('binary' encoding is not supported, stored as-is) I was looking for documentation available discussing circumstances where each of the following approaches is better: a) leave the system online/plugged to the network -> online investigation b) unplug the system from network and shutdown -> offline forensics c) unplug the system from network and unplug from power source -> offline forensics It can be argued that with any of these approaches you potentially loose or alter evidence in some way; usually, approach c) is considered best in procedures as it freezes the hard disk and makes impossible further tampering (network connection information and data in volatile memory not written to disk would be lost however). Approach a) is sometimes necessary , for example, if there is an incident with a mission critical system that cannot be unplugged from the network or shut down (even if backups are available, sometimes bringing up a replacement system might take just too long or be extremely difficult because of specialized hardware availability). I intend to write a paper on the matter including a list of situations where each approach is better suited but I want to include as well legal implications for each approach (legal requirements from different countries are welcome) and also recommended procedures for each approach (for example, in an online investigation you might still use trusted binaries saved on a floppy or cdrom rather than system binaries; if the kernel was tampered with this might be of no use though). Finally, I was dreaming of a system which had a kind of “forensic hibernation mode”; currently I’m not aware of a system with this capability (that would preserve memory an network connection sate while freezing hard disks and, at the same time, being easy to do forensics on it). If there is still no work in progress on this kind of systems I would also like to discuss requirements for a standard that would allow computer makers to include this capability on computer systems. All feedback, comments and suggestions will be greatly appreciated. Regards, Omar Herrera ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Mar 29 2003 - 05:33:48 PST