Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Rooted boxen and the law

  • From: Dalvenjah FoxFire
  • Date: Tue Jun 05 13:04:20 2001

I should've included a disclaimer with that; I don't speak for the FBI or
anyone but myself; the below is what I've gotten from experience. None
of this is guaranteed, take it with a grain of salt, etc. etc. etc. Call
it a "Best Practices" as far as I know. }:>

-dalvenjah

On Tue, Jun 05, 2001 at 09:54:00AM -0700, Dalvenjah FoxFire put this into my mailbox:
> 
> Log what you can, including what software if any you found placed on the box,
> what was done/modified, and where the cracker(s) came in from if you can
> find that (as well as how they got in); keep a record of time spent and
> itemize the costs required to recover. Take this report (it doesn't have
> to be anything fancy, just something that's legible and easy-to-read),
> and send it to your local FBI office. If you can, put any software or
> binaries (or other items) deposited on the machine by a cracker on a CD
> and include that. Keep in mind you want to modify as little as possible
> while you do this; mount the disk read-only if you can and remove it
> from the network. If you really want to get technical, SANS.org or
> someplace probably has more detailed forensics tips.
> 
> Basically, do as much computer forensics as you can, include estimates of
> monetary damages (be realistic), and pass along what you can to the feds.
> Chances are you won't get anything back from it personally, but the FBI
> might be able to use your info to link back to some other case they're
> working on, and it'll be that much more evidence against a person
> they're already tracking when it comes time to press charges. If you
> don't have time, oh well, but I'm sure the FBI will appreciate any
> information you can get them.
> 
> If you really have time, see if your local field agent(s) want to review
> the machine personally; though chances are they're not going to insist
> that you leave the machine with them for months or anything like that.
> 
> You may be able to report the case to the police as well, but unless
> you're heavily interested in pressing charges, chances are it'll just
> be filed and reported up the ladder to the feds anyhow.
> 
> -dalvenjah
> -- 
>  Dalvenjah FoxFire (aka Sven Nielsen)  I'd like mornings better if they
>  Founder, the DALnet IRC Network       started later.
>  
>  e-mail: dalvenjah@dal.net             WWW: http://www.dal.net/~dalvenjah/
>  whois: SN90                           Try DALnet! http://www.dal.net/

-- 
 Dalvenjah FoxFire (aka Sven Nielsen) "Thy wit is as quick as the greyhound's
 Founder, the DALnet IRC Network       mouth - it catches."
 
 e-mail: dalvenjah@dal.net             WWW: http://www.dal.net/~dalvenjah/
 whois: SN90                           Try DALnet! http://www.dal.net/




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.