Since December 2009, Cryptome.org has been publishing the legal spying guides from a variety of services and Service Providers. There was publicity this past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was placed against Cryptome domain and its owner John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to provide Digital Forensic investigators a resource for appropriate contact and process logic contained in the Legal Spy guides published.
These documents were created to assist Law enforcement and appropriate investigators of what can be provided and the methodology for request. The guides were generally considered confidential in nature when distributed. It is not my intent to break confidentiality of the source or creator. It is intended to assist in digital forensic discovery. Many of these documents are strictly intended for Law Enforcement and not corporate investigations. This should not deter the reader in my opinion using the contact information provided.
The published documents contain appropriate process for requests and available detail from the source. Some links listed are example documents or public record examples of evidence gathered. The guides/handbooks were originally created and provided for informational purposes to all law enforcement and legal requests.
The following sources have been referenced and published from Cryptome.org:
- Microsoft - http://cryptome.org//isp-spy/microsoft-spy.zip
- Paypal - http://cryptome.org/isp-spy/paypal-spy.zip
- MySpace - http://cryptome.org/isp-spy/myspace-spy.pdf
- Facebook - http://cryptome.org/isp-spy/comcast-spy.pdf
- AOL - http://cryptome.org/isp-spy/aol-spy.pdf
- Skype - http://cryptome.org/isp-spy/skype-spy.pdf
- Cox Communications - http://cryptome.org/isp-spy/cox-spy.pdf
- Ning - http://cryptome.org/isp-spy/ning-spy.pdf
- MyYearbook - http://cryptome.org/isp-spy/myyearbook-spy.pdf
- Stickam - http://cryptome.org/isp-spy/stickam-spy.pdf
- USPS Requests http://cryptome.org/isp-spy/usps-spy.pdf / http://cryptome.org/isp-spy/usps-spy2.pdf
- Cisco - http://cryptome.org/isp-spy/cisco-spy.pdf
- 3GPP - http://cryptome.org/3gpp/3gpp-spy.htm
- ATT - http://cryptome.org/isp-spy/att-spy-doc-01.pdf / http://cryptome.org/isp-spy/att-spy-doc-02.zip
- Verizon - http://cryptome.org/isp-spy/verizon-spy.pdf
- Sprint CALEA Delivery - http://cryptome.org/isp-spy/sprint-spy2.pdf
- Sprint - http://cryptome.org/isp-spy/sprint-spy.zip
- Nextel - http://cryptome.org/isp-spy/nextel-spy.pdf
- Voicestream - http://cryptome.org/isp-spy/voicestream-spy.zip
- Yahoo - http://cryptome.org/isp-spy/yahoo-spy.pdf
- SBC-Ameritech - http://cryptome.org/isp-spy/sbc-ameritech-sy.pdf
- Ameritech - http://cryptome.org/isp-spy/ameritech-spy.pdf
- SBC-LEA - http://cryptome.org/isp-spy/ameritech-spy.pdf
- Cingular - http://cryptome.org/isp-spy/cingular-spy.pdf
- Cricket - http://cryptome.org/isp-spy/cricket-spy.pdf
- Pactel - http://cryptome.org/isp-spy/pactel-spy.pdf
- GTE - http://cryptome.org/isp-spy/gte-spy.pdf
There are three key elements found in each guide. These assist the investigator when conducting an authorized investigation and they are:
- Contact address, Phone number, email address and hours of access for the Provider/Corporate Security
- What detail can and cannot be delivered by the provider. This includes retention duration of the data available.
- Description on the process and requirements for making a request. The capability of the provider response depends upon the authority of the request. A Statute or Judicial request is handled differently than a Law Enforcement inquiry as is a corporation's legal request.
It should be understood; these requests do not come without cost. The cost to process a request may exceed $10,000 depending upon request and duration. Some requests cost much less. There are some providers that do not appear to have a charge associated with the service.
In many of the guides, there is also a template or form to use when making a request. It is useful to know these details when conducting an investigation. The same logic of Time Based Security can be applied to responding to evidence acquisition. The clock is ticking, the longer the delay, the greater the potential for lost evidence.
Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety audiences including SANS, Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology with the past 13 years in Security. He has earned among the various vendor certificates, his CISSP (#3700), CISA (#153869) as well as GIAC G7799 (#151) GSNA (2849) Silver and GCFA (#18) gold certifications.