> Hi Carv,

Hey, Matt!

> I guess the dividing line is if you know substantial financial harm has
> come to your organization, then immediately take any volatile evidence from
> the machine <insert plug for Carv's software here> in what hopefully is a
> forensically sound manner and power it down, as legal action is likely to
> be pursued.

While I fully agree with what you've said, my experience has been that things actually happen a little differently. Usually, an incident might be identified or suspected, the admin "mucks about" or "plays with" the machine for a bit, and either finds something...or not. Take a look at some of the other lists, particularly Security-Basics...very few people dealing with NT/2K systems know about tools like handle and fport.

> However, if you are simply gathering the extent of damage due to
> "suspicious" events, then gathering volatile data <insert Carv plug #2>
> and then live imaging may be more appropriate to determine the nature of
> these events. It's quite possible evidence will be altered during the long
> imaging process or even destroyed, at least the argument could always be
> made in court.

I'm not sure how performing "live" imaging will provide assistance in determining the extent of damage due to an event. I do agree with the fact that a "live" image may not be admissible in court...one thing that folks who testify have said is that tools aren't questioned by opposing counsel as much as methodologies are. However, the decision to make a "live" image should include whether or not prosecution is a goal. I wouldn't recommend making a live image at all, if prosecution is the end goal. Any manager who says, "we want to prosecute, but we can't take the system down" needs some education. I've seen cases in which someone other than the security staff has hired an outside firm to perform forensic analysis, and there was never any reason to believe that the case would ever be taken to court. Such cases are a waste of resources...time, money, etc.

> But at least you would have a static record to mull over to see if someone
> hacked and hopped to another machine (the whole "Baked Alaska" analogy).

Yes, having _something_ to work with, should you need it, may be advisable. I once met an admin who took images of drives for just about any incident...and his office is full of drives he hasn't looked at...and doesn't have the time to do so.

> I had a test server that showed what appeared to be a trojan (Trinoo
> profile, but odd port).

Just out of curiosity, what did the output of fuser or lsof (assuming Linux system here) show you about the port/process?

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
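The "which process owns this port" question Carv asks at the end (what fport/handle answer on NT/2K, fuser/lsof on Linux) is also the kind of volatile data the first quoted paragraph says to grab before powering a box down. The following is an added example, not code from the original post or its authors: a small Python script that reads the Linux /proc socket table, joins each listening socket to its owning process, and emits a hash-stamped text record so the collection can be documented. The /proc/net/tcp content and the inode-to-process map used for the demonstration are constructed sample data; the function and field names are this example's own.

```python
"""Record listening TCP sockets and their owning processes from /proc.

Added example (not from the original post). Assumes a Linux /proc
filesystem for the live path; the SAMPLE_* data below is constructed.
"""
import hashlib
import os
import socket
import struct
import time

# /proc/net/tcp 'st' column values we care about (kernel TCP states).
TCP_STATES = {0x01: "ESTABLISHED", 0x06: "TIME_WAIT", 0x0A: "LISTEN"}


def decode_addr(hexaddr):
    """Turn '0100007F:0016' into ('127.0.0.1', 22).

    /proc/net/tcp stores the IPv4 address as 8 hex digits in host byte
    order (little-endian on x86), so we unpack it as a little-endian int.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp into a list of socket dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(int(fields[3], 16), "0x" + fields[3]),
            "inode": int(fields[9]),
        })
    return rows


def map_socket_inodes(proc_root="/proc"):
    """Walk /proc/<pid>/fd and map socket inode -> (pid, comm).

    This is the join that lsof/fuser do for you; reading it directly keeps
    the dependency footprint on a suspect host as small as possible.
    """
    inode_map = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            fds = os.listdir(fd_dir)
        except OSError:            # process exited, or we lack privileges
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inode_map[int(target[8:-1])] = (int(pid), comm)
    return inode_map


def find_listeners(tcp_text, inode_map):
    """Return LISTEN sockets annotated with their owning pid and comm.

    A listener whose inode maps to no visible process (pid None) is worth a
    second look: the owner may have exited, or may be hidden from /proc.
    """
    listeners = []
    for row in parse_proc_net_tcp(tcp_text):
        if row["state"] != "LISTEN":
            continue
        pid, comm = inode_map.get(row["inode"], (None, None))
        listeners.append(dict(row, pid=pid, comm=comm))
    return listeners


def render_record(listeners, collected_at):
    """Format the findings as text and append a SHA-256 of the body.

    Returns (text, digest); the digest lets the collector note in their
    log what was captured and prove the record was not altered afterwards.
    """
    lines = ["# volatile-data record, collected_at=%s" % collected_at]
    for l in listeners:
        lines.append("%s:%d LISTEN pid=%s comm=%s inode=%d" % (
            l["local"][0], l["local"][1], l["pid"], l["comm"], l["inode"]))
    body = "\n".join(lines) + "\n"
    digest = hashlib.sha256(body.encode()).hexdigest()
    return body + "# sha256=" + digest + "\n", digest


# Constructed sample data standing in for /proc/net/tcp and the fd scan.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:6B0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0500000A:0016 0100000A:C4F2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_INODE_MAP = {12345: (712, "sshd"), 12346: (1337, "bind")}

if __name__ == "__main__":
    if os.path.isdir("/proc/1"):
        with open("/proc/net/tcp") as fh:
            found = find_listeners(fh.read(), map_socket_inodes())
    else:
        found = find_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_INODE_MAP)
    print(render_record(found, time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))[0])
```

Run it from a trusted copy of the interpreter and redirect the output to removable media rather than the suspect disk; the script only reads /proc and writes nothing to the host. On the constructed sample it reports sshd on 0.0.0.0:22 and a process named "bind" on 127.0.0.1:27402, the sort of unexplained listener that would have answered Matt's Trinoo question.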
This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 17:33:11 PDT