Rooted boxen and the law

Dalvenjah FoxFire dalvenjah at DAL.NET
Tue Jun 5 16:54:00 UTC 2001


On Tue, Jun 05, 2001 at 08:38:54AM -0400, Jamie Norwood put this into my mailbox:
> 
> I am just curious, in these days where every script kiddie with a few spare
> hours is out cracking into every box in sight, what do you all do when it
> happens? I know the isolate/reinstall stuff, I am specifically more
> interested in administrative stuff. Do you log it? Report it to the
> police? FBI? Who?
> 
> Basically, I just had a box cracked, and have time to kill before I get
> access to it to reinstall (Damn cheap colo provider...) and am wondering
> if I should just reinstall and get on with life, or if I should be covering
> my ass, since I have things on there that will make me unhappy if they are
> taken and released to the public domain (Reg codes for software and the
> like.)

Log what you can, including what software if any you found placed on the box,
what was done/modified, and where the cracker(s) came in from if you can
find that (as well as how they got in); keep a record of time spent and
itemize the costs required to recover. Take this report (it doesn't have
to be anything fancy, just something that's legible and easy-to-read),
and send it to your local FBI office. If you can, put any software or
binaries (or other items) deposited on the machine by a cracker on a CD
and include that. Keep in mind you want to modify as little as possible
while you do this; mount the disk read-only if you can and remove it
from the network. If you really want to get technical, SANS.org or
someplace probably has more detailed forensics tips.

Basically, do as much computer forensics as you can, include estimates of
monetary damages (be realistic), and pass along what you can to the feds.
Chances are you won't get anything back from it personally, but the FBI
might be able to use your info to link back to some other case they're
working on, and it'll be that much more evidence against a person
they're already tracking when it comes time to press charges. If you
don't have time, oh well, but I'm sure the FBI will appreciate any
information you can get them.

If you really have time, see if your local field agent(s) want to review
the machine personally; though chances are they're not going to insist
that you leave the machine with them for months or anything like that.

You may be able to report the case to the police as well, but unless
you're heavily interested in pressing charges, chances are it'll just
be filed and reported up the ladder to the feds anyhow.

-dalvenjah
-- 
 Dalvenjah FoxFire (aka Sven Nielsen)  I'd like mornings better if they
 Founder, the DALnet IRC Network       started later.
 
 e-mail: dalvenjah at dal.net             WWW: http://www.dal.net/~dalvenjah/
 whois: SN90                           Try DALnet! http://www.dal.net/
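The reply above describes the record to build before reinstalling: what was dropped on the box, what was modified, and an itemized recovery cost, gathered while touching the disk as little as possible. The following script is an added example, not code from the post or from DALnet: it walks a read-only mounted copy of the compromised filesystem, hashes every file, diffs the result against a manifest taken from a known-good install, and emits a plain-text report with the cost line. The hostname, hourly rate, and the file tree it builds in a temporary directory are constructed sample data; the `demo()` function exists only to run the whole flow offline.

```python
"""Evidence inventory for a compromised host, walked from a read-only mount.
Added example; the baseline/evidence trees below are constructed sample data."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash, size and mtime of every regular file under root.
    Run this against a disk mounted read-only (mount -o ro) so that
    reading the evidence cannot change timestamps on the original."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash targets, not links; links are noted elsewhere
            st = p.lstat()
            manifest[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files the intruder added, altered or deleted relative to a clean install."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "modified": modified, "removed": removed}


def build_report(hostname, findings, current, hours, hourly_rate, entry_note=""):
    """Legible summary of findings plus the itemized recovery cost."""
    lines = [f"Incident report for {hostname}",
             f"Generated: {datetime.now(timezone.utc).isoformat()}", ""]
    for kind in ("added", "modified", "removed"):
        lines.append(f"{kind.capitalize()} files ({len(findings[kind])}):")
        for p in findings[kind]:
            meta = current.get(p)
            if meta:
                lines.append(f"  {p}  sha256={meta['sha256']}  mtime={meta['mtime']}")
            else:
                lines.append(f"  {p}  (no longer present)")
        lines.append("")
    if entry_note:
        lines += [f"Suspected entry point: {entry_note}", ""]
    cost = hours * hourly_rate
    lines.append(f"Recovery time: {hours:.1f} h at {hourly_rate:.2f}/h = {cost:.2f}")
    return "\n".join(lines), cost


def demo():
    """Constructed baseline (known-good install) and a tampered evidence copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base, cur = Path(tmp) / "baseline", Path(tmp) / "evidence"
        for root in (base, cur):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"original ls binary")
            (root / "etc").mkdir()
            (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        # constructed tampering: replaced binary, extra account, dropped tool
        (cur / "bin" / "ls").write_bytes(b"replaced ls binary")
        (cur / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nr00t:x:0:0::/:/bin/sh\n")
        (cur / "tmp").mkdir()
        (cur / "tmp" / ".sniff").write_bytes(b"dropped tool")
        current = build_manifest(cur)
        findings = diff_manifests(build_manifest(base), current)
        report, cost = build_report("colo-box-1", findings, current,
                                    hours=6.0, hourly_rate=75.0,
                                    entry_note="remote login from unknown host (constructed)")
        return findings, cost, report


if __name__ == "__main__":
    print(demo()[2])
```

The hashes and mtimes in the report, together with the added files burned to a CD as the post suggests, are what a field agent can later match against material from other cases; keeping the baseline manifest from the original install media makes the diff trustworthy even when the package database on the box has itself been altered.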
