Computer Intrusion Checklist

Here's a law-enforcement checklist for investigating unauthorized access to a computer system.

by / September 30, 1996
Questions for the victim:

1. Who has been notified of the intrusion?

Is the security division of the local telephone company aware of the intrusion?
If the intruder is using the Internet, who is the victim's local Internet service provider? Is that provider aware of the intrusion?
2. Information about the computer system:

What type of computer or computer system was accessed without authorization?
Is the computer used:
as a PBX?
for voicemail?
to store proprietary information?
3. Telephone connections:

Is the computer connected to external phone lines? What are the numbers for each of those lines?
Who is able to dial in on the line(s) used by the intruder?
Are those lines reserved for maintenance or other use which is not companywide? If reserved for maintenance, determine whether the intrusion is part of normal maintenance activity.
4. Computer security measures in place before the intrusion:

Does the system require a "log-on" identification?
Does the system require users to enter a password?
Are there restrictions on the type of password which users may select? If the password is reasonably secure (i.e., at least six characters long), it is likely the intruder is a current or former employee, knows an employee, or has obtained the password through "social engineering" of a gullible employee.
How often is that password changed? Knowing the date on which the password was last changed may narrow your field of suspects.
Does the computer allow different levels of access? The level of access gained by the intruder may provide information about the source of your problem, particularly if the intruder is a former employee.
How does the computer record when a user logs on and off the system? Make sure that the victim configures the computer to create logs, and stores those logs off the compromised system. If they are stored on the system, they should be encrypted.
Is the computer configured to record the commands typed by the intruder?
5. Information about the intrusion.

When did the intrusion begin?
How many calls has the intruder made? A series of attempts repeated every few seconds suggests a war dialer.
Does the intruder always use the same phone line? This pattern suggests that the intruder knows only that number. If employees know more than one number, your intruder may be a cracker (or a lazy employee).
Did anyone unsuccessfully attempt to access the computer within 30 days before the first intrusion? Unsuccessful attempts suggest an intruder guessing a password or probing for a security flaw. No prior attempts suggests that the intruder is a current or former employee, or a cracker who obtained the password by social engineering or by intercepting a password sent by an authorized user.
For each access:
What was the date and time of that call?
How long did the call last?
What account(s) was/were accessed?
Who are the authorized users who have access to that account? (Some companies allocate accounts for particular work groups which anyone in that group may access.)
Interviewing the authorized user:
Warning: Interviewing a group of employees who share a password may alert any intruder who is a fellow employee to your investigation.
Determine whether the authorized user is your intruder. Does the user have a motive to misuse the computer (e.g., a departing employee stealing proprietary information)?
Ask whether the authorized user disclosed his or her password to anyone, including seemingly authorized users (i.e., social engineering), or displayed the password on scraps of paper taped to the terminal or left in an unlocked drawer.
What is the victim's theory concerning how the intruder was able to access the computer? Consider some of the common security "holes":
Bad passwords.
Electronic mail. Specifically the sendmail program which handles electronic mail in most UNIX systems.
Telnet. If crackers have compromised the "calling machine," they can record the passwords typed in by users using that computer to call the victim's computer, thus intercepting those passwords for their own use.
TFTP and FTP. Owners may inadvertently place password files in these areas and lose them. Crackers may use the anonymous FTP area to penetrate into "the rest" of the computer. Finally, where the owner has allowed outsiders to place files in the anonymous FTP, crackers and others may store stolen data, illegally copied programs and pornography.
Network "spoofing." The victim's computer may have been fooled into believing that it is being "called" by another computer on the network.
If you suspect an employee (including a user whose account was penetrated), do you have records documenting which employees were at the victim's facility, and what they were doing?
What did the intruder do after gaining access?
Are there any new files that were not there before the intruder arrived? If the victim does not have computer security experts on staff, suggest that it hire a consultant to check for back doors, trojan horses, viruses, logic bombs, etc.
Gather the following evidence as soon as possible

(and after each intrusion).

1. All records of the unauthorized access.

Again, make sure that your victim keeps those records in a secure area of the computer, preferably encrypted. Also caution the victim not to use the computer to discuss the intrusion (i.e., by e-mail).
2. All records of system activity on the day (or within a few hours) of the access.

3. Backup tapes of the above.

Make an exact copy of that data in the form in which it existed in the computer (i.e., onto a backup tape). Make more than one copy if possible. You should also print out that data to have a hard-copy record which you can display at trial.
Create evidence of ongoing intrusions.

1. The law usually allows victims to use their computers to track an intruder's activity. Discuss this issue with your victim at the beginning of your investigation. At a minimum, ensure that the computer is configured to "time-stamp" each log-in and log-off for each account.

Track damage to the victim.

1. Advise the victim to keep a log of the time employees spend responding to the intrusion. This includes time spent verifying that the intruder did not damage the computer and that the intruder has not left any "trap doors" behind.

