Computer Intrusion Investigation Guidelines
Davis, J. Bryan, The FBI Law Enforcement Bulletin
The process of catching the hacker may be simple, but obtaining and analyzing the evidence can be very complex. First, the investigator needs to understand the basics of a "hack" or an "intrusion." The hacker, or intruder, essentially breaks into a number of computers or computer systems to obtain either root or user level access to a computer. A hacker does this for three reasons.
* Storage: the hacker finds a victim computer to store tools and programs that can be used to exploit other computers;
* Protection: the hacker typically establishes a number of "jumps," or stepping stones in route to a particular computer or computer system. This process hides the location of the hacker, including protecting the original Internet provider (IP) of the hack; and
* Exploitation: the hacker wants to exploit a computer or computer system to obtain information or vandalize the computer.
The investigator can track the hacker by implementing three investigative techniques:
* Operations: the investigator goes undercover;
* Sources: the investigator develops sources that provide information about hackers and their activities; and
* Investigation: the investigator uses various methods to legally obtain computer records (normally security and audit logs). These records are then examined in an effort to surface evidence. These records give the investigator the opportunity to track, or trace, back the hacker. This should not to be confused with "hacking back," which is illegal.
As with any investigation, investigators have many leads to follow. In the computer intrusion investigation, the initial steps are the same. This is because most computer intrusions are remarkably similar in nature. When hackers break into a government computer system, the Department of Defense (DOD) typically learns of it through intrusion detection systems, from other law enforcement agencies, or by obvious Web page defacement. Computer intrusion cases are directed to the DOD's Defense Criminal Investigative Service's Computer Crimes Investigation Program. Hackers make a number of jumps from their computer through various other computers or computer system. For technical reasons, the number of these jumps is limited, but each of these jumps is probably a victim.
To track down these hackers, federal agents must obtain and review various logs from each of the jumps or victims. If these logs are obtained in a timely fashion, the investigation will lead quickly to either the hacker or a dead end. Generally, the dead end often results when hackers jump through or from foreign countries. Sometimes, the dead end occurs because the investigator could not obtain the computer logs.
It should be noted that, due to the nature of the hacker culture, hackers commonly share their exploits with other hackers. This means that it is very common to find out that more than one hacker has broken into a particular computer or computer system. Although the intrusion may have just occurred, it is typically at least a few hours or a few days old.
Most investigations begin when the investigator receives a call or complaint from a DOD Computer Emergency Response Team (CERT); a systems administrator or computer security personnel; or a witness or confidential or registered source. The initial phases of a computer intrusion investigation can be broken down into 12 steps.
THE TWELVE STEPS
Obtain the identifying data on the caller.
Obtain the identifying data on the victim computer. What is the victim IP? What agency does it belong to? Who is the system point of contact (POC)? Is the victim computer "mission critical?"
Obtain the known particulars of the intrusion. This is sometimes called the "ticket" information. What is the source IP? When did the incident occur? …