According to Robert Accettura's blog, an "efficient" way FBI used is simply shutting down an ISP, rather than take specific data.
FBI has a search warrant for searching one of the IRC network CIT Hosting hosts. All CIT Hosting's clients got offline because of their clients has some content of FBI's interest?
This issue has been discussed in Slashdot and reported in this Carrier Hotels' article
From CIT Hosting's website 14/2/2004:
Dear Customers of FOONET/CIT:
We regret to inform you that on Saturday February 14, 2004 at approximately 8:35 am EST, FOONET/CIT's data center in Columbus, Ohio temporarily ceased operations.
Here are the facts of what occurred:
The FBI executed a search warrant issued by the United States District Court for the Southern District of Ohio regarding the IRC network that we host. According to the warrant, it appears that the Bureau is investigating whether someone hosted on our network hacked and attacked someone else.
After several hours of attempting to track down, inspect and audit the terabytes of data that we host, the FBI determined that it was more efficient (from their point of view) to remove all of our servers and transport them to the FBI local laboratories for inspection. This was completed at 7:00 pm EST same day.
The FBI has assured us that as soon as the data has been safely copied and inspected, the equipment will be promptly returned. Unfortunately, the FBI has not been able to tell us when they will be completed with their inspection.
We have been told by the Special Agent in charge of the investigation that If you need access to your data you are asked to please contact the Bureau via email to email@example.com. Make sure to include in your email your name, mailing address, and telephone number with area code.
Since we wish to focus 100% of our efforts on restoring services, we would appreciate it very much if you do not attempt to contact us directly. Please rest assured that we are doing everything possible to restore service to you as quickly as possible.
To the many who have inquired, Paul and family are OK, although shaken by these events. They are at home and awaiting the blessed event of their new child's birth. We thank you for your good wishes and prayers.
Please check back here often. Through this site, we will keep you informed of ongoing developments as we know them.
Thanks again for your understanding.
Thanks god, they resumed business on 23/2/2004:
We have restored service at Equinix's Chicago Data Centers. We are in the same facilities as MSN and many fortune 500 companies. The facility has multi OC192 connections to the backbone.
Posted by Antony at February 24, 2004 8:38 PM
The FBI has begun retuning equipment to CIT which is being shipped to our new facilities in Chicago.
At this time CIT will continue to provide dedicated DDOS Protected web hosting only.
If you are a customer missing data please be patient we will notify our customers as soon as we receive their servers, and will arrange for your data to be returned to you. If you have not been contacted it is because we don't have your server yet.
CIT provides reliable and scalable solutions for customers of all sizes and services. Located in Equinix's Chicago Data Centers , CIT has access to all the major carriers without the need for local loop circuits.
Our Chicago staff is focused first and foremost on customer satisfaction, and will take every action necessary to accommodate each customer. Unlike many large ISPs, CIT prides itself in its ability to provide personalized service to each customer – if a customer calls twice for assistance, they can usually speak to the same representative. Our sales and support teams are allowed a great deal of flexibility to work together to resolve each customer’s needs on an individual basis. Our success and rapid growth can be attributed to the satisfaction of our customers - word-of-mouth referrals account for a large portion of the new business we receive each month.
Since none of the IRC server has been return to us, the IRC Network will remain down until further notice. AS soon as we receive the IRC servers back we will promptly notify our customers of the return and arrange to get your data or collocated server back to you.
>> more February 2004 entries