SERIAL KILLER MIND

  Crime Classification Manual Part II Chapter 10 A 87 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. The victim’s computer will have copies of the transmitted messages as well as the address of the sender. The address of the offender may not be his or her real address, and the investigator will have to do online tracing when and if the offender sends additional messages. Investigative Considerations The investigator can try to hold the sender online to trace the sender’s location.

  Crime Classification Manual Part II Chapter 10 A 86 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N 523: CYBERSTALKING Cyberstalking is the use of the computer to follow a target of the stalker.   Victimology. Cyberstalking is similar to physical stalking except contact with the victim is with the Internet using e-mail, chatrooms, and instant messaging. The victim is typically female.

Crime Classification Manual Part II Chapter 10 A 85 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The search should look for the pornographic data as well as addresses of customers. Pornographic material at the offender’s site should be compared with the pornographic material at the victim’s site.

  Crime Classification Manual Part II Chapter 10 A 84 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   This search warrant should list all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini-drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all program CD-ROMs.

Crime Classification Manual Part II Chapter 10 A 83 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The investigator can obtain a warrant to the Internet service provider (ISP) to trace the path of the sender of pornographic data. When the location of the sender is determined, the investigator should obtain a search warrant for the offender’s location.

  Crime Classification Manual Part II Chapter 10 A 82 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigative Considerations The investigator should try to trace the path through the Internet or sign up for the service and do an online trace.

  Crime Classification Manual Part II Chapter 10 A 81 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. Pornographic material will be found on the user’s computer as well as the address of the sender. In most cases, this ad- dress will not be real.

  Crime Classification Manual Part II Chapter 10 A 80 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Victimology. The victims of this type of crime are the users of the Internet. Pornographic spam is sent to a large number of sites in an attempt to recruit new customers.

  Crime Classification Manual Part II Chapter 10 A 79 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   522: INVASION OF PRIVACY This crime involves sending spam or unsolicited sexually explicit material by computer user via the Internet

  Crime Classification Manual Part II Chapter 10 A 78 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     In addition, an $800 special assessment was imposed. Prior to sentencing, Dinh paid full restitution to the victim investor in the amount of $46,986, which represented the entire amount of money taken from the investor’s account.

  Crime Classification Manual Part II Chapter 10 A 77 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   He was sentenced to one year and one month in prison, to be followed by three years of supervised release and a $3,000 fine for unauthorized access to a protected computer and other crimes in connection with his unlawfully accessing a computer belonging to the investor, and using information gained through that intrusion to make unlawful trades with funds in the investor’s online brokerage account.

  Crime Classification Manual Part II Chapter 10 A 76 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Outcome Van T. Dinh pleaded guilty on February 9, 2004, to an eight-count indictment charging him with causing damage in connection with unauthorized access to a protected computer, committing mail and wire fraud, and knowingly executing a scheme and artifice to defraud the investor and others in connection with a security and to obtain by means of false and fraudulent pretenses, money and property in connection with the purchase and sale of a security.

  Crime Classification Manual Part II Chapter 10 A 75 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Dinh had placed additional purchase orders from the investor’s account, which went unfilled only because the investor’s account had already been depleted of funds by Dinh.

  Crime Classification Manual Part II Chapter 10 A 74 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   On July 11, Dinh used the password and log-in information for the investor’s online account to place a series of buy orders for the Cisco options, depleting almost all the account’s available cash—ap- proximately $46,986. The buy orders for the investor’s account were filled with 7,200 Cisco put options sold from Dinh’s account. As a result of the execution of these buy orders, Dinh avoided at least $37,000 of losses (some of the $46,986 in funds taken from the investor’s account went to commission costs).

  Crime Classification Manual Part II Chapter 10 A 73 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   By July 10, nine days before the expiration date of Dinh’s Cisco options, Cisco’s stock was trading at approximately $19.00 per share, making it likely that Dinh’s $15.00 Cisco put options would be worthless at the time they expired and he would stand to lose the entire $91,200 he had paid to purchase the options.

  Crime Classification Manual Part II Chapter 10 A 72 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Once the investor had installed the program on his computer, Dinh was able to use the intrusion programs to identify this investor’s online TD Waterhouse account and to extract password and log-in information for that account.

  Crime Classification Manual Part II Chapter 10 A 71 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The purported application sent to the potential investor was actually a disguised Trojan horse that contained a series of keystroke-logging programs that enable one Internet user to remotely monitor the keystrokes of another user.

  Crime Classification Manual Part II Chapter 10 A 70 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     On July 8, he received an e-mail sent to his personal e-mail address inviting him to participate in a so-called beta test of a new stock-charting tool. The sender, identified as Tony T. Riechert, provided a link in the e-mail message to enable this potential investor to download a computer program that purported to be the stock-charting application. Tony Riechert was another name that Dinh used in connection with this scheme.

  Crime Classification Manual Part II Chapter 10 A 69 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     On July 7, 2003, a member of Stockcharts.com’s stock-charting forum, who lived in Westborough, Massachusetts, received a message from an individual named “Stanley Hirsch,” who turned out to be Dinh. He responded to the e-mail, thus providing his personal e-mail address to Dinh.

