💾 Archived View for aphrack.org › issues › phrack64 › 14.gmi captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

-=-=-=-=-=-=-

            _                                                  _
          _/B\_                                              _/W\_
          (* *)              Phrack #64 file 10              (* *)
          | - |                                              | - |
          |   |       Know your enemy : facing the cops      |   |
          |   |                                              |   |
          |   |                    By Lance                  |   |
          |   |                                              |   |
          |   |                                              |   |
          (______________________________________________________)





The following article is divided into three parts. The first and
second part are interviews done by The Circle of lost Hackers. The
people interviewed are busted hackers. You can learn, through their
experiences, how cops are working in each of their country. The last
part of this article is a description about how a Computer Crime Unit
proceeds to bust hackers. We know that this article will probably help
more policemen than hackers but if hackers know how the cops proceed
thay can counter them. That's the goal of this article.

Have a nice read.

(Hi Lance! :)


                      ------------------------------------------

                                    Willy's interview



<THE CIRCLE OF LOST HACKERS> Hi WILLY, can you tell us who are you,
what's your nationality, and what's your daily job ?

hi. i'm from germany. i actually finished law school.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us what kind of
relationship you're having with the police in your country ? In some other
European country, the law is hardening these days, what about germany ?

Well, due to the nature of my finished studies, I can view the laws
from a professional point. The laws about computer crime did not change
since years. so you cant see they are getting harder. What we can say is,
that due to 9/11/01, some privacy laws got stricter .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Can you explain us what kind of
privacy laws got stricter ?

Yeah. for example all universities have to point students that are
muslims, between 20/30, not married, etc. so police can do a screen
search.  Some german courts said this is illegal, some said not. the
process is on-going, but the screen searches didnt have much results
yet. On the other hand, we have pretty active privacy-protection people
("datenschutzbeauftragte") which are trying to get privacy a fundamental
right written in the constitution. So, the process is like we have
certain people who want a stricter privacy law, e.g. observation due to
video-cameras on public places. (which does happen already somewhere).
But, again, we have active people in the cuntry who work against these
kind of observation methods. its not really decided if the supervision
is getting stronger. What is getting stronger are all these DNA-tests now
for certain kind of crimes, but its still not the way that any convicted
person is in a DNA database - luckly.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Do you have the feeling that
Computer related law is stricter since 09/11/01 ?

Definitly not.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Are these non-computer related
enforcements happened since the schroeder re-election ?

Nope. these enforcements ("sicherheitspaket") happened after 9/11. the
re-election of schroeder had nothing to do with enforcements. On
one hand, ISP's have to keep the logfiles of dial-in IP's for 90
days. but federal ministry of economics and technology is supporting
a project called "JAP" (java annonymous proxy) to realize anonymous
unobservable communication.  I dont know in details, but I'm pretty
sure the realisation of JAP is not ok with the actualy laws in germany,
because you can surf really completely anonymously with JAP. this is not
corresponding with the law to keep the logfiles. i dont know. from my
point of view, eventhough i (of course) like JAP, it is not compatible
with current german law. but its support by a federal ministry. thats
pretty strange i think. well, we'll see. You can get information about
this on http://anon.inf.tu-dresden.de/index_en.html .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: now that we know a bit more about
the context, can you explain us how you get into hacking, and since when
you are involved in the scene ?

Well, how did i get contact to the scene? i guess it was a way pretty
much people started. i wanted to have the newest games. so I talked to
some older guys at my school, and they told me to get a modem and call
some BBS.  This was i guess 1991. you need to know that my hometown
Berlin was pretty active with BBS, due to a political reason : local
calls did only cost 23pf.  That was a special thing in west-berlin /
cold-war. I cant remember when it was abolished. but, so there amyn many
BBS in berlin due to the low costs.  Then, short time after, i got in
contact with guys who always got the newest stuff from USA/UK into the
BBS, and i though. "wham, that must be expensive" - it didnt take a long
time untill i found out that there are ways to get around this. Also,
I had a local mentor who introduced me to blueboxing and all the neat
stuff around PBX, VMBS and stuff.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: when did you start to play with
TCP/IP network ?

