Re: Rooted boxen and the law
- From: Dalvenjah FoxFire
- Date: Tue Jun 05 13:04:20 2001
I should've included a disclaimer with that; I don't speak for the FBI or
anyone but myself; the below is what I've gotten from experience. None
of this is guaranteed, take it with a grain of salt, etc. etc. etc. Call
it a "Best Practices" as far as I know. }:>
On Tue, Jun 05, 2001 at 09:54:00AM -0700, Dalvenjah FoxFire put this into my mailbox:
> Log what you can, including what software if any you found placed on the box,
> what was done/modified, and where the cracker(s) came in from if you can
> find that (as well as how they got in); keep a record of time spent and
> itemize the costs required to recover. Take this report (it doesn't have
> to be anything fancy, just something that's legible and easy-to-read),
> and send it to your local FBI office. If you can, put any software or
> binaries (or other items) deposited on the machine by a cracker on a CD
> and include that. Keep in mind you want to modify as little as possible
> while you do this; mount the disk read-only if you can and remove it
> from the network. If you really want to get technical, SANS.org or
> someplace probably has more detailed forensics tips.
> Basically, do as much computer forensics as you can, include estimates of
> monetary damages (be realistic), and pass along what you can to the feds.
> Chances are you won't get anything back from it personally, but the FBI
> might be able to use your info to link back to some other case they're
> working on, and it'll be that much more evidence against a person
> they're already tracking when it comes time to press charges. If you
> don't have time, oh well, but I'm sure the FBI will appreciate any
> information you can get them.
> If you really have time, see if your local field agent(s) want to review
> the machine personally; though chances are they're not going to insist
> that you leave the machine with them for months or anything like that.
> You may be able to report the case to the police as well, but unless
> you're heavily interested in pressing charges, chances are it'll just
> be filed and reported up the ladder to the feds anyhow.
> Dalvenjah FoxFire (aka Sven Nielsen)
> Founder, the DALnet IRC Network
> e-mail: email@example.com WWW: http://www.dal.net/~dalvenjah/
> whois: SN90 Try DALnet! http://www.dal.net/
> I'd like mornings better if they started later.
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
e-mail: firstname.lastname@example.org WWW: http://www.dal.net/~dalvenjah/
whois: SN90 Try DALnet! http://www.dal.net/
"Thy wit is as quick as the greyhound's mouth - it catches."
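The evidence-preservation steps in the post (record what was deposited on the box, change as little as possible, keep a copy you can hand to investigators) can be backed by a manifest taken before anything is touched. The script below is an added example, not code from the post or from DALnet; it assumes a Linux host with GNU coreutils (sha256sum, stat -c), an evidence tree already mounted read-only or copied off the box, and the sample paths in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a manifest of every
# regular file under an evidence directory so the report handed to
# investigators shows exactly what was on the machine, and so a later
# re-check proves the copy (e.g. the CD) was not altered.
# Assumes GNU coreutils; findmnt is optional and falls back to "unknown".

# make_manifest EVIDENCE_DIR OUT_FILE
# Manifest line format: sha256 size mtime ctime path
make_manifest() {
    dir=$1; out=$2
    {
        printf '# evidence manifest for %s generated %s by %s on %s\n' \
            "$dir" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$(uname -n)"
        # Mount state is part of the record: it documents that the disk
        # was read-only (or not) while it was examined.
        printf '# mount options: %s\n' \
            "$(findmnt -no OPTIONS --target "$dir" 2>/dev/null || echo unknown)"
        find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s %s %s %s %s\n' \
                "$(sha256sum "$f" | cut -d' ' -f1)" \
                "$(stat -c %s "$f")" "$(stat -c %Y "$f")" "$(stat -c %Z "$f")" "$f"
        done
    } > "$out"
}

# verify_manifest MANIFEST
# Re-hashes each listed file; prints CHANGED lines and returns non-zero
# if anything differs from what was recorded.
verify_manifest() {
    bad=0
    while read -r hash size mtime ctime path; do
        case $hash in '#'*|'') continue ;; esac
        now=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$now" != "$hash" ]; then
            printf 'CHANGED %s\n' "$path"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}
```

Run make_manifest once on the untouched evidence and keep the manifest with the report; verify_manifest on the CD copy later shows whether the copy still matches.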