
So these days with talks about having hacked machines being used for malware spreading and botnet C&C, the one issue that is not clear to me is what do the law enforcement agencies do once they have identified a server as being a source or controller of attack/APT and that server is a VPS on my cluster/datacenter?

Do they take away the entire machine?

This option seems to have a lot of collateral damage associated with it, so I am not sure what happens and what are the best practices for system admins for helping law enforcement with its job while keeping our jobs!

intiha
Way too broad and varied for discussion here, but in general, LEAs are like sledgehammers... or explosives. They're blunt instruments and rarely give a damn about collateral damage. So yeah, they'll haul off an entire server with dozens of VPSes on it if even one VPS is in breach of the law badly enough to get the server seized. And feel free to compliment me as unpatriotic or evil for saying the following... but the way to comply with law enforcement (period, not just as a sysadmin) is to keep your mouth shut, volunteer nothing, and let your lawyer handle all contact with LEA. – HopelessN00b Oct 04 '12 at 07:16

1 Answer


(Disclaimer - I'm a computer forensics and computer security management undergrad. Local laws and LEO protocols may differ)

As far as I know, I've not actually seen protocols specifically pertaining to VPSes. There's a few things to look at here. Law enforcement agencies have not shied away from seizing co-owned servers in the past, or even unrelated servers 'in case', and generally, quite frankly, collateral damage is not an issue for them. If there was evidence in the machine, it is VERY likely they will seize the whole thing. As such, the first line of defence is not being in a situation where this may happen at all.

Practically speaking, an adept forensics professional might wish to do live forensics to examine the behaviour of the suspect server 'in situ'. They might also find backups useful in determining when the issue happened. Assuming you deal with one, that is. That said, properly trained forensics folks are less common than one would hope - there's a fair number of cops in my class for a reason, and in many places, forensics specialists are cops who learnt forensics, not sysadmin or cyber forensics specialist type folk hired to work for law enforcement. Dealing with the latter may be easier than the former. Better yet, let the legal department handle it, and just do what you need to.

Within the company, this is the sort of thing you need to take into account for your IR/DR plans - since getting a server seized is a disaster. Do you have policies for the sort of information you can release to law enforcement? Can you co-operate with them to document the transfer of the hardware (which makes both your lives easier - they get started on chain of custody, and you would be on better terms with them)? It's also good if you didn't have a random bunch of non-sysadmins messing around with your wiring.

In theory, if downtime was an issue, getting a server from a spare pool and restoring the contents of it from the last backup may be an option. It's just another issue - as long as you keep good, complete documentation and backups, you should have anything you need on hand.

A few useful pointers on what police would look at would be from places like SANS and ACPO. Also talk to your company's legal department on what local requirements may be.

Journeyman Geek