Electronic mail, specifically the sendmail program, which handles electronic mail on most UNIX systems.
Telnet. Telnet sends passwords across the network in the clear. If crackers have compromised the "calling machine," they can record the passwords typed by users of that computer when they call the victim's computer, and then use those passwords themselves.
TFTP and FTP. Owners may inadvertently leave password files readable through these services and so disclose them; an unrestricted TFTP server will hand out any world-readable file it is asked for. Crackers may use the anonymous FTP area to penetrate "the rest" of the computer. Finally, where the owner has allowed outsiders to write files into the anonymous FTP area, crackers and others may store stolen data, illegally copied programs and pornography there.
Network "spoofing." The victim's computer may have been fooled into believing that it is being "called" by another, trusted computer on the network, and so have granted access it would not give to a stranger.
If you suspect an employee (including a user whose account was penetrated), do you have records documenting which employees were at the victim's facility at the time, and what they were doing?
What did the intruder do after gaining access?
Are there any new files that were not there before the intruder arrived, or existing files (particularly system programs) that have changed? If the victim does not have computer security experts on staff, suggest that it hire a consultant to check for back doors, trojan horses, viruses, logic bombs, etc.
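The question of which files are new or changed can only be answered against a record of the system taken before the intrusion. The following is an added illustration, not part of this manual: it records a baseline of every file's size and SHA-256 hash, then compares a later snapshot against it. The directory tree and the "intruder activity" it diffs are constructed in a temporary directory for the demonstration.

```python
"""Compare a directory tree against a previously recorded baseline.

Added example (not part of the original manual): builds a manifest of
relative path -> (size, sha256) and reports files that are new, changed
or missing. All sample files below are constructed in a temporary
directory; the paths are illustrative only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: (size, sha256_hex)} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Symlinks and special files are not hashed here; a real review
            # should list them separately rather than ignore them.
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[str(p.relative_to(root))] = (p.stat().st_size, h.hexdigest())
    return manifest


def compare_manifests(baseline, current):
    """Return (new, changed, missing): sorted lists of relative paths."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return new, changed, missing


def demo():
    """Snapshot a constructed tree, simulate intruder activity, and diff."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "etc").mkdir()
        Path(root, "etc", "passwd").write_text("root:x:0:0::/:/bin/sh\n")
        Path(root, "bin").mkdir()
        Path(root, "bin", "login").write_bytes(b"\x7fELF original login")
        Path(root, "var", "log").mkdir(parents=True)
        Path(root, "var", "log", "wtmp").write_bytes(b"login records")
        baseline = build_manifest(root)  # taken before the intrusion

        # Simulated intruder activity (constructed): a hidden trust file
        # left behind, a trojaned login program, and a deleted log.
        Path(root, "tmp").mkdir()
        Path(root, "tmp", ".rhosts").write_text("+ +\n")
        Path(root, "bin", "login").write_bytes(b"\x7fELF trojaned login")
        Path(root, "var", "log", "wtmp").unlink()

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    new, changed, missing = demo()
    print("new:", new)
    print("changed:", changed)
    print("missing:", missing)
```

Two cautions apply. The baseline must be kept off the penetrated computer, since an intruder with system privileges can rewrite it. And the comparison relies on content hashes rather than file dates, because modification times are trivially reset by an intruder; for the same reason the snapshot should be taken with known-good copies of the system's tools, not the ones found on the compromised machine.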
Gather the following evidence as soon as possible (and after each intrusion).
1. All records of the unauthorized access.
Again, make sure that your victim keeps those records in a secure place, preferably encrypted and, where possible, on a separate computer or on removable media rather than on the penetrated computer, where an intruder with system privileges could read or alter them. Also caution the victim not to use the computer to discuss the intrusion (e.g., by e-mail).
2. All records of system activity on the day (or within a few hours) of the access.
3. Backup tapes of the above.
Make an exact copy of that data in the form in which it existed on the computer (i.e., onto a backup tape). Make more than one copy if possible, and record who made each copy, when, and from which system. You should also print out that data to have a hard-copy record which you can display at trial.
Create evidence of ongoing intrusions.
1. The law usually allows victims to use their computers to track an intruder's activity. Discuss this issue with your victim at the beginning of your investigation. At a minimum, ensure that the computer is configured to "time-stamp" each log-in and log-off for each account, and to record the terminal line or network address from which each session came.
Track damage to the victim.
1. Advise the victim to keep a log of the time employees spend responding to the intrusion. This includes time spent verifying that the intruder did not damage the computer and that the intruder has not left any "trap doors" behind.
Track the intruder.
1. Discuss with the victim whether the risk of damage from allowing the intruder to continue his attack on the system is so great that the victim must eject the intruder. Ejecting the intruder will usually end your investigation.
2. If the victim has the capability and inclination to do so, consider creating a "virtual sandbox" inside the victim's computer to contain the intruder.
3. If the intruder is using dial-up lines, obtain a court order allowing a trap and trace. (See below for ideas on what to do when the intruder is using the Internet.) Some states require a search warrant to authorize a trap and trace. The victim usually pays for the installation, and you should discuss this issue with the victim before drafting an order. File the order (or search warrant) under seal.
4. Arrange for the telephone company to install the trap and trace.
5. Assuming that your intruder attacks while your trap and trace is operating, match the calls "trapped" by the trap and trace against the logs of the victim's computer. Look for calls occurring at or about the time of the intrusion. (Remember that the
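The matching in step 5 is a comparison of two time-stamped records: the telephone company's list of trapped calls and the computer's log-in records. The following is an added illustration, not part of this manual. The record formats, telephone numbers, account names and times are all constructed for the example; real trap-and-trace reports and system logs have their own formats and must be parsed accordingly.

```python
"""Match trap-and-trace call records against the victim's login log.

Added example, not part of the original manual. Both record formats are
invented for illustration, and every record below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed trap-and-trace records: time the call was answered,
# duration in seconds, and the originating number as reported by the
# telephone company.
TRAP_AND_TRACE = """\
1994-03-12 02:14:07 1830 555-0142
1994-03-12 09:30:00  120 555-0199
1994-03-13 01:58:40 2400 555-0142
"""

# Constructed login/logout records from the victim's computer: time,
# event, account, and terminal line (dial-up lines are ttyd*, network
# sessions arrive on pseudo-terminals ttyp*).
LOGIN_LOG = """\
1994-03-12 02:14:31 LOGIN  guest  ttyd1
1994-03-12 02:44:10 LOGOUT guest  ttyd1
1994-03-12 09:31:05 LOGIN  jsmith ttyd0
1994-03-12 17:02:00 LOGIN  jsmith ttyp3
1994-03-13 01:59:12 LOGIN  guest  ttyd1
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_calls(text):
    """Return a list of {start, end, number} dicts from trap-and-trace lines."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, duration, number = line.split()
        start = datetime.strptime(f"{date} {time}", FMT)
        calls.append({"start": start,
                      "end": start + timedelta(seconds=int(duration)),
                      "number": number})
    return calls


def parse_logins(text):
    """Return a list of {time, event, account, line} dicts from the login log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event, account, tty = line.split()
        events.append({"time": datetime.strptime(f"{date} {time}", FMT),
                       "event": event, "account": account, "line": tty})
    return events


def correlate(calls, logins, skew=timedelta(minutes=2)):
    """Pair each LOGIN with any trapped call in progress at that moment.

    `skew` allows for the telephone company's clock and the victim's
    computer clock disagreeing by a small amount. Returns a list of
    (originating number, account, login time, terminal line) tuples.
    """
    matches = []
    for ev in logins:
        if ev["event"] != "LOGIN":
            continue
        for call in calls:
            if call["start"] - skew <= ev["time"] <= call["end"] + skew:
                matches.append((call["number"], ev["account"], ev["time"], ev["line"]))
    return matches


def count_by_number(matches):
    """How many matched logins each originating number accounts for."""
    return dict(Counter(m[0] for m in matches))


if __name__ == "__main__":
    found = correlate(parse_calls(TRAP_AND_TRACE), parse_logins(LOGIN_LOG))
    for number, account, when, tty in found:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {account:8s} {tty:6s} <- {number}")
    print(count_by_number(found))
```

In the constructed data, the number 555-0142 is on the line during both "guest" log-ins, which is the pattern the investigator is looking for; the 17:02 "jsmith" session on a pseudo-terminal matches no call because it came in over the network, which a telephone trap and trace cannot see. Record which clock each source used, and remember that an intruder with system privileges can edit the computer's own login records, which is one more reason to keep those records off the penetrated machine.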