I think that was pretty late. i heard that some of my oversea friends
had a new way of chatting. no chat on BBS anymore, but on IRC. I guess
this was in 1994. So, i got some informations, some accounts on a local
university, and i only used "the net" for irc'ing.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: When (and why) did you get into
troubles for the first time,

Luckly, i only got into trouble once in 1997. I got a visit from four
policemen (with weapons), who had a search warrent and did search my
house. I was accused for espionage of data. thats how they call hacking
here. They took all my equipment and stuff and it took a long time untill
i heard of them again for a  questionning . I was at the police several
times. first time, I think after  6 month, was due to a meeting with the
attorny at state and the policemen.  This was just a meeting to see if
they can use my computer stuff as prove. It was like they switched the
computer on, the policemen said to the attorney "this could be a log file"
and the attorny said "ok this might be a prove".  this went for all cd's
and at least 20 papers with notes. ("this could be an IP adress". "this
could be a l/p, etc . Of course, the attorney didnt have much knowledge,
and i lost my notes with phone numbers on it ("yeah, but it could be
an IP") . However, this was just a mandatory meeting because I denied
anything and didnt allow them to use any of the stuff, so there has to
be a judge or an attorney to see if the police took things that can be a
prove at all. The second time I met them was for the crimes in question. I
was there for a questioning (more than 2 years after the raid, and almost
3 years after the actualy date where i should have done the crime) .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: How long did you stay at the
police station just after your first perquisition ?

First time, that was only 15 minutes. It was really only to see if the
police took the correct stuff. e.g. if they had taken a book, I would
have to get it back. because a book cant have anything to do with my
accused crime. (except i had written IP numbers in that book, hehe)

--

<THE CIRCLE OF LOST HACKERS> QUESTION: what about the crime itself ? Did
you earn money or make people effectively loose money by hacking ?

No, i didnt earn any money. it was just for fun, to learn, and to see
how far you can push a border. see what is possible, whats not. People
didnt loose any money, too.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: How did they find you ?

I still dont really know how they found me. the accused crime was (just)
the unauthorized usage of dial-in accounts at one university. Unluckly,
it was the starting point of my activities, so was a bit scared at
first. You have to dial-in somwhere, if if that facility buists you,
it could have been pretty bad. At the end, after the real questioning
and after i got my fine, they had to drop ALL accuses of hacking and i
was only guilty for having 9 warez cd's)

--

<THE CIRCLE OF LOST HACKERS> QUESTION: were you dialing from your home ?

Yeah from my home. but i didnt use ISDN or had a caller ID on my analoge
line, and it is not ok to tap a phone line for such a low-profile crime
like hacking here in germany . So, since all hacking accuses got dropped,
I didnt see what evidence they had, or how they get me at all.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell more about the
policemen ? WHat kind of organisation did bust you ?

It was a special department for computer crime organzied from the state
police, the "landeskriminalamt" LKA. They didnt know much about computers
at all i think. They didnt find all logfiles I had on my computer, they
didnt find my JAZ disks with passwd files, they didnt find passwd files
on my comp., etc .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Where did they bring u after
beeing busted at the raid, and the second time for the interview ?

After the raid, I could stay at home ! For the interview, I went the
headquater of the LKA, into the rooms of the computer crime unit. simple
room with one window, a table & chair, and a computer where the policemen
himself did type what he asked, and what i answered.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: have you heard interresting
conversation between cops when you were in there ?

hehe nope. not at all. and, of course, the door to the
questioning room was closed when i was questioned. so i couldnt
hear anything else . I have been interviewed by only one guy from
"polizeihauptkommisar", no military grade, only a captain like explained
in http://police-badges.de/online/sammeln/us-polizei.html .

Another thing about the raid: they did ring normally, nothing with
bashing the door. if my mother hadnt opened the door, i had enough time
to destroy things. but unluckly, as most germans, she did open the door
when she heard the word "police" hehe.

I didnt not have a trial, i accepted a "order of summary punishment" this
is the technical term i looked up in the dictonary :-) This is something
that a judge decides after he has all information. he can open a trial
or use this order of summary punishment. they mail it you you, and if
you dont say "no, i deny" within one week, you accpeted it :-) When you
deny it, THEN you definitly decide to go to court and have a trial .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: do you advise hackers to accept
it ?

You cant generally give an advice about that. in my case, i found it
important that i do not have any crime record at all and that i count
as "first offender" if i ever have a trial in the future. so with that
accpetion of the summary, i knew what i get, which was acceptable for
my case.  if you go to court, you can never know if the fine will be
much higher. but you cant generalize it.  if its below "90 tagessaetze"
(--> over 90 you get a crime recoard), i guess i would accept it, but
again, better go to a lawyer of your trust :-)

--

<THE CIRCLE OF LOST HACKERS> QUESTION: can you compare LKA with an
american and/or european organisation ? What is their activity if their
are not skilled with computers ?

