11 June 1999. Thanks to Anonymous.
Six pages of hardcopy, each page with fax heading "DOJ-AAG, CRIMINAL". From an appendix to the agenda of the next meeting of the G8 Subcommittee on High-tech Crime.
[Undated, apparently prior to April 30, 1999]
DOJ-AAG, CRIMINAL (distributed in Konigswinter)
[Flags of the G-8 Nations omitted]
** This exercise is intended to serve as a process to share information on specific procedural issues and investigative tools associated with the investigation of computer crime and computer forensic examinations. This exercise will not address individual considerations related to legal/policy issues associated with the various respondents. Distribution of the responses compiled as a result of this exercise should be strictly limited to government and law enforcement personnel tasked with the investigation of high-tech crime.
The exercise includes specific questions designed to encourage respondents to share investigative techniques. The questions should not limit respondents in sharing any tool or techniques not described in the exercise that have proven successful in actual circumstances such as specific hardware, software and domain name resources.
An internet service provider has reported a system failure as a result of hacking activity. The system consists of a network setup in a Windows NT environment. The owner of the victim company had provided copies of email messages containing information from the hacker as to his motives and the extent of the hacking activity.
Message #1: (Email from .edu site)
* Respondents should include sites specific in their country and teh tracing methods specific to those sites as an additional educational tool for investigators. For example, the Japanese provided a helpful suggestion to include information on other domain names with the same meaning as "ac.jp" in Japan.
Message #2: (Email from free email site (juno, hotmail, etc.) with attached encrypted Word document)
Message #3: (Email from anonymous remailer)
1) What investigative information is available from the header of each of these messages?
2) What tool(s) would you use to trace/identify the information?
a) List source software (tool) or internet site used to identify the email server.
3) The Word document attached to the second email requests a password when the attempt is made to open the document. How would you identify the method of encryption/password protection? The "Word" document was selected as a known type of software with a commercially available solution to break the password protection (Access Data Software). Please include any information regarding commercially or openly available software or techniques that have proven successful in completing analysis of password-protection or encrypted data.
4) You have discovered the document is encrypted/protected using the Microsoft Word proprietary option. How do you gain access to the clear text version of the file? (list software/hardware options utilized.)
5) To further identify future hacking activity, how would you advise the victim to record (keystroke monitoring/logging) additional activity as evidence? (List all software or network tools recommended.
*** (Second set of questions for a unix environment)
6) List the interview questions you would pose to the victim system administrator to provide investigative leads. (List the question and evidentiary value of the information requested.)
Your investigation has revealed that there was an internet site that posted information about the victim and informed visitors to the site that the victim was vulnerable to attack. How would you identify the source of the site? What information is available through internet tools about the site? (date of posting, number of hits at the site, etc.).
7) List all tools utilized to research this issue along with website addresses if applicable.
8) The investigation has led you to request the victim to communicate with the hacker via email to his hotmail account. How would you set up this communication to provide tracking data on the hacker?
9) The investigation has revealed that the suspect is using internet chat communications as well. How can you find more information about his use of this chat software? What information should you search for on the suspect's computer related to internet chat activity?
The investigation and tracking data has provided you with information that led to the preparation of a search warrant for the hacker's residence. Prior to executing the search warrant with the goal of seizing the hacker's computer equipment, answer the following questions:
10) What are the main points of the briefing you provide to all members of the search team?
11) What tools are taken to the warrant site to facilitate the seizure of the computer equipment and what procedures are utilized?
12) What questions are posed to the suspect at the time of the interview (and why)?
a) To provide information on the hacking activity;
b) To provide information that will assist you in searching the hacker's computer equipment.
As a result of the search, the following evidence was seized:
1 Hewlett Packard 400mhz desktop computer with the following configuration:2 hard drives -- ( 10 gig IDE Seagate and a 18 gig SCSI Maxtor)
128 mg RAM ["mg" as written]
3-1/2 floppy drive
36x CD rom drive
1 Compaq 266 mhz notebook computer with the following configuration:1 8-gig hard drive
96 mg RAM
3-1/2 floppy drive
36x CD rom drive
Iomega Zip Drive with 5 (100 mg) zip disks
Writeable CD Drive
8mm tapes with drive
13) The Hewlett Packard computer was found on and connected to an internet site at the time of the search. What did you do with it prior to seizing and transporting it to your office?
14) What precautions did you take to ensure this evidence was protected prior to transporting it to your office?
15) The evidence seized was turned over to your forensic specialists for examination.
a) The Hewlett Packard computer was found to be CMOS password protected. What steps did you take to examine the data on the two hard drives seized with this machine?
List all hardware and software used to process the computer and explain the steps taken. List vendors of all commercial software/hardware utilized and explain availability of any government-produced tools.Image Drives
Check for Virus Programs
Review Erased Files
Review Slack Space
Review Hidden Files
Review All File Content
Explain any capability utilized that expedites or improves accuracy of
review in light of the size of the hard drive
View Graphic Files
Review Contents of Temp Files
Review Internet Cache
(Additional Search Issues .....)
b) The Compaq laptop computer is found to be in an inoperable status. Would you attempt to repair the computer? If it is left in an inoperable status, what would you do to review the contents of the hard drive? (This question applies to techniques used to both to examine inoperable hard drives and inoperable computer system units.)
c) What procedures would you use to review the contents of the 150 disks?Image contents
d) What procedures would you use to review the contents of the CD's?
e) The zip disks are found to be password protected using Iomega's proprietary utility. What steps would you take to bypass that password, write-protect the data and review the data?
f) The tapes were found to contain backup files. What steps did you take to review the contents? Did you fully restore the data?
16) Provide an outline of the training provided to your forensic examiners.
17) Provide a list of working groups (domestic and international) or organizations your agency participates in with regard to computer forensics and computer crimes.
Respondents may also include investigative tools and techniques related to other forms of electronic evidence including but not limited to:
MacIntosh Computers (Imac)
Color copiers with printer interface
All responses to this exercise should be received not later than April 30th, 1999.
U.S. Secret Service
Attn: ATSAIC Mary Riley
1800 G Street, NW Room 942
Washington, DC 20223
The compiled set of all responses will be distributed at the May meeting of the High-Tech Subcommittee. Delegations may submit as many responses as desired. For example several law enforcement agencies from the United States will be asked to respond to the exercise.
[Flags of the G-8 Nations omitted]
Standard Request for Information
Provide the following information related to the account identified as:
(Provide complete detail related to the items checked)
|[ ] Email Address
[ ] Subscriber Data
[ ] Method of Payment
|[ ] Domain Name
[ ] Day of Account Activation
[ ] Has Account Been Used to
|[ ] IP Address/Range
[ ] Date/Amt of Last Payment
[ ] Are Web Site Hosting
|[ ] How long are opened/unopened email messages stored at your
[ ] Are there currently opened/unopened messages available for this subject?______________
|[ ] Is There Customer Complaint or Comment
Data Recorded About This Subscriber?
|[ ] Is There Any Information Available to
Relate this Subscriber to Others?
(Buddy Lists, Links, etc.)
|[ ] Provide Any Activity Logs Available to This Account for the
Begin Date/Time ________________________ End Date/Time _________________________
(Include Time Zone) (Include Time Zone)
Transcription and HTML by JYA/Urban Deadline.