Handbook of Computer Crime Investigation: Forensic Tools and Technology

Steve Romig
In 1996, members of two 'hacking' groups in the Columbus area started using The Ohio State University as a gateway for causing trouble on the Internet. Several members of the groups would come to public computing labs at OSU and use password sniffers to get lists of valid OSU accounts and passwords. They then used some of these accounts to gain free access to the Internet through OSU's dial-up modem pool, and traded other accounts to friends. Once on the Internet they frequently engaged in unethical or illegal activities, including probing for hosts and for network services on those hosts, running exploit scripts to gain access to other computers, or launching denial of service attacks against targets that they wanted to 'take down.'
Once news of this activity gained our attention, OSU began a yearlong investigation to identify and (hopefully) apprehend the intruders. We found several tools that proved useful during the course of the investigation and wrote others. We collected a very large amount of evidence from our investigations, and learned many valuable lessons about how to correlate evidence from a variety of sources in order to reconstruct past events.
I begin this chapter by giving a brief account of the investigation and describing how the tools detailed in Chapter 4 (Incident Response Tools) were used, and conclude by discussing some of the lessons learned about correlating evidence.
At about 19:00 EST on August 27, 1996 an Internet Service Provider (ISP) in California...