[lug] Reporting an Intrusion

Shannon Johnston sjohnston at cavionplus.com
Tue Sep 13 10:21:02 MDT 2005

On Tue, 2005-09-13 at 09:59 -0600, Bill Thoen wrote:
> Before I go off half-cocked, what's the proper procedure in terms of
> reporting and collecting evidence so that there's a chance of getting a
> conviction should I be able to get any authority to do anything about
> this?

Gathering and keeping evidence is essential. It especially helps to
ghost the drive so that if the FBI wants to further investigate the
intrusion, you don't have to take your system off-line.
As far as getting a conviction, you'll need to come up with a projected
monetary loss caused by the actions of the individual. Keep in mind that
about the minimum loss needs to be higher than $5,000 for the Feds to do
anything. If it's less than that, you should probably hit up local law
enforcement first.
Coming from first-hand experience, unless the loss is a LOT higher than
that $5,000, it's really unlikely a federal prosecutor will take the
case. The exception is if the individual is suspected of doing this
multiple times (or if you can link them to a suspected terrorist

Make sure you keep EVERYTHING. I would also suggest that you contact the
security department of the originating ISP to see if they will cooperate
in an investigation. Once the authorities get moving on it (if they get
moving) the evidence will be getting old and will be tougher to track

Hope this helps a bit.

Shannon Johnston 