Track the intruder.

1. Discuss with the victim whether the risk of damage from allowing the intruder to continue his attack on the system is so great that the victim must eject the intruder. Ejecting the intruder will usually end your investigation.

2. If the victim has the capability and inclination to do so, consider creating a "virtual sandbox" inside the victim's computer to contain the intruder.

3. If the intruder is using dial-up lines, obtain a court order allowing a trap and trace. (See below for ideas on what to do when the intruder is using the Internet.) Some states require a search warrant to authorize a trap and trace. The victim usually pays for the installation, and you should discuss this issue with the victim before drafting an order. File the order (or search warrant) under seal.

4. Arrange for the telephone company to install the trap and trace.

5. Assuming that your intruder attacks while your trap and trace is operating, match the calls "trapped" by the trap and trace against the logs of the victim's computer. Look for calls occurring at or about the time of the intrusion. (Remember that the computer's system clock may be anywhere from a few seconds to a few minutes "off" from the telephone company computer's system clock.)

6. Continue obtaining trap and trace orders as necessary to trace the intruder to the source of the phone calls.

7. If the intruder is using the Internet, seek assistance from the victim's Internet service provider. It may be able to track the intruder to the computer he is using. Arrange for the victim (or a consultant) to capture and examine the intruder's data packets for source/destination information.

8. Investigate whether the source of the intrusion as reported by the trap and trace or Internet service provider is the actual location of your intruder. Remember that intruders can route their calls through many different phone companies before reaching their target. They can also use accounts owned by others.

If the location returned by your trap and trace is an institution (e.g., a company or a university), contact that institution and seek assistance. If it is a residence, obtain records, such as utility bills, identifying the occupants of that residence. Consider checking whether your local school or police department is familiar with a juvenile living in the residence.
9. If the intruder is using dial-up lines, after obtaining the requisite order or search warrant, install a pen register on the location identified by your trap and trace. Use the results to:

Confirm that the intruder is using the telephone number(s) identified by your trap and trace. Remember to account for time zones if your intruder is dialing from out-of-state.
Determine whether the intruder is using a war dialer (look for dozens or hundreds of calls spaced every few seconds).
Identify other computers under assault by your intruder (look for numbers listed dozens or hundreds of times).
Identify the intruder's confederates, caches of stolen data, and pirate bulletin boards.
Arrest the intruder.

1. Prepare a search warrant for the intruder's location. You may find it easier to draft the warrant if you collect the following information before you begin:

Phone numbers for dial-in ports used by the intruder.
Passwords to the victim's computer system used by the intruder (make sure that the victim changes those passwords before you file the warrant).
The name of the account used by the intruder.
Information unique to the victim's computer system which you would expect the suspect to have downloaded to his computer, such as welcoming banners, the name of the victim, and even the name of the victim's computer (if named by its location, such as "Building 4 computer," or by number, such as "Computer X452").
Messages or commands sent by the intruder to the victim's computer system.
A description of software or data which you believe the intruder stole from the victim's computer system.
2. Consider whether you will be able to prove which occupant of that location is your intruder (e.g., which sibling or employee).

3. When obtaining a description of the residence to include in the search warrant, drive by the residence and look at the telephone line to make sure that it is not connected to an adjacent residence occupied by your intruder.

4. Arrange for a magistrate to sign the warrant.

5. Before serving the warrant, consider:

Do you have enough officers to allow the investigating officer to interview the suspect (after providing appropriate Miranda warnings)?
Are you better off serving the warrant when the suspect is not at home? If you are planning to "turn" the suspect into an informant, and are going to serve your warrant when he is not at home, determine his whereabouts in advance.
6. During the search, do not ignore the following items which may appear in plain view:

Printouts containing phone numbers, credit card numbers, or any string of numbers which may be access codes. Also look for names of bulletin boards (BBSs) which may reveal data caches.
Pads of paper. In addition to strings of numbers and BBSs, look for passwords.
Evidence identifying the user of the computer (i.e., your intruder). Look for names inside manuals, or on labels affixed to floppy disks.
Evidence of confederates.
Magazines relating to cracking (e.g., 2600).
Computer manuals for the computer used by your victim.
7. Subject to Miranda, interview the suspect.

Ask him whether the computer you find on the premises is rigged.
If you are going to use your suspect to cooperate in investigating his friends, secure his cooperation immediately. A long delay (more than a day) before your "turned" suspect returns "online" may warn confederates that he is no longer their ally.
Kenneth S. Rosenblatt is a prosecutor in the Office of the Santa Clara County, Calif., District Attorney, and this checklist is excerpted from his book, High-Technology Crime: Investigating Cases Involving Computers (KSK Publications, 1995, 603 pp. plus diskette, $69.95; call 408/296-7072 for more information). The book offers step-by-step instruction in investigating crimes involving computers and searching, seizing and analyzing evidence stored within computers.

Here's a
checklist for
access to a
computer system.