Mmmm every country within germany has its special department called LKA.
Its not like the FBI (that would be BKA), but it would be like a state
in the usa, say florida, has a police department for whole florida
which does all the special stuff, like organzied crime. Computer crime
in germany belongs to economic crime, and therefore, the normal police
isnt the correct department, but the LKA. By the way, I heard from
different people that they are more skilled now. but at that time, I
think only one person had an idea about UNIX at all. I know that the BKA
has a special department for computer crime, because a friend of mine got
visited by the BKA, but, most computer crime departments here are against
child-porn. I dont think that too many people get busted for hacking in
germany at all. they do bust child porn, they do bust warez guys, they
do bust computer fraud, related to telco-crimes. but hacking, I dont
know lots of people who had problems for real hacking. except one guy .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: is there special services in your
country who are involved in hacking ?

Special services ? what do you mean? like CIA ? hehe ?! We have
BND (counter-spying), MAD (military spying), verfassungsschutz
(inland-spying), but I dont think we a service that is concentrating
on computer crime. What we do have is a lot of NSA (echelon) stations
from the US. I guess because of the cold war, we're still pretty much
under the supervision of these services :-) so the answer is: we dont
have such services, or they do work so secret that noone knows, but i
doubt this in germany hehe.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Except for the crime they inculped
you, did you have any relations with the police ? (phone calls, non
related interview, job proposition) ?

Hehe, no, not at all.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: what kind of information was
the police asking you during your interview ? Were they asking non
crime-related information ?  (like: who are you chilling with, etc ?)

Yeah, that was the part they where most interested in ! They had
printed my /etc/passwd and said "thats your nick, right?" . I didnt say
anything to that whole complex, but they continued, and I mean, if you
have one user in your /etc/passwd, it is pretty easy to guess thats
your nick. So, they had searched the net for that nick, they found a
page maintained by some hackers who formed some kind of crew. they had
printed the whole website of that crew, pointing out my name anywhere
where it appeared. They tried to play the good-cop game, the "you're that
cool dude there eh?" etc. I didnt say anything again. It took several
minutes, and they wanted to pin-point me that i'm using this nick they
found in /etc/passwd and that i am a member of that group which they
had the webpage printed. They knew that there was a 2nd hacker at that
university. They asked me all the time if i know him.  I dont know why
he had more luck. of course i did know him, it was my mate with whom i
did lots of the stuff together.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: You didnt say anything ? How did
they accepted this ?

hehe. they had to accept it. i think thats in most countries that, if
you are accused, you have the right to say nothing. I played an easy
game: I accepted to have copied the 9 cd's. because the cd's are prove
enough at all, then the cops where happy. I didnt say anything to that
hacking complex, which was way more interesting for them. I though "I
have to give them something, if I dont want to go before court" . I said
"I did copy that windows cd" so they have at least something.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: did you feel some kind of evolution
in your relation with police ? Did they try to be friend with you at
some point ?

yeah, they did try to be friend at several stages.

a) At the raid. my parents where REALLY not amuzed, i think you can
imagine that. having policemen sneaking through your cloth, your bedroom,
etc. So, they noticed my mom was pretty much nervous and "at the end"
. They said "make it easy for your mother, be honest, be a nice guy,
its the first time, tell us something ..." (due to my starting law
school at that time, I, of course knew that its the best thing to stay
calm and say nothing.)

b) At the questioning, of course. after I admitted the warez stuff,
they felt pretty good, which was my intention. they allowed me to smoke,
and stuff like that. when it came to hacking, and i didnt say anything,
They continued to be "my friend", and tried to convince me "thats its
easier and better if i admit it, because eveidence is so high" . They
where friendly all the time, yeah.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: What do you think they were really
knowing ?

They definitly knew I used unauthorized dial-in accounts at that
university, they knew I was using that nick, and that I am a member of
that hacking group (nothing illegal about that, though) . I was afraid
that they might know my real activities, because, again, that university
was JUST my starting point, so all i did was using accounts i shouldnt
use. Thats no big deal at all, dial-ins. but i didnt know what they knew
about the real activities after the dial-in, so i was afraid that they
know more about this.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: did they know personnal things
about the other people in your hacking group ?

nope, not at all.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: How skilled are the forensics
employed by german police in 2002 ?

huh, i luckly dont know. I read that they do have some forensic
experts at the BKA, but the usually busting LKA isnt very skilled, in my
opinion. they have too less people to cover all the computer crimes. they
work on low money with old equipment. and they use much of their time
to go after kiddie-porn.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: how does the police perceived
your group ?  (front-side german hacking group you guyz all know)

I think they thought we're a big active crew which does hacking, hacking
and hacking all the time. i guess they wanted to find out if we e arn
money with that, e.g., of if we're into big illegal activities. because
of course, it might be illegal just to be a member of an illegal group.
like organzied crime.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: in the other hand, what do you
think the other hacking crew think about your group ?

