SERIAL KILLER MIND

  Crime Classification Manual Part II Chapter 10 B 10 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The search warrant should include all computers, computer-related storage, computer programs, and Internet accounts. The computers should be searched for multiple sets of financial transactions, which will be encrypted. Printed copies of the transactions should also be requested.

  Crime Classification Manual Part II Chapter 10 B 09 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigative Considerations The investigator needs to determine the amount of legitimate revenue; the excess is laundered money. In one case where a restaurant was used to launder money, the real revenue was determined by counting the linen napkins to determine the number of meals served. This was then compared to the number of computer-generated meals.

  Crime Classification Manual Part II Chapter 10 B 08 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. In money laundering, false revenue will be generated by computer programs or user entry. The actual revenue will also be on the computer because the offenders need to know how much money was laundered.

  Crime Classification Manual Part II Chapter 10 B 07 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   531: MONEY LAUNDERING Money laundering is a crime used to make illegal funds appear to be legal. An example was a programmer who was paid to modify code in banking programs to ignore banking regulations to alert the FBI for transactions in excess of ten thousand dollars for organized crime accounts. Another money-laundering scheme was creating programs to generate false revenues for crime-controlled businesses. Defining Characteristics Victimology. The victims are public and government tax agencies.

  Crime Classification Manual Part II Chapter 10 B 06 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   In sentencing Ivanov, the district judge described his participation as a “manager or super- visor” in an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The district judge found that Ivanov was responsible for an aggregate loss of approximately $25 million.

  Crime Classification Manual Part II Chapter 10 B 05 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Outcome Ivanov was sentenced to a term of imprisonment of forty-eight months, to be followed by three years of supervised release. He had previously pleaded guilty and admitted to numerous charges of conspiracy, computer intrusion, computer fraud, credit card fraud, wire fraud, and extortion.

  Crime Classification Manual Part II Chapter 10 B 04 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N Investigation All of the victim companies fully cooperated with the FBI during the investigation. Ivanov and his partner, twenty-five-year-old Vasili Gorchkov, were arrested in Seattle after traveling to the United States during an investigation by the FBI. Ivanov and Gorchkov, who is awaiting trial on similar charges in Seattle, came to the United States for a what he thought was a job interview with Seattle-based computer security company called Invita. In fact, Invita was an undercover FBI company that allowed investigators to obtain the evidence needed to charge the two Russians.

  Crime Classification Manual Part II Chapter 10 B 03 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     The charges stemmed from the activities of Ivanov, age twenty-three, and others who operated from Russia and hacked into dozens of computers throughout the United States, stealing usernames, passwords, credit card information, and other financial data and then extorting the victims with the threat of deleting their data and destroying their computer systems.

  Crime Classification Manual Part II Chapter 10 B 02 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N CASE STUDY: 530: CRIMINAL ENTERPRISE Background Alexey V. Ivanov, of Chelyabinsk, Russia, was indicted with eight counts of wire fraud, two counts of extortion, four counts of unauthorized computer intrusions, and one count of possessing usernames and passwords for an online bank.

  Crime Classification Manual Part II Chapter 10 B 01 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   530: CRIMINAL ENTERPRISE Criminal enterprise is now performing money laundering with a computer, wire fraud, child pornography, and other types of fraud using a computer.

Crime Classification Manual Part II Chapter 10 A 89 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The search warrant should list all computers at the offender’s location and all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini-drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all program CD-ROMs. The search warrant should also include the search for copies of the messages sent previously to the victim.

Crime Classification Manual Part II Chapter 10 A 88 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The investigator can obtain a warrant to trace the path of the sender of the stalking messages. This warrant will be to the Internet service provider (ISP). When the location of the sender is determined, the investigator should obtain a search warrant for the offender’s location.

  Crime Classification Manual Part II Chapter 10 A 87 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. The victim’s computer will have copies of the transmitted messages as well as the address of the sender. The address of the offender may not be his or her real address, and the investigator will have to do online tracing when and if the offender sends additional messages. Investigative Considerations The investigator can try to hold the sender online to trace the sender’s location.

  Crime Classification Manual Part II Chapter 10 A 86 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N 523: CYBERSTALKING Cyberstalking is the use of the computer to follow a target of the stalker.   Victimology. Cyberstalking is similar to physical stalking except contact with the victim is with the Internet using e-mail, chatrooms, and instant messaging. The victim is typically female.

Crime Classification Manual Part II Chapter 10 A 85 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The search should look for the pornographic data as well as addresses of customers. Pornographic material at the offender’s site should be compared with the pornographic material at the victim’s site.

  Crime Classification Manual Part II Chapter 10 A 84 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   This search warrant should list all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini-drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all program CD-ROMs.

Crime Classification Manual Part II Chapter 10 A 83 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The investigator can obtain a warrant to the Internet service provider (ISP) to trace the path of the sender of pornographic data. When the location of the sender is determined, the investigator should obtain a search warrant for the offender’s location.

  Crime Classification Manual Part II Chapter 10 A 82 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigative Considerations The investigator should try to trace the path through the Internet or sign up for the service and do an online trace.

  Crime Classification Manual Part II Chapter 10 A 81 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. Pornographic material will be found on the user’s computer as well as the address of the sender. In most cases, this ad- dress will not be real.

