Anatomy of a Digital Investigation: FBI Rapidly IDs Sender of High School Threats

Logo for South Burlington High School (VT)

Logo for South Burlington High School (VT)

It is a problem that has afflicted numerous schools around the country: threats of violence sent from anonymous email accounts, messenger apps, and transient phone numbers. In the wake of multiple serious school attacks, administrators cannot afford to take such threats lightly, notwithstanding the fact that the majority of the threats are little more than empty bluster.

Last week, it was South Burlington High School’s turn to deal with the disruption, worry, and fear that are caused by these types of threats. Beginning on the morning of Monday, April 18 and continuing throughout the week, SBHS staff received multiple clusters of threats of harm to the school and to specifically named teachers and students. The threats, which were delivered from numerous email accounts and phone numbers, resulted in campus-wide lockdowns on Tuesday, Wednesday, and Thursday, as well as the complete cancellation of school on Friday, April 22.

The week ended, however, with the arrest of 18-year-old Josiah Leach on Friday evening. A criminal complaint alleging a violation of 18 U.S.C. § 875(c) [“Knowingly transmitting in interstate commerce a communication containing a threat to injure the person of another”] was filed in U.S. District Court (D. Vt.) by FBI Special Agent Jennifer Vander Veer. Attached to the complaint was Vander Veer’s detailed affidavit explaining how, despite his attempts to remain anonymous, Leach was quickly identified and located.

The specifics of the affidavit were thoroughly summarized by Burlington Free Press reporter April McCullum (h/t to my friend Nancy Kaplan for bringing this all to my attention). McCullum’s article (and/or this blog post) should be required reading for school administrators and for IT departments, since it describes the type of information that a school district should preserve when these types of events occur. I also think that this incident can be a powerful tool for helping high school students understand just how easily their identity can be discovered online, particularly when the FBI gets involved.

The following is my somewhat more-distilled timeline of Vander Veer’s investigation.

Threat #1 — April 18, 2017

  • Six SBHS staff email accounts received emails containing threats from an account subedimukesh@outlook.com.
  • Vander Veer contacted Microsoft (which operates outlook.com) and learned that the email account was accessed using IP address 104.200.140.118.
  • That IP address resolves to a Virtual Private Network (VPN) called betternet.co.
  • That normally would be the end of that particular digital trail. However, the SBHS IT Department took screen captures of deleted draft emails from Leach’s SBHS Google Apps account. The drafts were written shortly before the email threats were sent.

Threat #2 — April 18, 2017

  • Following the email threats, a threat was posted on the SB Police Department Facebook page. The account which posted the threat ended in 9596.
  • Vander Veer contacted Facebook and obtained records regarding that account.
  • The account was newly created on the morning of April 18 by someone using the name Mukesh Mukesh. All of the activity occurred using IP address 104.200.140.188, the same IP address associated with the email threats.
  • Facebook reported two email addresses associated with the account: jimmymukie98@outlook.com and sjsjsjsis@gmail.com.
  • Microsoft told Vander Veer that the jimmymukie98 address created on the morning of April 18 and was accessed using IP address 64.30.37.252, which resolves to the servers used by SBHS.
  • Vander Veer reviewed the SBHS server logs and found that three students (one of whom was Josiah Leach) accessed Web sites associated with Microsoft Outlook at or about the time the jimmymukie98 account was created.
  • The server logs also recorded the MAC address and name of the device used by Leach to access the SBHS network (an Intel laptop provided to Leach by the school).

Threat #3 — April 18, 2017

  • The SBHS school secretary received a telephone threat from someone using the number 802-472-1939.
  • The SBHS phone service provider, Sovernet, told Vander Veer that the phone number is serviced by TextNow.
  • TextNow, a Voice over IP (VOIP) service, told Vander Veer that the account using that number was created on the morning of April 18 using the email address snsjsajab@gmail.com. Activity on the account came from IP address 73.114.21.114, which resolves to Comcast Xfinity Wifi.
  • SBHS server logs showed that a device had connected to TextNow over the school network just before the TextNow account was created. Leach’s username (leachj) and password were used to connect the device to the school network.

Threat #4 — April 19, 2017

  • Five threatening emails were sent to SBHS accounts by user rustyslack@outlook.com.
  • Vander Veer contacted Microsoft and learned that the account was created shortly before the emails were sent. The IP address used to access the account was 172.98.87.72.
  • That IP address resolves to Total Server Solutions, which is the listed registrant for the IP address associated with Betternet.co.

Threat #5 — April 20, 2017

  • Three threatening emails were sent to SBHS accounts by user sbhsmurder2017@outlook.com. Those emails specifically threatened five SBHS teachers and eleven students (including Leach).
  • Vander Veer obtained information from Microsoft indicating that the sbhsmurder2017 account was accessed using IP address 71.61.92.56. That IP address resolves to an Internet Service Provider called Fairpoint Communications Inc.
  • Fairpoint told Vander Veer that the subscriber using that IP address is Leon McKenzie, Leach’s brother. The service address for the account is Leach’s home address.

