges cybercrime investigations create for law and law enforcement. These challenges arise because cybercrime investigations target conduct in the virtual world of cyberspace, where evidence is amorphous and ephemeral and the lines between public and private places are uncertain. This chapter uses a famous—or infamous—hacking prosecution as a case study. The next section outlines the crime, the investigation, and the trial; the next two sections use this case to demonstrate the challenges cybercrime cases pose for prosecutors and investigators.

The Port of Houston Attack

On September 20, 2001, the computer system at the Port of Houston in Houston, Texas, was shut down by a massive distributed denial of service (DDoS) attack.1 It crashed the system, denying pilots and support companies access to databases they needed to help ships navigate the eighth-busiest harbor in the world. As one observer noted, the attack “could have had catastrophic repercussions” but fortunately did not.2 But even though the damage was minimal, the attack was unnerving for a country still reeling from the 9/11 attacks.

U.S. authorities eventually “followed an electronic trail” to the home in the United Kingdom where eighteen-year-old Aaron Caffrey lived. More precisely, investigators examined the system log files for the Port of Houston computer system and identified the Internet protocol (IP) address of the computer that launched the attack and the IP address of the system he targeted. An Internet protocol address is a numerical formula identifying a computer or other device that is connected to a computer network; each IP address is unique. And each IP address identifies the network a computer belongs to and the computer itself. So once the Houston investigators found the IP address that launched the attack and the IP address of the system that was the real target of the attack, they could begin to track down the person responsible.

The investigation revealed that the attacker’s target was not the Port of Houston computers but a computer in a different country. The Houston system was shut down when the software the attacker used seized that system—and others—to use as tools in an attack on the real target. The investigators identified the software used in the attack as custom-written software (“coded by Aaron”) intended to exploit a known vulnerability in the software the servers were using.3 And they traced the attack to the home in Fairland, Shaftesbury, Dorset, where Aaron Caffrey lived with his parents.

In January 2002, British officers confiscated Caffrey’s computer system and arrested him on “suspicion of unauthorized modification of computer material,” a crime under UK law.4 After officers from the Computer Crime Squad examined the computer, Caffrey was officially charged with hacking the Port of Houston system.

The case went to trial in October 2003. The prosecution did not claim Caffrey intended to shut down the Port of Houston computer system. The Crown’s theory was that the attack on the Houston system was an inadvertent but foreseeable consequence of a “revenge” attack Caffrey launched against someone he believed had insulted his American girlfriend.

According to the prosecution, Caffrey was “deeply in love” with Jessica, an American with whom he had an online relationship, and launched the attack after a South African Internet Relay Chat (IRC) user called Bokkie made anti-American comments in an IRC chat room.5 Crown investigators not only tracked down Bokkie’s comments but also found a comment from “Aaron” that said he wanted to see Bokkie “time-out” because, “if she hates America, she hates Jessica. That is a no-no.”6

The Crown’s evidence not only showed a link between Caffrey’s computer and the Port of Houston system but also showed that, after Bokkie made the anti-American comments, Caffrey used what is known as a “who is” search to find her IP address.7 When Caffrey had Bokkie’s IP address, he fed it into the custom-coded DDoS attack software he had on his computer and launched the attack that, incidentally, shut down the Port of Houston system.

That was the Crown’s theory, and it was supported by the digital evidence the Crown’s forensic examiners had found and analyzed. Because the evidence against Caffrey was so strong, his defense attorney did not challenge most of the elements of the prosecution’s case. The defense conceded that Caffrey’s computer had launched a DDoS attack that effectively shut down the Port of Houston computers; but instead of arguing that he should not be held liable because his real intention (at least according to the prosecution) was to attack Bokkie, the defense took a very different approach.

The defense’s theory was that, while Caffrey’s computer launched the attack, Caffrey did not. According to his attorney, someone installed a Trojan horse program on Caffrey’s computer without his knowledge and used it to launch the attack that shut down the Port of Houston system.8 Caffrey blamed “Turkish hackers” for trying to frame him, claiming they regularly seized control of chat rooms and other Internet sites.9 He said his computer’s operating system allowed remote access and control and was therefore vulnerable to Trojan horse programs...
