computer's system clock may be anywhere from a few seconds to a few minutes "off" from the telephone company computer's system clock.)

6. Continue obtaining trap and trace orders as necessary to trace the intruder to the source of the phone calls.

7. If the intruder is using the Internet, seek assistance from the victim's Internet service provider. It may be able to track the intruder to the computer he is using. Arrange for the victim (or a consultant) to capture and examine the intruder's data packets for source/destination information.

8. Investigate whether the source of the intrusion as reported by the trap and trace or Internet service provider is the actual location of your intruder. Remember that intruders can route their calls through many different phone companies before reaching their target. They can also use accounts owned by others.

If the location returned by your trap and trace is an institution (e.g., a company or a university), contact that institution and seek assistance. If it is a residence, obtain records, such as utility bills, identifying the occupants of that residence. Consider checking whether your local school or police department is familiar with a juvenile living in the residence.

9. If the intruder is using dial-up lines, after obtaining the requisite order or search warrant, install a pen register on the location identified by your trap and trace. Use the results to:

Confirm that the intruder is using the telephone number(s) identified by your trap and trace. Remember to account for time zones if your intruder is dialing from out-of-state.

Determine whether the intruder is using a war dialer (look for dozens or hundreds of calls spaced every few seconds).

Identify other computers under assault by your intruder (look for numbers listed dozens or hundreds of times).

Identify the intruder's confederates, caches of stolen data, and pirate bulletin boards.

Arrest the intruder.

1. Prepare a search warrant for the intruder's location. You may find it easier to draft the warrant if you collect the following information before you begin:

Phone numbers for dial-in ports used by the intruder.

Passwords to the victim's computer system used by the intruder (make sure that the victim changes those passwords before you file the warrant).

The name of the account used by the intruder.

Information unique to the victim's computer system which you would expect the suspect to have downloaded to his computer, such as welcoming banners, the name of the victim, and even the name of the victim's computer (if named by its location, such as "Building 4 computer," or by number, such as "Computer X452").

Messages or commands sent by the intruder to the victim's computer system.

A description of software or data which you believe the intruder stole from the victim's computer system.

2. Consider whether you will be able to prove which occupant of that location is your intruder (e.g., which sibling or employee).

3. When obtaining a description of the residence to include in the search warrant, drive by the residence and look at the telephone line to make sure that it is not connected to an adjacent residence occupied by your intruder.

4. Arrange for a magistrate to sign the warrant.

5. Before serving the warrant, consider:

Do you have enough officers to allow the investigating officer to interview the suspect (after providing appropriate Miranda warnings)?

Are you better off serving the warrant when the suspect is not at home? If you are planning to "turn" the suspect into an informant, and are going to serve your warrant when he is not at home, determine his whereabouts in advance.

6. During the search, do not ignore the following items which may appear in plain view: