> I would be interested in knowing what criteria others
> are using for deciding to acquire an image from a "live"
> system (*nix or Windows) and what you think the
> appropriate standards should be for acquiring the
> evidence in a forensically sound manner within the
> incident response context.

I'm not clear on why you'd want to image a "live" system...given the size of some of these drives, the system will change between when you start and finish the imaging process.

For NT/2K systems specifically, I would recommend collecting "volatile" data prior to imaging the system. I'll elaborate by way of example...assume a system is found to have Sub7, and something about the incident requires that an image be made of the drive. If you simply shut down the system and image it, how do you know that the Sub7 server was a running process at the time that the system was shut down? How do you know who was connected?

That being said, I'm working on a project to retrieve and *document* the collection of volatile information from a "victim" system.

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
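One way to capture and document volatile data before the system is shut down and imaged, as an added example that is not from the original post or the poster's project: each collection step is run in order of volatility and recorded with timestamps, exit status and a SHA-256 of its output, so the manifest can later show what was running and who was connected at collection time. The command list, field names and collector name are my own assumptions; a tool that is missing or hangs is documented rather than aborting the run.

```python
"""Collect volatile data in order of volatility and document each step."""
import hashlib
import json
import platform
import subprocess
from datetime import datetime, timezone

# Assumed command set, most volatile first. Adjust to the tools actually
# present (or brought on trusted media) on the victim system.
DEFAULT_COMMANDS = {
    "date": ["date"],
    "network_connections": ["netstat", "-an"],
    "processes": ["ps", "aux"],
    "logged_in_users": ["who"],
}


def collect(commands, collector="examiner"):
    """Run each command and return a manifest of what was collected.

    Each entry keeps the raw output bytes alongside its SHA-256 so the
    preserved output can be re-verified later with verify()."""
    manifest = []
    for name, argv in commands.items():
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            output, status = proc.stdout, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # Tool missing or hung: record the failure, keep going.
            output, status = b"", "failed: " + repr(exc)
        manifest.append({
            "step": name,
            "command": " ".join(argv),
            "host": platform.node(),
            "collector": collector,
            "started_utc": started,
            "finished_utc": datetime.now(timezone.utc).isoformat(),
            "exit_status": status,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "output": output,
        })
    return manifest


def verify(entry):
    """Re-hash the preserved output and compare with the recorded digest."""
    return hashlib.sha256(entry["output"]).hexdigest() == entry["sha256"]


if __name__ == "__main__":
    for entry in collect(DEFAULT_COMMANDS):
        record = {k: v for k, v in entry.items() if k != "output"}
        print(json.dumps(record))  # one manifest line per step
```

The raw output of each step should be written to the evidence store as well; the manifest line (without the output) is what goes in the collection notes.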
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 10:55:55 PDT