For Incident Handlers and Other Information Security Professionals
Version 1.0 - Updated January 15, 2004
If we are going to turn the tide against computer attacks, the entire information security community must cooperate more effectively than ever before. The private sector, government agencies, and law enforcement must cooperate in responding to computer attacks. Yet, many security personnel aren't familiar with how to engage law enforcement effectively. For example, when should you call local or national law enforcement to help handle a case? How can you develop communication channels with law enforcement? This FAQ addresses these questions and more, with the goal of helping to foster communication with the law enforcement community. This project was developed as part of the SANS Institute's Cyber Defense Initiative (CDI). Each year, SANS polls the security community for ideas about CDI collaborative projects we can all use to help improve our security. Volunteers from around the world pour enormous amounts of effort to bring these projects to fruition, including this FAQ.
Disclaimers & Caveats
Although international cooperation with law enforcement is crucial, this document focuses on laws inside the United States. Work is ongoing regarding legal issues outside the US.
This document should not be construed as legal advice. It is designed to help incident handling, but does not supplant the need for solid legal counsel.
Law Enforcement FAQ
Should information security policies include incident-handling procedures for computer crimes?
Yes. A principal purpose of documented incident-handling procedures is to establish steps that further the preservation of potential evidence for later use by law enforcement. As with any crime, the proper collection of evidence is important, and poor incident response can result in the loss of evidence.
Incident-handling procedures will expedite the response to the incident. These procedures should identify critical personnel during and after the incident and specify the stage at which law enforcement should be contacted. Generally, law enforcement should be contacted as early as practicable after a security breach has been identified as a possible crime.
Finally, incident-handling procedures may also protect your organization from the loss of an insurance claim or a subsequent lawsuit. Some insurance companies may require immediate notification to law enforcement, or have procedures for computer crime incidents in place. Appropriate procedures may make a difference in the validity of your claim. In addition, clients who stored their data on your organization's systems may expect that you have a procedure in place for dealing with a computer crime incident. Failing to have such a procedure may prompt the client to seek legal action against you. These are just some of the many reasons why it can be valuable to include procedures for computer crime incidents in your security policies.
For additional information, please see the SANS SCORE incident forms at www.sans.org/score/incident-forms.
Are computer forensic evidence handling and analysis procedures helpful to business and law enforcement?
Yes. Electronic evidence is increasingly used in court. More than ever, organizations are aware of potential cybercrimes that may be subject to criminal prosecution. Insider misconduct, external attack, and fraud are only a few quick examples.
Proper computer forensic evidence handling and analysis procedures help ensure that the collected evidence may be admitted in court. In a criminal referral, law enforcement will normally conduct its own forensic analysis. However, careful evidence handling and collection, as defined in a comprehensive security policy and procedures, can help provide law enforcement with accurate and complete information.
Are there standardized guidelines or procedures for reporting an incident to law enforcement? If not, what information will I need to have ready to report?
There is no single proper way to report a suspected computer crime. However, many law enforcement agencies make it very easy to report suspected crimes. Some even include on-line reporting forms.
At the federal level, your local FBI or Secret Service field offices are your main contact points for computer and network security incidents.
When you report an incident, you should have the following available:
- Names, location, and purpose of the operating systems involved
- Names and location of programs accessed
- Highest classification of information stored in the systems
- Impact (compromise of information or dollar loss)
- How intrusion access was obtained, and how the attack was carried out
- Status of the attack
- Steps taken to mitigate or remediate
- Other organizations affected
- Potential suspects, such as outsiders or current or former employees/contractors
- Available evidence to assist in the investigation (e.g., logs, physical evidence)
An important part of this process is to develop a relationship with law enforcement prior to an emergency management situation. To develop such relationships, consider joining a local chapter of Infragard (www.infragard.net) or the High Technology Crime Investigation Association (HTCIA at www.htcia.org).
What type of access to evidence and key personnel should I expect upon the involvement of Law Enforcement?
Law enforcement needs access to personnel who have information about the incident and the relevant evidence. In a typical case, interviews by law enforcement investigators may take two or three hours per person, depending on how much the person knows. Prosecutors and investigating agents understand that they must be sensitive to the business operations of the victim. The investigation will always be conducted with these business concerns in mind. For more information on how law enforcement works with victims of computer intrusions, and guidelines for law enforcement, please refer to www.usdoj.gov/criminal/cybercrime/usamarch2001_6.htm.
Will law enforcement obstruct my business if I call them?
Law enforcement is trained to respond with a minimum of disruption to your business, and will take steps to keep sensitive business information confidential. Although, if a case goes to trial, evidence may necessarily become public, law enforcement can shape its charges and use other measures to keep public disclosure to a minimum.
Law enforcement's goal is not to obstruct your business. If you call law enforcement and cooperate with them, it is in their interest to minimize the impact on your business. In almost every case the impact on the business can be minimized with adequate planning and coordination.
How does law enforcement deal with the investigation of an active computer intrusion on a live network?
An active computer intrusion can provide significant investigative leads to law enforcement. At times, allowing the unauthorized connection to be maintained can provide key information to pursue prosecution. Law enforcement understands that victims may choose to terminate the connection of an active intrusion to protect network assets. However, with the cooperation of law enforcement, there may be alternative actions that both preserve investigative leads and protect the network. Victims should not instinctively kick attackers off the network without at least considering the alternatives (e.g., filtering, constructing a jail system) and the possible value of keeping the connection alive (e.g., understanding the depth of the intrusion, inventorying impacted systems, determining motives and methods).
How do I maintain the proper chain of custody of my electronic evidence?
Chain of custody is a legal term that describes the collection, transportation, and storage of evidence to prevent alteration, loss, physical damage, or destruction. The goals of a chain of custody policy are accountability and appropriate handling and storage of the evidence.
It may be helpful to have a policy that defines requirements, responsible parties, and procedures to be followed when potential evidence is collected.
Each individual in the chain should understand that he or she is responsible for an item of evidence. This responsibility includes its safekeeping while under his or her control until it is properly released to another authorized person. This control can be accomplished through physical means, such as secure packaging and locked storage areas with mandatory access logs, or electronically, such as making exact digital copies, signing and/or hashing data files, and transmitting them through secure private channels. Note that these measures should be conducted so that no change is made to the evidence (or the copy).
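As an added example (not part of the original FAQ), the Python below implements the electronic side of the chain of custody described above: it hashes an evidence file when it is collected, re-hashes it at every hand-off, and keeps a timestamped log of who held the item. The class name `CustodyLog`, the case identifier, the handler names, and the sample log lines are assumptions constructed for the example; the hash algorithm (SHA-256) is a common choice but not one the FAQ prescribes.

```python
"""Chain-of-custody helper for a digital evidence file (added example, not the FAQ's own code)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (used for small samples and for tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so a large disk image need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Records who held an evidence item and re-hashes it at every hand-off.

    Each entry carries a UTC timestamp, the handler, the recipient (for transfers),
    and the digest computed at that moment, so any later alteration shows up as a
    mismatch against the digest taken at collection time.
    """

    def __init__(self, evidence_path, case_id, collected_by, algorithm="sha256"):
        self.evidence_path = Path(evidence_path)
        self.case_id = case_id  # assumed identifier format; use your organization's own
        self.algorithm = algorithm
        self.entries = []
        # The digest taken at collection is the reference value for all later checks.
        self.original_hash = self._record("collected", collected_by, None)["digest"]

    def _record(self, action, handler, recipient):
        digest = hash_file(self.evidence_path, self.algorithm)
        entry = {
            "case_id": self.case_id,
            "item": self.evidence_path.name,
            "action": action,
            "handler": handler,
            "recipient": recipient,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "algorithm": self.algorithm,
            "digest": digest,
        }
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler, to_handler):
        """Log a hand-off; returns True if the item is unchanged since collection."""
        entry = self._record("transfer", from_handler, to_handler)
        entry["intact"] = entry["digest"] == self.original_hash
        return entry["intact"]

    def verify(self):
        """Re-hash the item and compare it against the collection-time digest."""
        return hash_file(self.evidence_path, self.algorithm) == self.original_hash

    def to_json(self):
        """Serialize the log so it can travel with the evidence (e.g. as a sidecar file)."""
        return json.dumps({"case_id": self.case_id, "entries": self.entries}, indent=2)


def demo():
    """Walk a constructed evidence file through collection, one hand-off, and an alteration."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "webserver-access.log"
        # Constructed sample log lines; not real data (203.0.113.0/24 is a documentation range).
        evidence.write_bytes(
            b'203.0.113.7 - - [15/Jan/2004:10:04:31 -0500] "GET /admin HTTP/1.0" 403 212\n'
            b'203.0.113.7 - - [15/Jan/2004:10:04:33 -0500] "GET /cgi-bin/test HTTP/1.0" 404 198\n'
        )
        log = CustodyLog(evidence, case_id="CASE-PLACEHOLDER-001", collected_by="handler-a")
        intact_after_transfer = log.transfer("handler-a", "handler-b")
        # Simulate an accidental modification while in custody (e.g. the file was opened and saved).
        with open(evidence, "ab") as f:
            f.write(b"\n")
        intact_after_tamper = log.verify()
        return {
            "intact_after_transfer": intact_after_transfer,
            "intact_after_tamper": intact_after_tamper,
            "entry_count": len(log.entries),
            "log_json": log.to_json(),
        }


if __name__ == "__main__":
    result = demo()
    print(result["log_json"])
    print("intact after transfer:", result["intact_after_transfer"])
    print("intact after alteration:", result["intact_after_tamper"])
```

Running the file prints the custody log as JSON, reports that the item was intact at the hand-off, and reports that it no longer matches after the simulated alteration. In practice the log would be written next to the evidence copy and the digest cross-checked by the receiving party before they sign for the item; hashing the original and working only on copies is what keeps the "no change to the evidence" requirement satisfied.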
What is admissible evidence in court?
Although it would be impossible to define exactly what is admissible in a certain court in any given situation, it is important to note that business records, including computer records, are generally admissible in court. A business record is any record or memorandum made at or near the time in the course of a regularly conducted activity of the business. Business records could include computer logs, incident reports, and written policies. Therefore, make sure you gather and archive such information in the normal course of conducting business.
What are the federal, state, and local law enforcement agencies that I may contact?
Law enforcement in the United States operates at three levels: local (e.g., a city police department or a county sheriff's office), state, and federal.
Many local police departments have robust electronic crimes programs. Your local police department or sheriff's office is equipped to deal with the non-technical aspects of electronic crime and can provide contacts to state or federal law enforcement. Most state police departments have good contacts with colleges and universities.
At the federal level, the Federal Bureau of Investigation and the United States Secret Service each has full-time agents who specialize in electronic crimes, including investigation, forensics, and prevention strategies. These two agencies also have valuable contacts with other resources, as well as foreign law enforcement, including through INTERPOL.
You do not need to be concerned about jurisdictional issues among various law enforcement agencies. After the incident is reported, the report will be routed so that the appropriate agency will conduct the investigation. Established relationships with each level of law enforcement will be invaluable during and after an incident.
Phone numbers for all three levels of law enforcement will be in the front of your phone book. Local offices of the US Secret Service and FBI can also be located online at www.secretservice.gov/field_offices.shtml and www.fbi.gov/contact/fo/fo.htm.
If you elect to report to multiple agencies, try to obtain the case number and assigned contact person. Share this information regarding each agency with the other agencies. Each agency normally will contact the other agencies to determine who will lead the investigation and coordinate the prosecution (at times, a single crime will be pursued concurrently in different judicial jurisdictions).
Should I report a computer crime to law enforcement, and if so, at what stage of an investigation?
Computer-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, or federal levels. Citizens who are aware of federal crimes should report them to local offices of federal law enforcement.
Part of security awareness training should instill that sharing information with law enforcement can help prevent future incidents. Reporting computer crime furthers two business interests: deterrence and restitution. Deterrence can be both specific in that the attacker who is convicted is no longer a threat, and general because other attackers will be less likely to attack a company with a reputation for reporting incidents. In addition, reporting computer crime may increase the likelihood of restitution from attackers or payment of claims made under insurance policies that may cover security incidents.
What guidelines should be provided to employees in case they are personally contacted by law enforcement as part of an incident investigation?
Your incident response policy should explicitly identify who will serve as the contact for law enforcement investigations. Your employees should be trained so that, if any of them are contacted by law enforcement, they involve this centralized contact within your organization immediately. There may be corporate policies in place that the legal department will need to review regarding the data you provide.
If confidential business information is involved in the incident, will law enforcement take any efforts to preserve its confidentiality during the investigation? During any subsequent prosecution?
Law enforcement carefully and securely stores evidence collected, including business information. Law enforcement is trained to keep sensitive information confidential. Although evidence may be revealed publicly if an investigation leads to a prosecution and trial, law enforcement can take steps to define the charges in a manner that minimizes disclosure.
How do I identify and preserve the crime scene or crime scenes in computer crime incidents?
Computer crime scenes vary from case to case. The investigator needs to assess the type of crime and the potential for evidence related to the crime. The investigator can then determine what is important to the case and what evidence needs to be collected. At the scene of an incident involving computers the obvious items of interest are the computers, the peripherals and any storage media.
Preserving the crime scene involves ensuring that evidence is not altered or lost. In the area of digital evidence, the National Institute of Justice (NIJ) has produced a guide for First Responders. This document provides investigators with a guide to the computer crime scene. The NIJ guide can be found at www.ojp.usdoj.gov/nij/pubs-sum/219941.htm.
How long do I need to retain evidence?
There is no federal legal rule that requires a business to keep evidence for a prescribed length of time. Normally, law enforcement will keep its copies of evidence associated with a prosecution for a stipulated period. However, this should not affect a company's decision to keep or not keep material that was used as evidence in a prosecution. Generally, the statute of limitations for a computer crime is five years, which may be used as a guide for corporate document retention policies.
- Charles Hornat, Project Lead
- Richard Salgado, Project Lead
- Anthony Teelucksingh, Project Coordinator
- Ed Skoudis, Project Coordinator
- Rohan Amin
- Bill Anderson
- Stephen Bradley
- Don Burlack
- Tom Conley
- Shawn Duffy
- Gary Hall
- Lance Hawk
- Scott Higgins
- Marc Hodies
- Mike Horner
- Joe Juchniewicz
- Steve Karrick
- John Mason
- Kenneth Newman
- Eric Niewoehner
- Patrick Nolan
- Joseph Ponnoly
- Michaela Poole
- Anthony Reyes
- Andrew Rourke
- Todd Sharp
- Robert Shaw
- Todd Shipley
- David Smith
- Kirsty Still
- William Tatun
- David Thompson
- Bret Watson
- Frazier Young