spaf@cs.purdue.edu (Gene Spafford) wrote:

> 2) Don't push an investigation yourself until you have contacted law
> enforcement, if you have any possible intent in prosecution. The
> reason for this is that certain acts must be done in the right order,
> and with proper record keeping. If you investigate too far, you may
> contaminate evidence that is needed for prosecution. Furthermore, you
> may actually muck up the trail to where it is not possible to track
> the intruder. The majority of system admins do not have the necessary
> training or legal background to do this by themselves. Get law
> enforcement and other professionals involved early.

This is a very important issue and cannot be overemphasized. If your company/organization decides for whatever reason (policy, deterrence, revenge, etc.) to proceed with investigating with the hopes of prosecuting, the law enforcement agents will advise you along every step of the way, even to the point where they can determine whether the case can be brought to court. It's just like any other criminal law: if there is enough evidence to prosecute and convict, then it might be worth bringing a case to court. If the evidence lacks minimum criteria such as proving a hacker's intent as defined in the Federal Computer Fraud and Abuse Act of 1986, they will tell you this as well. It's not that it isn't worth their time; it's that the laws state you must provide hard facts of such activity, and this can sometimes be a very difficult thing to do.

> 3) The field of computer crime investigation is new. Law enforcement
> personnel are learning as they go. They need good cases and cooperation to
> get that experience, though.

The "learning as they go" is quite true and most unfortunate, because it instills a lack of confidence when you deal with the law enforcement agents that exhibit such deficiencies.
It's typical that they aren't as familiar with all the ins and outs of, say, a Unix box as you would expect, but it also does not mean that they don't know the law, which is where they will benefit you the most. Perhaps the field *is* too new for law officers to be up to par with expectations of system proficiency, but I think it goes deeper than that. How many law enforcement officers turned computer crime investigators do you expect to become overnight systems experts or even have the time to invest in doing so? :-( Probably not too many, but it still does not mean that, for example, while reviewing a keystroke monitoring log with them, you shouldn't share your in-depth knowledge of the hackers' activities if you notice that the law officer is not up to par. Remember, what comes around goes around :-)

I would like to add one more thing since I am on the topic of sharing information with the law officers. I personally know of an unfortunate change in policy that one law enforcement agency has recently undergone. They have decided to keep a tight lip on their knowledge of the ongoing hacking activity in which your systems are involved (i.e., the victims get very little feedback as to the overall activities of the hackers). IMO, this is a bad idea. In dealing with them in the past, they have given much needed information to track down and prosecute hackers. In two investigations I know of that led to arrests, this information pacified and calmed management as tracking and tracing the hackers continued for over a month. Without the intelligence feedback, the investigation would have been halted by management because there was too much at risk. By deciding to not provide this "crucial" feedback, it will become much harder for companies and organizations to want to pursue the investigation till arrests are made, mostly because management does not know what is going on and that is too much liability to put on their shoulders.
The result of this is that many companies unable to hire private investigators will simply employ security measures to shut the door on the hacker(s) and not investigate. This, in return, will probably undermine the ability to create an aura of deterrence on the Internet as Spaf had talked about.

Diane Davidowicz