how to subpeona Quest for ISP records
Khoder bin Hakkin
hakkin at sarin.com
Thu Dec 20 13:22:50 PST 2001
[Found on Morpheus as "WritingSubpeonas.pdf",
not found on cryptome's search, so here it is]
How to Write Subpoenas
Kathy Hines, Manager - Security Services
Qwest Law Enforcement Internet Security Seminar
Qwest Internet Solutions
Minneapolis, MN
October 19, 2000
Agenda
� Examples of subpoena problems
� Examples of well written subpoenas
� Child Pornography
� Available Information
� The Security Technical Analyst Team
Botched userids - they were
probably forged anyway.� Please provide address, phone number, billing
information, and connection records for the
userid �john a peterson @u s west. net� for 7/ 23
- 7/ 30/ 2000.
� Legitimate userid formats would be:
john. peterson@ uswest. net or
john_ peterson@ uswest. net.
� Please provide address, phone number, billing
information, and connection records for the
userid �h@ ckez 133 @u s west. net� for
8/ 19/ 2000. Can not have two @ symbols in an
e- mail address.
Occasionally it makes sense to issue a
subpoena with a userid as evidence.
� Please provide connection records and caller- id
for the userid �larryboy@ qwest. net� for 12: 01
a. m. on 9/ 17/ 2000 through 11: 59 p. m. on
9/ 17/ 2000 MDT.
� The criminals had stolen a car that contained
computer equipment and used one of the laptops
to connect to the Internet. The police were
looking for the caller- id of the account�s
connections on 9/ 17.
Stolen car with a laptop in it.
Send me everything for the last
millenium.
� Please provide all subscriber information from
1995 through the present for IP address
216. xxx. xx. 227; also referred to as
cxxppp227. ptld. uswest. net.
Grand Jury Subpoena
Send me everything but the
kitchen sink.� Please provide all subscriber information for
�candigirl,� including, but not limited to, true
name, date of birth, SSN, address, all phone
numbers, credit card numbers, connection logs,
e- mails, chat sessions, web sites visited, and
connections to other ISPs.
� We have the customer�s account information but
not everything they�ve ever done on the Internet.
Send me the kitchen sink too!
Preservation of Evidence Request
This letter is to request that Qwest Communications
take all necessary steps to preserve any and all records
and any other evidence in its possession pending the
issuance of a court order or other legal process in
regard to all telephone and Internet conference
connection information on September 11, 2000 between
8 pm through 4 am Pacific Standard Time (PST). This
request also covers preservation of all records,
including call details, for the Qwest connection
telephone number (111) 222- 9999 during the above
period of time.
Typo the IP address and we can
start an international
investigation!
� The IP address 63.14.69.108 is for a qwest. net
connection.
� The IP address 63.147.69.108 trace routes
through a uu. net connection.
� The IP address 163.14.69.108 trace routes
through an att. net connection.
� The IP address 263.14.69.108 does not exist.
No IP numbers go over 255.
A very well written subpoena.
�information about the subscriber to IP address
216.161.69. xxx, account holders name, address,
phone number, and connection records for this
ISP account. The intrusion occurred on Sat. 12
Aug. 2000 at 22: 54: 59 hrs. to Sat. 12 Aug.
2000 23: 30: 20 hrs. C. D. T.
I don�t have to play guessing games with
any of this data.
Another good subpoena.
Please provide all available account information
for IP address 63.1xx. 69. xxx on 8/ 16/ 2000 from
11: 56 a. m. to 12: 18 p. m. MST including any
and all screen names and E- mail addresses along
with telephone numbers of the account holder,
any caller ID information maintained for any
connection made from this account including
true names and addresses.
I won�t have additional �screen names,�
but I can provide the rest of the data.
<excerpted logs>
Subpoena Submission Process
� Qwest uses the C T Corporation as a receiving agent
for subpoenas
� C T Corporation has offices in all 50 states - use the
one in your state to send subpoenas to Qwest
� Address the subpoena to �Qwest Communications�
� The Minnesota address for C T Corporation is
C T Corporation System
405 Second Avenue, South
Minneapolis, Minnesota 55401
Copyright Qwest Internet Solutions, 2000
Available Information
� We do not keep copies of our customers� e- mail
messages
� We do not monitor our customers� Internet traffic
� We do not surf through our customers� web pages
looking for offending material
� We strive to maintain our computer logs for one
year
� We can provide name, address, telephone
number( s), and secondary userids for an account
� We have, in the past, retained copies of customers�
current e- mail when provided with a court order
Security Technical Analyst Team
� We currently have seven people on the team
� They handle approximately 11,000 e- mail
complaints from the Internet to abuse@ qwest. net
each month
� They have fulfilled approximately 130 subpoenas
so far in 2000
� They have fielded several warrants, court orders,
and one vacate court order
� They handle about 100 calls per month regarding
subpoenas destined for Qwest, hacking incidents,
Denial of Service attacks, and questions concerning
account deactivations
--
foo
More information about the cypherpunks-legacy
mailing list