Computer Intrusion Investigation Guidelines - United States, Department of Defense

The FBI Law Enforcement Bulletin, January 2001, by J. Bryan Davis

The process of catching the hacker may be simple, but obtaining and analyzing the evidence can be very complex. First, the investigator needs to understand the basics of a "hack" or an "intrusion." The hacker, or intruder, breaks into a number of computers or computer systems to obtain either root-level or user-level access to a computer. A hacker does this for three reasons.

* Storage: the hacker finds a victim computer to store tools and programs that can be used to exploit other computers;

* Protection: the hacker typically establishes a number of "jumps," or stepping stones, en route to a particular computer or computer system. This chain hides the location of the hacker, including the Internet Protocol (IP) address from which the hack originated; and

* Exploitation: the hacker wants to exploit a computer or computer system to obtain information or vandalize the computer.

The investigator can track the hacker by implementing three investigative techniques:

* Operations: the investigator goes undercover;

* Sources: the investigator develops sources that provide information about hackers and their activities; and

* Investigation: the investigator uses various methods to legally obtain computer records (normally security and audit logs). These records are then examined in an effort to surface evidence, and they give the investigator the opportunity to track, or trace, the hacker back to the origin. This should not be confused with "hacking back," which is illegal.

INVESTIGATION BASICS

As with any investigation, investigators have many leads to follow. In a computer intrusion investigation, the initial steps are the same from case to case, because most computer intrusions are remarkably similar in nature. When hackers break into a government computer system, the Department of Defense (DOD) typically learns of it through intrusion detection systems, from other law enforcement agencies, or by an obvious Web page defacement. Computer intrusion cases are directed to the DOD's Defense Criminal Investigative Service's Computer Crimes Investigation Program. Hackers make a number of jumps from their own computer through various other computers or computer systems. For technical reasons, the number of these jumps is limited, but each of these jumps is probably itself a victim.

To track down these hackers, federal agents must obtain and review the relevant logs from each of the jumps, or victims, in turn: the victim's logs identify the last jump, that jump's logs identify the one before it, and so on. If these logs are obtained in a timely fashion, before they are overwritten or discarded, the investigation will lead quickly to either the hacker or a dead end. The dead end often results when hackers jump through or from foreign countries; sometimes it occurs simply because the investigator could not obtain the computer logs for a particular jump.
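As an added illustration, not part of the original Bulletin article, the following Python script walks the jumps backward from the victim in the way the paragraph above describes, using constructed sshd-style login records standing in for the logs obtained from each host. The host addresses, log lines, six-hour matching window and six-hop limit are all assumed sample values for this example (the article only says the number of jumps is limited); a real trace works from logs obtained from each source under one of the methods listed in Step Seven. The trace ends in one of three ways: a dead end when the next host's logs were never obtained, an origin candidate when a host's logs show no inbound login that could explain the outbound hop, or the hop limit.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sshd-style login records per host, keyed by each host's IP address.
# These are sample lines written for this example, not real logs. The hosts form
# the chain  victim <- hop1 <- hop2 <- 203.0.113.77, where no logs were obtained
# for the last address (the "dead end" the article describes).
LOGS = {
    "192.0.2.10": [  # victim
        "2001-01-13T20:00:00 victim sshd[1100]: Accepted password for ops from 192.0.2.55 port 40001 ssh2",
        "2001-01-14T02:15:07 victim sshd[1201]: Accepted password for admin from 198.51.100.23 port 51022 ssh2",
        "2001-01-14T02:31:44 victim sshd[1230]: Accepted password for ops from 192.0.2.55 port 40011 ssh2",
    ],
    "198.51.100.23": [  # first jump
        "2001-01-14T01:58:02 hop1 sshd[771]: Accepted password for guest from 203.0.113.9 port 33104 ssh2",
        "2001-01-14T09:00:00 hop1 sshd[812]: Accepted password for guest from 203.0.113.9 port 33188 ssh2",
    ],
    "203.0.113.9": [  # second jump
        "2001-01-14T01:40:30 hop2 sshd[402]: Accepted publickey for nobody from 203.0.113.77 port 2201 ssh2",
    ],
}

# Same chain, but this time the last host's logs were obtained and show only a
# local console login, so the trace ends at an origin candidate instead.
ORIGIN_LOGS = dict(LOGS)
ORIGIN_LOGS["203.0.113.77"] = [
    "2001-01-14T01:30:00 hop3 login[55]: LOGIN ON tty1 BY mallory",
]

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

MAX_HOPS = 6                   # assumed limit; the article only says jumps are limited
MAX_GAP = timedelta(hours=6)   # assumed: inbound login must precede the outbound hop by at most this


@dataclass
class Hop:
    host: str          # the machine whose logs were examined
    user: str          # account the intruder used on it
    src: str           # where the intruder came from, i.e. the next host to ask for logs
    logged_in: datetime


def parse_logins(lines):
    """Yield (timestamp, user, source_ip) for each accepted remote login line."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def inbound_before(lines, deadline):
    """Latest accepted login on a host that precedes `deadline` by at most MAX_GAP.

    Logins after the deadline cannot have produced the downstream connection, and
    logins older than MAX_GAP are treated as unrelated sessions.
    """
    best = None
    for ts, user, src in parse_logins(lines):
        if deadline - MAX_GAP <= ts <= deadline and (best is None or ts > best[0]):
            best = (ts, user, src)
    return best


def trace_back(logs, victim_ip, incident_time):
    """Follow inbound logins backward from the victim through each stepping stone.

    Returns the list of hops walked and a status string: "dead end" when logs for
    the next host were never obtained, "origin candidate" when a host's logs show
    no inbound login that could explain the outbound hop, or "hop limit reached".
    """
    hops, host, deadline = [], victim_ip, datetime.fromisoformat(incident_time)
    for _ in range(MAX_HOPS):
        if host not in logs:
            return hops, f"dead end: no logs obtained for {host}"
        hit = inbound_before(logs[host], deadline)
        if hit is None:
            return hops, f"origin candidate: {host} (no inbound login before {deadline.isoformat()})"
        ts, user, src = hit
        hops.append(Hop(host=host, user=user, src=src, logged_in=ts))
        host, deadline = src, ts   # this login time bounds the search on the previous hop


if __name__ == "__main__":
    for name, logs in (("dead end", LOGS), ("origin", ORIGIN_LOGS)):
        hops, status = trace_back(logs, "192.0.2.10", "2001-01-14T02:20:00")
        print(f"[{name}]")
        for h in hops:
            print(f"  {h.host} <- {h.src} as {h.user} at {h.logged_in.isoformat()}")
        print("  " + status)
```

The time window is what keeps the trace honest: the unrelated "ops" logins on the victim are discarded because they fall after the incident or long before it, and on each stepping stone only a login that precedes the outbound connection can be the intruder's session. In practice the window must also absorb clock skew between hosts, which is one reason to record each log source's clock offset when the logs are collected.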

It should be noted that, due to the nature of the hacker culture, hackers commonly share their exploits with other hackers. This means it is very common to find that more than one hacker has broken into a particular computer or computer system. Also, although the intrusion may appear to have just occurred, by the time it is reported it is typically at least a few hours, and often a few days, old.

Most investigations begin when the investigator receives a call or complaint from a DOD Computer Emergency Response Team (CERT); a systems administrator or computer security personnel; or a witness or confidential or registered source. The initial phases of a computer intrusion investigation can be broken down into 12 steps.

THE TWELVE STEPS

Step One

Obtain the identifying data on the caller.

Step Two

Obtain the identifying data on the victim computer. What is the victim IP? What agency does it belong to? Who is the system point of contact (POC)? Is the victim computer "mission critical"?

Step Three

Obtain the known particulars of the intrusion. This is sometimes called the "ticket" information. What is the source IP? When did the incident occur? What method of intrusion was used? Was it a root or user level intrusion?

Step Four

Determine if the victim computer has been secured (i.e., has it been taken off-line and stored to protect the evidence)? Has the system administrator removed all hacker programs, sniffers, and tools? Have the appropriate security patches been installed? Any such clean-up or patching alters the state of the evidence, so record exactly what was changed and when.

Step Five

Meet with the system administrator and determine if the victim computer should be taken off-line and taken into evidence or if the victim computer can be left on-line and used to monitor the hacker's future activity.

Step Six

Arrange to have the computer seized as evidence, or have a mirror image made of the victim computer's hard drive. Verify that the image matches the original (by cryptographic hash) and document the chain of custody.

Step Seven

Determine the appropriate method of obtaining computer records from the source (i.e., the source computer, computer system, or network). Depending on the type of computer or computer system, investigators can use five methods to obtain computer records. Which method the investigator must use is governed by the Stored Wire and Electronic Communications Act. The five methods are--

* official request;

* inspector general subpoena;

* grand jury subpoena;

* court order; or

* search warrant.

Step Eight

Contact the source and obtain its computer logs.
