

What happens when your server is compromised and you get help from the FBI? - imjustsaying

Often when a company announces that its servers have been compromised, the company also states that they have begun working with the FBI or a similar law enforcement agency.

What does this actually entail? I'm imagining this means anything from simply beginning contact with the FBI, to sharing server logs with them, to giving them full access to the machine for full forensics and interviewing you and your staff.

For minor intrusions, I'd imagine that there are many cases when law enforcement wouldn't get involved at all due to limited resources. On the other end of the spectrum, when millions of users' financial records are compromised I would imagine a more detailed response.

Does anyone have any experience with this? I'm curious to know anyone's stories.
======
fbithrowaway
We've had multiple cases where we have had help from the FBI.

I work at one of the larger webhosting companies, so we have a point of
contact with them to start with. We help them out with various things (CALEA,
data preservation, child porn/financial fraud, etc) so they tend to assist for
major problems.

We reach out to our point of contact. We have to prove that the criminal fit
somewhere in
[http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf](http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf)

They then ask for data (our proof). In all the cases we've handled, our proof
has been enough to hand off to a prosecutor. Sometimes the data is enough for
the prosecutor to move forward and score a conviction, sometimes they have
doubts as to whether a jury can be convinced so they either let them take
deferred adjudication, or they try to strike a plea.

We've always known the culprit personally when they commit the crime (name,
address, etc.) so I can't speak for other peoples' investigations where these
things aren't known.

------
mgarfias
My only experience has been with child porn and terrorism stuff found on
servers I worked on. In our case, we burned all the files from the users'
account, html/access logs/etc, to CD, and handed them over to an agent who
appeared in our office.
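
The hand-off mgarfias describes (copying the user's files and web logs to media and giving them to an agent) is the point where a defender wants a record of exactly what left the building. The script below is an added example, not code from anyone in this thread: it builds a SHA-256 manifest of a collected evidence directory and re-checks a copy against it, so a later reviewer can show the files handed over are byte-for-byte what was collected. The directory layout and the two sample files (a user HTML page and an Apache-style access log line) are constructed here for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample bundle: a user's web file plus a web server access log,
# the kind of material the post above describes handing over.
SAMPLE_FILES = {
    "home/user/index.html": b"<html>sample page</html>\n",
    "var/log/httpd/access_log": (
        b'203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] '
        b'"GET /index.html HTTP/1.0" 200 2326\n'
    ),
}


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large logs fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Compare a copy of the bundle to its manifest.

    Returns a list of problems; an empty list means every listed file is present
    with the recorded hash and nothing unlisted has appeared.
    """
    problems = []
    for rel, entry in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return problems


def write_sample_bundle(root: Path) -> None:
    """Lay the constructed sample files out on disk under root."""
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build a bundle, write its manifest, verify it, then show a tamper being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bundle"
        write_sample_bundle(root)
        manifest = build_manifest(root)
        # The manifest lives beside the bundle, not inside it, so it is not
        # reported as an unexpected file on verification.
        (Path(tmp) / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(root, manifest)
        # Simulate a post-collection edit of the log and re-verify.
        (root / "var/log/httpd/access_log").write_bytes(b"edited\n")
        tampered = verify_manifest(root, manifest)
        return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should travel with the media and a copy should stay with the host, so either side can re-run `verify_manifest` on what was received. Hashing in chunks rather than reading whole files keeps the same code usable on multi-gigabyte access logs.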

------
dunsany
I wrote a paper on the NW Hospital case that involved FBI investigation:
[http://www.planetheidi.com/Pompon-VB2010.pdf](http://www.planetheidi.com/Pompon-VB2010.pdf)