We and other hackers saw us as group which shares knowledge, exchange
security related informations, have nice meetings, find security problems
and write software to exploit that problems. I definitly did not see us
as organzied hacking group which earns money, steal stuff or make other
people loose money, but, I mean, you cant know what a group really does
just from visiting a webpage and looking at some papers or tools.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: are the troubles over now ?

yeah, troubles are completely over now. i got a fine, 75 german marks
per cd, so i had to pay around 800 german marks. I am not previously
convicted, no crime record at all. no civil action.

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Now that troubles are over, do you
have some advices for hackers in your country, to avoid beeing busted,
or to avoid having troubles like you did ?

hehe yeah, in short words:

a) Always crypt your ENTIRE harddisk

b) Do NOT own any, i repeat, any illegal warez cd. reason: any judge
knows illegal copied cds. he understands that. so, like in my case,
you get accused for hacking and you end up with a fine for illegal
warez. Thats definitly not necessary. and, furthermore, you get your
computer stuff back MUCH easier & faster if you dont have any warez
cd. usually, they cant prove your hacking. but warez cd's are easy.

c) do not tell ANYTHING at the raid.

d) if you are really into trouble, go to a lawyer after the raid.

--

<THE CIRCLE OF LOST HACKERS> Thanks for the interview WILLY !

De nada, you are welcomed ;)



                       ------------------------------------------

                                    Zac's interview



<THE CIRCLE OF LOST HACKERS> Hello Zac, nice to meet you .

Hi new staff, how's life ?

<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us what kind of
relationship you're (as a hacker) having with the police in your country ?

I live in France, as a hacker I never had troubles with justice .  In my
country, you can have troubles in case you are a stupid script kiddy (most
of the time), or if you disturb (even very little) intelligence services
. Actually we have very present special services inside the territory,
whereas the police itself is too dumb to understand anything about
computers . Some special non-technical group called BEFTI usually deals
with big warezers, dumb carders, or people breaking into businesses's
PABX and doing free calls from there, and stuffs like that .

--

<THE CIRCLE OF LOST HACKERS> Explain to us how you got into hacking,
since when you are involved in the scene, and when you started to play
with TCP/IP networks .

I started quite late in the 90' when I met friends who were doing warez
and trying to start with hacking and phreaking . I have only a few years
of experience on the net, but I learnt quite fast beeing always behind
the screen, and now I know a lot of people, all around the world, on
IRC and IRL .

Beside this, I had my first computer 15 years ago, owned many INTEL based
computers, from 286 to Pentium II . I have now access to various hardware
and use these ressources to do code . I used to share my work with other
(both whitehats and blackhats) peoples, I dont hide myself particulary
and I am not involved in any kind of dangerous illegal activity .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: When did you get into troubles
for the first time ?

Last year (2001), when DST ('Direction de la Surveillance du Territoire',
french inside-territory intelligence services) contacted me and asked if
I was still looking for a job . I said yes and accepted to meet them .
I didnt know it was DST at that time, but I catched them using google ;)
They first introduced themself from 'Ministere de l'Interieur', which is
basicaly Ministery charged of police coordination and inside-territory
intelligence services . In another later interview, they told me they
were DST, I'll call them 'the feds' .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: How did they find you ?

I still have no idea, I guess someone around me taught them about me
. When I asked, they told me it was from one of the various (very few)
businesses I had contacted at that time . Take care when you give your
CV or anything, keep it encrypted when it travels on the net, because
they probably sniff a lot of traffic . I also advise to mark it in a
different way each time you give it, so that you can know from where it
leaked using SE at the feds .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell more about the
organization ?

Some information about them has already been disclosed in french
electronic fanzines like Core-Dump (92') and NoWay (94'), both written
by NeurAlien . I heard he got mad problem because of this, I dont really
want to experiment the same stuff .


--

<THE CIRCLE OF LOST HACKERS> QUESTION: is there other special services
in your country who are involved in hacking ?