Threat #6 — April 20, 2017

  • Three threatening emails were sent to SBHS accounts by user jimcollins9797@outlook.com.
  • Vander Veer obtained information from Microsoft indicating that the jimcollins9797 account was accessed at or about the same time using IP address 73.114.21.93.
  • That IP address resolves to Comcast Xfinity Wifi.

Threat #7 — April 21, 2017

  • Just after midnight on the 21st, a video was shared on Facebook by user taylor.isabelle.5496. The video showed a young male with his face blurred and voice altered. In the video, the male discussed the threats against SBHS and showed images of the emails sent as part of Threats #5 and #6.
  • Vander Veer obtained information from Facebook indicating that taylor.isabelle.5496 had communicated with Leach on Facebook, including most recently around midnight on April 19.

Threat #8 — April 21, 2017

  • Nine emails were sent to SBHS accounts by user theycallmejim98@gmail.com. Attached to each email was the video posted to Facebook as part of Threat #7.
  • Vander Veer obtained information from Google indicating that the theycallmejim98 account was created shortly before the emails were sent. The account was accessed using IP address 71.161.92.56.
  • That IP address was previously identified by Vander Veer as being associated with the account of Leach’s brother, Leon McKenzie.

Reflections and Discussion Points

Endless Possibilities for Disruption — As this timeline illustrates, there are a seemingly endless number of digital tools and communication services that can be used to engage in this type of disruption. It obviously takes no great imagination to invent fake names to use in setting up email accounts. It takes only slightly more technical savvy to use a virtual private network in an effort to make online activity more difficult to trace.

Increasing Amounts of Data Collected Online — At the same time, however, this case also illustrates the power of routine data collection by internet service providers and online service providers like Microsoft and Google. As many, many people have learned to their dismay, an IP address is a powerful investigative tool, particularly when it is connected to a physical address through a subscriber account.

This case also illustrates that efforts to hide behind digital masks (either the use of a virtual private network or obscuring software) can be defeated by extrinsic evidence. For instance, online friends and connections can help reveal identity (as in the case of Leach’s Facebook buddy). Similarly, identifying information (a MAC address for a cell phone, for instance, or the careless use of login credentials) can provide clues to the identity of an otherwise anonymous Internet user.

There was a case in Cambridge, MA a couple of years ago that illustrates this point. A bomb threat was emailed to Harvard University officials during finals week; the evacuations disrupted the exams scheduled at the time. At first, investigators were stymied, since the perpetrator sent the threat using the TOR network, which provides powerful protection for user identities. However, when they examined the network logs for the University, they discovered that three students had accessed the TOR network at about the time the threat was sent. (In this case, Harvard’s network log was like someone watching a truck enter a highway on-ramp; the observer might not know what is in the truck or its final destination, but a note can be made that the truck entered the highway.) The FBI looked at the exam schedules of the three students and saw that just one had a final scheduled around the time the threat was made. An arrest and confession quickly followed.

Prevention Is Difficult — As with so many other types of misbehavior (particularly digital), the reality is that there is not much that can be done to prevent mischievous or malicious students from engaging in this type of behavior. As a practical matter, it is simply too easy.

While perhaps not very satisfying, the only course of action likely to have a long-term impact is ongoing education about the legal, social, and moral consequences of digital misconduct. Incidents like this are frustrating and upsetting, but they can be used as powerful teachable moments not only in the affected school but in schools across the country. Schools can and should incorporate digital citizenship and cyberethics into every aspect of their curricula. And lastly, parents should be provided with the educational tools and encouragement to provide moral and ethical instruction to their children, based in no small part upon reasonable rules regarding the use of devices.

Training for IT Departments Is a Good Investment — When digital incidents occur in a school, members of the IT department are typically first responders. As this case illustrates, they are often in a good position to preserve important evidence for use by law enforcement. School districts should think seriously about investing the time and money to provide their IT staff with basic instruction regarding the relevant types of data that should be preserved and how best to do it.

The chief challenge is helping members of an IT department know the fine line between preservation of evidence and possible interference with an investigation. It is far too easy, particularly during a crisis when administrators may be clamoring for answers, for IT staff to get overzealous in their own sleuthing. A little training, particularly with input from area law enforcement, can go a long ways towards preventing any problems that might interfere with an investigation or prosecution.

[embeddoc url=”https://www.cybertraps.com/wp-content/uploads/2017/04/2017-04-21-Josiah-Leach-Criminal-Complaint.pdf”]

Share this!

Leave Comment

Your email address will not be published.