Educause Security Discussion mailing list archives

Re: Process / Forms for Students voluntarily surrendering computers


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Fri, 22 Oct 2004 19:14:39 -0400

James,

For the cases where I have dealt with the FBI, the procedure we follow is
that we get a request to preserve evidence form - this form contains the
type of evidence that they want us to preserve (logs, mail, whole hard
drive, etc.).  At that point, we collect what they want and put it on the
side.  We do not turn anything over to anyone without a subpoena.  If we
have to turn over evidence that includes anything personal (email, data,
whole system), we get a statement written by the owner that states that
they give the FBI permission to look at the information.  In most cases,
the FBI has been willing to state that they have no material interest in
the owner (our student, faculty, ...), but they are only interested in the
data because it is part of a bigger investigation - I am sure that if this
were not the case, this procedure would change.  Our general procedure has
been that we (AcIS Security) will write something up and then send it over
to the GC office .. they tweak it and send it back - then we use it.  In
the few cases where there was a malicious use of a machine, we impounded
the system as evidence and it was never returned to the user .. this is
very rare, but it has happened.

This is a good document to look at if you are interested in setting up an
incident response team:
<http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf>. It's about
148 pages of details about all kinds of incident response.

I'm not sure if anything I've written is useful ... it's Friday and this
was a really long week :-)

Regards,
Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Friday, October 22, 2004 5:18 PM -0400 James H Moore <jhmfa () RIT EDU>
wrote:

Sorry for the cross-post but this deals in both areas.

Common situation (at FIT - Fictitious Institute of Technology): Sally
Student scans the Whitehouse, or NSA, ...

We get a polite request to investigate.

We go to Sally, and ask why she has been trying to fingerprint government
systems.

She denies all knowledge, and we ask if we can look at her system.

She loans us her notebook.

What is good wording for voluntary release?

What is a good investigative process?  So that,
  1) We avoid liability (e.g. we don't mess up her drive while
investigating, and accidentally delete the folder with her thesis and
research in it.)

  2) We prepare for student judicial, in case, she thinks that she has
erased all the evidence, but hasn't.

  3) What do we disclose to Sally (or the university), and when about our
investigative process.

What questions did I miss?

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats has not created a new problem. It
has merely made more urgent the necessity of solving an existing one."
Parallels quote by Albert Einstein on atomic energy


**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
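Added example, not part of either poster's message: one concrete way to implement the "collect it and put it on the side" preservation step Joel describes, and the "don't mess up her drive" concern Jim raises, is to hash every collected item at collection time into a manifest and re-verify it before anything is examined or handed over. The Python below was written for this page; the case id, collector name and the sample log and mailbox contents are constructed placeholders, and imaging the disk through a write blocker (the step that protects the original drive) is assumed to have happened beforehand.

```python
"""Evidence preservation manifest: hash collected items at collection time,
then re-verify them later to show nothing was altered while preserved."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record who collected what, when, and the hash of each preserved item."""
    items = []
    for p in sorted(paths):
        items.append({
            "path": os.path.basename(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
        })
    return {
        "case_id": case_id,            # placeholder, assigned by the institution
        "collected_by": collector,     # placeholder
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(manifest, directory):
    """Return (path, status) pairs; status is 'ok', 'modified' or 'missing'."""
    results = []
    for item in manifest["items"]:
        p = os.path.join(directory, item["path"])
        if not os.path.exists(p):
            results.append((item["path"], "missing"))
        elif sha256_file(p) != item["sha256"]:
            results.append((item["path"], "modified"))
        else:
            results.append((item["path"], "ok"))
    return results


def demo():
    """Constructed walk-through: preserve two items, build the manifest,
    then simulate an accidental change to one of them and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        logs = os.path.join(d, "auth.log")
        mail = os.path.join(d, "mailbox.mbox")
        with open(logs, "w") as f:   # constructed sample log line
            f.write("Oct 22 17:18:00 host sshd[123]: Accepted password for student from 10.0.0.5\n")
        with open(mail, "w") as f:   # constructed sample mailbox
            f.write("From student@example.edu Fri Oct 22 17:18:00 2004\n")

        manifest = build_manifest([logs, mail], case_id="CASE-EXAMPLE-001",
                                  collector="Security Office (placeholder)")
        before = verify_manifest(manifest, d)

        # Simulate someone touching the preserved log after collection.
        with open(logs, "a") as f:
            f.write("an extra line written after preservation\n")
        after = verify_manifest(manifest, d)

        return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before:", before)
    print("after: ", after)
```

The manifest itself should be stored separately from the evidence (printed and signed by the collector, or kept on write-once media), since the point is that a later hash mismatch can be explained as a change to the evidence and not to the record of it.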
