Feds offer cybercrime tips to local cops

Because many police agencies may lack computer skills, the Justice Department created an investigator's manual.

Declan McCullagh
Police trying to learn how to use the Internet to investigate everything from cyberstalking to spam and illegal hacking have some new advice, thanks to the U.S. Department of Justice.

The department's Office of Justice Programs on Tuesday published what amounts to a manual for tech-challenged gumshoes, covering everything from how to track suspects through an Internet Relay Chat network to targeting copyright thieves on peer-to-peer networks.

Local and state law enforcement have bungled some high-tech investigations recently. The Pennsylvania Supreme Court rejected prosecutors' attempts to seize newspaper reporters' hard drives, and the 8th Circuit Court of Appeals ruled that police illegally seized a computer in a methamphetamine investigation. A federal judge permitted an Internet service provider to sue police after it was raided because of Usenet posts its employees knew nothing about.

The new 137-page manual appears to represent the Justice Department's attempt to offer at least some basic technical and legal tips to law enforcement agencies that may not have computer experts on the payroll.

"Criminals can trade and share information, mask their identity, identify and gather information on victims, and communicate with co-conspirators," the manual says. "Web sites, electronic mail, chat rooms, and file sharing networks can all yield evidence in an investigation of computer-related crime."

The manual warns of the perils of assuming that the owner of a computer--especially Windows PCs, which can be vulnerable to security breaches--is responsible for what's actually on it.

"Because investigations involving the Internet and computer networks mean that the suspect's computer communicated with other computers, investigators should be aware that the suspect may assert that the incriminating evidence was placed on the media by a Trojan program," it says. "A proper seizure and forensic examination of a suspect's hard drive may determine whether evidence exists of the presence and use of Trojan programs."

Defendants in criminal cases have been known to raise what's become known as the Trojan defense. In a dawn raid, Arizona police stormed into the house of a 16-year-old boy named Matthew Bandy and accused him of downloading child pornography--which carried a maximum penalty of 90 years in prison.

It turned out that, contrary to claims by police and Maricopa County District Attorney Andrew Thomas, Bandy's home computer was thoroughly infected by malware. After being contacted by reporters, the Maricopa County Attorney's Office offered the boy a plea bargain without jail time.

The Trojan defense was also tried by an eighth-grade math teacher in Georgia, but with less success. In November, the 11th U.S. Circuit Court of Appeals upheld the teacher's conviction on federal child pornography charges.