Computer Intrusion Investigation Guidelines - United States, Department of Defense

The FBI Law Enforcement Bulletin, Jan. 2001, by J. Bryan Davis

Possible Conclusions

The investigator continues this process of tracing back the hacker's jumps. This investigative process leads to one of three conclusions:

* The hacker is located. At this point, traditional law enforcement techniques such as arrest warrants, search warrants, trap and trace, or other techniques come into play.

* The trace back leads to a foreign country. Depending on the particulars, this case may now fall into the area of foreign counterintelligence. It may lead to a joint investigation with foreign law enforcement organizations. Or, it may result in an investigative dead end.

* The trace back leads to a dead end within the United States. This typically happens when one of the victim sites cannot provide useful records, when records cannot be obtained in a timely manner, or when the hacker is able to "spoof," or fake, the IP address.

Step Eleven

Make arrangements to have the source logs examined.

Step Twelve

Conduct appropriate interviews.

CONCLUSION

As computer intrusion crimes increase and hackers become more efficient, the investigator's role and task will become more difficult. However, these guidelines should help answer some basic questions encountered at the onset of any computer intrusion investigation.

Special Agent Davis serves with the Defense Criminal Investigative Service, Department of Defense, in Arlington, Virginia.

COPYRIGHT 2001 Federal Bureau of Investigation
COPYRIGHT 2001 Gale Group

 


Content provided in partnership with Thompson Gale