Besides DST, there is DGSE ('Direction General de la Securite Exterieur'),
these guys most focuss on spying, military training, and information
gathering outside the territory . There is also RG ('Renseignement
generaux', trans. : General Information) , a special part of police
which is used to gather various information about every sensible events
happening . The rumor says there's always 1 RG in each public conference,
meeting, etc and its not very difficult to believe .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: can you compare the organization
with an equivalent one in another country ?

Their tasks is similar to CIA's and NSA's one I guess . DST and DGSE
used to deal with terrorists and big drugs trafic networks also, they
do not target hackers specifically, their task is much larger since they
are the governemental intelligence services in France .

--

<THE CIRCLE OF LOST HACKERS> Is DST skilled with computers ?

They -seem- quite skilled (not too much, but probably enough to bust a
lot of hackers and keep them on tape if necessary) . They also used to
recruite people in order to experiment all the new hacking techniques
(wireless, etc) .

However, I feel like their first job is learning information, all
the technical stuff looks like a hook to me . Moreover, they pay very
bad, they'll argue that having their name on your CV will increase your
chances to get high payed jobs in the future . Think twice before signing,
this kind of person has very converging tendances to lie .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: what kind of information did they
ask during the interviews ?

The first time, it was 2 hours long, and there was 2 guyz . One was
obviously understanding a bit about hacking (talking about protocols,
reverse engineering, he assimilated the vocabulary as least), the other
one wasnt doing the difference between an exploit and a rootkit, and
was probably the 'nice fed around' .

They asked everything about myself (origin, family, etc), one always
taking notes, both asking questions, trying to appear like interrested
in my life . They asked everything from the start to the end . They
asked if the official activity I have right now wasnt too boring,
who were the guy I was working with, in what kind of activity I was
involved, and the nature of my personnal work . They also asked me if I
was aware of 0day vulnerabilities into widely-used software . I knew I
add not to tell them anything, and try to get as much information about
them during the interview . You can definitely grab some if you ask them
questions .  Usually, they will tell you 'Here I am asking the questions',
but sometimes if you are smart, you can guess from where they got the
information, what are their real technical skills level, etc .

At the end of the interview, they'll ask what they want to know if you
didnt tell them . They can ask about groups they think you are friend
with, etc .  If you just tell them what is obviously known (like,
'oh yeah I heard about them, its a crew interrested in security, but
I'm not in that group') and nothing else, its ok .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: What do you think they were really
knowing ?

I guess they are quite smart, because they know a lot of stuff, and
ask everything as if they were not knowing anything . This way, they
can spot if you are lying or not .  Also, if you tell them stuffs you
judge irrevelant, they will probably use it during other interviews,
in order to guess who you are linked to .

--

<THE CIRCLE OF LOST HACKERS> QUESTION: are the troubles over now ?

I hope they will let me where I am, anyway I wont work for them, I
taught a few friends of mine about it and they agreed with me . Their
mind changes over time and government, I highly advise -NOT- to work
for them unless you know EXACTLY what you are doing (you are a double
agent or something lol) .

--

<THE CIRCLE OF LOST HACKERS> do you have some advices for hackers in
your country, to avoid beeing busted, or to avoid having troubles ?

Dont have a website, dont release shits, dont write articles, dont do
conference, dont have a job in the sec. industry . In short : it's very
hard . If they are interrested in the stuffs you do and hear about it,
they'll have to meet you one day or another . They will probably just
ask more about what you are doing, even if they have nothing against
you . Dont forget you have the right to refuse an interview and refuse
answering questions . I do not recommand to lie to them, because they
will guess it easily (dont forget information leakage is their job) .

I advise all the hackers to talk more about feds in their respective
groups because it helps not beeing fucked . Usually they will tell
you before leaving 'Dont forget, all of this is CONFIDENTIAL', it is
just their way to tell you 'Okay, thanks, see you next time !' . Dont
be impressed, dont spread information on the net about a particular guy
(targetted hacker, or fed), you'll obviously have troubles because of it,
and its definitely not the good way to hope better deals with feds in
the future . To FEDS: do not threat hackers and dont put them in jail,
we are not terrorists . Dont forget, we talk about you to each other,
and jailing one of us is like jailing all of us .


<THE CIRCLE OF LOST HACKERS> Thanks zac =)

At your service, later .