  Crime Classification Manual Part II Chapter 10 A 80 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Victimology. The victims of this type of crime are the users of the Internet. Pornographic spam is sent to a large number of sites in an attempt to recruit new customers.

  Crime Classification Manual Part II Chapter 10 A 79 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   522: INVASION OF PRIVACY This crime involves sending spam or unsolicited sexually explicit material by computer user via the Internet

  Crime Classification Manual Part II Chapter 10 A 78 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     In addition, an $800 special assessment was imposed. Prior to sentencing, Dinh paid full restitution to the victim investor in the amount of $46,986, which represented the entire amount of money taken from the investor’s account.

  Crime Classification Manual Part II Chapter 10 A 77 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   He was sentenced to one year and one month in prison, to be followed by three years of supervised release and a $3,000 fine for unauthorized access to a protected computer and other crimes in connection with his unlawfully accessing a computer belonging to the investor, and using information gained through that intrusion to make unlawful trades with funds in the investor’s online brokerage account.

  Crime Classification Manual Part II Chapter 10 A 76 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Outcome Van T. Dinh pleaded guilty on February 9, 2004, to an eight-count indictment charging him with causing damage in connection with unauthorized access to a protected computer, committing mail and wire fraud, and knowingly executing a scheme and artifice to defraud the investor and others in connection with a security and to obtain by means of false and fraudulent pretenses, money and property in connection with the purchase and sale of a security.

  Crime Classification Manual Part II Chapter 10 A 75 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Dinh had placed additional purchase orders from the investor’s account, which went unfilled only because the investor’s account had already been depleted of funds by Dinh.

  Crime Classification Manual Part II Chapter 10 A 74 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   On July 11, Dinh used the password and log-in information for the investor’s online account to place a series of buy orders for the Cisco options, depleting almost all the account’s available cash—ap- proximately $46,986. The buy orders for the investor’s account were filled with 7,200 Cisco put options sold from Dinh’s account. As a result of the execution of these buy orders, Dinh avoided at least $37,000 of losses (some of the $46,986 in funds taken from the investor’s account went to commission costs).

  Crime Classification Manual Part II Chapter 10 A 73 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   By July 10, nine days before the expiration date of Dinh’s Cisco options, Cisco’s stock was trading at approximately $19.00 per share, making it likely that Dinh’s $15.00 Cisco put options would be worthless at the time they expired and he would stand to lose the entire $91,200 he had paid to purchase the options.

  Crime Classification Manual Part II Chapter 10 A 72 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Once the investor had installed the program on his computer, Dinh was able to use the intrusion programs to identify this investor’s online TD Waterhouse account and to extract password and log-in information for that account.

  Crime Classification Manual Part II Chapter 10 A 71 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The purported application sent to the potential investor was actually a disguised Trojan horse that contained a series of keystroke-logging programs that enable one Internet user to remotely monitor the keystrokes of another user.

  Crime Classification Manual Part II Chapter 10 A 70 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     On July 8, he received an e-mail sent to his personal e-mail address inviting him to participate in a so-called beta test of a new stock-charting tool. The sender, identified as Tony T. Riechert, provided a link in the e-mail message to enable this potential investor to download a computer program that purported to be the stock-charting application. Tony Riechert was another name that Dinh used in connection with this scheme.

  Crime Classification Manual Part II Chapter 10 A 69 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     On July 7, 2003, a member of Stockcharts.com’s stock-charting forum, who lived in Westborough, Massachusetts, received a message from an individual named “Stanley Hirsch,” who turned out to be Dinh. He responded to the e-mail, thus providing his personal e-mail address to Dinh.

Crime Classification Manual Part II Chapter 10 A 68 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N Each put contract Dinh purchased gave him the right to sell 100 shares of Cisco common stock at $15.00 per share, if the share value fell to that price or below, until the contract’s expiration, which was set for July 19, 2003. Dinh paid $10.00 per contract, for a total purchase price of approximately $91,200. If the value of Cisco shares had fallen relatively precipitously during the short period of the life of the contracts, Dinh would have stood to make a large profit—a highly speculative but potentially lucrative gamble.

  Crime Classification Manual Part II Chapter 10 A 67 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   CASE STUDY: 521: IDENTITY THEFT Background and Victimology From June 18 through June 27, 2003, Van T. Dinh purchased approximately 9,120 put option contracts for the common stock of Cisco Systems at the strike price of $15.00 per share through his online trading account at Cybertrader.com.

  Crime Classification Manual Part II Chapter 10 A 66 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The search warrant for the offender’s location should list all computers and all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini-drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all CD-ROMs programs. The search warrant should also include the offender’s Internet accounts.

  Crime Classification Manual Part II Chapter 10 A 65 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     Investigative Considerations The victim should register with all credit services to report the possible identity theft. The investigator should trace addresses and the location of erroneous credit card charges and look for possible travel patterns of the offender.

  Crime Classification Manual Part II Chapter 10 A 64 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     Common Forensic Findings. Common findings are unauthorized credit card charges, credit card accounts unknown to the victim, unauthorized bank account withdrawals, and addresses on the illegal accounts different from the victim’s address.