Educause Security Discussion mailing list archives
Re: Process / Forms for Students voluntarily surrendering computers
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 22 Oct 2004 19:14:39 -0400
James,

For the cases where I have dealt with the FBI, the procedure we follow is that we get a request to preserve evidence form - this form contains the type of evidence that they want us to preserve (logs, mail, whole hard drive, etc). At that point, we collect what they want and put it on the side. We do not turn anything over to anyone without a subpoena.

If we have to turn over evidence that includes anything personal (email, data, whole system), we get a statement written by the owner that states that they give the FBI permission to look at the information. In most cases, the FBI has been willing to state that they have no material interest in the owner (our student, faculty, ...), but they are only interested in the data because it is part of a bigger investigation - I am sure that if this were not the case, this procedure would change.

Our general procedure has been that we (AcIS Security) will write something up and then send it over to the GC office .. they tweak it and send it back - then we use it.

In the few cases where there was a malicious use of a machine, we impounded the system as evidence and it was never returned to the user .. this is very rare, but it has happened.

This is a good document to look at if you are interested in setting up an incident response team <http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf> it's about 148 pages of details about all kinds of incident response.

I'm not sure if anything I've written is useful ... it's Friday and this was a really long week :-)

Regards,
Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Friday, October 22, 2004 5:18 PM -0400 James H Moore <jhmfa () RIT EDU> wrote:
Sorry for the cross-post but this deals in both areas.

Common situation (at FIT - Fictitious Institute of Technology), Sally Student scans the Whitehouse, or NSA, ... We get a polite request to investigate. We go to Sally, and ask why she has been trying to fingerprint government systems. She denies all knowledge, and we ask if we can look at her system. She loans us her notebook.

What is good wording for voluntary release? What is a good investigative process? So that,

1) We avoid liability (e.g. we don't mess up her drive while investigating, and accidentally delete the folder with her thesis and research in it.)
2) We prepare for student judicial, in case, she thinks that she has erased all the evidence, but hasn't.
3) What do we disclose to Sally (or the university), and when about our investigative process.

What questions did I miss?

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats have not created a new problem. It has merely made more urgent the necessity of solving an existing one." Parallels quote by Albert Einstein on atomic energy

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.