> Second scenario is a bit different. Users have been booted off the
> system but it has not been shut down nor have services been shut down.
> So it's live in the sense that network connectivity and processes are
> alive and well, but *hopefully* data movement is minimized as users
> have been removed from the equation.

Telling all users to play dead so you can image the system could possibly be a very bad thing to do.

First of all, you'll probably want to take the live image as soon as possible. So you might not have as much time as you'd like to investigate the system beforehand. If a legitimate user has made some fraudulent moves, he'll know right away that you're on to him. And if he knows a little bit about forensics, he can really ruin your day.

Also, you'd need a quick and dirty way to kick all of your users. Otherwise, some are bound to try a 'clean' exit. Which, for our purposes, would be like dumping car oil in a fishing pond.

Does anybody know of a way to freeze all user activity immediately, without putting volatile data at risk?

Yours almost sincerely,

Daan

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 06:55:05 PDT