                       ------------------------------------------

                                 Big Brother does Russia
                                           by
                                      ALiEN Assault



This  file  is  a basic description of russian computer law related
issues.  Part  1  contains  information  gathered  primarily  from
open sources. As this sources  are  all  russian, information may be
unknown to those who doesn't know russian language. Part  2  consists
of  instructions  on  computer crime investigation: raid guidelines and
suspect's system exploration.


0 - DISCLAIMER 1 - LAW
  1.1 - Basic Picture 1.2 - Criminal Code 1.3 - Federal Laws
2 - ORDER
  2.1 - Tactics of Raid 2.2 - Examining a Working Computer 2.3 -
  Expertise Assignment


--[ 0.DISCLAIMER.

INFORMATION PROVIDED FOR EDUCATIONAL PURPOSES ONLY. IT MAY BE ILLEGAL
IN YOUR COUNTRY TO BUST HACKERS. IT MUST BE ILLEGAL AT ALL. THERE ARE
BETTER THINGS TO DO. EXPLORE YOURSELF AND THIS WORLD. SMILE. LIVE.


--[ 1.	 LAW.

----[ 1.1. Basic Picture.

Computer-related  laws	are  very  draft and poorly describes what are
ones about.  Seems  that  these  are  simply  rewritten instructions
from 60's *Power Computers* that took a truck to transport.

Common	subjects  of lawsuits include carding, phone piracy (mass
LD service thievery)  and...  hold  your  breath... virii infected
warez trade. Russia is a real  warez  heaven  -  you can go to about
every media shop and see lots of CDs with  warez,  and some even has
"CRACKS AND SERIALS USAGE INSTRUCTIONS INCLUDED" written  on  front
cover  (along with "ALL RIGHTS RESERVED" on back)! To honour pirates,
they  include  all  .nfo  files  (sometimes  from  4-5 BBSes warez was
courriered  through).  It  is  illegal	but  not  prosecuted.  Only if
warez are infected  (and  some VIP bought them and messed his system up)
shop owners faces legal  problems.

Hacking  is  *not  that  common*,  as  cops are rather dumb and busts
mostly script kiddies for hacking their ISPs from home or sending your
everyday trojans by email.

There  are  three  main  organisations	dealing  with  hi-tech	crime:
FAPSI (Federal	Government  Communications  and  Information  Agency
- mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for
departamernt of computer and information  security)  and  UPBSWT  MVD
(hi-tech  crime fightback dept.) which incorporates R unit (R for radio -
busts ham pirates and phreaks).

FSB   (secret	service)  also	runs  NIIT  (IT  research  institute).
This organisation  deals  with	encryption  (reading your PGPed mail),
examination of malicious  programs  (revealing	Windoze source) and
restoration of damaged data (HEXediting saved games). NIIT is believed
to possess all seized systems so they have tools to do the job.

UPBSWT	has a set of special operations called SORM (operative
and detective measures	system).  Media describes this as an
Echelon/Carnivore-like thing, but it  also monitors phones and
pagers. Cops claims that SORM is active only during major criminal
investigations.


----[ 1.2. Criminal Code.

Computer criminals are prosecuted according to this articles of the Code:

- 159:	Felony. This mostly what carders have to do with, accompanied by
	caught-in-the-act  social  engineers.  Punishment  varies
	from fine (minor, no criminal record) to 10 years prison term
	(organized and repeated crime).

- 272:	Unauthorized access to computer information. Easy case will end
up in
	fine  or up to 2 years probation term, while organized, repeated
	or involving "a person with access to a computer, computer complex
	or network" (!#$@!) crime may lead  to	5  years  imprisonment.
	Added to  this are weird comments on what are information,
	intrusion and information access.

- 273:	Production, spreading and use of harmful computer
programs. Sending
	trojans  by  mail considered to be lame and punished by up to 3
	years in prison. Part II says that "same deeds *carelessly* caused
	hard consequences" will result in from 3 to 7 years in jail.

- 274:	Computer, computer complex or network usage rules breach. This
one is
	tough  shit.  In  present,  raw  and  somewhat	confused
	state this looks, say, *incorrect*.  It  needs that at least
	technically literate person should provide correct and clear
	definitions. After that clearances this could be useful thing:
	if  someone  gets  into  a  poorly  protected  system,	admin will
	have to take responsibility too. Punisment  ranges  from ceasing
	of right to occupy "defined" (defined  where?) job positions to
	2 years prison term (or 4 if something fucked up too seriously).


----[ 1.3. Federal Law.

