RE: Imaging a "live" system

From: Estes, Matt PEO EIS CPR / FCBS (Matt.Estesat_private)
Date: Tue Jun 18 2002 - 14:13:22 PDT

    Do you actually alter evidence in the process of shutting down?  There was
    the mention of disk encryption as one possibility, but how much slack space
    do you alter in actually shutting down.  Literally pulling the plug seems
    the only alternative... hope you are sure it's a real incident (how many
    servers haven't come back after pulling the plug).
    
    Say you scan a production machine that costs $ for every minute of downtime,
    it has an extra port open or shows signs of a certain signature (odd
    external connections, IRC attempts, etc.)  If you had aware staff, before
    mucking around significantly (like a typical admin), you could run
    fport/handle/netstat/lsof and then image the drive.
    
    The "extent of damage" issue comes in because:
    * This machine could be one of 200 standard images and if you don't find out
    how he hacked one, then all could be at stake.  
    * Hackers rarely stay put, and they may have downloaded/executed sploits
    against services blocked at the firewall (SMTP, IMAP, NetBIOS, etc.)  You
    may lock down/rebuild the original machine, but another neighbor could
    already be connected to an IRC server in Pakistan.
    * The machine could be a trusted host to a database server with medical
    records, credit cards, etc.  Did he hack this server too?
    
    As far as collecting unused drives, that's why I'm on this list... to find
    easier and faster ways to do IR and move faster than the hacker.
    
    Matt
    
    > -----Original Message-----
    > From: Mark Menz [mailto:markmenzat_private]
    > Sent: Tuesday, June 18, 2002 11:41 AM
    > To: 'H C'
    > Cc: forensicsat_private
    > Subject: RE: Imaging a "live" system
    > 
    > 
    > When I did it last year it was to look at an employee and not let them know
    > we were looking at them. I used (believe it or not) Back Orifice with a
    > plugin to view individual sectors of the disk across the network. Worked
    > well. I then (with my partner) wrote a quick program to copy the disk
    > across the network from the suspect machine to another one. In this case it
    > was a desktop we could not move and only had a limited time to do it prior
    > to the suspect coming back to his desk. Our program ran from a floppy. So
    > there is one reason to do this. I can think of others as well.
    > 
    > -----Original Message-----
    > From: H C [mailto:keydet89at_private]
    > Sent: Tuesday, June 18, 2002 6:31 AM
    > To: forensicsat_private
    > Cc: subscribeat_private
    > Subject: RE: Imaging a "live" system
    > 
    > 
    > > If you do then it's known changes to the system will be
    > > made.  *However*, if you document those changes and move
    > > in a methodical and sound manner, then I see no reason
    > > why you cannot proceed.
    > 
    > I'm still not all that clear on _why_ you'd ever want
    > to perform imaging of a "live" system.  I can see why
    > one would want to collect volatile data from the
    > system, and then perhaps (based on decisions made
    > regarding the situation) move on to disconnecting the
    > system, and then imaging the drive.
    > 
    > > One of the best things about a live system is the
    > > volatile info
    > 
    > Agreed.  However, I think we need to address the issue
    > of methodologies...like develop one.  From my
    > perspective at this point, very few admins are
    > collecting this information.  Now, I understand that
    > not every situation requires it, but some do...and I
    > think admins aren't doing it for a couple of reasons.
    > 
    > First, there isn't even a framework, let alone a
    > methodology, available.
    > 
    > Second, no one really wants to do all the repetitive
    > documenting of their actions...they'd rather just get
    > on with it.
    > 
    > Third...and I think this was brought out at CanSecWest
    > to a degree...most don't know how to interpret the
    > data they do get.  The issues seem to be as much a
    > lack of time as they are a lack of skill.
    > 
    > What if there were some way to collect this
    > information in a "clean" manner that also performed
    > the necessary documentation?  What if the collection
    > of volatile (and some non-volatile) information could
    > be automated and thoroughly documented?
    > 
    > carv
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
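Matt's "run fport/handle/netstat/lsof and then image the drive" step and carv's closing question both describe collecting volatile data in a way that documents itself. The script below is an added example, not code from anyone in this thread: a POSIX sh collector for the Unix side (the tool list netstat/lsof/ps/uptime and the file layout are this example's assumptions) that records, for each command, the tool's path and SHA-256, UTC start time, exit status and the SHA-256 of its output, then seals the log, so the responder's actions on the live box are written down automatically rather than by hand.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal self-documenting volatile-data
# collector in the spirit of "automate the collection and document it as you go".
# Every command's output goes to its own file; collection.log records the tool's
# path and SHA-256, UTC start/end, exit status and the SHA-256 of the output,
# so the responder's actions on the live box are recorded rather than hand-written.
# The tool list (netstat, lsof, ps, uptime) and file layout are this example's choices.

sha256_of() {                      # hash a file with whichever SHA-256 tool exists
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }   # one timestamp format for every log line

# run_step OUTDIR NAME CMD [ARGS...]: run one collection command and log it.
run_step() {
    outdir=$1; name=$2; shift 2
    log="$outdir/collection.log"
    tool=$(command -v "$1" 2>/dev/null) || tool=""
    if [ -z "$tool" ]; then
        printf '%s SKIP %s (%s not found)\n' "$(ts)" "$name" "$1" >>"$log"
        return 0
    fi
    # Fingerprint the binary we are about to trust on a possibly compromised host.
    if [ -f "$tool" ]; then toolsha=$(sha256_of "$tool"); else toolsha=builtin; fi
    start=$(ts)
    if "$@" >"$outdir/$name.txt" 2>"$outdir/$name.err"; then status=0; else status=$?; fi
    printf '%s %s tool=%s toolsha=%s exit=%s start=%s outsha=%s\n' "$(ts)" "$name" \
        "$tool" "$toolsha" "$status" "$start" "$(sha256_of "$outdir/$name.txt")" >>"$log"
}

# collect_volatile OUTDIR: most volatile data first (connections before processes).
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    printf 'collection started %s host=%s user=%s\n' "$(ts)" "$(uname -n)" "$(id -un)" \
        >"$outdir/collection.log"
    run_step "$outdir" netstat netstat -an
    run_step "$outdir" lsof lsof -n -P
    run_step "$outdir" ps ps -ef
    run_step "$outdir" uptime uptime
    # Seal the log so later tampering with it is detectable.
    sha256_of "$outdir/collection.log" >"$outdir/collection.log.sha256"
}
```

Run it from trusted media with `collect_volatile /path/to/removable/outdir`; a missing tool is logged as SKIP rather than silently omitted, and the output directory should not be on the drive you are about to image.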



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 18:01:33 PDT