RE: Imaging a "live" system

From: Kelly, Lee (kellylat_private)
Date: Sat Jun 15 2002 - 18:23:00 PDT


    I would like some more information, if possible, before weighing in on this.
    What is the event that triggered the investigation? Is the system in
    question actively attacking or damaging other systems? If so, you may
    want to stop the attack/damage before thinking about imaging the system.
    
    What are your incident response measures in this case? 
    
    I agree that a 'live' system will be tricky due to changes in files as they
    are opened/closed/changed and this in itself may change your course of
    action.
    
    Lee.
    
    -----Original Message-----
    From: H C
    To: forensicsat_private
    Sent: 6/10/02 2:43 PM
    Subject: RE: Imaging a "live" system
    
    > I would be interested in knowing what criteria others
    > are using for deciding to acquire an image from a "live"
    > system (*nix or Windows) and what you think the
    > appropriate standards should be for acquiring the
    > evidence in a forensically sound manner within the
    > incident response context.
    
    I'm not clear on why you'd want to image a "live"
    system...given the size of some of these drives, the
    system will change between when you start and finish
    the imaging process.
    
    For NT/2K systems specifically, I would recommend
    collecting "volatile" data prior to imaging the
    system.  I'll elaborate by way of example...assume a
    system is found to have Sub7, and something about the
    incident requires that an image be made of the drive. 
    If you simply shut down the system and image it, how
    do you know that the Sub7 server was a running process
    at the time that the system was shut down?  How do you
    know who was connected?
    
    That being said, I'm working on a project to retrieve
    and *document* the collection of volatile information
    from a "victim" system.
    
    Carv  
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jun 16 2002 - 18:49:53 PDT
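The thread above argues for collecting volatile data (running processes, network connections, logged-on users) before a system is shut down and imaged, and for documenting that collection. The script below is an added example written for this archive page; it is not the tool Carv says he is working on, and the SecurityFocus list never posted it. It runs a fixed list of collection commands in order of volatility, stores each command's raw output, and writes a manifest recording the command line, UTC start/end times, exit code and SHA-256 of the output, so the collection itself can later be verified. The command lists (`UNIX_STEPS`, `WINDOWS_STEPS`) are assumptions about which tools exist on the victim; a missing tool is recorded in the manifest rather than skipped silently.

```python
"""Ordered live-response collector: gather volatile data before imaging and
document every step. Example code added to this archive page, not the
tool mentioned in the thread. Command availability per platform is assumed."""
import datetime
import hashlib
import json
import os
import subprocess
import sys

# Order of volatility, most volatile first. Which tools exist on the victim is
# an assumption; a missing tool is recorded as an error in the manifest.
UNIX_STEPS = [
    ("date", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("net", ["netstat", "-an"]),        # who is connected right now
    ("procs", ["ps", "-ef"]),           # is the backdoor server running?
    ("users", ["who"]),
    ("open_files", ["lsof", "-n", "-P"]),
]
WINDOWS_STEPS = [
    ("date", ["cmd", "/c", "date /t & time /t"]),
    ("net", ["netstat", "-an"]),
    ("procs", ["tasklist"]),            # tasklist exists on XP and later; NT/2K needs a trusted copy of pulist/pslist
    ("users", ["query", "user"]),
]


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def run_step(name, argv, outdir):
    """Run one command, store its raw stdout, return a manifest entry."""
    entry = {"step": name, "argv": argv, "start": utc_now()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        data = proc.stdout
        entry["exit_code"] = proc.returncode
        entry["stderr_sha256"] = hashlib.sha256(proc.stderr).hexdigest()
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        data = b""
        entry["error"] = type(exc).__name__   # tool missing or hung: documented, not hidden
    entry["end"] = utc_now()
    path = os.path.join(outdir, f"{name}.txt")
    with open(path, "wb") as fh:
        fh.write(data)
    entry["output_file"] = path
    entry["output_bytes"] = len(data)
    entry["output_sha256"] = hashlib.sha256(data).hexdigest()
    return entry


def collect(steps, outdir, case_id="case"):
    """Run all steps in the given order and write manifest.json alongside the outputs."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"case_id": case_id, "collector_started": utc_now(), "steps": []}
    for name, argv in steps:
        manifest["steps"].append(run_step(name, argv, outdir))
    manifest["collector_finished"] = utc_now()
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(outdir):
    """Re-hash every stored output against the manifest; return the names of mismatched steps."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    bad = []
    for e in manifest["steps"]:
        with open(e["output_file"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != e["output_sha256"]:
                bad.append(e["step"])
    return bad


if __name__ == "__main__":
    steps = WINDOWS_STEPS if os.name == "nt" else UNIX_STEPS
    result = collect(steps, sys.argv[1] if len(sys.argv) > 1 else "volatile_out")
    for e in result["steps"]:
        print(e["step"], e.get("exit_code", e.get("error")), e["output_sha256"][:16])
```

Two practical caveats that follow from the thread: run the collector and every tool it calls from trusted media rather than the victim's own binaries, since a Sub7-class compromise can replace them, and expect the collection itself to alter the system (new process, new handles, new files if you write to the local disk), so write the output to removable media or over the network and note the order in which you ran things.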