North American Network Operators Group

Re: Rooted boxen and the law

  • From: Dalvenjah FoxFire
  • Date: Tue Jun 05 13:04:20 2001

I should've included a disclaimer with that; I don't speak for the FBI or
anyone but myself; the below is what I've gotten from experience. None
of this is guaranteed, take it with a grain of salt, etc. etc. etc. Call
it a "Best Practices" as far as I know. }:>

-dalvenjah

On Tue, Jun 05, 2001 at 09:54:00AM -0700, Dalvenjah FoxFire put this into my mailbox:
> 
> Log what you can, including what software if any you found placed on the box,
> what was done/modified, and where the cracker(s) came in from if you can
> find that (as well as how they got in); keep a record of time spent and
> itemize the costs required to recover. Take this report (it doesn't have
> to be anything fancy, just something that's legible and easy-to-read),
> and send it to your local FBI office. If you can, put any software or
> binaries (or other items) deposited on the machine by a cracker on a CD
> and include that. Keep in mind you want to modify as little as possible
> while you do this; mount the disk read-only if you can and remove it
> from the network. If you really want to get technical, SANS.org or
> someplace probably has more detailed forensics tips.
> 
> Basically, do as much computer forensics as you can, include estimates of
> monetary damages (be realistic), and pass along what you can to the feds.
> Chances are you won't get anything back from it personally, but the FBI
> might be able to use your info to link back to some other case they're
> working on, and it'll be that much more evidence against a person
> they're already tracking when it comes time to press charges. If you
> don't have time, oh well, but I'm sure the FBI will appreciate any
> information you can get them.
> 
> If you really have time, see if your local field agent(s) want to review
> the machine personally; though chances are they're not going to insist
> that you leave the machine with them for months or anything like that.
> 
> You may be able to report the case to the police as well, but unless
> you're heavily interested in pressing charges, chances are it'll just
> be filed and reported up the ladder to the feds anyhow.
> 
> -dalvenjah
> -- 
>  Dalvenjah FoxFire (aka Sven Nielsen)  I'd like mornings better if they
>  Founder, the DALnet IRC Network       started later.
>  
>  e-mail: [email protected]             WWW: http://www.dal.net/~dalvenjah/
>  whois: SN90                           Try DALnet! http://www.dal.net/

-- 
 Dalvenjah FoxFire (aka Sven Nielsen) "Thy wit is as quick as the greyhound's
 Founder, the DALnet IRC Network       mouth - it catches."
 
 e-mail: [email protected]             WWW: http://www.dal.net/~dalvenjah/
 whois: SN90                           Try DALnet! http://www.dal.net/
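The quoted message boils down to a small evidence-handling procedure: record what was found on the box without modifying it, note when each file was last touched, and itemise the time spent into a realistic cost figure for a legible report. The script below is an added example, not part of this post or the NANOG archive, of what that report can look like in practice: it walks a directory of recovered files opened read-only, records a SHA-256 digest, size and modification time for each, and totals the recovery hours at an hourly rate. Every file name, file content, task line and the hourly rate are constructed stand-ins; the function names are this example's own.

```python
"""Evidence inventory and cost itemisation for a compromised host.

Added example; not code from the original post. The digests let anyone
later confirm that the copy handed over (e.g. the CD the post mentions)
matches what was collected. Nothing under evidence_dir is written to.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir):
    """One entry per regular file under evidence_dir, sorted by relative path.

    stat() is taken before the file is opened so the recorded mtime reflects
    the state as found rather than the time of hashing.
    """
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    entries.sort(key=lambda e: e["path"])
    return entries


def recovery_cost(time_entries, hourly_rate):
    """Itemise (task, hours) pairs at one hourly rate; returns (lines, total)."""
    lines = [{"task": task, "hours": hours, "cost": round(hours * hourly_rate, 2)}
             for task, hours in time_entries]
    total = round(sum(line["cost"] for line in lines), 2)
    return lines, total


def write_report(evidence_dir, time_entries, hourly_rate, out_path):
    """Assemble the manifest and cost lines into one JSON report written outside evidence_dir."""
    lines, total = recovery_cost(time_entries, hourly_rate)
    report = {
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "evidence_dir": os.path.abspath(evidence_dir),
        "files": build_manifest(evidence_dir),
        "recovery": lines,
        "recovery_total": total,
    }
    with open(out_path, "w") as f:
        json.dump(report, f, indent=2)
    return report


# Constructed sample evidence: placeholders for files left behind on the box.
SAMPLE_FILES = {
    "usr/bin/.hidden/bnc": b"#!/bin/sh\n# constructed placeholder, not a real tool\n",
    "tmp/notes.txt": b"constructed sample text\n",
    "var/run/empty.lock": b"",
}

# Constructed time log (hours per task) and a constructed hourly rate.
SAMPLE_TIME = [
    ("Image disk and mount read-only", 1.5),
    ("Review logs and deposited binaries", 2.5),
    ("Rebuild host", 4.0),
]
SAMPLE_RATE = 150.0


def make_sample_evidence_dir():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    base = tempfile.mkdtemp(prefix="evidence_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    evidence = make_sample_evidence_dir()
    out = os.path.join(tempfile.mkdtemp(prefix="report_"), "report.json")
    print(json.dumps(write_report(evidence, SAMPLE_TIME, SAMPLE_RATE, out), indent=2))
```

The report is written to a separate directory so the collected material itself is never touched, in keeping with the "modify as little as possible" advice; the hashing step is what makes a later copy verifiable against the original collection.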