                              Phrack #64 file 10

                     Know your enemy: facing the cops

                                 By Lance

The following article is divided into three parts. The first and second parts are interviews done by The Circle of Lost Hackers. The people interviewed are busted hackers. Through their experiences you can learn how the cops work in each of their countries. The last part of this article describes how a Computer Crime Unit proceeds to bust hackers. We know that this article will probably help more policemen than hackers, but if hackers know how the cops proceed they can counter them. That's the goal of this article. Have a nice read.

(Hi Lance! :)

------------------------------------------

Willy's interview

Hi WILLY, can you tell us who you are, what your nationality is, and what your daily job is?

Hi. I'm from Germany. I actually finished law school.

-- QUESTION: Can you tell us what kind of relationship you have with the police in your country? In some other European countries the law is hardening these days; what about Germany?

Well, due to the nature of my finished studies, I can view the laws from a professional point of view. The laws about computer crime have not changed for years, so you can't say they are getting harder. What we can say is that, due to 9/11/01, some privacy laws got stricter.

-- QUESTION: Can you explain to us what kind of privacy laws got stricter?

Yeah. For example, all universities have to point out students who are Muslim, between 20 and 30, not married, etc., so the police can do a screen search. Some German courts said this is illegal, some said not. The process is ongoing, but the screen searches haven't had much result yet. On the other hand, we have pretty active privacy-protection people ("Datenschutzbeauftragte") who are trying to get privacy written into the constitution as a fundamental right.
So, the process is like this: we have certain people who want a stricter privacy law, e.g. observation by video cameras in public places (which does already happen in some places). But, again, we have active people in the country who work against these kinds of observation methods. It's not really decided whether the surveillance is getting stronger. What is getting stronger are all these DNA tests now for certain kinds of crimes, but it's still not the case that every convicted person is in a DNA database, luckily.

-- QUESTION: Do you have the feeling that computer-related law is stricter since 09/11/01?

Definitely not.

-- QUESTION: Did these non-computer-related enforcements happen since the Schroeder re-election?

Nope. These enforcements ("Sicherheitspaket") happened after 9/11. The re-election of Schroeder had nothing to do with the enforcements. On one hand, ISPs have to keep the logfiles of dial-in IPs for 90 days. But the federal ministry of economics and technology is supporting a project called "JAP" (Java Anonymous Proxy) to realize anonymous, unobservable communication. I don't know the details, but I'm pretty sure the realization of JAP is not ok with the actual laws in Germany, because you can surf really completely anonymously with JAP. This does not correspond with the law to keep the logfiles. I don't know. From my point of view, even though I (of course) like JAP, it is not compatible with current German law. But it's supported by a federal ministry. That's pretty strange, I think. Well, we'll see. You can get information about this at http://anon.inf.tu-dresden.de/index_en.html .

-- QUESTION: Now that we know a bit more about the context, can you explain to us how you got into hacking, and since when you have been involved in the scene?

Well, how did I get in contact with the scene? I guess it was the way pretty many people started. I wanted to have the newest games, so I talked to some older guys at my school, and they told me to get a modem and call some BBS. This was, I guess, 1991.
You need to know that my hometown, Berlin, was pretty active with BBSes, due to a political reason: local calls only cost 23 Pf. That was a special thing in West Berlin during the cold war. I can't remember when it was abolished. But so there were many BBSes in Berlin due to the low costs. Then, a short time after, I got in contact with guys who always got the newest stuff from the USA/UK onto the BBSes, and I thought "wham, that must be expensive". It didn't take a long time until I found out that there are ways to get around this. Also, I had a local mentor who introduced me to blueboxing and all the neat stuff around PBXes, VMBs and stuff.

-- QUESTION: When did you start to play with TCP/IP networks?

I think that was pretty late. I heard that some of my overseas friends had a new way of chatting: no chat on BBSes anymore, but on IRC. I guess this was in 1994. So I got some information, some accounts at a local university, and I only used "the net" for IRCing.

-- QUESTION: When (and why) did you get into trouble for the first time?

Luckily, I only got into trouble once, in 1997. I got a visit from four policemen (with weapons), who had a search warrant and did search my house. I was accused of espionage of data; that's how they call hacking here. They took all my equipment and stuff and it took a long time until I heard from them again for a questioning. I was at the police several times. The first time, I think after 6 months, was due to a meeting with the state attorney and the policemen. This was just a meeting to see if they can use my computer stuff as proof. It was like they switched the computer on, the policeman said to the attorney "this could be a log file" and the attorney said "ok, this might be proof". This went on for all CDs and at least 20 papers with notes ("this could be an IP address", "this could be a l/p", etc.). Of course, the attorney didn't have much knowledge, and I lost my notes with phone numbers on them ("yeah, but it could be an IP").
However, this was just a mandatory meeting, because I denied everything and didn't allow them to use any of the stuff, so there has to be a judge or an attorney to see if the police took things that can be proof at all. The second time I met them was for the crimes in question. I was there for a questioning (more than 2 years after the raid, and almost 3 years after the actual date when I should have done the crime).

-- QUESTION: How long did you stay at the police station just after your first search?

The first time, that was only 15 minutes. It was really only to see if the police took the correct stuff. E.g. if they had taken a book, I would have to get it back, because a book can't have anything to do with my accused crime (except if I had written IP numbers in that book, hehe).

-- QUESTION: What about the crime itself? Did you earn money or make people effectively lose money by hacking?

No, I didn't earn any money. It was just for fun, to learn, and to see how far you can push a border; see what is possible, what's not. People didn't lose any money either.

-- QUESTION: How did they find you?

I still don't really know how they found me. The accused crime was (just) the unauthorized usage of dial-in accounts at one university. Unluckily, it was the starting point of my activities, so I was a bit scared at first. You have to dial in somewhere, and if that facility busts you, it could have been pretty bad. At the end, after the real questioning and after I got my fine, they had to drop ALL accusations of hacking and I was only guilty of having 9 warez CDs.

-- QUESTION: Were you dialing from your home?

Yeah, from my home. But I didn't use ISDN or have caller ID on my analog line, and it is not ok to tap a phone line for such a low-profile crime as hacking here in Germany. So, since all hacking accusations got dropped, I didn't see what evidence they had, or how they got me at all.

-- QUESTION: Can you tell us more about the policemen? What kind of organisation busted you?
It was a special department for computer crime organized by the state police, the "Landeskriminalamt" (LKA). They didn't know much about computers at all, I think. They didn't find all the logfiles I had on my computer, they didn't find my JAZ disks with passwd files, they didn't find passwd files on my computer, etc.

-- QUESTION: Where did they bring you after being busted at the raid, and the second time for the interview?

After the raid, I could stay at home! For the interview, I went to the headquarters of the LKA, into the rooms of the computer crime unit: a simple room with one window, a table and chair, and a computer where the policeman himself typed what he asked and what I answered.

-- QUESTION: Have you heard interesting conversations between cops when you were in there?

Hehe, nope. Not at all. And, of course, the door to the questioning room was closed when I was questioned, so I couldn't hear anything else. I was interviewed by only one guy, a "Polizeihauptkommissar", no military grade, only a captain as explained at http://police-badges.de/online/sammeln/us-polizei.html .

Another thing about the raid: they rang normally, nothing with bashing the door. If my mother hadn't opened the door, I would have had enough time to destroy things. But unluckily, as most Germans, she did open the door when she heard the word "police", hehe.

I did not have a trial; I accepted an "order of summary punishment" (this is the technical term I looked up in the dictionary :-) ). This is something that a judge decides after he has all the information. He can open a trial or use this order of summary punishment. They mail it to you, and if you don't say "no, I deny" within one week, you have accepted it :-) When you deny it, THEN you definitely decide to go to court and have a trial.

-- QUESTION: Do you advise hackers to accept it?

You can't generally give advice about that.
In my case, I found it important that I do not have any crime record at all and that I count as a "first offender" if I ever have a trial in the future. So with that acceptance of the summary, I knew what I get, which was acceptable for my case. If you go to court, you can never know if the fine will be much higher. But you can't generalize it. If it's below "90 Tagessaetze" (over 90 you get a crime record), I guess I would accept it, but again, better go to a lawyer you trust :-)

-- QUESTION: Can you compare the LKA with an American and/or European organisation? What is their activity if they are not skilled with computers?

Mmmm, every state within Germany has its special department called LKA. It's not like the FBI (that would be the BKA), but it would be like a state in the USA, say Florida, having a police department for the whole of Florida which does all the special stuff, like organized crime. Computer crime in Germany belongs to economic crime, and therefore the normal police isn't the correct department, but the LKA. By the way, I heard from different people that they are more skilled now. But at that time, I think only one person had an idea about UNIX at all. I know that the BKA has a special department for computer crime, because a friend of mine got visited by the BKA, but most computer crime departments here are against child porn. I don't think that too many people get busted for hacking in Germany at all. They do bust child porn, they do bust warez guys, they do bust computer fraud related to telco crimes. But hacking, I don't know lots of people who had problems for real hacking, except one guy.

-- QUESTION: Are there special services in your country who are involved in hacking?

Special services? What do you mean, like the CIA? Hehe?! We have the BND (counter-spying), MAD (military spying), Verfassungsschutz (inland spying), but I don't think we have a service that is concentrating on computer crime. What we do have is a lot of NSA (Echelon) stations from the US.
I guess because of the cold war we're still pretty much under the supervision of these services :-) So the answer is: we don't have such services, or they work so secretly that no one knows, but I doubt this in Germany, hehe.

-- QUESTION: Except for the crime they charged you with, did you have any relations with the police (phone calls, non-related interview, job proposition)?

Hehe, no, not at all.

-- QUESTION: What kind of information was the police asking you during your interview? Were they asking for non-crime-related information (like: who are you chilling with, etc.)?

Yeah, that was the part they were most interested in! They had printed my /etc/passwd and said "that's your nick, right?". I didn't say anything to that whole complex, but they continued, and I mean, if you have one user in your /etc/passwd, it is pretty easy to guess that's your nick. So, they had searched the net for that nick and found a page maintained by some hackers who formed some kind of crew. They had printed the whole website of that crew, pointing out my name everywhere it appeared. They tried to play the good-cop game, the "you're that cool dude there, eh?" etc. I didn't say anything again. It took several minutes, and they wanted to pin-point me as using this nick they found in /etc/passwd and as being a member of that group whose webpage they had printed. They knew that there was a second hacker at that university. They asked me all the time if I knew him. I don't know why he had more luck. Of course I did know him; it was my mate with whom I did lots of the stuff together.

-- QUESTION: You didn't say anything? How did they accept this?

Hehe. They had to accept it. I think that's in most countries: if you are accused, you have the right to say nothing. I played an easy game: I accepted having copied the 9 CDs, because the CDs are proof enough anyway, and then the cops were happy. I didn't say anything to that hacking complex, which was way more interesting for them.
I thought "I have to give them something, if I don't want to go before court". I said "I did copy that Windows CD", so they have at least something.

-- QUESTION: Did you feel some kind of evolution in your relation with the police? Did they try to be friends with you at some point?

Yeah, they did try to be friends at several stages.

a) At the raid. My parents were REALLY not amused, I think you can imagine that: having policemen sneaking through your clothes, your bedroom, etc. So, they noticed my mom was pretty nervous and "at the end". They said "make it easy for your mother, be honest, be a nice guy, it's the first time, tell us something ...". (Due to my starting law school at that time, I of course knew that it's the best thing to stay calm and say nothing.)

b) At the questioning, of course. After I admitted the warez stuff, they felt pretty good, which was my intention. They allowed me to smoke, and stuff like that. When it came to hacking, and I didn't say anything, they continued to be "my friend", and tried to convince me "that it's easier and better if I admit it, because the evidence is so high". They were friendly all the time, yeah.

-- QUESTION: What do you think they really knew?

They definitely knew I used unauthorized dial-in accounts at that university, they knew I was using that nick, and that I am a member of that hacking group (nothing illegal about that, though). I was afraid that they might know my real activities, because, again, that university was JUST my starting point, so all I did there was use accounts I shouldn't use. That's no big deal at all, dial-ins. But I didn't know what they knew about the real activities after the dial-in, so I was afraid that they knew more about this.

-- QUESTION: Did they know personal things about the other people in your hacking group?

Nope, not at all.

-- QUESTION: How skilled are the forensics employed by the German police in 2002?

Huh, I luckily don't know.
I read that they do have some forensic experts at the BKA, but the LKA, which usually does the busting, isn't very skilled, in my opinion. They have too few people to cover all the computer crimes. They work on low money with old equipment, and they use much of their time to go after kiddie porn.

-- QUESTION: How did the police perceive your group? (A front-side German hacking group you guys all know.)

I think they thought we're a big active crew which does hacking, hacking and hacking all the time. I guess they wanted to find out if we earn money with that, e.g., or if we're into big illegal activities. Because, of course, it might be illegal just to be a member of an illegal group, like organized crime.

-- QUESTION: On the other hand, what do you think the other hacking crews think about your group?

We and other hackers saw us as a group which shares knowledge, exchanges security-related information, has nice meetings, finds security problems and writes software to exploit those problems. I definitely did not see us as an organized hacking group which earns money, steals stuff or makes other people lose money, but, I mean, you can't know what a group really does just from visiting a webpage and looking at some papers or tools.

-- QUESTION: Are the troubles over now?

Yeah, troubles are completely over now. I got a fine, 75 German marks per CD, so I had to pay around 800 German marks. I am not previously convicted, no crime record at all. No civil action.

-- QUESTION: Now that the troubles are over, do you have some advice for hackers in your country, to avoid being busted, or to avoid having troubles like you did?

Hehe, yeah, in short:

a) Always encrypt your ENTIRE hard disk.

b) Do NOT own any, I repeat, any illegal warez CD. Reason: any judge knows illegally copied CDs. He understands that. So, like in my case, you get accused of hacking and you end up with a fine for illegal warez. That's definitely not necessary.
And, furthermore, you get your computer stuff back MUCH easier and faster if you don't have any warez CD. Usually, they can't prove your hacking. But warez CDs are easy.

c) Do not tell ANYTHING at the raid.

d) If you are really in trouble, go to a lawyer after the raid.

-- Thanks for the interview WILLY!

De nada, you are welcome ;)

------------------------------------------

Zac's interview

Hello Zac, nice to meet you.

Hi new staff, how's life?

-- QUESTION: Can you tell us what kind of relationship you (as a hacker) have with the police in your country?

I live in France; as a hacker I never had trouble with justice. In my country, you can have trouble if you are a stupid script kiddie (most of the time), or if you disturb (even very little) the intelligence services. Actually we have very present special services inside the territory, whereas the police itself is too dumb to understand anything about computers. Some special non-technical group called BEFTI usually deals with big warezers, dumb carders, or people breaking into businesses' PABXes and doing free calls from there, and stuff like that.

-- QUESTION: Explain to us how you got into hacking, since when you have been involved in the scene, and when you started to play with TCP/IP networks.

I started quite late in the 90s when I met friends who were doing warez and trying to start with hacking and phreaking. I have only a few years of experience on the net, but I learnt quite fast, being always behind the screen, and now I know a lot of people, all around the world, on IRC and IRL. Besides this, I had my first computer 15 years ago, owned many Intel-based computers, from 286 to Pentium II. I have now access to various hardware and use these resources to code. I used to share my work with other people (both whitehats and blackhats), I don't hide myself particularly and I am not involved in any kind of dangerous illegal activity.

-- QUESTION: When did you get into trouble for the first time?
Last year (2001), when the DST ('Direction de la Surveillance du Territoire', French inside-territory intelligence service) contacted me and asked if I was still looking for a job. I said yes and accepted to meet them. I didn't know it was the DST at that time, but I caught them using Google ;) They first introduced themselves as being from the 'Ministere de l'Interieur', which is basically the ministry in charge of police coordination and inside-territory intelligence services. In another, later interview, they told me they were the DST. I'll call them 'the feds'.

-- QUESTION: How did they find you?

I still have no idea; I guess someone around me told them about me. When I asked, they told me it was from one of the various (very few) businesses I had contacted at that time. Take care when you give your CV or anything: keep it encrypted when it travels on the net, because they probably sniff a lot of traffic. I also advise marking it in a different way each time you give it, so that you can know from where it leaked using SE on the feds.

-- QUESTION: Can you tell us more about the organization?

Some information about them has already been disclosed in French electronic fanzines like Core-Dump ('92) and NoWay ('94), both written by NeurAlien. I heard he got mad problems because of this; I don't really want to experience the same stuff.

-- QUESTION: Are there other special services in your country who are involved in hacking?

Besides the DST, there is the DGSE ('Direction Generale de la Securite Exterieure'); these guys mostly focus on spying, military training, and information gathering outside the territory. There are also the RG ('Renseignements Generaux', trans.: General Information), a special part of the police which is used to gather various information about every sensitive event happening. The rumor says there's always 1 RG in each public conference, meeting, etc., and it's not very difficult to believe.

-- QUESTION: Can you compare the organization with an equivalent one in another country?
Their tasks are similar to the CIA's and NSA's, I guess. The DST and DGSE also used to deal with terrorists and big drug trafficking networks; they do not target hackers specifically, their task is much larger since they are the governmental intelligence services in France.

-- QUESTION: Is the DST skilled with computers?

They -seem- quite skilled (not too much, but probably enough to bust a lot of hackers and keep them on tape if necessary). They also used to recruit people in order to experiment with all the new hacking techniques (wireless, etc.). However, I feel like their first job is learning information; all the technical stuff looks like a hook to me. Moreover, they pay very badly; they'll argue that having their name on your CV will increase your chances of getting highly paid jobs in the future. Think twice before signing, this kind of person has a very strong tendency to lie.

-- QUESTION: What kind of information did they ask during the interviews?

The first time, it was 2 hours long, and there were 2 guys. One obviously understood a bit about hacking (talking about protocols, reverse engineering; he had assimilated the vocabulary at least), the other one didn't know the difference between an exploit and a rootkit, and was probably the 'nice fed around'. They asked everything about myself (origin, family, etc.), one always taking notes, both asking questions, trying to appear interested in my life. They asked everything from the start to the end. They asked if the official activity I have right now wasn't too boring, who were the guys I was working with, in what kind of activity I was involved, and the nature of my personal work. They also asked me if I was aware of 0day vulnerabilities in widely-used software. I knew I had not to tell them anything, and to try to get as much information about them during the interview. You can definitely grab some if you ask them questions.
Usually, they will tell you 'Here I am asking the questions', but sometimes if you are smart, you can guess from where they got the information, what their real technical skill level is, etc. At the end of the interview, they'll ask what they want to know if you didn't tell them. They can ask about groups they think you are friends with, etc. If you just tell them what is obviously known (like, 'oh yeah, I heard about them, it's a crew interested in security, but I'm not in that group') and nothing else, it's ok.

-- QUESTION: What do you think they really knew?

I guess they are quite smart, because they know a lot of stuff, and ask everything as if they didn't know anything. This way, they can spot if you are lying or not. Also, if you tell them stuff you judge irrelevant, they will probably use it during other interviews, in order to guess who you are linked to.

-- QUESTION: Are the troubles over now?

I hope they will leave me where I am; anyway I won't work for them. I told a few friends of mine about it and they agreed with me. Their mind changes over time and government; I highly advise -NOT- to work for them unless you know EXACTLY what you are doing (you are a double agent or something, lol).

-- QUESTION: Do you have some advice for hackers in your country, to avoid being busted, or to avoid having troubles?

Don't have a website, don't release shit, don't write articles, don't do conferences, don't have a job in the sec. industry. In short: it's very hard. If they are interested in the stuff you do and hear about it, they'll have to meet you one day or another. They will probably just ask more about what you are doing, even if they have nothing against you. Don't forget you have the right to refuse an interview and refuse answering questions. I do not recommend lying to them, because they will guess it easily (don't forget information leakage is their job).
I advise all hackers to talk more about feds in their respective groups because it helps not getting fucked. Usually they will tell you before leaving 'Don't forget, all of this is CONFIDENTIAL'; it is just their way to tell you 'Okay, thanks, see you next time!'. Don't be impressed, don't spread information on the net about a particular guy (targeted hacker, or fed), you'll obviously have trouble because of it, and it's definitely not the good way to hope for better deals with feds in the future.

To FEDS: do not threaten hackers and don't put them in jail, we are not terrorists. Don't forget, we talk about you to each other, and jailing one of us is like jailing all of us.

Thanks Zac =)

At your service, later.

------------------------------------------

Big Brother does Russia

by ALiEN Assault

This file is a basic description of Russian computer-law-related issues. Part 1 contains information gathered primarily from open sources. As these sources are all Russian, the information may be unknown to those who don't know the Russian language. Part 2 consists of instructions on computer crime investigation: raid guidelines and exploration of the suspect's system.

0 - DISCLAIMER
1 - LAW
  1.1 - Basic Picture
  1.2 - Criminal Code
  1.3 - Federal Laws
2 - ORDER
  2.1 - Tactics of Raid
  2.2 - Examining a Working Computer
  2.3 - Expertise Assignment

--[ 0. DISCLAIMER.

INFORMATION PROVIDED FOR EDUCATIONAL PURPOSES ONLY. IT MAY BE ILLEGAL IN YOUR COUNTRY TO BUST HACKERS. IT MUST BE ILLEGAL AT ALL. THERE ARE BETTER THINGS TO DO. EXPLORE YOURSELF AND THIS WORLD. SMILE. LIVE.

--[ 1. LAW.

----[ 1.1. Basic Picture.

Computer-related laws are very much drafts and poorly describe what they are about. It seems that these are simply rewritten instructions from 60's *Power Computers* that took a truck to transport. Common subjects of lawsuits include carding, phone piracy (mass LD service thievery) and... hold your breath... virii-infected warez trade.
Russia is a real warez heaven: you can go to about every media shop and see lots of CDs with warez, and some even have "CRACKS AND SERIALS USAGE INSTRUCTIONS INCLUDED" written on the front cover (along with "ALL RIGHTS RESERVED" on the back)! To honour the pirates, they include all .nfo files (sometimes from the 4-5 BBSes the warez was couriered through). It is illegal but not prosecuted. Only if the warez are infected (and some VIP bought them and messed his system up) do shop owners face legal problems.

Hacking is *not that common*, as cops are rather dumb and bust mostly script kiddies for hacking their ISPs from home or sending your everyday trojans by email.

There are three main organisations dealing with hi-tech crime: FAPSI (Federal Government Communications and Information Agency, a mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for department of computer and information security) and UPBSWT MVD (hi-tech crime fightback dept.), which incorporates the R unit (R for radio: busts ham pirates and phreaks).

The FSB (secret service) also runs NIIT (IT research institute). This organisation deals with encryption (reading your PGPed mail), examination of malicious programs (revealing Windoze source) and restoration of damaged data (HEX-editing saved games). NIIT is believed to possess all seized systems, so they have the tools to do the job.

UPBSWT has a set of special operations called SORM (operative and detective measures system). The media describe this as an Echelon/Carnivore-like thing, but it also monitors phones and pagers. Cops claim that SORM is active only during major criminal investigations.

----[ 1.2. Criminal Code.

Computer criminals are prosecuted according to these articles of the Code:

- 159: Felony. This is mostly what carders have to do with, accompanied by caught-in-the-act social engineers. Punishment varies from a fine (minor, no criminal record) to a 10-year prison term (organized and repeated crime).

- 272: Unauthorized access to computer information.
An easy case will end up in a fine or up to 2 years probation, while organized or repeated crime, or crime involving "a person with access to a computer, computer complex or network" (!#$@!), may lead to 5 years imprisonment. Added to this are weird comments on what information, intrusion and information access are.

- 273: Production, spreading and use of harmful computer programs. Sending trojans by mail is considered to be lame and punished by up to 3 years in prison. Part II says that the "same deeds *carelessly* causing hard consequences" will result in from 3 to 7 years in jail.

- 274: Computer, computer complex or network usage rules breach. This one is tough shit. In its present, raw and somewhat confused state this looks, say, *incorrect*. It needs at least a technically literate person to provide correct and clear definitions. After that clearing-up this could be a useful thing: if someone gets into a poorly protected system, the admin will have to take responsibility too. Punishment ranges from loss of the right to occupy "defined" (defined where?) job positions to a 2-year prison term (or 4 if something got fucked up too seriously).

----[ 1.3. Federal Law.

The most notable subject-related laws are:

"On Information, Informatization and Information Security" (20.02.95). The 5 chapters of this law define /* usually not correctly or even intelligently */ various aspects of information and related issues. Nothing really special or important: civil rights (nonexistent), other crap, but still having publicity (due to its weird and easy-to-remember name, I suppose), and about every journalist covering ITsec pastes this name into his article, for a serious look maybe.

"National Information Security Doctrine" (9.9.2K) is far more interesting. It will tell you how dangerous the Information Superhighway is, and this isn't your average mass-media horror story: it's a real thing!
The reader will learn how hostile foreign governments are busy implementing some k-rad mind control tekne3q to gain r00t on your consciousness; undercover groups around the globe are engaging in obscure infowarfare; unnamed but almighty worldwide forces are also about to control information... ARRGGH! PHEAR!!! {ALiEN special note: That's completely true. You suck, Terrans. We'll own your planet soon and give all of you a nice heavy industry job.} Liberal values are covered too (the message is BUY RUSSIAN). Also there are some definitions (partly correct) on ITsec issues.

"On Federal Government Communications and Information" (19.2.93, patched 24.12.93 and 7.11.2K). Oh yes, this one is serious. Everyone is serious about his own communications, what can I say? The main message is "RESPONSIBLES WILL BE FOUND. OTHERS KEEP ASIDE". An interesting entity defined here is the Cryptographic Human Resource, a special unit of highly qualified crypto professionals which must be founded by FAPSI. To be in the Cryptographic Human Resource is to serve, wherever you have retired or anything. Also covered are the rights of government communications personnel. They have no right to engage in or to support a strike. Basically they have no right to fight for rights. They don't have the right to publish or to tell the mass media anything about their job without previous censorship by upper-level management.

Cryptography issues are covered in "On Information Security Tools Certification" (26.6.95, patched 23.4.96 and 29.3.99) and "On Electronic Digital Signature" (10.2.02). Not much to say about them. Both mostly consist of strong definitions of certification procedures.

--[ 2. ORDER.

----[ 2.1. Tactics of Raid.

Given information is necessary for a successful raid. The tactics of a raid strongly depend on previously obtained information. It is necessary to define the time for the raid and the measures needed to conduct it suddenly and confidentially.
If there is information that the suspect's computer contains criminal evidence, it is better to begin the raid when the probability that the suspect is working on that computer is minimal. Consult specialists to define what information could be stored in the computer and have adequate equipment prepared to copy it. Define all measures to prevent the criminals from destroying evidence.

Find raid witnesses who are familiar with computers (basic operations, program names etc.) to exclude the possibility of the raid results being presented as erroneous in court. The specifics and complexity of operations on computer equipment cannot be understood by the illiterate, and this may ruin the investigator's efforts to strengthen the value of the evidence: a witness's misunderstanding of what went on may make the court discard the evidence. Depending on the suspect's qualifications and professional skills, select a computer professional to involve in the investigation.

On arrival at the raid point it is necessary to:
- enter fast and suddenly, to reduce the possibility of destruction of computer-stored information to a minimum. When possible and reasonable, the power supply of the raid point must be turned off;
- not allow anyone to touch a working computer or floppy disks, or to turn computers on and off; if necessary, remove personnel from the raid point;
- not allow anyone to turn the power supply on and off; if the power supply was turned off at the beginning of the raid, all computers and peripherals must be unplugged before it is turned back on;
- not manipulate the computer equipment in any manner that could produce unpredictable results.

After all the measures above have been taken, it is necessary to pre-examine the computer equipment to define which programs are running at the moment. If a data destruction program is discovered active, it should be stopped immediately and the examination begins with exactly this computer.
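As an added illustration of the pre-examination step just described (this is not code from the article, which describes a hand-done procedure on DOS/Windows-era machines), here is a minimal POSIX shell live-triage script for a Unix-like host. It captures the running programs, flags anything matching an assumed list of data-destruction tools, records mounted and volatile (tmpfs/ramfs) file systems and the network state before anything is unplugged, copies a RAM-disk directory out as an archive, and hashes everything into a manifest whose digest can be written into the paper protocol. The tool names, the wiper pattern and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the Phrack article: a minimal live-triage script
# for the "pre-examine the working computer" step. It records the volatile
# state that would otherwise only be photographed, flags processes that look
# like data-destruction tools, preserves a RAM-disk style directory, and
# hashes everything into a manifest so the written protocol can later be
# shown to match what was collected. Assumed environment: POSIX sh with tar
# and sha256sum (or shasum); ps is optional (falls back to /proc).
# The wiper command list is an assumption, not something the article names.

WIPER_PATTERN='(^|/| )(shred|wipe|srm|sdelete|dd if=/dev/(zero|urandom))( |$)'

sha256_file() {
    # Portable SHA-256 of one file: GNU coreutils first, then BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

log_step() {
    # $1: evidence dir, rest: message. Appends a timestamped line to the
    # examination protocol, the machine-written counterpart of the paper one.
    dir=$1; shift
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$dir/protocol.log"
}

list_processes() {
    # Prefer ps; walk /proc when procps is not installed on the target.
    if command -v ps >/dev/null 2>&1; then
        ps -eo pid,ppid,user,args 2>/dev/null || ps aux
    else
        for p in /proc/[0-9]*; do
            printf '%s %s\n' "${p#/proc/}" "$(tr '\000' ' ' < "$p/cmdline" 2>/dev/null)"
        done
    fi
}

flag_destructive() {
    # $1: saved process listing. Prints lines whose command matches
    # WIPER_PATTERN; always exits 0 so callers under 'set -e' survive.
    grep -E -i "$WIPER_PATTERN" "$1" || true
}

triage_snapshot() {
    # $1: evidence directory (created if missing). Same order as the
    # article: running programs, then storage, then network, all before
    # anything is unplugged or powered off.
    ev=$1
    mkdir -p "$ev"
    log_step "$ev" "triage started on $(hostname 2>/dev/null || echo unknown-host) by $(id -un)"

    # 1. What is executing right now (this shell's own pid filtered out).
    list_processes | grep -v "^ *$$ " > "$ev/processes.txt" || true
    log_step "$ev" "processes captured: $(grep -c . "$ev/processes.txt") lines"

    # 2. An active wiper is the first thing the examiner must know about.
    flag_destructive "$ev/processes.txt" > "$ev/suspicious.txt"
    if [ -s "$ev/suspicious.txt" ]; then
        log_step "$ev" "WARNING: possible data-destruction process active, see suspicious.txt"
    fi

    # 3. Mounted storage; tmpfs/ramfs entries are today's "virtual drive"
    #    and disappear at power-off, so they are listed separately.
    { cat /proc/mounts 2>/dev/null || mount; } > "$ev/mounts.txt"
    grep -E ' (tmpfs|ramfs) ' "$ev/mounts.txt" > "$ev/volatile_fs.txt" || true
    log_step "$ev" "mounts captured; volatile file systems: $(grep -c . "$ev/volatile_fs.txt")"

    # 4. Remote-access state, taken before the network cable is pulled.
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || cat /proc/net/tcp 2>/dev/null || true; } > "$ev/network.txt"
    log_step "$ev" "network state captured"
}

archive_volatile_dir() {
    # $1: directory living on a volatile file system, $2: evidence dir.
    # Copied out as a tar archive; nothing on the target is modified and
    # the archive is hashed later together with everything else.
    src=$1; ev=$2
    tar -cf "$ev/volatile_$(basename "$src").tar" -C "$(dirname "$src")" "$(basename "$src")"
    log_step "$ev" "archived $src"
}

seal_evidence() {
    # $1: evidence dir. Hashes every collected file (protocol included)
    # into MANIFEST.sha256, then prints the digest of the manifest itself,
    # which goes into the paper protocol so the collection can be verified.
    ev=$1
    log_step "$ev" "sealing evidence"
    ( cd "$ev" && for f in *; do
          [ "$f" = MANIFEST.sha256 ] || sha256_file "$f"
      done ) > "$ev/MANIFEST.sha256"
    sha256_file "$ev/MANIFEST.sha256" | cut -d' ' -f1
}

# Usage on a live machine (assumed paths):
#   triage_snapshot /mnt/usb/case042
#   archive_volatile_dir /dev/shm /mnt/usb/case042
#   seal_evidence /mnt/usb/case042
```

Run it from removable media with the evidence directory on that media, so the target's own disks are never written to; the wiper pattern is only a starting point and should be extended with whatever tool the case actually involves, and the manifest digest it prints last is what gets copied into the written protocol.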
If the computers are connected to a local network, it is reasonable to examine the server first, then the workstations, then the other computer equipment and power sources.

----[ 2.2. Examining a Working Computer.

During the examination of a working computer it is necessary to:
- define which program is currently executing. This must be done by examining the screen image, which must be described in detail in the raid protocol and, where necessary, photographed or videotaped. Stop the running program and record the result of this action in the protocol, describing the changes that occurred on the screen;
- define the presence of external storage devices: a hard drive (a winchester*), floppy and ZIP type drives, and the presence of a virtual drive (a temporary disk created at computer startup to increase performance), and describe this in the raid protocol;
- define the presence of remote access devices and their current state (local network connection, presence of a modem), after which disconnect the computer and the modem, describing the result in the protocol;
- copy programs and files from the virtual drive (if present) to a floppy disk or to a separate directory on the hard disk. The virtual drive lives in RAM and is lost at power-off, which is why this step comes before the next one;
- turn the computer off and continue examining it. During this it is necessary to describe in the raid protocol, with an appended diagram, the location of the computer and peripheral devices (printer, modem, keyboard, monitor etc.), the purpose of every device, its name, serial number, configuration (presence and type of disk drives, network cards, slots etc.), the presence of a connection to a local computing network and/or telecommunication networks, and the state of the devices (are there traces of opening?);
- accurately describe the order in which the mentioned devices are interconnected, marking (if necessary) connector cables and plug ports, and disconnect the computer devices;
- define, with help from the specialist, the presence of nonstandard hardware inside the computer, the absence of microchips, and whether the internal power source (a battery) is disabled;
- pack (describing in the protocol the location where they were found) storage disks and tapes. The packaging may be a special diskette tray or also common paper and plastic bags, excluding ones that do not prevent dust (pollution etc.) from contacting the disk or tape surface;
- pack every computer device and connector cable. To prevent access by unwanted individuals, it is necessary to seal the system block: tape over the power button and the power socket with adhesive tape, and also the mounting details (screws etc.) of the front and side panels. If it is necessary to turn the computer back on during the examination, it is started from a prepared boot diskette, preventing user programs from starting.

* winchester - obsolete mainstream tech speak for a hard drive. Seems to be of western origin, but I have never met this term in western sources. The common shortening is "wint".

----[ 2.3. Expertise Assignment.

Assigning an expertise is an important investigative measure in such cases. The general and most important part of such an expertise is the technical program (computer equipment) expertise. MVD (*) divisions have no experts conducting such expertises at the current time, so it is possible to conduct this type of expertise at FAPSI divisions or to involve adequately qualified specialists from other organizations.

The technical program expertise is to answer the following:
- What information do the floppy disks and system blocks presented for expertise contain?
- What is its purpose and possible use?
- What programs do the floppy disks and system blocks presented for expertise contain?
- What is their purpose and possible use?
- Are there any text files on the floppy disks and system blocks presented for expertise?
- If so, what is their content and possible use?
- Is there destroyed (deleted) information on the floppy disks presented for expertise?
- If so, is it possible to recover that information?
- What is that information and what is its possible use?
- What program products do the floppy disks presented for expertise contain?
- What are their content, purpose and possible use?
- Are there among those programs ones customized for password guessing or for otherwise gaining unauthorized access to computer networks?
- If so, what are their names, working specifications, and possibilities of use to penetrate the defined computer network?
- Is there evidence of the defined program being used to penetrate the abovementioned network?
- If so, what is that evidence?
- What is the chronological sequence of actions necessary to start the defined program or to conduct the defined operation?
- Is it possible to modify program files while working in the given computer network?
- If so, what modifications can be made, how, and from which computer?
- Is it possible to gain access to confidential information through the mentioned network?
- How is such access gained?
- How was the criminal penetration of the defined local computer network committed?
- What is the evidence of such penetration?
- If this penetration involved remote access, what are the possibilities of identifying the originating computer?
- If evidence of a remote user intrusion is absent, is it possible to point out the computers from which such operations could be done?

Questions may also be asked about the compatibility of this or that program, the possibility of running a program on a defined computer, etc. Along with these, experts can be asked about the purpose of this or that device related to computer equipment:
- What is the purpose of the given device and its possible use?
- What is special in its construction?
- What parts does it consist of?
- Is it an industrial or a homemade product?
- If it is a homemade device, what kind of knowledge, in what field of science and technology, does its maker possess, and what is his professional skill level?
- With what other devices could this device be used together?
- What are the technical specifications of the given device?

The methodical recommendations given here are far from a complete list of the questions that could be asked in such investigations, but they still reflect the important aspects of this type of criminal investigation.

* MVD (Ministry of Internal Affairs) - the Russian police force.

CREDITS

I would like to thank stiss and the BhS group for their contributions to this file.