Most notable subject related laws are:

"On  Information,  Informatization  and Information Security"
(20.02.95). 5 chapters	of  this  law  defines	/*  usually not
correct or even intelligent */ various	aspects  of  information  and
related issues. Nothing really special or important  -	civil rights
(nonexistent), other crap, but still having publicity (due  to	weird
and easy-to-remember name i suppose) and about every journalist covering
ITsec pastes this name into his article for serious look maybe.

"National  Information Security Doctrine" (9.9.2K) is far more
interesting.  It  will tell you how dangerous Information Superhighway
is, and this isn't your average  mass-media  horror  story  -  it's
a  real thing! Reader will know how hostile  foreign  governments  are
busy  imlpementing  some  k-rad mind control tekne3q  to  gain r00t on
your consciousness; undercover groups around the globe are  engaging in
obscure infowarfare; unnamed but almighty worldwide forces also about
to control information...ARRGGH! PHEAR!!!

{ALiEN special note: That's completely true. You suck Terrans. We'll
own your planet soon and give all of you a nice heavy industry job}.

Liberal values are covered too (message is BUY RUSSIAN). Also there are
some definitions (partly correct) on ITsec issues.

"On  Federal  Government  Communications and Information" (19.2.93,
patched 24.12.93  and  7.11.2K).  Oh yes, this one is serious. Everyone
is serious about his  own  communications - what can i say? Main message
is "RESPONSIBLES WILL BE FOUND. OTHERS KEEP ASIDE".

Interesting  entity defined here is Cryptographic Human Resource -
a special unit	of  high qualified crypto professionals which must be
founded by FAPSI. To be  in  Cryptographic  Human  Resource  is to serve
wherever you have retired or anything.

Also  covered  are rights of government communications personnel. They
have no  right	to  engage  in	or to support strike. Basically they have
no right to fight  for	rights.  They  don't  have  a right to publish or
to tell mass-media anything about their job without previous censorship
by upper level management.

Cryptography   issues	are  covered  in  "On  Information  Security
Tools Certification"  (26.6.95 patched 23.4.96 and 29.3.99) and "On
Electronic Digital Signature"  (10.2.02).  Not	much  to  say about. Both
mostly consists of strong definitions of certification procedures.


--[ 2. ORDER.

----[ 2.1. Tactics of Raid.

Given information is necessary for succesful raid. Tactics of raid
strongly depends on previously obtained information.

It  is	necessary to define time for raid and measures needed to conduct
it suddenly  and  confidentially. In case of presence of information
that suspect's computer  contains  criminal  evidence  data,  it  is
better to begin raid when possibility that suspect is working on that
computer is minimal.

Consult  with  specialists  to	define what information could be stored
in a computer  and  have  adequate technics prepared to copy that
information. Define all  measures to prevent criminals from destroying
evidence. Find raid witnesses who  are	familiar  with	computers
(basic	operations, programs names etc.) to exclude  possibility of
posing raid results as erroneous at court. Specifity and complexity
of  manipulations  with  computer  technics  cannot be understood
by illiterate,	so  this  may  destroy	investigator's efforts on
strengthening the value of evidence.

Witness' misunderstanding of what goes on may make court discard evidence.
Depending  on  suspect's  qualification  and  professional  skills,
define a computer technics professional to involve in investigation.

On arrival at the raid point is necessary to: enter fast and sudden
to drive computer stored information destruction possibility  to  the
minimum. When possible and reasonable, raid point power supply must be
turned off.

Don't allow no one touch a working computer, floppy disks, turn computers
on and off; if necessary, remove raid personnel from the raid point;
don't allow no one turn power supply on and off; if the power supply
was  turned  off at the beginning of raid, it is necessary to unplug all
computers and peripherals before turning power supply on; don't manipulate
computer technics in any manner that could provide inpredictable results.

After  all  above  encountered	measures  were	taken,	it  is necessary
to preexamine  computer technics to define what programs are working
at the moment.	If   data  destruction	program  is  discovered  active
it  should  be	stopped immediately  and examination begins with exactly
this computer. If computers are connected  to  local  network,	it  is
reasonable to examine server first, then working computers, then other
computer technics and power sources.


----[ 2.2. Examining a Working Computer.