Crime Classification Manual Part II Chapter 10 A 68 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N Each put contract Dinh purchased gave him the right to sell 100 shares of Cisco common stock at $15.00 per share, if the share value fell to that price or below, until the contract’s expiration, which was set for July 19, 2003. Dinh paid $10.00 per contract, for a total purchase price of approximately $91,200. If the value of Cisco shares had fallen relatively precipitously during the short period of the life of the contracts, Dinh would have stood to make a large profit—a highly speculative but potentially lucrative gamble.

  Crime Classification Manual Part II Chapter 10 A 67 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   CASE STUDY: 521: IDENTITY THEFT Background and Victimology From June 18 through June 27, 2003, Van T. Dinh purchased approximately 9,120 put option contracts for the common stock of Cisco Systems at the strike price of $15.00 per share through his online trading account at Cybertrader.com.

  Crime Classification Manual Part II Chapter 10 A 66 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The search warrant for the offender’s location should list all computers and all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini-drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all CD-ROMs programs. The search warrant should also include the offender’s Internet accounts.

  Crime Classification Manual Part II Chapter 10 A 65 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     Investigative Considerations The victim should register with all credit services to report the possible identity theft. The investigator should trace addresses and the location of erroneous credit card charges and look for possible travel patterns of the offender.

  Crime Classification Manual Part II Chapter 10 A 64 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     Common Forensic Findings. Common findings are unauthorized credit card charges, credit card accounts unknown to the victim, unauthorized bank account withdrawals, and addresses on the illegal accounts different from the victim’s address.

  Crime Classification Manual Part II Chapter 10 A 63 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Defining Characteristics Victimology. The victims of this type of crime are those who use the computer for online activities such as shopping, banking, and paying bills.

  Crime Classification Manual Part II Chapter 10 A 62 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The typical user responds by quickly providing the information requested. It is estimated that in 2004, some 57 million people were targets of phishing. In June 2004 alone, there were 1,422 phishing at- tacks. The number of attacks in 2004 increased over those in 2003 by an estimated 1,126 percent. About 19 percent of recipients open the e-mail and click the link. About 3 to 5 percent of recipients divulge the personal financial information.

  Crime Classification Manual Part II Chapter 10 A 61 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N A good example is the use of bank logos and Web site layout to appear to be a legitimate bank site requesting information to update its online account. The request usually makes it appear to be an urgent matter by stating that if the user does not update the information, his or her online account will be canceled.

    Crime Classification Manual Part II Chapter 10 A 60 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   A new type of identity theft by means of the computer is now referred to as phishing. It is the stealing of personal information such as credit cards and bank data from the Internet. This is done by sending an e-mail to a person requesting his or her social security number, credit card, or bank account information under the guise of being a legitimate vendor used by this computer user.

  Crime Classification Manual Part II Chapter 10 A 59 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   It is estimated that 25 percent of state, county, and city Web sites contain social security numbers of property owners, government employees, taxpayers, and others. At one time the Pentagon Web site contained the social security numbers of high-ranking military officers. This practice was stopped when many of these top-ranking military officers became victims of credit card fraud.

  Crime Classification Manual Part II Chapter 10 A 58 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   521: IDENTITY THEFT This classification covers crimes where the information needed to accomplish identity theft, such as social security numbers, credit card, and bank PINs, is obtained from a user’s computer using the Internet. This classification does not include identity theft when the personal data are obtained by other means, such as trash or loss of wallet and credit cards.

  Crime Classification Manual Part II Chapter 10 A 57 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Heckenkamp was sentenced to eight months in prison and eight months of electronic monitoring and home confinement; was ordered to pay restitution to the victim companies in the amount of $268,291; and was ordered to serve a three-year term of supervised release, during which time he would be prohibited from using a computer with Internet access absent approval from a probation officer.

  Crime Classification Manual Part II Chapter 10 A 56 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Heckenkamp also agreed that the court could consider losses from other indicted counts in determining his sentence, including unauthorized access to computer systems of Exodus Communications, Juniper Networks, Lycos, and Cygnus Solutions.

  Crime Classification Manual Part II Chapter 10 A 55 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Under the terms of a plea agreement joined by the U.S. Attorney’s Offices for both districts, Heckenkamp pleaded guilty to one count from each of those indictments, each charging unauthorized access into a computer and recklessly causing damage.

  Crime Classification Manual Part II Chapter 10 A 54 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   On September 5, a grand jury in the Southern District of California returned a ten-count indictment charging him with computer intrusions and unlawful interception of electronic communications. The cases were consolidated in the U.S. District Court for the Northern District of California in March 2003.

  Crime Classification Manual Part II Chapter 10 A 53 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     On March 13, 2002, a grand jury in the Northern District of California returned a sixteen-count indictment charging him with computer intrusions, unlawful interception of electronic communications, and witness tampering.

  Crime Classification Manual Part II Chapter 10 A 52 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Outcome Heckenkamp pleaded guilty in federal court to gaining unauthorized access and recklessly damaging computer systems of several high-technology companies. His guilty pleas resulted from felony charges filed against him in both the Northern and Southern Districts of California.

  Crime Classification Manual Part II Chapter 10 A 51 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Heckenkamp had gained unauthorized access to Qualcomm computers in San Diego in late 1999 using a computer from his dorm room at the University of Wisconsin–Madison. Once he gained this unauthorized access, he installed multiple Trojan horse programs that captured usernames and passwords that he later used to gain unauthorized access into more Qualcomm computers.