An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.

Computer Intrusion Investigation Guidelines

NCJ Number: 187020
Journal: FBI Law Enforcement Bulletin, Volume: 70, Issue: 1, Dated: January 2001, Pages: 8-11
Author(s): J. Bryan Davis
Editor(s): John E. Ott
Date Published: January 2001
Length: 4 pages
Annotation
This article briefly describes investigative techniques and guidelines during the initial phases of a computer intrusion investigation.
Abstract
A computer “hacker” or intruder breaks into a number of computers or computer systems to obtain either root- or user-level access to a computer. A hacker does this for three reasons: storage for tools and programs; protection from disclosure of the hacker’s location; and exploitation, either to obtain information or to vandalize the computer. The investigator utilizes three techniques to track the hacker: (1) the investigator goes undercover; (2) the investigator develops sources that provide information about the hacker; and (3) the investigator uses various methods to legally obtain computer records. In a computer intrusion investigation, the initial steps are the same because most intrusions are very similar in nature. There are 12 steps: (1) obtain the identifying data on the caller; (2) obtain the identifying data on the victim computer; (3) obtain the known particulars of the intrusion; (4) determine if the victim computer has been secured; (5) meet with the system administrator and determine if the victim computer should be taken into evidence; (6) arrange to have the computer seized as evidence; (7) determine the appropriate method of obtaining computer records; (8) contact the source and obtain its computer logs; (9) make arrangements to have the victim system examined; (10) review the computer system and determine the next jump back; (11) make arrangements to have the source logs examined; and (12) conduct appropriate interviews. As computer intrusion crimes increase and hackers become more efficient, the investigator’s role and job become more difficult.