During the examination of a working computer is necessary to:

- define what program is currently executing. This must be done by
examining
  the  screen  image  that  must  be  described  in detail in raid
  protocol. While necessary, it should be photographed or videotaped. Stop
  running program and fix results of this action in protocol, describing
  changes occured on computer screen;

- define presence of external storage devices: a hard drive (a
winchester*),
  floppy  and ZIP type drives, presence of a virtual drive (a temporary
  disc which is  being	created  on  computer  startup	for increasing
  performance speed) and describe  this  data  in  a  protocol	of raid;


- define presence of remote system access  devices  and  also  the
current state of
  ones (local network connection, modem  presence),  after  what
  disconnect  the computer  and modem, describing results of that in
  a protocol;

- copy programs and files from the virtual drive (if present) to the
floppy disk or to
  a separate directory of a hard disk;

- turn the computer off and continue with examining it. During this is
necessary to
  describe  in	a  raid protocol and appended scheme the location
  of computer and  peripheral  devices (printer, modem, keyboard,
  monitor etc.) the purpose of every  device,  name,  serial  number,
  configuration (presence and type of disk drives,  network  cards,
  slots etc.), presence of connection to local computing network  and
  (or) telecommunication networks, state of devices (are there tails
  of opening);

- accurately  describe the order of mentioned devices interconnection,
marking
  (if necessary) connector cables and plug ports, and disconnect computer
  devices.

- Define, with the help from specialist,  presence  of	nonstandard
apparatus inside
  the computer, absence of microschemes, disabling of an inner power
  source (an accumulator);

- pack (describing location where were found in a protocol) storage
disks and
  tapes.  Package  may	be special diskette tray and also common paper
  and plastic bags, excluding ones not preventing the dust (pollutions
  etc.) contact with disk or tape surface;

- pack	every  computer  device  and  connector  cable.  To  prevent
unwanted
  individuals' access, it is necessary to place stamps on system block -
  stick the power  button  and	power  plug slot with adhesive tape and
  stick the front and side panels mounting details (screws etc.) too.


If it is necessary to turn computer back on during examination, startup
is performed with a prepared boot diskette, preventing user programs
from start.


be of western origin but i never met this term in western sources. Common
shortage is "wint".


----[ 2.3. Expertise Assignment.


Expertise  assignment  is an important investigation measure for such
cases.	General  and  most  important  part  of  such  an expertise is
technical program (computer technics) expertise. MVD (*) divisions have
no experts conducting such expertises  at  the	current  time,	so  it
is possible to conduct such type of expertises	at  FAPSI  divisions
or to involve adequately qualified specialists from other organisations.

Technical program expertise is to find answers on following:

- what information contains floppy disks and system blocks presented to
  expertise?

- What is its purpose and possible use?

- What programs contains floppy disks and system blocks presented to
  expertise?

- What is their purpose and possible use?

- Are there any text files on floppy disks and system blocks presented to
  expertise?

- If so, what is their content and possible use?

- Is there destroyed information on floppy disks presented to expertise?

- If so, is it possible to recover that information?

- What is that information and what is its possible use?

- What program products contains floppy disks presented to expertise?

- What are they content, purpose and possible use?

- Are  between	those  programs  ones  customized  for	passwords
guessing or
  otherwise  gaining  an  unauthorized	computer  networks access?

- If so, what are their  names,  work  specifications, possibilities of
usage to
  penetrate defined computer  network?

- Are there evidence of defined program usage to penetrate the
abovementioned network?

- If so, what is that evidence?

- What is chronological sequence of actions necessary to start defined
program
  or to conduct defined operation?

- Is it possible to modify program files while working in a given
computer network?

- If so, what modifications can be done, how can they be done and from
what computer?

- Is it possible to gain access to confidential information through
mentioned network?

- How such access is being gained?

- How  criminal  penetration  of  the  defined	local  computer
network  was
  committed?

- What	is  the  evidence  of  such  penetration?

- If this penetration involved	remote access, what are the possibilites
of identifying an
  originating computer?

- If an evidence of a remote user intrusion is absent, is it possible
to point computers from
  which such operations can be done?


Questions may be asked about compatibility of this or that programs;
possibilities of running a program on defined computer etc. Along with
these, experts can be asked on purpose of this or that device related
to computer technics:

- what is the purpose of a given device, possible use?

- What is special with its construction?

- What parts does it consist of?

- Is it industrial or a homemade product?

- If it is a homemade device, what kind of knowledge and in what kind of
  science and technology do its maker possess, what is his professional
  skill level?

- With what other devices could this device be used together?

- What are technical specifications of a given device?


Given methodic recommendments are far from complete list of questions
that could be asked in such investigations but still does reflect the
important aspects of such type of criminal investigation.





CREDITS

     I like to mention stiss and BhS group for contibutions to this file.