SANS Digital Forensics and Incident Response Blog

Cryptome Spying guides as a Digital Forensic Resource

Since December 2009, Cryptome.org has been publishing the legal spying guides of a variety of services and service providers. There was publicity this past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was served against the Cryptome domain and its owner, John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to give digital forensic investigators a resource for the appropriate contacts and request process logic contained in the published legal spying guides.

These documents were created to inform law enforcement and other appropriate investigators of what each provider can supply and the methodology for requesting it. The guides were generally considered confidential in nature when distributed. It is not my intent to break the confidentiality of the source or creator; the intent is to assist in digital forensic discovery. Many of these documents are strictly intended for law enforcement and not corporate investigations. In my opinion, this should not deter the reader from using the contact information provided.

The published documents contain the appropriate process for requests and the detail available from each source. Some links listed are example documents or public-record examples of evidence gathered. The guides/handbooks were originally created and provided for informational purposes in response to law enforcement and legal requests.

The following sources have been referenced and published from Cryptome.org:

Microsoft - http://cryptome.org//isp-spy/microsoft-spy.zip
Paypal - http://cryptome.org/isp-spy/paypal-spy.zip
MySpace - http://cryptome.org/isp-spy/myspace-spy.pdf
Facebook - http://cryptome.org/isp-spy/comcast-spy.pdf
AOL - http://cryptome.org/isp-spy/aol-spy.pdf
Skype - http://cryptome.org/isp-spy/skype-spy.pdf
Cox Communications - http://cryptome.org/isp-spy/cox-spy.pdf
Ning - http://cryptome.org/isp-spy/ning-spy.pdf
MyYearbook - http://cryptome.org/isp-spy/myyearbook-spy.pdf
Stickam - http://cryptome.org/isp-spy/stickam-spy.pdf
USPS Requests - http://cryptome.org/isp-spy/usps-spy.pdf / http://cryptome.org/isp-spy/usps-spy2.pdf
Cisco - http://cryptome.org/isp-spy/cisco-spy.pdf
3GPP - http://cryptome.org/3gpp/3gpp-spy.htm
ATT - http://cryptome.org/isp-spy/att-spy-doc-01.pdf / http://cryptome.org/isp-spy/att-spy-doc-02.zip
Verizon - http://cryptome.org/isp-spy/verizon-spy.pdf
Sprint CALEA Delivery - http://cryptome.org/isp-spy/sprint-spy2.pdf
Sprint - http://cryptome.org/isp-spy/sprint-spy.zip
Nextel - http://cryptome.org/isp-spy/nextel-spy.pdf
Voicestream - http://cryptome.org/isp-spy/voicestream-spy.zip
Yahoo - http://cryptome.org/isp-spy/yahoo-spy.pdf
SBC-Ameritech - http://cryptome.org/isp-spy/sbc-ameritech-spy.pdf
Ameritech - http://cryptome.org/isp-spy/ameritech-spy.pdf
SBC-LEA - http://cryptome.org/isp-spy/ameritech-spy.pdf
Cingular - http://cryptome.org/isp-spy/cingular-spy.pdf
Cricket - http://cryptome.org/isp-spy/cricket-spy.pdf
Pactel - http://cryptome.org/isp-spy/pactel-spy.pdf
GTE - http://cryptome.org/isp-spy/gte-spy.pdf

Each guide contains three key elements that assist the investigator when conducting an authorized investigation:

  1. Contact address, phone number, email address and hours of access for the provider's Corporate Security group
  2. What detail can and cannot be delivered by the provider, including the retention duration of the data available
  3. A description of the process and requirements for making a request. What the provider can return depends upon the authority behind the request: a statutory or judicial request is handled differently from a law enforcement inquiry, which in turn differs from a corporation's legal request.

It should be understood that these requests do not come without cost. The cost to process a request may exceed $10,000 depending upon the request and its duration. Some requests cost much less, and some providers do not appear to charge for the service at all.

Many of the guides also include a template or form to use when making a request. Knowing these details ahead of time is useful when conducting an investigation. The same logic as Time Based Security applies to evidence acquisition: the clock is ticking, and the longer the delay, the greater the potential for lost evidence, since the provider's retention period limits what can still be recovered.

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety of audiences including SANS, the Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology, with the past 13 years in Security. In addition to various vendor certificates, he has earned his CISSP (#3700), CISA (#153869), GIAC G7799 (#151), GSNA (#2849) Silver and GCFA (#18) Gold certifications.

3 Comments

Posted March 3, 2010 at 4:16 AM

Ali

I'm quite happy that you posted these links, as I spent quite a while yesterday at Cryptome downloading all their spy docs.
Just a quick note: you've got the Comcast link next to the Facebook reference. Incidentally, you're missing the Facebook link.

Posted March 3, 2010 at 4:26 AM

Steven

Apologies: the following is the Facebook link.
http://cryptome.org/isp-spy/facebook-spy.pdf
Steven

Posted March 4, 2010 at 4:07 AM

Rob Lee

This is a great and useful article. While many may interpret this as an infringement on their privacy, law enforcement is solving many serious crimes by being able to successfully submit court approved subpoena requests to help them in solving many terrible crimes. Being able to point them to this page is useful for many reasons. Thanks for collecting and posting.