RE: Imaging a "live" system

From: Estes, Matt PEO EIS CPR / FCBS (Matt.Estesat_private)
Date: Wed Jun 12 2002 - 14:25:15 PDT


    Hi Carv,
    I guess the dividing line is if you know substantial financial harm has
    come to your organization, then immediately take any volatile evidence from
    the machine <insert plug for Carv's software here> in what hopefully is a
    forensically sound manner and power it down, as legal action is likely to be
    pursued.  
    
    However, if you are simply gathering the extent of damage due to "suspicious"
    events, then gathering volatile data <insert Carv plug #2> and then live
    imaging may be more appropriate to determine the nature of these events.
    It's quite possible evidence will be altered during the long imaging process
    or even destroyed, at least the argument could always be made in court.  But
    at least you would have a static record to mull over to see if someone
    hacked and hopped to another machine (the whole "Baked Alaska" analogy).
    
    I had a test server that showed what appeared to be a trojan (Trinoo
    profile, but odd port).  I couldn't prove to management that this warranted
    disconnecting the machine, therefore I had to do live forensics.  The owner
    of the machine rebooted it and then downloaded some software.  The backdoor
    disappeared and the downloads most likely destroyed any slack space.  
    
    Matt
    
    > -----Original Message-----
    > From: H C [mailto:keydet89at_private]
    > Sent: Monday, June 10, 2002 2:44 PM
    > To: forensicsat_private
    > Subject: RE: Imaging a "live" system
    > 
    > 
    > > I would be interested in knowing what criteria others
    > > are using for deciding to acquire an image from a "live"
    > > system (*nix or Windows) and what you think the
    > > appropriate standards should be for acquiring the
    > > evidence in a forensically sound manner within the
    > > incident response context.
    > 
    > I'm not clear on why you'd want to image a "live"
    > system...given the size of some of these drives, the
    > system will change between when you start and finish
    > the imaging process.
    > 
    > For NT/2K systems specifically, I would recommend
    > collecting "volatile" data prior to imaging the
    > system.  I'll elaborate by way of example...assume a
    > system is found to have Sub7, and something about the
    > incident requires that an image be made of the drive. 
    > If you simply shut down the system and image it, how
    > do you know that the Sub7 server was a running process
    > at the time that the system was shut down?  How do you
    > know who was connected?
    > 
    > That being said, I'm working on a project to retrieve
    > and *document* the collection of volatile information
    > from a "victim" system.
    > 
    > Carv  
    > 
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
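The point Carv raises about retrieving *and documenting* volatile data before an image is taken comes down to recording what was collected, in what order, at what time, and a hash of each result so the collection itself can later be shown to be unaltered. The following Python is an added illustration of that record-keeping, not code from either poster or from Carv's project; the collector names, the `collect_volatile`/`verify_artifact` functions and the `netstat -an` example command are assumptions chosen for this example.

```python
import hashlib
import json
import subprocess
import time
from typing import Callable, Dict, List, Tuple

# Constructed helper: run collectors most-volatile-first and build a manifest
# that documents each artifact (name, start/finish time, size, SHA-256).
# The manifest itself is hashed so a reviewer can check it was not edited.
def collect_volatile(collectors: List[Tuple[str, Callable[[], bytes]]],
                     clock: Callable[[], float] = time.time) -> Dict:
    manifest: Dict = {"started": clock(), "artifacts": []}
    for name, collector in collectors:
        started = clock()
        data = collector()              # e.g. output of a process or socket listing
        finished = clock()
        manifest["artifacts"].append({
            "name": name,
            "started": started,
            "finished": finished,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    manifest["finished"] = clock()
    body = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest

# Later check: does a saved artifact still match what the manifest recorded?
def verify_artifact(manifest: Dict, name: str, data: bytes) -> bool:
    for entry in manifest["artifacts"]:
        if entry["name"] == name:
            return entry["sha256"] == hashlib.sha256(data).hexdigest()
    return False                        # artifact was never recorded

if __name__ == "__main__":
    # Assumed example collector; "netstat -an" exists on both NT/2K and *nix.
    sockets = lambda: subprocess.check_output(["netstat", "-an"])
    print(json.dumps(collect_volatile([("sockets", sockets)]), indent=2))
```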
    



    This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 17:31:47 PDT