ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED
DATE 09-17-301 BY 60324 UC

FACSIMILE TRANSMITTAL (AF FORM 3535, FEB 95), FOR OFFICIAL USE ONLY
FBI CITAC
Subject: Administrator [illegible] statement

STATEMENT OF SUSPECT/WITNESS/COMPLAINANT
[Privacy Act statement and rights advisement: text illegible]
SIGNATURE OF SUSPECT
AF FORM 1188 JUL 95
FEB-12-1998
BEST AVAILABLE COPY

February 8, 1995

I was made aware that an individual based on my machine had illegally accessed military amenities on the Internet. The person who contacted me at home was [illegible] at Myriad Corporation, the [illegible] that leases our connectivity to the Internet. I immediately drove to Myriad and was told that the law enforcement officer was going to need to talk to me. On arrival I was taken to [illegible] office, where he was [illegible] talking to an [illegible] investigator from the Air Force.

I was told that I would [illegible] an official letter in the mail and a copy would be faxed to [illegible]. The field agent would not take any information from me at the time and did not want any passwords or information. The field agent instructed me, if I was willing to cooperate and only then, to turn off the trimming of my log files in my crontab and not to change any configurations of the machine aside from that. Upon my request the field agent gave me some general times that hacking activity was noted as occurring.

[illegible] issued the following commands to shut off trimming [illegible] crond and ensured that trimming would no longer occur. I then went home and logged in from home. [illegible] and I had a significant amount of data that was not backed up on our system. We immediately went and bought a zip drive, drove to her office and downloaded backup copies of all of our client webpages, home directories and email. We left the system files etc on the machine.

[illegible] I arrived at home I started looking around to see if I could piece together exactly who the culprit was. My first step was to check our /var/log/messages file that logs system messages. I found no activity that I deemed as unusual during the alleged hacking times. Next I did a 'last' command to see who was logged in during those times. One user had been logged in at the approximate times of the hacking indicated by Field Investigator [illegible].

Below is a list of the last log that we captured with the user we suspected. This account is shared and the overseas user indicates that she was logged in on 15:25-16:33 and that it was indeed her at that time only.

    04:10 - 00:38 (00:27)
    Sun Feb 8 00:49 - 00:59 (00:10)
    Sun Feb 8 00:04 - 04:07 (04:03)
    Sun Feb 2 00:01 - 00:01 (00:00)
    Sun Feb 0 00:00 - 00:01 (00:00)
    Sat Feb 7 23:5 - 23:59 (00:02)
    Feb 7 23:55 - 23:56 (00:01)
    Fri Feb 6 06:13 - 06:22 (00:08)
    Thu Feb 5 15:25 - 16:33 (00:08)
    Wed Feb 4 02:56 - 02:57 (00:01)
    Wed Feb 9 02:35 - 02:53 (00:10)
    Tue Feb 3 23:54 - 23:54 (00:00)
    Tue Feb 3 05:49 - 06:08 (00:19)
    Feb 3 05:46 - 05:49 (00:02)
    Tue Feb 3 05:04 - 05:36 (00:32)
    Tue Feb 3 04:50 - 04:57 (00:06)
    Tue Feb 3 04:32 - 01:37 (00:05)

I have highlighted a time range that seemed to match with what [illegible] indicated. However, I now see that I jumped the gun a bit in that a date was wrong. [illegible] indicated a break-in on Feb 5 00:40 02:35 and one Feb 4 10:00 EST. According to this last log I suppose that the bat account could not be suspect. The file was set to trim because I was more concerned with disk space than security, so more data is not available. In my haste I accidentally lost the 'last' that contained all the users and their log in times. It will be available on the tape restored system once the court order is obtained. I would like to have a note made though that I have seen the bat account logged in previously from two locations [illegible].

About this time I was contacted by another field investigator. [illegible] arranged an appointment to meet me at my service provider's office where the machine resides. He also made arrangements to get backup copies of my drives. It was totally under my consent and he made it perfectly clear to me that I didn't have to backup the hard drives or cooperate with them at all. [illegible] also gave me some file names that the hacker had placed on previous systems to aid me in looking for [illegible]. Files he named were as follows: [illegible]

After he called I started poking around on my system some more. I edited no files nor did I create any files in system areas. All that I have included were taken from telnet session logs. I mined the logs and the message logs. I found nothing that I felt was important. Then I started looking for files on the system that [illegible] recently updated. I found some suspicious files, namely a file named [illegible] in one of the /var directories. [illegible] I was able to make out that the [illegible] contained a list of all the files in my root directory tree. After this I went to sleep.

I awoke the following morning and started working on getting information from my server. This was 2/9/99 around 08:00. I logged in and checked /var/log/messages and found many ICMP errors for many different IP numbers. [illegible] logged in on her account and did a lookup [illegible]. [illegible] immediately paged and left a message for [illegible].

Here is a transcript from the log file that contained all the ICMP errors that we saw and the hosts they belonged to were inserted and are preceded by [illegible]. I know that some of these are probably related to the apache on my system [illegible] but, however, I wanted to be thorough such that if any of these sites come up on you [illegible] them.