> Amen to education. Most sysadmins are not focused on
> preservation of forensics evidence, be it for
> prosecution purposes or technical investigation, but
> instead on stopping the attack and recovering.

You're so right! And to be quite honest, that really provides a great transition to the topics of the exchange principle and evidence dynamics that Eoghan mentioned.

If sysadmins are going to respond to incidents, they need to understand a little more about the systems they administer. That way, they can collect the information they need in order to make appropriate decisions. Either that, or some sort of first responder procedure needs to be employed (such a thing has been documented here on SF), so that admins can use it.

That same info needs to be kept in mind when investigating a possible compromise as well, be it a virus, break-in, trojan, etc. The digital artifacts that are exchanged can vary, and the first responder needs to have the tools/knowledge on hand to collect enough info to make an appropriate decision.

However, a more important decision needs to come from senior management. Is the business so important that a machine needs to be put back into service w/o performing a root cause analysis? What happens? Does the machine get compromised again? How is the system put back into service? Is it wiped and re-ghosted/re-installed? If the same or similar system is put back into service, w/o a root cause analysis and remediation steps (which is where things like the exchange principle and evidence dynamics come into play), then the compromise (hack, virus, etc.) will likely happen all over again.

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 06:44:18 PDT