[38460] in North American Network Operators' Group
Re: Rooted boxen and the law
daemon@ATHENA.MIT.EDU (Dalvenjah FoxFire)
Tue Jun 5 13:02:09 2001
X-Envelope-To: nanog@merit.edu
Date: Tue, 5 Jun 2001 09:57:30 -0700
From: Dalvenjah FoxFire <dalvenjah@DAL.NET>
To: Dalvenjah FoxFire <dalvenjah@DAL.NET>
Cc: Jamie Norwood <jnorwood@adelphia.net>, nanog@merit.edu
Message-ID: <20010605095729.B18608@dragonlair.dal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010605095400.A18608@dragonlair.dal.net>; from dalvenjah@DAL.NET on Tue, Jun 05, 2001 at 09:54:00AM -0700
Errors-To: owner-nanog-outgoing@merit.edu
I should've included a disclaimer with that; I don't speak for the FBI or
anyone but myself; the below is what I've gotten from experience. None
of this is guaranteed, take it with a grain of salt, etc. etc. etc. Call
it a "Best Practices" as far as I know. }:>
-dalvenjah
On Tue, Jun 05, 2001 at 09:54:00AM -0700, Dalvenjah FoxFire put this into my mailbox:
>
> Log what you can, including what software if any you found placed on the box,
> what was done/modified, and where the cracker(s) came in from if you can
> find that (as well as how they got in); keep a record of time spent and
> itemize the costs required to recover. Take this report (it doesn't have
> to be anything fancy, just something that's legible and easy-to-read),
> and send it to your local FBI office. If you can, put any software or
> binaries (or other items) deposited on the machine by a cracker on a CD
> and include that. Keep in mind you want to modify as little as possible
> while you do this; mount the disk read-only if you can and remove it
> from the network. If you really want to get technical, SANS.org or
> someplace probably has more detailed forensics tips.
>
> Basically, do as much computer forensics as you can, include estimates of
> monetary damages (be realistic), and pass along what you can to the feds.
> Chances are you won't get anything back from it personally, but the FBI
> might be able to use your info to link back to some other case they're
> working on, and it'll be that much more evidence against a person
> they're already tracking when it comes time to press charges. If you
> don't have time, oh well, but I'm sure the FBI will appreciate any
> information you can get them.
>
> If you really have time, see if your local field agent(s) want to review
> the machine personally; though chances are they're not going to insist
> that you leave the machine with them for months or anything like that.
>
> You may be able to report the case to the police as well, but unless
> you're heavily interested in pressing charges, chances are it'll just
> be filed and reported up the ladder to the feds anyhow.
>
> -dalvenjah
> --
> Dalvenjah FoxFire (aka Sven Nielsen)
> Founder, the DALnet IRC Network
> I'd like mornings better if they started later.
>
> e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/
> whois: SN90 Try DALnet! http://www.dal.net/
--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
"Thy wit is as quick as the greyhound's mouth - it catches."
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/
whois: SN90 Try DALnet! http://www.dal.net/
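The quoted advice (mount the disk read-only, record what was modified, change as little as possible) lends itself to a small evidence-manifest tool. The code below is an added example, not from the post or from DALnet: it assumes the suspect disk is already mounted read-only at the path passed as `mount`, uses a constructed intrusion time (`COMPROMISE_EPOCH`) and a constructed sample tree in place of a real mount, and never writes under the mount.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

COMPROMISE_EPOCH = 991731600  # constructed: assumed intrusion time, 2001-06-05 09:00 UTC

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(mount, compromise_epoch=COMPROMISE_EPOCH):
    """Record path, size, mtime and SHA-256 of every regular file under the read-only
    mount (symlinks not followed); flag files with mtime at or after the suspected
    compromise as candidates for the report's 'what was modified' section."""
    files = []
    for root, dirs, names in os.walk(mount):
        dirs[:] = sorted(d for d in dirs if not os.path.islink(os.path.join(root, d)))
        for name in sorted(names):
            p = os.path.join(root, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            st = os.stat(p)
            files.append({"path": os.path.relpath(p, mount), "size": st.st_size,
                          "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                          "sha256": sha256_file(p),
                          "modified_after_compromise": st.st_mtime >= compromise_epoch})
    return {"mount": mount, "collected": datetime.now(timezone.utc).isoformat(), "files": files}

def changed_since_collection(manifest):
    """Re-hash every recorded file; return paths whose contents no longer match,
    i.e. evidence that was altered after the manifest was taken."""
    return [e["path"] for e in manifest["files"]
            if sha256_file(os.path.join(manifest["mount"], e["path"])) != e["sha256"]]

def build_sample_tree():
    """Constructed stand-in for the mount: one untouched binary, one file dropped after the intrusion."""
    mount = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(mount, "usr", "bin"))
    for rel, data, mtime in [("usr/bin/ls", b"original binary\n", COMPROMISE_EPOCH - 30 * 86400),
                             ("usr/bin/.rk", b"planted binary\n", COMPROMISE_EPOCH + 600)]:
        path = os.path.join(mount, rel)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return mount
```

Run `build_manifest` once on the read-only mount, keep the output with the report, and rerun `changed_since_collection` before handing anything over to show the evidence is unchanged.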